Re: Creating password-protected certs.
In message [EMAIL PROTECTED] on Tue, 30 Apr 2002 06:30:34 -0700 (PDT), Tim Jones [EMAIL PROTECTED] said:

t0psecret Thanks for the help... I'm pretty new at this stuff.
t0psecret So, the private key is protected with the export
t0psecret password, but this is a one-time password that is only
t0psecret used when importing? From my standpoint it would
t0psecret really be nice to have a permanent password on the
t0psecret private key... Is this something that is common with
t0psecret SSL? If not, I'm wondering how Windows would react to
t0psecret such a thing.

It *is* a permanent password. The private key is simply encrypted with that password as a master key.

--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.

OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Creating password-protected certs.
In message [EMAIL PROTECTED] on Mon, 29 Apr 2002 12:22:32 -0700 (PDT), Tim Jones [EMAIL PROTECTED] said:

t0psecret I'm trying to create password-protected client certs
t0psecret with OpenSSL and ssl.ca-0.1.tar.gz. Is this what
t0psecret export password refers to (when creating the key),
t0psecret or is there another way? I'm not sure whether the
t0psecret export password is a permanent password for the cert
t0psecret or just a one-time password used to import the .p12
t0psecret file.
t0psecret
t0psecret If it's the former, it seems as though Windows strips
t0psecret this password when I import the cert, because I'm only
t0psecret asked for it the one time when importing. Is there any
t0psecret way around this?

You're mixing up certificate and private key. The password will protect the private key. The certificate is (or should be) filled with public information only, and therefore doesn't require any password protection.

--
Richard Levitte
Re: Creating password-protected certs.
At 10:52 30.04.2002 +0200, you wrote:

> In message [EMAIL PROTECTED] on Mon, 29 Apr 2002 12:22:32 -0700 (PDT), Tim Jones [EMAIL PROTECTED] said:
>
> t0psecret I'm trying to create password-protected client certs
> t0psecret with OpenSSL and ssl.ca-0.1.tar.gz. Is this what
> t0psecret export password refers to (when creating the key),
> t0psecret or is there another way? I'm not sure whether the
> t0psecret export password is a permanent password for the cert
> t0psecret or just a one-time password used to import the .p12
> t0psecret file.
> t0psecret
> t0psecret If it's the former, it seems as though Windows strips
> t0psecret this password when I import the cert, because I'm only
> t0psecret asked for it the one time when importing. Is there any
> t0psecret way around this?
>
> You're mixing up certificate and private key. The password will
> protect the private key. The certificate is (or should be) filled
> with public information only, and therefore doesn't require any
> password protection.
>
> --
> Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]

That reminds me of a question I once asked, but didn't get a reply:
pkcs#12 files can contain encrypted certificates or unencrypted certificates.
Since, like you notice, the cert doesn't require protection, why can't openssl
generate a pkcs#12 file with encrypted private key, but cleartext cert?

Jörn Sierwald
Re: Creating password-protected certs.
In message [EMAIL PROTECTED] on Tue, 30 Apr 2002 11:03:15 +0200, Joern Sierwald [EMAIL PROTECTED] said:

joern That reminds me of a question I once asked, but didn't get a reply:
joern pkcs#12 files can contain encrypted certificates or unencrypted certificates.
joern Since, like you notice, the cert doesn't require protection, why can't openssl
joern generate pkcs#12 file with encrypted private key, but cleartext cert?

That's a very good question. I think Steve should answer that one, since he implemented the PKCS#12 part... Steve?

--
Richard Levitte
Re: Creating password-protected certs.
--- Richard Levitte - VMS Whacker [EMAIL PROTECTED] wrote:

> In message [EMAIL PROTECTED] on Mon, 29 Apr 2002 12:22:32 -0700 (PDT), Tim Jones [EMAIL PROTECTED] said:
>
> t0psecret I'm trying to create password-protected client certs
> t0psecret with OpenSSL and ssl.ca-0.1.tar.gz. Is this what
> t0psecret export password refers to (when creating the key),
> t0psecret or is there another way? I'm not sure whether the
> t0psecret export password is a permanent password for the cert
> t0psecret or just a one-time password used to import the .p12
> t0psecret file.
> t0psecret
> t0psecret If it's the former, it seems as though Windows strips
> t0psecret this password when I import the cert, because I'm only
> t0psecret asked for it the one time when importing. Is there any
> t0psecret way around this?
>
> You're mixing up certificate and private key. The password will
> protect the private key. The certificate is (or should be) filled
> with public information only, and therefore doesn't require any
> password protection.

Thanks for the help... I'm pretty new at this stuff.

So, the private key is protected with the export password, but this is a one-time password that is only used when importing? From my standpoint it would really be nice to have a permanent password on the private key... Is this something that is common with SSL? If not, I'm wondering how Windows would react to such a thing.
Re: Creating password-protected certs.
On Tue, 30 Apr 2002, Richard Levitte - VMS Whacker wrote:

> In message [EMAIL PROTECTED] on Mon, 29 Apr 2002 12:22:32 -0700 (PDT), Tim Jones [EMAIL PROTECTED] said:
>
> t0psecret I'm trying to create password-protected client certs
> t0psecret with OpenSSL and ssl.ca-0.1.tar.gz. Is this what
> t0psecret export password refers to (when creating the key),
> t0psecret or is there another way? I'm not sure whether the
> t0psecret export password is a permanent password for the cert
> t0psecret or just a one-time password used to import the .p12
> t0psecret file.
> t0psecret
> t0psecret If it's the former, it seems as though Windows strips
> t0psecret this password when I import the cert, because I'm only
> t0psecret asked for it the one time when importing. Is there any
> t0psecret way around this?
>
> You're mixing up certificate and private key. The password will
> protect the private key. The certificate is (or should be) filled
> with public information only, and therefore doesn't require any
> password protection.

PKCS12 also specifies a MAC-based integrity check that uses another password and may be useful for the certificate. Yes, one could ignore the integrity check while parsing PKCS12 data.

just a note,
Vadim
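
Added example, not part of any message in this thread: the layout Jörn Sierwald asks about (encrypted private key, cleartext certificate) and the MAC check Vadim mentions, built with the `-certpbe NONE` and `-nomacver` options of a current `openssl pkcs12`. The subject name, passwords, file names and function names are constructed for illustration, and the throwaway key is generated on the spot.

```shell
#!/bin/sh
# Added example: throwaway key, certificate and passwords are constructed.
set -eu

# Build client.p12 in directory $1, protected with export password $2.
build_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-client" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    # The default -keypbe keeps the key bag encrypted under the password;
    # -certpbe NONE stores the certificate bag unencrypted.
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -certpbe NONE -passout "pass:$2" -out "$1/client.p12"
}

# Print the bag layout (-info writes to stderr); no key or cert is output.
p12_structure() {
    openssl pkcs12 -in "$1/client.p12" -info -noout -passin "pass:$2" 2>&1
}

# Succeeds only if password $2 verifies the MAC and decrypts the key bag.
key_unlocks() {
    openssl pkcs12 -in "$1/client.p12" -nocerts -nodes -passin "pass:$2" \
        -out /dev/null 2>/dev/null
}

# Read the certificate with MAC verification skipped, using password $2.
cert_without_mac() {
    openssl pkcs12 -in "$1/client.p12" -nokeys -nomacver -passin "pass:$2" 2>/dev/null
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_p12 "$work" 'export-pw'
p12_structure "$work" 'export-pw'
key_unlocks "$work" 'export-pw' && echo "key: decrypts with the export password"
key_unlocks "$work" 'wrong-pw' || echo "key: rejected with a wrong password"
cert_without_mac "$work" 'wrong-pw' | grep -c 'BEGIN CERTIFICATE'
```

With the MAC check skipped, the certificate bag is readable with any password, while the key bag in the same file still needs the export password every time it is opened.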