Date: Wed, 24 Apr 2013 17:02:03 -0700
From: Charles Swiger <cswiger@mac.com>
To: nightrecon@hotmail.com
Cc: freebsd-questions@freebsd.org
Subject: Re: Home WiFi Router with pfSense or m0n0wall?
Message-ID: <CFCDA89C-896D-4A9A-A517-1F84FFAAB7A8@mac.com>
In-Reply-To: <kl9goj$6vq$1@ger.gmane.org>
References: <CAHieY7S9b9F1jndpkR2Drw=GCoBxmEWRs6Ot8MRjjQFH=xmHQQ@mail.gmail.com> <kl0qu9$ovo$1@ger.gmane.org> <CAHieY7SSbO%2Bwt68PeFLYDzAtqMnR0kJ3UakOjvLkSMzVA31LbA@mail.gmail.com> <kl3vao$hbt$1@ger.gmane.org> <CAHieY7QNqfvwyB4_ZM-df72qTnY06vi7sk1gcvpSAfcwAifC8A@mail.gmail.com> <kl441k$6sg$1@ger.gmane.org> <CAHieY7ROZtpcmapzgrDb=EANaZZJkLjmZjf-3WuV-SrULdUG0Q@mail.gmail.com> <kl47p4$f23$1@ger.gmane.org> <51763692.8010805@qeng-ho.org> <kl9goj$6vq$1@ger.gmane.org>
Hi--

On Apr 24, 2013, at 1:53 PM, Michael Powell <nightrecon@hotmail.com> wrote:
> This is along the lines of what I was thinking. I am my own CA and can
> generate certs that no one else has the private keys to.

So can someone who does not run their own CA...?

> The problem with buying certs from a provider is the gov't has access
> to the private keys on demand.

Um, how does that work when they don't have your private keys?

People generate a CSR which they send to a public CA like Verisign/Entrust/et al for signing. That CSR contains the RSA public key, and a matching signature created by the private key to authenticate the CSR request, but it does not contain the private key itself. Consider:

    openssl req -newkey rsa:2048 -keyout key.pem -out req.pem
    openssl req -in req.pem -text -verify -noout
    ls -l key.pem req.pem

...or even go through the explicit process of seeing the different data available:

    openssl rsa -in key.pem -pubout -out pubkey.pem
    openssl rsa -in key.pem -text -noout
    openssl rsa -pubin -in pubkey.pem -text -noout

[ A CSR is about half of the size of the private+public key file; and the public key by itself is a quarter the size of the private+public key file. And even possessing key.pem doesn't disclose the private key, since there's a password needed. Unless you make an effort to export the key without a password, that is. ]

Regards,
-- 
-Chuck
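The following script is an added example, not part of Chuck's message or the FreeBSD list. It automates the point he makes: it generates a key and CSR, confirms the CSR's self-signature verifies, confirms the request file contains no private-key block, and shows that the public key embedded in the CSR is byte-for-byte the one derived from key.pem. It also shows the flip side: a CSR whose body has been altered no longer verifies. It assumes `openssl` is in PATH; unlike the commands above, it passes `-nodes` so the key is written unencrypted into a temporary directory (removed afterwards) and the demo runs without a passphrase prompt. The subject `/CN=example.test` is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes openssl is in PATH.
# Uses -nodes (unencrypted key in a temp dir) so it runs unattended; the
# original commands instead protect key.pem with a passphrase.

# make_csr DIR: write a fresh RSA key pair to DIR/key.pem and a CSR signed
# by it to DIR/req.pem. The subject is a constructed placeholder.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$1/key.pem" -out "$1/req.pem" >/dev/null 2>&1
}

# csr_demo: check the three properties the message describes and return 0
# only if all hold:
#   1. the CSR's self-signature verifies (it was produced by the private key),
#   2. the CSR file carries no private-key material,
#   3. the public key inside the CSR equals the one derived from key.pem.
csr_demo() {
    dir=$(mktemp -d) || return 1
    make_csr "$dir" || { rm -rf "$dir"; return 1; }

    # 1. Signature check over the request body.
    openssl req -in "$dir/req.pem" -verify -noout >/dev/null 2>&1 \
        || { rm -rf "$dir"; return 1; }

    # 2. No PEM private-key block in the request; the key file does have one.
    if grep -q "PRIVATE KEY" "$dir/req.pem"; then rm -rf "$dir"; return 1; fi
    grep -q "PRIVATE KEY" "$dir/key.pem" || { rm -rf "$dir"; return 1; }

    # 3. Extract the public key from both files and compare byte for byte.
    openssl req -in "$dir/req.pem" -pubkey -noout > "$dir/pub_from_csr.pem" 2>/dev/null
    openssl rsa -in "$dir/key.pem" -pubout -out "$dir/pub_from_key.pem" 2>/dev/null
    cmp -s "$dir/pub_from_csr.pem" "$dir/pub_from_key.pem" \
        || { rm -rf "$dir"; return 1; }

    echo "CSR verifies, holds no private key, and its public key matches key.pem"
    echo "sizes: key.pem $(wc -c < "$dir/key.pem") bytes, req.pem $(wc -c < "$dir/req.pem") bytes"
    rm -rf "$dir"
    return 0
}

# tampered_csr_rejected: change the case of letters on one base64 line of the
# CSR body and confirm that -verify now fails, i.e. the signature binds the
# request content. Returns 0 when the altered request is rejected.
tampered_csr_rejected() {
    dir=$(mktemp -d) || return 1
    make_csr "$dir" || { rm -rf "$dir"; return 1; }
    # Line 3 lies inside the base64 body (line 1 is the BEGIN marker).
    sed '3y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/' \
        "$dir/req.pem" > "$dir/bad.pem"
    if openssl req -in "$dir/bad.pem" -verify -noout >/dev/null 2>&1; then
        rm -rf "$dir"; return 1   # altered CSR still verified: not expected
    fi
    rm -rf "$dir"
    return 0
}

# Usage when run directly:
csr_demo
tampered_csr_rejected && echo "altered CSR correctly rejected"
```

Step 3 is the same check a CA or an operator performs to confirm that a CSR (or an issued certificate) belongs to a given private key; comparing the two public keys, or equivalently their moduli, is enough, and at no point does the private key leave key.pem.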