On 08/21/2017 11:52 AM, Salz, Rich wrote:
> OK. And why does DER not support encryption?
Because it is not defined. If you want to encrypt keys, you need to use PKCS12, which might be too much for your application.
If a device has secure storage, it does not need to encrypt its private
key. It all depends on the architecture.
Or they can implement whatever works in their device to protect the keys.
The root CA is not a problem as it is offline except to make new
intermediate CAs. In fact for Singapore, I hope to have the root CA be
an mSD card with Fedora26 for a Cubieboard2. Pop the card in, and there
is your root CA. And a different mSD card for the signing CA! I can do
this all offline. Just put the CSR on a USB drive and insert it in one
of the Cubie's USB ports and sign away!
I just need to document this all. That is all. :)
Bob