I created a self-signed certificate with the following command:

    openssl x509 -req -days 365 -in blahcsr.pem -signkey blahkey.pem -out blahcert.pem

blahkey.pem was created with the genrsa command. Now, the docs and info I can glean state that the -signkey option causes the resulting output file, in this case "blahcert.pem", to be a self-signed certificate using the private key supplied in the file "blahkey.pem". However, when I tried to use this file (blahcert.pem) in "openssl s_server" or with the "serv" program, what I find is that both bitch that there is no private key. So I concatenated the private key as follows:

    cat blahcert.pem blahkey.pem > goodcert.pem

Sure enough, both "s_server" and "serv" quieted down and became quite contented and well behaved. So my questions are as follows:

1) Clearly there must be a distinction between a certificate signed with a private key and a file which contains both the cert as well as the private key. I originally thought the process of signing a cert resulted in the private key being included in the certificate.

2) When a private key file is generated with, say, "openssl genrsa", both the public and the private parts of the key end up in the file. Clearly, when this key is concatenated as I did into a file such as "goodcert.pem", both parts are known. It seems to me that any software actually using the private key, such as a server, must know both the public and private parts of the key. This would be the case because the server, for instance, must send out the public portion of the key to whatever client it is establishing a connection with, and it must of course have the private part available in order to decode the message coming back. OK, supposing this to be the case: what happens if we create a "goodcert.pem" file with a self-signed cert created with key "A" and a private key "B", where key "A" and key "B" are different? What is used for what?

Will the server say "here is who I am - key "A" identifies me as being legitimate", meanwhile "you can encrypt information for me with key "B""? If so, then key "A" in this scenario is the Certificate Authority key while key "B" is just an arbitrary public key that can be generated at will. Is this 100% correct, or have I missed something?

3) When the self-signed certificate is created as in the x509 command above, what specifically happens? I suspect the public portion of the key is stripped out of the "blahkey.pem" file and pasted into the "blahcert.pem" file and that not much more happens. If so, then the "blahcert.pem" file created above could theoretically be distributed willy-nilly to anyone without compromising security. Is this true?

4) Finally, is there a chart that shows the pieces of this jigsaw puzzle?

Thanks.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                             [EMAIL PROTECTED]
Automated List Manager                                [EMAIL PROTECTED]
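Added example, not from the original post and not OpenSSL's own code: a shell walk-through of the files involved. It generates two RSA keys, self-signs a certificate with the first one exactly as the post does, builds the cert+key bundle the post calls "goodcert.pem", and then applies the same comparison that s_server makes after loading a certificate and a key (SSL_CTX_check_private_key: the public half of the private key must equal the public key inside the certificate). It shows that the certificate file holds no private key block, so it can be handed out freely, and that a certificate signed with key "A" paired with an unrelated key "B" is rejected by that check rather than having "B" used for anything. It assumes the openssl binary is on PATH; the file names, the scratch directory and the CN are arbitrary choices made for the example.

```shell
#!/bin/sh
# Added example, not part of the original post. Walks through the key / CSR /
# self-signed certificate relationship with the openssl command-line tool and
# reproduces the check a TLS server makes when handed a cert+key file.
# Assumes: the openssl binary is on PATH; file names and the CN are arbitrary.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the generated files

# Generate an RSA key file. The PEM block holds the whole key pair: public
# parts (modulus, exponent) and private parts (d, p, q, ...). Keep it secret.
make_key() {
    openssl genrsa -out "$1" 2048 2>/dev/null
}

# Build a CSR from a key and self-sign it with that same key, as in the post.
# Only the public half of the key ends up in the certificate; the private half
# is used once, to produce the signature, and is not copied anywhere.
make_self_signed() {
    key="$1"; csr="$2"; cert="$3"
    openssl req -new -key "$key" -out "$csr" -subj "/CN=blah.example" 2>/dev/null
    openssl x509 -req -days 365 -in "$csr" -signkey "$key" -out "$cert" 2>/dev/null
}

# Count PRIVATE KEY PEM blocks in a file (matches both "RSA PRIVATE KEY" and
# PKCS#8 "PRIVATE KEY" headers). A bare certificate yields 0.
count_private_key_blocks() {
    grep -c -- '-----BEGIN.*PRIVATE KEY-----' "$1" || true
}

# Public key embedded in a certificate, as a PEM SubjectPublicKeyInfo.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey
}

# Public key derived from a private key file, in the same PEM form.
# Works on a cert+key bundle too: openssl skips to the first PRIVATE KEY block.
key_pubkey() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# The test s_server performs after loading a certificate and a key
# (SSL_CTX_check_private_key): the key's public half must equal the public key
# inside the certificate. Prints "match" or "mismatch".
check_pair() {
    if [ "$(cert_pubkey "$1")" = "$(key_pubkey "$2")" ]; then
        echo match
    else
        echo mismatch
    fi
}

# The "goodcert.pem" layout from the post: certificate first, private key after.
bundle() {
    cat "$1" "$2" > "$3"
}

# Walk through the scenario from the post: a cert self-signed with key A,
# checked against key A (the intended pair) and against an unrelated key B.
demo() {
    make_key "$WORK/keyA.pem"
    make_key "$WORK/keyB.pem"
    make_self_signed "$WORK/keyA.pem" "$WORK/csr.pem" "$WORK/cert.pem"
    bundle "$WORK/cert.pem" "$WORK/keyA.pem" "$WORK/goodcert.pem"

    echo "private key blocks in cert.pem:     $(count_private_key_blocks "$WORK/cert.pem")"
    echo "private key blocks in goodcert.pem: $(count_private_key_blocks "$WORK/goodcert.pem")"
    echo "cert.pem + keyA.pem:                $(check_pair "$WORK/cert.pem" "$WORK/keyA.pem")"
    echo "cert.pem + keyB.pem:                $(check_pair "$WORK/cert.pem" "$WORK/keyB.pem")"
    echo "goodcert.pem alone:                 $(check_pair "$WORK/goodcert.pem" "$WORK/goodcert.pem")"
}

demo
```

Run it with sh demo.sh (set WORK=/some/dir to keep the files). The first two lines print 0 and 1: the certificate carries no private material, the bundle carries one private key. The pair lines print match, mismatch, match: keyB is simply not the key the certificate was issued for, and s_server rejects that combination at load time instead of using keyB for anything. For RSA keys the same comparison can be done with openssl x509 -noout -modulus against openssl rsa -noout -modulus, and openssl x509 -in cert.pem -noout -text shows everything the certificate actually contains: subject, issuer, validity, public key and signature.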