a new free smime service, but...
steffen at sdaoden.eu
Thu Oct 24 00:51:40 CEST 2019
Steffen Nurpmeso wrote in <20191023224323.KAODd%steffen at sdaoden.eu>:
||> I think it is common that S/MIME and SSL certificates are
||> delivered via PKCS12, including the private key. You then seem to
||> extract the individual things like
||I think this is a severe security breach. The private key should never
||leave your computer.
||> $ openssl pkcs12 -in cert.p12 -out certpem.pem -clcerts -nodes
||> $ # Alternatively
||> $ openssl pkcs12 -in cert.p12 -out cert.pem -clcerts -nokeys
||> $ openssl pkcs12 -in cert.p12 -out key.pem -nocerts -nodes
||>|keys are generated on the subscriber's device and only the public key
||>|goes to the CA to be certified.
|With StartSSL it was like that, the browser generated the signing
|request i hope. But i do not know.
|And, the above i inherited in the manual of the software
|i maintain. I have not seen this in the wild on my own.
This is actually only half true. The original manual only
contains the first of the three.
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
More information about the Gnupg-users