Creating certs for others (without their private keys)

Does openssl (9.0.9.7g or 0.9.8beta6) allow creating certs (signing
others' public keys) without havign their private keys presented to the
signer?

[For having to bring private key along with the public key sort fo
defeats the whole purpse PKI.]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Uri wrote:

> Does openssl (9.0.9.7g or 0.9.8beta6) allow creating certs (signing
> others' public keys) without havign their private keys presented to
> the signer?
>
> [For having to bring private key along with the public key sort fo
> defeats the whole purpse PKI.]

You are totally right.

Because of that CA's (including OpenSSL's ca command) usually work with
a certificate request which contains the public key (as well as some
other informations like the canonical name). Certificate requests can be
generated with OpenSSL's req command.

Hope it helps,
Ted
;)

> Does openssl (9.0.9.7g or 0.9.8beta6) allow creating certs (signing
> others' public keys) without havign their private keys presented to the
> signer?

        Of course,
 
> [For having to bring private key along with the public key sort fo
> defeats the whole purpse PKI.]

        Exactly.

        DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

David Schwartz wrote:

>>Does openssl (9.0.9.7g or 0.9.8beta6) allow creating certs (signing
>>others' public keys) without havign their private keys presented to the
>>signer?
>>    
>>
>
> Of course,
>  
>

But how???

Creating a certificate request ("req") with openssl seems to require
that private key is included! How do I avoid it?

How do I create a request that doesn't contain private key, and how do I
sign it? Could you give me an example please?

>>[For having to bring private key along with the public key sort fo
>>defeats the whole purpse PKI.]
>>    
>>
>
> Exactly.
>  
>
:-)
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Bernhard Froehlich wrote:


But how??? Could you give an example please (of [a] creating, and [b]
signing a "req")?

Thanks!!

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

> But how??? Could you give an example please (of [a] creating, and [b]
> signing a "req")?

How is in the HOWTO (http://www.openssl.org/docs/HOWTO/)
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Tan Eng Ten wrote:
>> But how??? Could you give an example please (of [a] creating, and [b]
>> signing a "req")?
>
>
> How is in the HOWTO (http://www.openssl.org/docs/HOWTO/)

Or just use the Perl script that ships with OpenSSL called CA.pl
(Required at least Perl 5.6.x to be installed).

Thomas Hruska
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

On Sun, Jul 03, 2005, Uri wrote:

> But how???
>
> Creating a certificate request ("req") with openssl seems to require
> that private key is included! How do I avoid it?
>
> How do I create a request that doesn't contain private key, and how do I
> sign it? Could you give me an example please?
>

What makes you think the private key is included?

The private key needs to be *used* to sign the request but it is never included.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Tan Eng Ten wrote:

>> But how??? Could you give an example please (of [a] creating, and [b]
>> signing a "req")?
>
>
> How is in the HOWTO (http://www.openssl.org/docs/HOWTO/)


Darn, I thought I explained the problem: openssl "req" seems to require
private key of the cert requestor, which defeats the whole idea of PKI.
Here's the excerpt of the HOWTO you're referring me to.  It is not
helpful, sorry - for the above reason (private key necessary).

The certificate request is created like this:

  openssl req -new -key privkey.pem -out cert.csr
                    ^^^^^^^^^^^^^^^^

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Dr. Stephen Henson wrote:

The fact that Windows XP machine (into which I load the created cert)
claims to now have the private key for it.

>The private key needs to be *used* to sign the request but it is never included.
>  
>
Could you recommend a verification procedure for me, please?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

In message <[hidden email]> on Mon, 04 Jul 2005 00:00:20 -0400, Uri <[hidden email]> said:

urimobile> Tan Eng Ten wrote:
urimobile>
urimobile> >> But how??? Could you give an example please (of [a]
urimobile> >> creating, and [b] signing a "req")?
urimobile> >
urimobile> > How is in the HOWTO (http://www.openssl.org/docs/HOWTO/)
urimobile>
urimobile> Darn, I thought I explained the problem: openssl "req"
urimobile> seems to require private key of the cert requestor, which
urimobile> defeats the whole idea of PKI. Here's the excerpt of the
urimobile> HOWTO you're referring me to.  It is not helpful, sorry -
urimobile> for the above reason (private key necessary).
urimobile>
urimobile> The certificate request is created like this:
urimobile>
urimobile>   openssl req -new -key privkey.pem -out cert.csr

OpenSSL, as well as *any* other software that produces CSRs, requires
that a private key be *used* to sign the CSR.  That does not mean that
the private key gets included in the CSR, just the signature.
However, the *public* key gets included in the CSR.  So you see, the
private key, is necessary, but not for the reasons you seem to
imagine.

It looks to me like you need to read up on public key cryptography and
how a X.509 PKI works.  There are books on the subjects.

Cheer,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte                         [hidden email]
                                        http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                                -- C.S. Lewis
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

In message <[hidden email]> on Mon, 04 Jul 2005 00:03:50 -0400, Uri <[hidden email]> said:

urimobile> Dr. Stephen Henson wrote:
urimobile>
urimobile> >On Sun, Jul 03, 2005, Uri wrote:
urimobile> >
urimobile> >>How do I create a request that doesn't contain private
urimobile> >>key, and how do I sign it? Could you give me an example
urimobile> >>please?
urimobile> >>
urimobile> >What makes you think the private key is included?
urimobile>
urimobile> The fact that Windows XP machine (into which I load the
urimobile> created cert) claims to now have the private key for it.

Uhmmm, in a X.509 PKI, you need a key pair (private and public key) to
have it work at all.  In Windows, the computer stores them for you.
Where did you think the private keys would be stored?  In your head?
Are you willing to remember and type 1024 or more bits (in whatever
format)?  Thought not...

urimobile> >The private key needs to be *used* to sign the request but
urimobile> >it is never included.
urimobile> >
urimobile> Could you recommend a verification procedure for me,
urimobile> please?

Look at the CSR you created with a ASN.1 dumper.  OpenSSL contains
one, and you can basically use it in any output OpenSSL produces:

        openssl asn1parse -in my-csr.pem -i

Since you don't trust OpenSSL, I can also recommed dumpasn1.  However,
you need to convert your .pem file to pure binary (DER), so something
like this gives you the correct output:

        openssl base64 -d < my-csr.pem | dumpasn1 -

If you want further proof, read the standards!  For CSRs, it is
PKCS #10, which is reproduced in RFC 2986.

Cheers,
Richard

P.S.  I purposefully avoid to give you links.  I interpret your level
of trust as fairly low, so it seems to me it's better that you find
things on your own.  I encourage you to look around.  If my
interpretation is wrong, please tell me.

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte                         [hidden email]
                                        http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                                -- C.S. Lewis
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

On Jul 4, 2005, at 12:00 AM, Uri wrote:
Let's say you're the CA and I'm requesting a certificate from you.  I
generate a keypair, and *I* create a certificate signing request (CSR).
  I send you the CSR (which doesn't contain my private key) and you use
it to create a signed certificate which you send back to me.

So yes, creating the CSR requires the private key, but the customer
does that, not the CA.

At least, that's my understanding; I haven't actually done this myself.

Josh

--
Joshua Juran
Metamage Software Creations - Mac Software and Consulting
http://www.metamage.com/

                * Creation at the highest state of the art *

Uri wrote: Maybe someone should just give a little introduction on
how to do it with OpenSSL?

Ok. If you do not want the CA to create secret keys for
the users, then every user has to create his/her own
key pair (using "openssl genrsa" for example). Afterwards,
a certificate request is generated and sent to the CA.
This request contains the users (or servers, if you are
doing server certificates) name and the public key, and
it is signed with the secret key of the user (using
"openssl req"). The CA makes sure that the request is ok
and really belongs to the given user/server, and a
certificate is created with the given name and publik
key from the request (using "openssl ca").
Teh certificate is sent to the user (or server administrator),
who then has both, the secret key and the certificate.

Hmmm... pretty much all right now... Cheers,
  Olaf

--
Dipl.Inform. Olaf Gellert                  PRESECURE (R)
Senior Researcher,                       Consulting GmbH
Phone: (+49) 0700 / PRESECURE           [hidden email]

                        A daily view on Internet Attacks
                        https://www.ecsirt.net/sensornet

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

> Darn, I thought I explained the problem: openssl "req" seems to require
> private key of the cert requestor, which defeats the whole idea of PKI.

No.

IT is common practice for someone making a certificate request to
prove that they have the private key.  This is known as "proof of
possession" and is a common practice.

        /r$

--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Richard Levitte - VMS Whacker wrote:
Look, I'd be very obliged if you took the trouble to understand the
actual questions
before jumping the gun with answers that are less than helpful. For
example, you
didn't seem to comprehend that CA's (self-signed) cert goes to the
Windows box
(which is a client and a member of the realm of this CA), and in
addition to
that - Windows box stores the server's cert, with who it corresponds.
We are NOT talking about key pair that belongs to this Windows box (where
private key is necessary).  Now I've described it with plenty of details.

And just in case, once again. The setup is:

One server, several clients - among the clients is a Windows XP machine.
All  communications protected by IPsec, IKE authentication  done via
signed RSA public keys.
One local CA based on OpenSSL-0.9.7g.

CA's cert and server's cert were installed on Windows machine, so it
could verify server's cert.

NOW Windows box claims that it holds NOT ONLY the server's public key
(which was expected),
but ALSO the server's PRIVATE KEY. This combined with the fact that to
create "req", one has to
supply his private key, drove me to conclusion that somehow this demoCA
is less than correct
dealing with certs. [In case it matters, certs were passed to Windows in
PKCS12 format]

Also, here's an example of openssl-created "newreq.pem" on my box:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,D002B0C9C6F377C7

wSqix6TJp...........................................................
.........................................................................
.................................................tuJZYOyg==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
MIIBqTCC................................
.................................................
..................................FalOz
-----END CERTIFICATE REQUEST-----

Looks like it concatenates private key and the actual cert request together.
I verified that if I edit the private key off, cert signing still works
(which is good :-).
Thank you. It works. So now I'll need to dig up the exact format of
X.509 cert.

>If my interpretation is wrong, please tell me.
>  
>
I think it is - but it is pointless to discuss it further. I thank you
for the useful
ASN.1 parsing example.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

On Mon, Jul 04, 2005, Uri wrote:

If you are importing the certificate via a PKCS#12 file then its that which
will include the private key, not the request.

PKCS#12 isn't an appropriate format to just import a certificate. You need
to use PEM or DER form and an appropriate extension such as .crt.

If this certificate is to be used in an SSL server you shouldn't import it
anyway, just the root CA certificate is sufficient.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

In message <[hidden email]> on Mon, 04 Jul 2005 13:41:17 -0400, Uri <[hidden email]> said:

urimobile> Richard Levitte - VMS Whacker wrote:
urimobile>
urimobile> >>> >What makes you think the private key is included?
urimobile> >urimobile>
urimobile> >urimobile> The fact that Windows XP machine (into which I
urimobile> >urimobile> load the created cert) claims to now have the
urimobile> >urimobile> private key for it.
urimobile> >
urimobile> >Uhmmm, in a X.509 PKI, you need a key pair (private and
urimobile> >public key) to have it work at all.  In Windows, the
urimobile> >computer stores them for you.  Where did you think the
urimobile> >private keys would be stored?  In your head?  Are you
urimobile> >willing to remember and type 1024 or more bits (in
urimobile> >whatever format)?  Thought not...
urimobile> >
urimobile> Look, I'd be very obliged if you took the trouble to
urimobile> understand the actual questions before jumping the gun with
urimobile> answers that are less than helpful.

Well, considering the small amount of facts you actually gave, you
can't be surprised that I had to use my imagination to try to
understand what you had done.  Contrary to what you seem to think, it
was less than obvious.

Still, my appologies for the tone I used.  It was needlessly harsh.

urimobile> For example, you didn't seem to comprehend that CA's
urimobile> (self-signed) cert goes to the Windows box (which is a
urimobile> client and a member of the realm of this CA), and in
urimobile> addition to that - Windows box stores the server's cert,
urimobile> with who it corresponds.

It's fine for any box to store or cache certificates of any kind.
Certificates are public data, and only contain a public key.

urimobile> We are NOT talking about key pair that belongs to this
urimobile> Windows box (where private key is necessary).  Now I've
urimobile> described it with plenty of details.

Nope:

urimobile> NOW Windows box claims that it holds NOT ONLY the server's
urimobile> public key (which was expected), but ALSO the server's
urimobile> PRIVATE KEY.

This is the first time you said that *another* device's private key
ended up on your Windows box.  And still, that can't happen because of
a CSR, which is what you claimed was at fault.

However, it seems you found something:

urimobile> Also, here's an example of openssl-created "newreq.pem" on
urimobile> my box:

(I assume, BTW, that you used CA.pl here)

urimobile> -----BEGIN RSA PRIVATE KEY-----
urimobile> Proc-Type: 4,ENCRYPTED
urimobile> DEK-Info: DES-EDE3-CBC,D002B0C9C6F377C7
urimobile>
urimobile> wSqix6TJp...........................................................
urimobile> .........................................................................
urimobile> .................................................tuJZYOyg==
urimobile> -----END RSA PRIVATE KEY-----
urimobile> -----BEGIN CERTIFICATE REQUEST-----
urimobile> MIIBqTCC................................
urimobile> .................................................
urimobile> ..................................FalOz
urimobile> -----END CERTIFICATE REQUEST-----
urimobile>
urimobile> Looks like it concatenates private key and the actual cert
urimobile> request together.

Yup.  I was in disbelief, but just checked CA.pl (which I usually
don't use), and saw this really happens.  I'd call that a bug, that's
not the way it should be, in my opinion (translated: that's completely
f*cked!).

urimobile> Thank you. It works. So now I'll need to dig up the exact
urimobile> format of X.509 cert.

The quickest way to find that information is by reading RFC3280.

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte                         [hidden email]
                                        http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                                -- C.S. Lewis
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Dr. Stephen Henson wrote:

>PKCS#12 isn't an appropriate format to just import a certificate. You need
>to use PEM or DER form and an appropriate extension such as .crt.
>  
>
I figured this out too late. PEM isn't accepted by Windows, but DER
(luckily!) is, so now I'm just using DER.

IPsec FAQ that guided me then, suggested that PKCS12 is the format for
transferring certs to _Windows_... Now I know better.

>If this certificate is to be used in an SSL server you shouldn't import it
>anyway, just the root CA certificate is sufficient.
>  
>
True. As IPsec peers can exchange their certs automatically.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

On Mon, Jul 04, 2005, Uri wrote:

> Dr. Stephen Henson wrote:
>
> >PKCS#12 isn't an appropriate format to just import a certificate. You need
> >to use PEM or DER form and an appropriate extension such as .crt.
> >
> >
> I figured this out too late. PEM isn't accepted by Windows, but DER
> (luckily!) is, so now I'm just using DER.
>

PEM should be accepted but its very picky about any extra data before the
-----BEGIN CERTIFICATE----- line.

> >If this certificate is to be used in an SSL server you shouldn't import it
> >anyway, just the root CA certificate is sufficient.
> >
> >
> True. As IPsec peers can exchange their certs automatically.
>

and I don't think Windows supports verification based just on server
certificate.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]