Zerg wrote:
> Hi.
> I have such a problem.
> The client side needs to get a certificate from the server side.
> But there is no possibility to generate a certificate request
> on the client. So the server has to do it by itself.
Why? If client can create a key pair, which requires both a good random number generator and significant arithmetic and computational capability, why is simply packing up the data into an ASN.1 formatted CSR such an added burden?
> The client sends all the required data for creating the request except the
> private key of the key pair! The server is assured that the pair is valid by
> an organizational method. Is there a way to create an unsigned request and
> then to generate the certificate from it without verifying the request?
> What ways are there to do it?
As I said before, in another posting, there is a security exposure to accepting a public key without proof that the submitter also has the private key. Doing so allows public keys to be "hijacked". Signing the CSR with the private key supplies that proof.
If you feel that your "organizational method" is sufficient to achieve the level of security you require, I suggest you change the source code of OpenSSL to defeat the test on the signature of a submitted CSR. Then you can make the CSR at the server, sign it with any convenient key, and x509 or ca will accept it. But, this is NOT a good approach.
If you're using ca you might consider making a spkac at the client, but I don't see that as any easier than making a CSR.
Another approach would be to create the key pair at the server, then transport both the certificate and private key to the client. Perhaps your "organizational method" could help provide an adequate level of security for the private key in transit?
> Sorry for my bad English.
I hope I have understood you well enough to give you a functional response.
--
Charles B. (Ben) Cranston
mailto:[EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
