Hi!

Maybe Mathias is in a situation similar to mine?

I have an eToken. At keygen time I told the eToken that my new key is
for encryption/verifying only.
Now I wanted to have a cert req, which should have been signed with
the key, which is encryption-only, enforced by the token. Because the
key is RSA, and the encryption process is the same as the signing
process, it is possible to do it. But not with openssl with the normal
cert req procedure.
Unfortunately I cannot remember whether I did it at last (and how), or
just generated a multiple-use key (which is a hack supported by opensc
for eToken).
I seem to remember a bug report I left in the openssl issue tracker about it.

I have no idea what one could do to have a cert req with an
encryption-only key which has dissimilar algorithms for encryption and
signing (I am not a crypto guru, but heard that there are such key
types. Maybe this is a thing which has something to do with
ellipses ;).

2007/9/30, Michael Sierchio <[EMAIL PROTECTED]>:
>
> Yes. No. Maybe.
>
> Such a question suggests some possible confusion.
>
> A certificate is a binding of a keypair to an identity.
>
> While only the public key is contained in the cert, some proof of possession 
> of the corresponding private key is required.
>
> This usually requires a certificate signing request that includes a component 
> signed using that private key.
>
> The private key need not be present to the signer, and in fact must not be if 
> non-repudiation is desired.
>
> In the case of smart cards and embedded devices, the keypair and CSR are 
> generated and the private key is never exposed.
>
> Google the terms 'PKCS#10' 'SPKAC' and 'CSR'
>
> - Michael
> -----Original Message-----
>
> From:  Mathias Tausig <[EMAIL PROTECTED]>
> Subj:  certificate without private key
> Date:  Sun 2007 Sep 30 14:33
> Size:  459 bytes
> To:  openssl-users@openssl.org
>
> Hi!
>
> Is it possible to create a certificate with openssl without using the
> corresponding private key (which is stored in a smartcard) but with the public
> key only?
>
> Mathias
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
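
The point made in the quoted reply, as an added example that is not part of the original thread: the CA works from the CSR alone, and the CSR's self-signature is the proof of possession. A software RSA key stands in for the smartcard; all file names, subject names and helper function names are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example. File names, subject names and helpers are constructed.

# csr_pop_ok CSR: succeed only if the CSR's self-signature verifies against
# the public key it carries (proof of possession). The output is matched
# because some OpenSSL releases exit 0 even when verification fails.
csr_pop_ok() {
    openssl req -in "$1" -verify -noout 2>&1 | grep -q "verify OK"
}

# make_subject_csr DIR: the key holder's side (a software key stands in for
# the smartcard). The private key is used once, to sign the request.
make_subject_csr() {
    openssl genrsa -out "$1/subject.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/subject.key" -subj "/CN=cardholder.example" \
        -out "$1/subject.csr"
}

# make_ca DIR: throwaway CA key and self-signed certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# ca_issue CSR CADIR OUT: the CA's side. Inputs are the CSR and the CA's own
# key pair; the subject's private key is never read here.
ca_issue() {
    csr_pop_ok "$1" || return 1
    openssl x509 -req -in "$1" -CA "$2/ca.crt" -CAkey "$2/ca.key" \
        -CAcreateserial -days 1 -out "$3" 2>/dev/null
}

# tamper_csr IN OUT: flip one bit in the last DER byte (part of the
# signature) to produce a request that must fail the possession check.
tamper_csr() {
    local der="$2.der" size last
    openssl req -in "$1" -outform DER -out "$der" || return 1
    size=$(wc -c < "$der")
    last=$(tail -c 1 "$der" | od -An -tu1 | tr -d ' \n')
    { head -c $((size - 1)) "$der"
      printf "\\$(printf '%03o' $((last ^ 1)))"; } > "$der.bad"
    openssl req -inform DER -in "$der.bad" -out "$2"
}
```
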