Home WiFi Router with pfSense or m0n0wall?
Charles Swiger
cswiger at mac.com
Thu Apr 25 01:02:28 UTC 2013
Hi--
On Apr 24, 2013, at 1:53 PM, Michael Powell <nightrecon at hotmail.com> wrote:
> This is along the lines of what I was thinking. I am my own CA and can
> generate certs that no one else has the private keys to.
So can someone who does not run their own CA...?
> The problem with buying certs from a provider is the gov't has access
> to the private keys on demand.
Um, how does that work when they don't have your private keys?
People generate a CSR which they send to a public CA like Verisign/Entrust/et al
for signing. That CSR contains the RSA public key, and a matching signature
created by the private key to authenticate the CSR request, but it does not
contain the private key itself.
Consider:
openssl req -newkey rsa:2048 -keyout key.pem -out req.pem
openssl req -in req.pem -text -verify -noout
ls -l key.pem req.pem
...or even go through the explicit process of seeing the different data available:
openssl rsa -in key.pem -pubout -out pubkey.pem
openssl rsa -in key.pem -text -noout
openssl rsa -pubin -in pubkey.pem -text -noout
[ A CSR is about half of the size of the private+public key file; and the public key
by itself is a quarter the size of the private+public key file. And even possessing
key.pem doesn't disclose the private key, since there's a password needed. Unless
you make an effort to export the key without a password, that is. ]
Regards,
--
-Chuck
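The point made above, as an added example that is not part of the original post: a short sh script (it assumes openssl is on the PATH; the file names and the CN are arbitrary) that generates a key and a CSR, then checks that the CSR carries only the public key plus a self-signature that verifies with it, and nothing from the private key.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates an RSA key and a
# CSR with openssl (assumed installed), then checks the post's claim: the CSR
# carries the public key and a self-signature, but none of the private key.
# -nodes writes the key unencrypted so the script runs without a passphrase
# prompt; the post's point about password-protecting key.pem still stands.

check_csr_has_no_private_key() {
    dir=$(mktemp -d) || return 1
    ok=1
    {
        openssl req -newkey rsa:2048 -nodes -subj "/CN=csr-demo.test" \
            -keyout "$dir/key.pem" -out "$dir/req.pem" 2>/dev/null &&
        # the CSR's self-signature verifies with the public key embedded in it
        openssl req -in "$dir/req.pem" -verify -noout >/dev/null 2>&1 &&
        # the public key derived from the private key file ...
        openssl rsa -in "$dir/key.pem" -pubout -out "$dir/pub_from_key.pem" 2>/dev/null &&
        # ... must be byte-identical to the public key carried inside the CSR
        openssl req -in "$dir/req.pem" -pubkey -noout >"$dir/pub_from_csr.pem" &&
        cmp -s "$dir/pub_from_key.pem" "$dir/pub_from_csr.pem" &&
        # the key file dumps private components (privateExponent, primes);
        # the decoded CSR must not contain any of them
        openssl rsa -in "$dir/key.pem" -text -noout | grep -q '^privateExponent' &&
        ! openssl req -in "$dir/req.pem" -text -noout | grep -q 'privateExponent' &&
        # and, as the post notes, the CSR is smaller than the key file
        [ "$(wc -c <"$dir/req.pem")" -lt "$(wc -c <"$dir/key.pem")" ]
    } && ok=0
    rm -rf "$dir"
    return $ok
}

check_csr_has_no_private_key && echo "CSR holds the public key only: OK"
```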