I based my GUI fields on the Distinguised Name prompts displayed when I ran the command,
openssl req -new -nodes -keyout private.key -out public.csr
from the command line. These fields included Country Name, State or Province Name,
Locality Name, Organization Name, Organizational Unit Name, Common Name, and Email address.
Additionally, the command prompted for *extra* attributes. These included a challenge
password and optional company name. So the term challenge password came from the openssl
prompt. This challenge password is sent with the certificate request.
I am able to execute the command via the c language "system" call and a public.csr is
generated. I can send this csr to verisign to get a trial id and plug it into code
written by someone else and it appears to work. I am just curious about this challenge password
and what is it used for...and do i want to use it. Also, the private key is in PEM format so
isn't it already encrypted? Do I need to do anything else to it?
Bear Giles <[EMAIL PROTECTED]> wrote:
> When I was
> looking at how other GUI based applications worked, I
> noticed that after all of the common name information
> was entered it asked for the challenge password.
This sounds a bit confused. (Just because someone else
wrote a GUI for this task doesn't mean that they understood
what needed to be done. You need to be sure you understand
what you're doing, not just blindly mimicking another
package.)
If you're authenticating a request with a SPKAC (signed public
key and challenge), instead of a self-signed cert, you need
to include a challenge string in the SPKAC. The purpose of
the challenge string is to prevent a SPKAC being reused by
an imposter, and it is usually specified by the CA when it
provides a template for the certificate request, although
it could also be specified in a way that requires the user
t! o enter the information manually.
The private key should also be encrypted, but that's
usually referred to as a "passphrase" or "password".
A "challenge password" sounds a lot like somebody hearing
"challenge" and assuming it must refer to the private key,
not the SPKAC.
(Aside: do self-signed certs used as requests also include
challenge strings as an "attribute"?)
> question is, after you have generated
> the private key, how do you store it in a token? Then,
> how do you protect the token with a password?
Token? Again this is a bit confusing - when I read
"token" I think of a physical device like a smart card.
Somehow I doubt that's what you mean. ;-)
One standard format for private keys is PKCS8 (see pkcs8(1)).
The keys may be kept as standalone files, or stored in a
database or other type of 'keystore'.
> openssl genrsa -out outfile.pem 1024
openssl genrsa 1024 | openssl pkcs! 8 -topk8 [-v2 bf] -out outfile.pem
but between the pipe and the passphrase I found it easier
to use the C API directly.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail.
