On Sat, Feb 08, 2003, Chandrasekhar R S wrote:

> I have posted a similar message earlier. Hoping to convey myself better and
> get some help this time around.
>
> I have the following scenario -
>
> Client Cert -- Tunnel Server - Tunnel Client -- Backend server.
>
> The requirement is to pass the Client Cert to the Backend server.
>
> I could extract the Client Cert at the Tunnel Server. Tunnel Server and
> Tunnel Client reside in the same program on a machine, hence Tunnel Server
> can pass on the Client Cert to Tunnel Client without much ado.
>
> Now in my Tunnel Client program, I use SSL_use_certificate(ctx, X509*).
> The X509* pointer contains the Client Cert which the Tunnel Server has just
> extracted.
>
> But then I don't have the private key for the Client Cert at the Tunnel
> Client. Hence I could not do a SSL_CTX_use_PrivateKey(ctx,...) at the
> Tunnel Client.
>
> My question is, "Is it possible to just give a Cert for an SSL connection
> (like giving SSL_use_certificate()) without a corresponding
> SSL_use_PrivateKey(..) call made, and expect SSL to somehow generate its own
> keys but take our certificate?"
>
No, because certificates are meant to be public objects and private keys are, erm, private. If you could do that then anyone who had access to a certificate (for example the recipient of signed email) could impersonate the sender or read all their encrypted mail, not to mention impersonating all the public CAs.

Steve.
-- 
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]