On Tue, Nov 09, 2010 at 06:39:15AM -0600, Larry Stone wrote:

> > NO, NO, NO!
> > 
> > A pkcs12 file carries both the private key and the certificate, in
> > this case the phone needs only a public certificate to add to its trust
> > chain. It MUST NOT have access to the server's private key.
> > 
> > Please don't answer questions in areas where your expertise is very
> > limited...
> 
> Victor correctly points out that you should not answer where your expertise
> is very limited (which applies to me regarding certificates) but since I was
> following the instructions of (I hope) experts when I did it, those
> instructions had me send the public root (self-signed certificate authority)
> certificate to the phone (and other clients that would be accessing the
> server). I suspect there is more than one way to do it. But I'd wait until
> someone else says that's a valid way as well and that I haven't created a
> security mess.

Don't confuse certificates (signed bindings of a public key to a subject
identifier) with private keys and/or key-pairs that consist of a private
key plus an associated certificate. There is nothing wrong with distributing
CA certificates, or even leaf certificates (sans keys), to parties other
than the key holder.  It is quite wrong to send your key-pair (that's
what a pkcs12 container holds) to someone who merely needs to be able
to authenticate (rather than impersonate) you.

-- 
        Viktor.
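The distinction Viktor draws above, shown with the openssl command line. This is an added example, not code from the thread or from Postfix: it builds a throwaway self-signed CA (the subject name, the file names and the password `demo` are all constructed for the demo), packs key and certificate into a pkcs12 container, and then contrasts exporting the certificate only (what a phone or mail client needs as a trust anchor) with dumping the whole container (which carries the private key and must stay on the server). The `private_key_blocks` check is the test a practitioner should run on any file before handing it to a client.

```shell
#!/bin/sh
# Added example (not from the thread): certificate-only export from a PKCS#12
# bundle versus the full key-pair, with a check that no private key leaks.
set -eu

WORK="${TMPDIR:-/tmp}/pkcs12-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed CA. Subject and password are constructed for the demo.
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA (constructed)" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    # A PKCS#12 container holds BOTH the private key and the certificate.
    openssl pkcs12 -export -inkey "$WORK/ca.key" -in "$WORK/ca.crt" \
        -name "demo-ca" -passout pass:demo -out "$WORK/ca.p12"
}

# Certificate(s) only (-nokeys): safe to distribute to clients as a trust anchor.
extract_cert_only() {
    openssl pkcs12 -in "$1" -passin pass:demo -nokeys -out "$2" 2>/dev/null
}

# Everything, key included (-nodes leaves the key unencrypted): server-side only.
extract_everything() {
    openssl pkcs12 -in "$1" -passin pass:demo -nodes -out "$2" 2>/dev/null
}

# Number of PEM private-key blocks in a file; must be 0 before the file leaves
# the key holder. grep exits 1 on zero matches, hence "|| true".
private_key_blocks() {
    grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$1" || true
}

# Does the certificate-only file work as a trust anchor? Prints "ok" or "fail".
verify_with_anchor() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_demo_ca
extract_cert_only  "$WORK/ca.p12" "$WORK/trust-anchor.pem"
extract_everything "$WORK/ca.p12" "$WORK/keypair.pem"

echo "private keys in trust-anchor.pem: $(private_key_blocks "$WORK/trust-anchor.pem")"
echo "private keys in keypair.pem:      $(private_key_blocks "$WORK/keypair.pem")"
echo "trust anchor verifies server cert: $(verify_with_anchor "$WORK/trust-anchor.pem" "$WORK/ca.crt")"
```

Run it as `sh pkcs12-demo.sh` on a host with openssl installed. The certificate-only file is the one that goes to the phone; the key-pair file is what a pkcs12 container actually contains, which is why sending the `.p12` itself hands over the ability to impersonate the server.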
