Carl Youngblood wrote:
I'm a little confused by the following part of the Liquid Reality musclecard HOWTO:
If you have a certificate in form of a pkcs#12 keystore (normally .p12) you can
simply import it into the keystore.
By integrating openssl with muscle it should also be possible to generate the
key directly on the card and issue a csr, but I have not yet managed to do
this. But the pkcs12 solution works very well.
You can use the imported certificate and key to sign mails, encrypt/decrypt
mails and access ssl Webservers that require a client certificate.
Does this mean that the RSA public key that I exported from XCard is not enough for me to use inside the Mozilla security manager? I'm not surprised, but then why did I export it in the first place? So, if what I need is a "pkcs12 keystore," how can I generate one of those?
Hi Carl,
the problem is that you do not only need a public/private key pair but also a certificate. If you generate the key on the card with xcard then the private key is normally not readable. That is one of the core security features of smartcards. But if you want to issue a certificate signing request you need to sign it with your private key to prove that you own the key and have the right to get the certificate for this key. As openssl does not work with muscle yet you cannot sign the csr.
So my solution was to create the key externally in openssl. Then issue a csr, get it signed by a certificate authority and export the key and the certificate into a pkcs#12 keystore. This keystore can then be imported to muscle.
If you want an official certificate you do the following:
# First generate an RSA key of 1024 bits and store it in a DES3-protected file
openssl genrsa -des3 -out keyfile 1024
# Then create a certificate request from that key (written to request.csr)
openssl req -new -key keyfile -out request.csr
# You now have to enter some personal data
Then you have a so-called certificate request that is sent to a certificate authority. They check your data and then send you back your certificate.
# At the end you export the key and the certificate to the pkcs#12 keystore
openssl pkcs12 -export -inkey keyfile -certfile othercertfile -in certfile -out mycert.p12
This keystore can be imported into a correctly configured netscape or mozilla. By the way, you can also use this way without muscle. But then your key is stored on the disk. If you store the certificate and key on the card you should delete the key on the disk.
As the above descriptions are not exactly complete you should take a look at:
http://www.kfu.com/~nsayer/encryption/openssl.html
If you want to create your own certificate authority you can look at: http://www.dfn-pca.de/certify/ssl/handbuch/ossl095/ossl095.html This description is in German. Perhaps someone knows a document in English?
They also have an extensive link list: http://www.pki-page.org/#CA
Hope I could help a little.
best regards,
Christian
_______________________________________________ Muscle mailing list [EMAIL PROTECTED] http://lists.drizzle.com/mailman/listinfo/muscle
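The key -> CSR -> certificate -> .p12 procedure from Christian's reply, driven end to end with the openssl command line, as an added example that is not part of the thread. Because the real certificate authority is out of reach when running offline, a throwaway self-signed CA stands in for it here; with a real CA you would send user.csr away and receive user.crt back. The openssl version (1.1 or 3.x), the file names, the passphrase handling via -passin/-passout and the subject strings are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): the key -> CSR -> certificate -> .p12
# flow, driven end to end with the openssl CLI. A throwaway self-signed CA
# replaces the real certificate authority so the script runs offline.
# Assumptions: openssl 1.1 or 3.x on PATH; all file names and subject
# strings are made up for this example.
set -e

build_p12() {
    # $1: working directory, $2: passphrase for the key and the keystore
    dir=$1
    pass=$2
    mkdir -p "$dir"

    # 1. Generate the RSA key on disk, encrypted under a passphrase.
    #    2048 bits: the 1024-bit size in the thread is too short today.
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/user.key" 2048

    # 2. Build the CSR. It is signed with user.key; that signature is the
    #    proof of possession the mail explains, and the step that cannot be
    #    done while the key lives only on the card without openssl support.
    openssl req -new -key "$dir/user.key" -passin "pass:$pass" \
        -subj "/CN=Example User/emailAddress=user@example.org" \
        -out "$dir/user.csr"

    # Stand-in CA: this is what the real CA does after checking your data.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Toy CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/user.crt" 2>/dev/null

    # 3. Bundle private key, end-entity cert and CA cert into the PKCS#12
    #    keystore; -certfile carries the chain the browser needs to validate it.
    openssl pkcs12 -export -inkey "$dir/user.key" -passin "pass:$pass" \
        -in "$dir/user.crt" -certfile "$dir/ca.crt" \
        -passout "pass:$pass" -out "$dir/mycert.p12"

    # Sanity check: the issued certificate chains to our CA.
    openssl verify -CAfile "$dir/ca.crt" "$dir/user.crt" >/dev/null
}

# Dump the keystore (certificates plus the decrypted private key) so the
# caller can confirm both ended up inside before importing it anywhere.
# Fails with a non-zero status if the passphrase is wrong.
p12_contents() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null
}

# Once the .p12 has been imported into the card, the on-disk copies of the
# key are the weak point the mail warns about; remove them.
wipe_disk_key() {
    rm -f "$1/user.key" "$1/mycert.p12"
}
```

Two caveats for anyone following the thread today: with OpenSSL 3 the default PKCS#12 encryption (AES-256-CBC with PBKDF2) is not readable by the old Netscape/Mozilla NSS versions the mail targets, and openssl pkcs12 -export offers a -legacy option that falls back to the older RC2/3DES format for such importers; and the key is generated on disk precisely because the card cannot sign the CSR, so the disk copy must be wiped after the import, which is what wipe_disk_key does.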
