On Sun, Sep 09, 2012 at 08:36:30AM -0500, Tom Browder wrote: > So the client cert. does contain the private key? Then its password > is all that is protecting it? No, the key is normally (but not always) kept separately. > Mark, in your experience, what is the best way to distribute client > certificates? 1. End user creates private key and CSR. 2. End user sends CSR to the CA (you). 3. The CA (you) examines the CSR and if the CA (you) thinks it is all correct and the client is who they say they are, etc., creates a signed certificate from the CSR and sends it back to the user. By doing this no private key goes over the network and the CA never knows the end user's passphrase. HTH, Pete -- Openstrike - improving business through open source http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107
Attachment:
pgp6gcvZfkPL3.pgp
Description: PGP signature
|