Mark wrote:
Ahh, now I think we are coming back to the thing that seems to confuse most beginners. There are two problems in cryptography, one is secrecy (encryption) and the other is authenticity. The best encryption algorithms will not help you anything if you are encrypting your data with the key of your evil adversary. If you do this the evil one can intercept the message, decrypt it with his private key, re-encrypt it (after having read it) with the true key of your trusted partner and resent it to him. So you have to be sure that the public key you are using to encrypt really belongs to your trusted partner and not your evil adversary. This is where a CA enters the game. A CA signs other public keys and assures that they belong to those entities which are described in the certificate in form of a Canonical Name (CN). So a CA is something like a government which issues passports so you can be sure that the person on the other side on the desk is the one described in the passport if his face is the one on the passport's photo. If you choose to trust a CA you assume that this CA is doing good work and will not let itself trick into signing keys of your evil adversary which contain the CN of your trusted partner. So you do not have to check all your partner's keys yourself.1) you create a private key ( this is the secret key ... )2) you create a public key corresponding to the private key. This key can not be reversed to get a private key, tat is the main advantage of public key cryptography.Ok. I understand this. Would the following command do these two steps in one (combined with my openssl.cnf file)? # openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -nodesEffectively these 2 keys are enough for u to communicate to any others.But there are potential vulnerabilities on using a self signed certificateWhat are the potential vulnerabilities?
Now a self signed certificate is something like someone saying "I am your Trusted Partner. You can trust me because I have a passport which I issued myself". You can believe in this if for example you can check the key's fingerprints with your partner over telephone. But if you received the certificate (which, by the way, contains the public keys) in an unauthenticated eMail this eMail cold as well have been sent by your evil adversary...
Those are standards on how to format certificates and how to package public and private keys.[...]I'm not sure what X509 or PKCS12 are.
It's a Certificate Signing Request. A file containing the public key and additional data (for example the CN) about the owner of this key. A CA should check if those additional data indeed describes the owner and if it is so the CA can generate a certificate (and send this certificate to the owner) which the owner of the key can use to authenticate himself (or herself).[...] I am beginning to get confused again! What is a CSR?
You described it yourself, by doing "openssl ca -in nucreq.pem". But I guess your problem is how to use this certificate/key in an application like an internet browser or mail client. If this is so there are different ways depending on your application. You should be more specific on your (client and server) applications...The following command seems to create a new public and private key: # openssl req -newkey rsa:1024 -keyout nuckey.pem -keyform PEM -out nucreq.pem -nodes -outform PEM What are these key files for? How can I create a certificate for a client?
Hope it helps, Ted ;) -- PGP Public Key Information Download complete Key from http://www.convey.de/ted/tedkey_convey.asc Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
smime.p7s
Description: S/MIME Cryptographic Signature
