From owner-freebsd-doc@FreeBSD.ORG Fri May 13 18:41:01 2005
In-Reply-To: <42804274.4050002@brettschroeder.name>
References: <42804274.4050002@brettschroeder.name>
Message-Id: <9cfae07f8f5c8f5d261e05f0d7355bdd@submonkey.net>
From: Ceri Davies
Date: Fri, 13 May 2005 19:40:46 +0100
To: freebsd-doc@freebsd.org
Cc: brett@brettschroeder.name, Ceri Davies
Subject: Re: OpenSSL: Handbook says "send *private* key to CA" ??

On 10 May 2005, at 06:11, Brett Schroeder wrote:

> # openssl req -new -nodes -out req.pem -keyout cert.pem
>
> and then a few lines later the text says
>
> "A cert.pem file should now exist in the directory which the
> aforementioned command was issued. This is the certificate which may be
> sent to any CA for signing."
>
> From the "openssl req" man page
>
>     -keyout filename
>         this gives the filename to write the newly created private key to.
>         If this option is not specified then the filename present in the
>         configuration file is used.
>
> Thoughts?

[Liberal snippage in the above]

Hi Brett,

You're quite right about this; how do you find the attached diff?

Ceri

Content-Disposition: attachment; filename=ca.diff

Index: chapter.sgml
===================================================================
RCS file: /home/dcvs/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v
retrieving revision 1.270
diff -u -r1.270 chapter.sgml
--- chapter.sgml	27 Apr 2005 23:12:08 -0000	1.270
+++ chapter.sgml	13 May 2005 18:37:57 -0000
@@ -3072,10 +3072,15 @@ are available. A complete list may be obtained by viewing the &man.openssl.1; manual page. - A cert.pem file should now exist in - the directory which the aforementioned command was issued. This - is the certificate which may be sent to any - CA for signing. + Two files should now exist in + the directory in which the aforementioned command was issued. + The certificate request, req.pem, may be + sent to a certificate authority who will validate the credentials + that you entered, sign the request and return the certificate to + you. The second file created will be named cert.pem + and is the private key for the certificate and should be + protected at all costs; if this falls in the hands of others it + can be used to impersonate you (or your server). In cases where a signature from a CA is not required, a self signed certificate can be created. First,
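Review bot: the new text says cert.pem "should be protected at all costs" but gives the reader no concrete step, and because the command quoted above passes -nodes the key is written to disk unencrypted; suggest adding to the "+" lines a sentence such as "Restrict access to it immediately, for example with chmod 0600 cert.pem, and never send it to the CA." It would also help to say that the file is called cert.pem only because the command passed -keyout cert.pem, so the name does not mislead the reader into thinking it is a certificate. Two smaller wording points: "a certificate authority who will validate" reads better as "which will validate", and "falls in the hands of others" should be "falls into the hands of others".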
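To make the distinction the patch draws concrete, here is an added shell example (not from the handbook, the thread or the FreeBSD project) that runs the handbook's command non-interactively, classifies each resulting PEM file, confirms the request's public key belongs to the key that was generated alongside it, and locks the key file down; the subject demo.example and the scratch directory are constructed for the demo.

```shell
#!/bin/sh
# Added example: reproduce the handbook command in a scratch directory,
# then prove which file is the private key and which is the certificate
# request before anything is sent to a CA. Subject and directory are
# constructed for this demo.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
cd "$WORKDIR"

# The handbook command, run non-interactively with a constructed subject.
# -nodes leaves the private key unencrypted on disk, so -keyout cert.pem
# produces an unprotected key under a misleading name.
openssl req -new -nodes -batch -subj "/CN=demo.example" \
    -out req.pem -keyout cert.pem 2>/dev/null

# Classify a PEM file by its label and confirm it parses as that object.
# Prints KEY, REQUEST or UNKNOWN.
pem_kind() {
    if grep -q 'BEGIN .*PRIVATE KEY' "$1"; then
        openssl pkey -in "$1" -noout >/dev/null 2>&1 && echo KEY
    elif grep -q 'BEGIN CERTIFICATE REQUEST' "$1"; then
        openssl req -in "$1" -noout -verify >/dev/null 2>&1 && echo REQUEST
    else
        echo UNKNOWN
    fi
}

# The request is only useful if it carries the public half of this key:
# extract both public keys as PEM and compare them byte for byte.
key_matches_request() {
    openssl pkey -in "$1" -pubout >key.pub 2>/dev/null || return 1
    openssl req -in "$2" -pubkey -noout >req.pub 2>/dev/null || return 1
    [ -s key.pub ] && cmp -s key.pub req.pub
}

# Guard for the step the handbook describes: only a REQUEST may leave the
# machine; a private key under any name must be refused.
ok_to_send_to_ca() {
    [ "$(pem_kind "$1")" = REQUEST ]
}

# Lock the key down before anything else touches it.
chmod 0600 cert.pem

printf '%s is %s\n' cert.pem "$(pem_kind cert.pem)"
printf '%s is %s\n' req.pem "$(pem_kind req.pem)"
```

Running it prints that cert.pem is KEY and req.pem is REQUEST, which is exactly the mix-up the handbook text invited.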