From: Brett Schroeder
Date: Mon, 09 May 2005 22:11:16 -0700
To: freebsd-doc@freebsd.org
Subject: OpenSSL: Handbook says "send *private* key to CA" ??

Hi

In section 14.9.1 "Generating Certificates" of the OpenSSL security sub-chapter, the following command is used to generate a private key and certificate signing request of the public key

    # openssl req -new -nodes -out req.pem -keyout cert.pem
    Generating a 1024 bit RSA private key
    ................++++++
    .......................................++++++
    writing new private key to 'cert.pem'

>>>>>>>>>> cut >>>>>>>>>>>>>>>>>>>>

and then a few lines later the text says

"A cert.pem file should now exist in the directory which the aforementioned command was issued. This is the certificate which may be sent to any CA for signing."

From the "openssl req" man page

    -keyout filename
        this gives the filename to write the newly created private key to. If this option is not specified then the filename present in the configuration file is used.

It seems to me that the handbook is suggesting you send your *private* key to a Certificate Authority. This would immediately make the private key useless and compromise the security of whatever you were trying to protect.

The paragraph in question should rather read something like this

"A req.pem file should now exist in the directory in which the aforementioned command was issued. This is the certificate which may be sent to any CA for signing. The other file, cert.pem, is your private key and should be protected at all costs - it is, after all, your private key. If somebody else had your private key they could decrypt all your communications. This file should be owned and readable by root only."

Thoughts?

Brett
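
The file-name confusion described in the message above can be caught mechanically by checking PEM labels before anything is sent to a CA. The following is an added example, not part of the original message or the Handbook; the function names are illustrative and the sample files are constructed with placeholder bodies.

```shell
#!/bin/sh
# Added example, not from the original message. Decide by PEM label, not by
# file name, which output of
#   openssl req -new -nodes -out req.pem -keyout cert.pem
# may leave the machine. Function names are illustrative.

# Succeed if FILE contains any private key block
# (PRIVATE KEY, RSA PRIVATE KEY, ENCRYPTED PRIVATE KEY, ...).
has_private_key() {
    grep -q '^-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Succeed only if FILE holds a signing request and no private key.
safe_to_send_to_ca() {
    [ -r "$1" ] || return 1
    if has_private_key "$1"; then return 1; fi
    grep -Eq '^-----BEGIN (NEW )?CERTIFICATE REQUEST-----' "$1"
}

# Succeed if FILE grants nothing to group or other (mode 0600, 0400, ...).
key_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample files: real PEM labels, placeholder bodies.
make_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$1/cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE REQUEST-----' > "$1/req.pem"
    chmod 644 "$1/cert.pem" "$1/req.pem"
}

demo() {
    d=$(mktemp -d) || return 1
    make_samples "$d"
    for f in "$d/req.pem" "$d/cert.pem"; do
        if safe_to_send_to_ca "$f"; then
            echo "${f##*/}: signing request, may be sent to the CA"
        else
            echo "${f##*/}: not a bare signing request, keep it local"
        fi
    done
    key_perms_ok "$d/cert.pem" || echo "cert.pem: group/other access, chmod 600"
    rm -rf "$d"
}
demo
```

A file that holds both a key and a request is also rejected, since the private-key check runs first.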