
Re: [Handle-info] generating private/public keys and client certificate for the handle API via openssl



DSA keys are fine too, although there are reasons to prefer RSA keys (or ECDSA keys, which are not yet supported in Handle).  See for example http://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys .  As that article explains, there's no "cryptanalytic urgency" to stop using DSA keys, but for a new effort you should probably prefer RSA.

If I'm not mistaken, pkcs8 is the private key format.  That can be left alone on the client side.  They just need to use OpenSSL to extract from their certificate a public key PEM file to send to you.  The same OpenSSL commands for extracting the public key should work whether it is DSA or RSA.

If they start with an X509 certificate:

openssl x509 -pubkey -noout -in clientcert.crt > publickey.pem

If they start with a PKCS12 bundle of certificate and private key:

openssl pkcs12 -nokeys -in clientcert.p12 | openssl x509 -pubkey -noout > publickey.pem

Robert
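
The whole customer-side procedure discussed in this thread (generate the key pair and the client certificate with OpenSSL alone, then hand over nothing but the public key), as an added example that is not part of the original messages or of the Handle.Net distribution. It runs both extraction commands from the reply above and adds a third route straight from the private key, so the three results can be compared, and prints a fingerprint the customer can confirm with the host out of band. It goes slightly beyond the reply in that the generator also accepts "dsa", to show that the same extraction commands work for either key type. File names, the CN value, the key size and the PKCS#12 passphrase "changeit" are placeholders, and what the certificate subject of a Handle API client certificate must contain is governed by the Handle documentation, not by this script.

```shell
#!/bin/sh
# Added example, not from the thread: everything the customer needs, done with
# OpenSSL only. File names, CN, key size and the PKCS#12 passphrase are
# placeholders; only publickey.pem ever leaves the customer's machine.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # scratch directory for the generated files

# Generate a private key ($1 = rsa | dsa), a self-signed client certificate and a
# PKCS#12 bundle, written to $WORKDIR as "$2.key", "$2.crt" and "$2.p12".
gen_client_material() {
  keytype="$1"; name="$2"
  case "$keytype" in
    rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
           -out "$WORKDIR/$name.key" 2>/dev/null ;;
    dsa) openssl dsaparam -genkey -noout -out "$WORKDIR/$name.key" 2048 2>/dev/null ;;
    *)   echo "unsupported key type: $keytype" >&2; return 1 ;;
  esac
  # Self-signed certificate. The CN is a placeholder; the Handle documentation
  # decides what the subject of an API client certificate has to contain.
  openssl req -new -x509 -sha256 -days 365 -subj "/CN=handle-api-client" \
    -key "$WORKDIR/$name.key" -out "$WORKDIR/$name.crt" 2>/dev/null
  # Key + certificate as a PKCS#12 bundle, the form many customers already have.
  openssl pkcs12 -export -passout pass:changeit \
    -inkey "$WORKDIR/$name.key" -in "$WORKDIR/$name.crt" -out "$WORKDIR/$name.p12" 2>/dev/null
}

# The two extraction routes from the reply, plus a third straight from the private key.
pubkey_from_cert()    { openssl x509 -pubkey -noout -in "$1"; }
pubkey_from_p12()     { openssl pkcs12 -nokeys -passin "pass:$2" -in "$1" 2>/dev/null \
                          | openssl x509 -pubkey -noout; }
pubkey_from_privkey() { openssl pkey -pubout -in "$1"; }

# SHA-256 over the DER form of a PEM public key: what the customer reads out over
# the phone so the host can confirm it uploaded the right key to the admin handle.
pubkey_fingerprint() {
  openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Returns 0 when certificate, PKCS#12 and private key all yield the identical public
# key, i.e. the customer can start from whichever file they have.
check_pubkey_consistency() {
  name="$1"
  from_cert=$(pubkey_from_cert "$WORKDIR/$name.crt")
  from_p12=$(pubkey_from_p12 "$WORKDIR/$name.p12" changeit)
  from_key=$(pubkey_from_privkey "$WORKDIR/$name.key")
  [ "$from_cert" = "$from_p12" ] && [ "$from_cert" = "$from_key" ]
}

gen_client_material rsa client
check_pubkey_consistency client || { echo "public keys do not agree" >&2; exit 1; }
pubkey_from_cert "$WORKDIR/client.crt" > "$WORKDIR/publickey.pem"   # the only file to send
echo "fingerprint to confirm out of band: $(pubkey_fingerprint "$WORKDIR/publickey.pem")"
```

Run it as a script: publickey.pem is the file the customer sends, and the file the host then feeds to hdl-convert-key as described earlier in the thread; the .key and .p12 files stay with the customer. The passphrase appears on the command line only to keep the example self-contained; on a real workstation use -passout file:pathname or let OpenSSL prompt for it.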

> On 2016-04-05, at 10:24, Robert Verkerk <robert.verkerk@surfsara.nl> wrote:
> 
> Hi Robert,
> 
> Thanks for the reply.
> 
> I was busy with DSA keys and trying to get them from a public key to a pkcs8 format to binary using hdl-convert-key. But I was stuck at the pkcs8 format.
> 
> So we “just” need to generate an RSA private/public key and go from there? Any special considerations for the RSA key?
> 
> Greetings,
> 
> Robert Verkerk
> 
> 
>> On 05 Apr 2016, at 15:50, Robert R Tupelo-Schneck <schneck@cnri.reston.va.us> wrote:
>> 
>> They can send you an RSA public key in PEM format, which OpenSSL can do.  Then you can use hdl-convert-key from the Handle.Net distribution to convert the PEM-formatted key into Handle format.  You can either use "hdl-convert-key input.pem -o output.bin" or "hdl-convert-key < input.pem > output.bin".
>> 
>> Robert
>> 
>>> On Apr 5, 2016, at 4:23 AM, Robert Verkerk <robert.verkerk@surfsara.nl> wrote:
>>> 
>>> Hi,
>>> 
>>> We provide/host prefixes and handles for several customers. We have implemented Handle version 8.1.0. This enables the Handle API with client certificates.
>>> We know how to generate a private/public key pair and the client certificate for the Handle API via the Handle tools and a very small bit using OpenSSL.
>>> 
>>> If we are to allow customers to generate it, they will need to download the Handle tools. Or we need to do it for them. This is not something they want.
>>> 
>>> Is there a way to use only OpenSSL at the customer site to generate all necessary bits for the private/public key pair and the client certificate?
>>> This so they only have to provide us with the public key that we upload in the proper admin handle with the proper index. The rest stays private at the customer site.
>>> 
>>> 
>>> -- 
>>> Greetings,
>>> 
>>> Robert Verkerk
>>> system programmer
>>> Data Services | SURFsara

_______________________________________________
Handle-Info mailing list
Handle-Info@cnri.reston.va.us
http://www.handle.net/mailman/listinfo/handle-info