Date: Fri, 13 May 2005 19:40:46 +0100
From: Ceri Davies <ceri@submonkey.net>
To: freebsd-doc@freebsd.org
Cc: Ceri Davies <ceri@freebsd.org>
Subject: Re: OpenSSL: Handbook says "send *private* key to CA" ??
Message-ID: <9cfae07f8f5c8f5d261e05f0d7355bdd@submonkey.net>
In-Reply-To: <42804274.4050002@brettschroeder.name>
References: <42804274.4050002@brettschroeder.name>
On 10 May 2005, at 06:11, Brett Schroeder wrote:

> # openssl req -new -nodes -out req.pem -keyout cert.pem
>
> and then a few lines later the text says
>
> "A cert.pem file should now exist in the directory which the
> aforementioned command was issued. This is the certificate which may be
> sent to any CA for signing."
>
> From the "openssl req" man page
>
> -keyout filename
>     this gives the filename to write the newly created private key to.
>     If this option is not specified then the filename present in the
>     configuration file is used.
>
> Thoughts?

[Liberal snippage in the above]

Hi Brett,

You're quite right about this; how do you find the attached diff?

Ceri

Attachment: ca.diff

Index: chapter.sgml
===================================================================
RCS file: /home/dcvs/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v
retrieving revision 1.270
diff -u -r1.270 chapter.sgml
--- chapter.sgml 27 Apr 2005 23:12:08 -0000 1.270
+++ chapter.sgml 13 May 2005 18:37:57 -0000
@@ -3072,10 +3072,15 @@ are available. A complete list may be obtained by viewing the &man.openssl.1; manual page.</para> - <para>A <filename>cert.pem</filename> file should now exist in - the directory which the aforementioned command was issued. This - is the certificate which may be sent to any - <acronym>CA</acronym> for signing.</para> + <para>Two files should now exist in + the directory in which the aforementioned command was issued. + The certificate request, <filename>req.pem</filename>, may be + sent to a certificate authority who will validate the credentials + that you entered, sign the request and return the certificate to + you. The second file created will be named <filename>cert.pem</filename> + and is the private key for the certificate and should be + protected at all costs; if this falls in the hands of others it + can be used to impersonate you (or your server).</para> <para>In cases where a signature from a <acronym>CA</acronym> is not required, a self signed certificate can be created. First,
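Review bot: The corrected paragraph still has to explain that a file named cert.pem is not a certificate, because the handbook's command a few lines earlier writes the key with `-keyout cert.pem`; changing that command to `-keyout key.pem` and saying "The second file created will be named <filename>key.pem</filename>" would remove the confusion instead of documenting it. Since the same command passes `-nodes`, the key is written unencrypted, so "protected at all costs" would be more useful with the concrete step a reader can take (restrict the file's permissions to the owner). Two small style points in the added text: "a certificate authority who will validate" should read "which will validate", and the last sentence chains three clauses with "and"; splitting it after "private key for the certificate" reads better.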
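As an added example (not code from the handbook, this mail, or the FreeBSD documentation project): the handbook's `openssl req` invocation with the key written to key.pem instead of cert.pem, plus checks that tell the request apart from the private key before anything is sent to a CA. It assumes openssl(1) is on PATH; the subject, the file names and the 2048-bit RSA key size are assumptions, not from the page.

```shell
#!/bin/sh
# Added example, not from the handbook or the mail thread.
# Creates req.pem (the CSR) and key.pem (the private key) in directory $1.
# -nodes leaves the key unencrypted, as in the handbook command, so the key
# file is created with owner-only permissions from the start.
gen_csr() {
    dir=$1
    ( umask 077 && openssl req -new -nodes -newkey rsa:2048 \
        -subj '/C=XX/ST=Example/L=Example/O=Example Org/CN=www.example.test' \
        -out "$dir/req.pem" -keyout "$dir/key.pem" >/dev/null 2>&1 ) || return 1
    chmod 0600 "$dir/key.pem"
}

# Returns 0 if $1 is a certificate request (the file a CA should receive):
# it must parse as a CSR with a valid self-signature and contain no key.
is_csr() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 \
        && ! grep -q 'PRIVATE KEY' "$1"
}

# Returns 0 if $1 is a private key (the file that must never leave the host).
is_private_key() {
    openssl pkey -in "$1" -noout >/dev/null 2>&1
}

# Returns 0 if the CSR in $1 carries the public half of the key in $2,
# i.e. the two files produced by one gen_csr run belong together.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
```

Running `is_csr` on the file you are about to upload is the check that would have caught the handbook's mistake: the file the old text told readers to send fails it, because it is a key.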
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9cfae07f8f5c8f5d261e05f0d7355bdd>