Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 24 Apr 2013 17:02:03 -0700
From:      Charles Swiger <cswiger@mac.com>
To:        nightrecon@hotmail.com
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Home WiFi Router with pfSense or m0n0wall?
Message-ID:  <CFCDA89C-896D-4A9A-A517-1F84FFAAB7A8@mac.com>
In-Reply-To: <kl9goj$6vq$1@ger.gmane.org>
References:  <CAHieY7S9b9F1jndpkR2Drw=GCoBxmEWRs6Ot8MRjjQFH=xmHQQ@mail.gmail.com> <kl0qu9$ovo$1@ger.gmane.org> <CAHieY7SSbO+wt68PeFLYDzAtqMnR0kJ3UakOjvLkSMzVA31LbA@mail.gmail.com> <kl3vao$hbt$1@ger.gmane.org> <CAHieY7QNqfvwyB4_ZM-df72qTnY06vi7sk1gcvpSAfcwAifC8A@mail.gmail.com> <kl441k$6sg$1@ger.gmane.org> <CAHieY7ROZtpcmapzgrDb=EANaZZJkLjmZjf-3WuV-SrULdUG0Q@mail.gmail.com> <kl47p4$f23$1@ger.gmane.org> <51763692.8010805@qeng-ho.org> <kl9goj$6vq$1@ger.gmane.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Hi--

On Apr 24, 2013, at 1:53 PM, Michael Powell <nightrecon@hotmail.com> =
wrote:
> This is along the lines of what I was thinking. I am my own CA and can=20=

> generate certs that no one else has the private keys to.

So can someone who does not run their own CA...?

> The problem with buying certs from a provider is the gov't has access
> to the private keys on demand.

Um, how does that work when they don't have your private keys?

People generate a CSR which they send to a public CA like =
Verisign/Entrust/et al
for signing.  That CSR contains the RSA public key, and a matching =
signature
created by the private key to authenticate the CSR request, but it does =
not
contain the private key itself.

Consider:

   openssl req -newkey rsa:2048 -keyout key.pem -out req.pem
   openssl req -in req.pem -text -verify -noout
   ls -l key.pem req.pem

...or even go through the explicit process of seeing the different data =
available:

   openssl rsa -in key.pem -pubout -out pubkey.pem
   openssl rsa -in key.pem -text -noout
   openssl rsa -pubin -in pubkey.pem -text -noout

[ A CSR is about half of the size of the private+public key file; and =
the public key
by itself is a quarter the size of the private+public key file.  And =
even possessing
key.pem doesn't disclose the private key, since there's a password =
needed.  Unless
you make an effort to export the key without a password, that is. ]

Regards,
--=20
-Chuck




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?CFCDA89C-896D-4A9A-A517-1F84FFAAB7A8>