OpenSSL: Handbook says "send *private* key to CA" ??

Brett Schroeder brett at brettschroeder.name
Tue May 10 05:11:12 UTC 2005


Hi

In section 14.9.1 "Generating Certificates" of the OpenSSL security
sub-chapter, the following command is used to generate a private key and
a certificate signing request of the public key:

# openssl req -new -nodes -out req.pem -keyout cert.pem
Generating a 1024 bit RSA private key
................++++++
.......................................++++++
writing new private key to 'cert.pem'
>>>>>>>>>> cut >>>>>>>>>>>>>>>>>>>>

and then a few lines later the text says:

"A cert.pem file should now exist in the directory which the
aforementioned command was issued. This is the certificate which may be
sent to any CA for signing."

From the "openssl req" man page:

  -keyout filename
         this gives the filename to write the newly created private key to.
         If this option is not specified then the filename present in the
         configuration file is used.

It seems to me that the handbook is suggesting you send your *private*
key to a Certificate Authority. This would immediately make the private
key useless and compromise the security of whatever you were trying to
protect.

The paragraph in question should rather read something like this:

"A req.pem file should now exist in the directory in which the
aforementioned command was issued. This is the certificate which may be
sent to any CA for signing. The other file, cert.pem, is your private
key and should be protected at all costs - it is, after all, your
private key. If somebody else had your private key they could decrypt
all your communications. This file should be owned and readable by root
only."

Thoughts?

Brett
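As an added example (not from the Handbook and not part of Brett's mail), a small POSIX shell script that runs the same "openssl req" step with unambiguous file names and then checks, before anything is sent to a CA, which file is the private key and which is the CSR. It assumes openssl(1) is installed; the names key.pem and req.pem and the subject /CN=example.test are my own choices, and -nodes is kept to match the Handbook's command, so the key is written unencrypted.

```shell
#!/bin/sh
# Generate a private key and CSR, then prove which file is which.
# Added example; assumes openssl(1) on PATH and uses file names of my choosing.
set -eu

# pem_kind FILE -> private-key | csr | certificate | unknown
# The PEM armor line states what the file is, whatever it was named.
pem_kind() {
    if grep -qE -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo private-key
    elif grep -qE -e '-----BEGIN (NEW )?CERTIFICATE REQUEST-----' "$1" 2>/dev/null; then
        echo csr
    elif grep -qE -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo certificate
    else
        echo unknown
    fi
}

# make_csr DIR SUBJECT: writes DIR/key.pem (private key, mode 0600)
# and DIR/req.pem (the CSR, which is the only file that goes to the CA).
make_csr() {
    umask 077   # the key file is unreadable to others from the moment it exists
    openssl req -new -nodes -newkey rsa:2048 -subj "$2" \
        -keyout "$1/key.pem" -out "$1/req.pem" 2>/dev/null
    umask 022
    chmod 644 "$1/req.pem"   # the CSR contains only public data
}

# verify_csr CSR: succeeds if the CSR's self-signature checks out
verify_csr() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_matches_key CSR KEY: succeeds if the CSR carries the public half of KEY
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

main() {
    d=$(mktemp -d)
    make_csr "$d" "/CN=example.test"
    echo "key.pem is a $(pem_kind "$d/key.pem"): keep it, never send it"
    echo "req.pem is a $(pem_kind "$d/req.pem"): this is what the CA gets"
    verify_csr "$d/req.pem" && csr_matches_key "$d/req.pem" "$d/key.pem" \
        && echo "CSR self-signature OK and it matches key.pem"
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then main; fi
```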