Hello Peter:
On 08/04/10 3:45 AM, peter23452345 wrote:
>
> Hi, I have been trying to create a certificate for use on my WebScarab proxy.
> Essentially what I want to do is this: run a PHP curl script which redirects
> certain HTTPS traffic through the WebScarab proxy so that I can see the
> output from the curl script (PHP curl doesn't provide visibility into the
> HTTP POST string and I need to see this). I have already got this working
> with regular HTTP, but I need HTTPS.
>
> The certificate is on a server which is not under my control:
> https://partner.caltex.com.au/caltexau/default.asp . It's in .crt format but
> WebScarab needs .p12 format. I realise that I will need some kind of key to
> create the .p12 file using this statement:
>
> openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in
> certificate.crt -certfile CACert.crt
>
> However, I don't know where to find this key. I know the key must be somewhere
> on my computer, otherwise the web browser wouldn't be able to view the web
> page. Can someone please tell me where to get the key from?
>

No, you don't need the server's private key to see that web page - you simply need the public key (the key that is contained in the certificate) - all the RSA keys are being used for is to authenticate the server to you. The encryption isn't done using the key, it is done at the TLS/SSL layer, using a symmetric key negotiated between the client and the server. If you are curious as to how this works, the RFC describing the TLS protocol is quite clear.

In order for you to become an SSL proxy and impersonate the server, you need to get the private key from that server. Since you say that the server is not under your control, this means that you are quite likely not authorised to impersonate this server by transparently proxying for it.

It is for exactly this reason that people use TLS/SSL :)

So, the short answer is - until you can convince the administrators of the server that you are proxying for to hand over their private keys, what you want to do is not possible.

Have fun.

Patrick.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
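An added illustration of the point in the reply above (not part of the thread): a .crt file carries only the certificate's public key, and `openssl pkcs12 -export` refuses to build a .p12 unless the matching private key is supplied, so a certificate fetched from someone else's server cannot be turned into a proxy identity on its own. The throwaway key pair, the CN and the export password are constructed for this demo.

```shell
#!/bin/sh
# Added example: demonstrates that the .crt holds only public-key material
# and that a PKCS#12 export needs the private key the client never has.
WORK=$(mktemp -d)

# Constructed throwaway RSA key pair and self-signed cert, standing in for
# a real server's key and certificate. The .key file would live only on
# the server; the .crt is what a browser (or curl) receives.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
}

# Returns 0 if the file parses as a certificate, exposes a public key, and
# contains no private-key block at all.
cert_has_only_public_key() {
  ! grep -q "PRIVATE KEY" "$1" &&
    openssl x509 -in "$1" -noout -pubkey >/dev/null 2>&1
}

# Returns 0 when the export succeeds: this is the server operator's
# situation, holding both the certificate and its private key.
export_p12_with_key() {
  openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
    -out "$WORK/with_key.p12" -passout pass:demo >/dev/null 2>&1
}

# Returns 0 when the export FAILS because no private key is available:
# this is the situation in the thread, holding only the remote .crt.
export_p12_without_key_fails() {
  ! openssl pkcs12 -export -in "$WORK/server.crt" \
    -out "$WORK/no_key.p12" -passout pass:demo >/dev/null 2>&1
}

# Run the three checks in order when executed directly.
run_demo() {
  make_test_cert &&
    cert_has_only_public_key "$WORK/server.crt" &&
    export_p12_with_key &&
    export_p12_without_key_fails
}
```

Run `run_demo && echo ok` after sourcing the script; a 0 exit means all three observations held on your OpenSSL build.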