a new free smime service, but...
Ralph Seichter
abbot at monksofcool.net
Wed Oct 23 22:56:39 CEST 2019
* Steffen Nurpmeso:
> I think it is common that S/MIME and SSL certificates are delivered
> via PKCS12, including the private key. You then seem to extract the
> individual things [...]
Nope, that is the wrong way round. The correct sequence to obtain an
S/MIME certificate is as follows:
1. User X creates a private key *locally*. This private key must never
be handed to anybody else.
2. User X creates a certificate signing request (CSR) and sends it to a
certificate authority (CA).
3. The CA uses the CSR to create a signed certificate, and sends that
certificate back to user X.
4. User X can then optionally combine private key and signed certificate
in a .p12 file to ease importing the data *locally* in his MUA (it is
usually more convenient to deal with a single file that combines both
private key and certificate).
If the process is altered in any way in which a third party gets hold of
user X's private key, security is broken, no matter if the private key
is password protected or not.
-Ralph
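The four-step sequence above, walked through with the openssl command line as an added example (this is not code from Ralph or from the GnuPG project). To run offline it constructs a throwaway CA in the same temporary directory; in a real enrolment the CA is a separate party, and the only artifact that crosses to it is the CSR. A final check confirms that the CSR carries no private key material, that the certificate the CA returned matches the locally generated key, and that the .p12 assembled in step 4 opens with its export password. The subject name, e-mail address and the password "localonly" are invented for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is
# installed. The CA is a toy, self-signed one created here so the script
# runs stand-alone; nothing about it reflects any real CA's policy.
set -eu

smime_enrol() {
    work=$(mktemp -d)

    # Step 1: user X creates the private key locally. It stays in $work
    # with owner-only permissions and is never sent anywhere.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/userx.key" 2>/dev/null
    chmod 600 "$work/userx.key"

    # Step 2: user X derives a CSR from that key. The CSR holds the public
    # key and the requested subject, signed with the private key as proof
    # of possession; this file is what goes to the CA.
    openssl req -new -key "$work/userx.key" \
        -subj "/CN=User X/emailAddress=userx@example.invalid" \
        -out "$work/userx.csr" 2>/dev/null

    # Step 3: the CA signs the CSR. Toy CA constructed here for the example.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$work/ca.key" \
        -subj "/CN=Toy CA (example only)" -days 1 \
        -out "$work/ca.crt" 2>/dev/null
    openssl x509 -req -in "$work/userx.csr" \
        -CA "$work/ca.crt" -CAkey "$work/ca.key" -CAcreateserial \
        -days 1 -out "$work/userx.crt" 2>/dev/null

    # Step 4: user X combines key and certificate into a .p12 locally, for
    # import into the MUA. The export password only protects this bundle
    # at rest; it is no substitute for keeping the key local in the first place.
    openssl pkcs12 -export -inkey "$work/userx.key" -in "$work/userx.crt" \
        -certfile "$work/ca.crt" -passout pass:localonly \
        -out "$work/userx.p12" 2>/dev/null

    echo "$work"
}

# Sanity checks a practitioner would want after enrolment. Returns 0 when
# everything lines up, 1 otherwise.
smime_check() {
    work=$1
    # The artifact sent to the CA must not contain private key material.
    grep -q 'PRIVATE KEY' "$work/userx.csr" && return 1
    # The certificate the CA returned must carry the public half of the
    # key generated in step 1, i.e. nobody substituted a different key.
    key_pub=$(openssl pkey -in "$work/userx.key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$work/userx.crt" -noout -pubkey 2>/dev/null)
    [ "$key_pub" = "$crt_pub" ] || return 1
    # The certificate must chain to the CA that signed it.
    openssl verify -CAfile "$work/ca.crt" "$work/userx.crt" >/dev/null 2>&1 || return 1
    # The locally built .p12 must open with its export password.
    openssl pkcs12 -in "$work/userx.p12" -passin pass:localonly -noout 2>/dev/null
}

# Usage: dir=$(smime_enrol); smime_check "$dir" && echo "enrolment ok: $dir"
```

The check that the certificate's public key equals the key's public key is the one worth keeping in any real enrolment script: it is cheap, and it is exactly the property that the "CA generates the key for you" shortcut destroys, because then there is no local key to compare against.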