Date:      Wed, 24 Apr 2013 17:02:03 -0700
From:      Charles Swiger <>
Subject:   Re: Home WiFi Router with pfSense or m0n0wall?
Message-ID:  <>
In-Reply-To: <kl9goj$6vq$>
References:  <> <kl0qu9$ovo$> <> <kl3vao$hbt$> <> <kl441k$6sg$> <> <kl47p4$f23$> <> <kl9goj$6vq$>


On Apr 24, 2013, at 1:53 PM, Michael Powell <> wrote:
> This is along the lines of what I was thinking. I am my own CA and can
> generate certs that no one else has the private keys to.

So can someone who does not run their own CA...?

> The problem with buying certs from a provider is the gov't has access
> to the private keys on demand.

Um, how does that work when they don't have your private keys?

People generate a CSR which they send to a public CA like
Verisign/Entrust/et al for signing.  That CSR contains the RSA public key,
and a matching signature created by the private key to authenticate the
CSR request, but it does not contain the private key itself.


   openssl req -newkey rsa:2048 -keyout key.pem -out req.pem
   openssl req -in req.pem -text -verify -noout
   ls -l key.pem req.pem

...or even go through the explicit process of seeing the different data:

   openssl rsa -in key.pem -pubout -out pubkey.pem
   openssl rsa -in key.pem -text -noout
   openssl rsa -pubin -in pubkey.pem -text -noout

[ A CSR is about half of the size of the private+public key file; and
the public key by itself is a quarter the size of the private+public key
file.  And even possessing key.pem doesn't disclose the private key,
since there's a password needed.  Unless you make an effort to export
the key without a password, that is. ]


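The checks below are an added example, not part of the original thread, and were not written by either poster. They script the same openssl steps non-interactively and test the claims made in the message: the CSR carries the public key and a self-signature but no private-key material, the public key inside the CSR is the one derived from key.pem, the key file on disk is stored encrypted, and the three files come out in the size order described. The subject name and passphrase are constructed values; a local `openssl` binary is assumed.

```shell
#!/bin/sh
# Added example, not from the original message: generate a passphrase-
# protected RSA key and a CSR, then verify what each file does and does
# not contain. Subject and passphrase below are constructed values.
set -eu

PASS="pass:example-passphrase"      # constructed; never reuse for real keys
WORK=$(mktemp -d)

# Private key plus CSR in one step, the same command the message shows,
# made non-interactive with -subj and -passout.
openssl req -new -newkey rsa:2048 -keyout "$WORK/key.pem" -out "$WORK/req.pem" \
    -subj "/CN=router.example.test" -passout "$PASS" >/dev/null 2>&1

# Returns 0 when the CSR carries no private-key PEM block and its
# self-signature verifies under the public key embedded in it.
csr_has_no_private_key() {
    ! grep -q "PRIVATE KEY" "$WORK/req.pem" \
    && openssl req -in "$WORK/req.pem" -noout -verify >/dev/null 2>&1
}

# Returns 0 when the public key extracted from the CSR is byte-for-byte
# the one derived from key.pem: the CSR proves possession of the private
# key without revealing it.
csr_pubkey_matches_private() {
    openssl req -in "$WORK/req.pem" -noout -pubkey > "$WORK/from_csr.pem"
    openssl rsa -in "$WORK/key.pem" -passin "$PASS" -pubout \
        -out "$WORK/from_key.pem" 2>/dev/null
    cmp -s "$WORK/from_csr.pem" "$WORK/from_key.pem"
}

# Returns 0 when key.pem is stored encrypted, matching either the PKCS#8
# "ENCRYPTED PRIVATE KEY" header or the legacy "Proc-Type: 4,ENCRYPTED" line.
key_file_is_encrypted() {
    grep -q "ENCRYPTED" "$WORK/key.pem"
}

# Returns 0 when the sizes come out in the order the message describes:
# key file > CSR > bare public key.
sizes_ordered() {
    csr_pubkey_matches_private
    key=$(wc -c < "$WORK/key.pem")
    csr=$(wc -c < "$WORK/req.pem")
    pub=$(wc -c < "$WORK/from_key.pem")
    [ "$key" -gt "$csr" ] && [ "$csr" -gt "$pub" ]
}
```

Run it as a script and call the functions in sequence; each returns non-zero (and, under `set -e`, aborts) if the corresponding claim fails. The `-passout`/`-passin pass:` form keeps the run scriptable but leaves the passphrase visible in the process list, so for anything beyond a demonstration use `file:` or `env:` sources instead.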