> Actually I am using Client Authentication to identify and login to a
> website. But now I want to add the possibility to encrypt files with another
> user's public key.

The reason to encrypt a file with a user's public key would be so that only
that user could decrypt it. If that's really what you want, then that's
really the way to do it. If that's not really what you want, then that's not
the way to do it.

> My question is: Is it possible to use an SSL certificate as a private key?

No, but everyone who has an SSL certificate also has a private key.

> E.g. the following scenario: There are two users, user A and user B. Both
> have a certificate to authenticate and login to site xyz.com. Now user A
> wants to upload a file to xyz.com, but it should be only for user B's eyes.
> So the file gets encrypted automatically by the server with user B's public
> key (all users' public keys are on the server, too).

Note that if the server chooses to do that, then only user B can decrypt it.
Are you sure that's what you want? (As opposed to the server being able to
decrypt it at B's request?)

> Now, when user B logs on, and downloads the file, it gets automatically
> decrypted, using his private key (inside his SSL-Cert).

Yes, that's possible, depending on what you mean by "automatically".

However, your scenario doesn't really make any sense. If you trust the
server, why not have the server encrypt the data with its own key? And if you
don't trust the server, why is user A sending the data unencrypted to the
server?

You need to answer the following question: To precisely what extent are user
A and user B supposed to trust the server? If the answer is "totally", then
you are going to a lot of effort for (perhaps) no reason. If it's "the server
is not trusted with the unencrypted data", then your proposed solution will
only work if user A encrypts the data (after verifying user B's certificate,
which it can receive from the server).

It comes down to a very basic principle of cryptographic system design -- you
have to know what threats your system is supposed to resist.

DS
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
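The two points DS makes (a certificate carries only a public key, and whoever performs the encryption determines who has seen the plaintext) can be shown concretely. The Go program below is an added example written for this page, not code from the thread or from the OpenSSL project. It assumes throwaway self-signed certificates generated in-process for "user A" and "user B" (real deployments would use CA-issued client certificates), and it uses a hybrid construction the thread does not mention: the file is encrypted under a fresh AES-256-GCM key, and that key is wrapped with RSA-OAEP under the public key extracted from B's certificate. The function and type names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Sealed is what the server would store for user B: the file encrypted under a
// fresh AES-256-GCM key, plus that key wrapped with RSA-OAEP under the public
// key taken from B's certificate. Without B's private key the wrap cannot be
// undone, so neither the server nor user A can read the stored file.
type Sealed struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// selfSignedCert builds a throwaway self-signed X.509 certificate standing in
// for a user's "SSL cert" (constructed for this example only; a real client
// certificate would be issued by a CA the site trusts).
func selfSignedCert(name string, key *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// gcmFor returns an AES-GCM AEAD for a 32-byte file key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForCert encrypts plaintext for the holder of the private key matching
// cert. The certificate contributes only the public key; it never contains the
// private key, which is why a certificate on its own cannot decrypt anything.
func SealForCert(cert *x509.Certificate, plaintext []byte) (*Sealed, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA public key")
	}
	fileKey := make([]byte, 32) // one-time AES-256 key for this file
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Sealed{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open reverses SealForCert. With the wrong private key the OAEP unwrap fails,
// so the file key is never recovered and the AES layer is never reached.
func Open(priv *rsa.PrivateKey, s *Sealed) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, s.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed: %w", err)
	}
	gcm, err := gcmFor(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
}

// RunScenario plays out the thread's example: a file is sealed for B using B's
// certificate. It returns what B recovers and whether A's own key could open it.
func RunScenario(file []byte) ([]byte, bool, error) {
	keyA, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	keyB, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	certB, err := selfSignedCert("user B", keyB)
	if err != nil {
		return nil, false, err
	}
	// If A runs this line, the server only ever stores ciphertext. If the server
	// runs it, the server has already seen the plaintext (DS's trust question).
	sealed, err := SealForCert(certB, file)
	if err != nil {
		return nil, false, err
	}
	_, errA := Open(keyA, sealed) // A (or anyone without keyB) gets nothing
	recovered, err := Open(keyB, sealed)
	return recovered, errA == nil, err
}

func main() {
	out, aCouldOpen, err := RunScenario([]byte("for B's eyes only"))
	fmt.Printf("B recovered %q; A could open: %v; err: %v\n", out, aCouldOpen, err)
}
```

The place where SealForCert is called is the whole design decision DS is asking about: if user A calls it after checking B's certificate, the server stores only ciphertext and an attacker who controls the server learns nothing about the file; if the server calls it, the server has already handled the plaintext and the public-key layer only restricts later reads.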