Re: newbie question -- private key -- encrypted token

2002-01-22 Thread Carolyn Malloy
I based my GUI fields on the Distinguished Name prompts displayed when I ran the command, openssl req -new -nodes -keyout private.key -out public.csr, from the command line. These fields included Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name, and Email address. Additionally, the command prompted for *extra* attributes. These included a challenge password and optional company name. So the term challenge password came from the openssl prompt. This challenge password is sent with the certificate request.
I am able to execute the command via the C language "system" call and a public.csr is generated. I can send this csr to Verisign to get a trial id and plug it into code written by someone else and it appears to work. I am just curious about this challenge password and what it is used for... and do I want to use it. Also, the private key is in PEM format so isn't it already encrypted? Do I need to do anything else to it?
  Bear Giles <[EMAIL PROTECTED]> wrote: 
> When I was looking at how other GUI based applications worked, I
> noticed that after all of the common name information was entered it
> asked for the challenge password.

This sounds a bit confused. (Just because someone else wrote a GUI for this task doesn't mean that they understood what needed to be done. You need to be sure you understand what you're doing, not just blindly mimicking another package.)

If you're authenticating a request with a SPKAC (signed public key and challenge), instead of a self-signed cert, you need to include a challenge string in the SPKAC. The purpose of the challenge string is to prevent a SPKAC being reused by an imposter, and it is usually specified by the CA when it provides a template for the certificate request, although it could also be specified in a way that requires the user to enter the information manually.

The private key should also be encrypted, but that's usually referred to as a "passphrase" or "password". A "challenge password" sounds a lot like somebody hearing "challenge" and assuming it must refer to the private key, not the SPKAC.

(Aside: do self-signed certs used as requests also include challenge strings as an "attribute"?)

> question is, after you have generated the private key, how do you
> store it in a token? Then, how do you protect the token with a
> password?

Token? Again this is a bit confusing - when I read "token" I think of a physical device like a smart card. Somehow I doubt that's what you mean. ;-)

One standard format for private keys is PKCS8 (see pkcs8(1)). The keys may be kept as standalone files, or stored in a database or other type of 'keystore'.

> openssl genrsa -out outfile.pem 1024

openssl genrsa 1024 | openssl pkcs8 -topk8 [-v2 bf] -out outfile.pem

but between the pipe and the passphrase I found it easier to use the C API directly.
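The point of this exchange is that a PEM file is only an encoding: a key written with -nodes is plaintext, and it only becomes encrypted once you wrap it, as in the genrsa | pkcs8 -topk8 pipeline above. The script below is an added example, not from the thread or the OpenSSL project; it assumes the openssl command is on PATH, uses a 2048-bit key and AES-256-CBC for -v2 instead of the thread's 1024 bits and Blowfish (Blowfish is in the legacy provider in OpenSSL 3), and feeds the passphrase from a mode-0600 file rather than the terminal. The passphrase value is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): wrap an RSA key in encrypted PKCS#8
# and check that the plain PEM key really is unencrypted while the PKCS#8
# copy needs the passphrase. Assumes the openssl CLI is installed.
set -eu

# make_keys DIR PASSPHRASE: write plain.pem (PEM, unencrypted) and enc.pem
# (PKCS#8, PBES2-encrypted). The passphrase goes into DIR/pass.txt so it is
# never a command-line argument, where `ps` could show it.
make_keys() {
    dir=$1; pass=$2
    ( umask 077; printf '%s' "$pass" > "$dir/pass.txt" )
    # What `openssl req -nodes -keyout` leaves you with: PEM, but plaintext.
    openssl genrsa -out "$dir/plain.pem" 2048 2>/dev/null
    # Same key material, wrapped in encrypted PKCS#8 (PBES2 via -v2).
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$dir/plain.pem" \
        -passout "file:$dir/pass.txt" -out "$dir/enc.pem"
}

# is_encrypted_pem FILE: succeed only if FILE is encrypted PKCS#8.
is_encrypted_pem() {
    grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# unlocks_with KEYFILE PASSFILE: succeed if the passphrase decrypts the key.
unlocks_with() {
    openssl pkcs8 -in "$1" -passin "file:$2" -out /dev/null 2>/dev/null
}

# same_public_key PLAIN ENC PASSFILE: succeed if both files hold one key.
same_public_key() {
    a=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    b=$(openssl pkey -in "$2" -passin "file:$3" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# demo DIR: run the steps above and report what each file actually is.
demo() {
    make_keys "$1" 'constructed-demo-passphrase'
    for f in plain.pem enc.pem; do
        if is_encrypted_pem "$1/$f"; then echo "$f: encrypted PKCS#8"
        else echo "$f: PEM but NOT encrypted"; fi
    done
    same_public_key "$1/plain.pem" "$1/enc.pem" "$1/pass.txt" \
        && echo "enc.pem unlocks and matches plain.pem"
}

if [ $# -gt 0 ]; then demo "$1"; fi
```

Run it as `sh script.sh /some/empty/dir`; the passphrase file and the unencrypted plain.pem it leaves behind are exactly the artifacts you would delete or never write in real use.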

newbie question on installing certificate request

2002-01-13 Thread Carolyn Malloy
I have generated a CSR, and sent it to Verisign. Verisign sent me back an e-mail. From this email, what do I use to install the certificate, and what command do I use to install the certificate I received from Verisign?
Thanks
Carolyn

Newbie question on generating a certificate request

2002-01-09 Thread Carolyn Malloy
Greetings All,
I am very new to openssl and am having some difficulty finding the information on generating a certificate request. What I really want to do is obtain the distinguished name information via a web page, then pass that information into the openssl call (specifically I want to do openssl req -in file -nodes -keyout key.pem -out out.pem, where file is the information submitted by the user via the web page). However, in order to use the "-in" qualifier I believe the input file has to be in PEM format (or that is what I believe I have gathered from the openssl.org site). Is this the case? If so, how do I convert the file from ASCII to PEM? Also, should there be field names associated with the data from the distinguished name (i.e. key value pairs)? If so, what exactly should these be? If this is documented someplace, PLEASE point me in the direction of the documentation.
Thank you,
Carolyn