Generating non-exportable private keys with OpenSSL ?

Subject Author Date
Generating non-exportable private keys with OpenSSL ? marquinos 05-26-2008
Posted by on May 26, 2008, 5:43 am
Hello,

I need some help from you, please...

I need to generate certificates with OpenSSL, but I need the private
keys to be non-exportable. How can I do it?

By default, when I generate my certificates with an RSA private key,
for example, and I import them to the browser, it always asks me if I
want to mark its key as exportable, but it wouldn't happen, this
checkbox would be inactive.

With Microsoft certreq/certutil, I can generate a certificate doing
this, but I don't want to use them, I prefer OpenSSL because of its more
powerful characteristics.

Here's my example batch script (in Windows):

------------- 8< CUT HERE 8< -------------
rem Generate a 2048-bit RSA private key for the client
\openssl\bin\openssl genrsa -out \myCA\clients\keys\client-priv.pem 2048

rem Create the certificate signing request
\openssl\bin\openssl req -new -key \myCA\clients\keys\client-priv.pem -subj "/DC=myentreprise/OU=com/CN=My Entreprise SL" -out \myCA\clients\csr\req-client-cert.pem

rem Extensions for a client-authentication end-entity certificate
echo basicConstraints=critical,CA:FALSE > \myCA\config2.txt
echo extendedKeyUsage=clientAuth >> \myCA\config2.txt

rem Sign the request with the CA key
\openssl\bin\openssl x509 -CA \myCA\cacert.pem -CAkey \myCA\cakey.pem -req -in \myCA\clients\csr\req-client-cert.pem -set_serial 3 -days 15 -extfile \myCA\config2.txt -sha1 -out \aequifxCA\clients\certs\client-cert.pem

rem Bundle certificate, private key and CA certificate into a PKCS#12 file for the browser
\openssl\bin\openssl pkcs12 -export -in \myCA\clients\certs\client-cert.pem -inkey \myCA\clients\keys\client-priv.pem -certfile \aequifxCA\cacert.pem -out \myCA\clients\browser\client-cert-pkcs12.p12

------------- 8< CUT HERE 8< -------------

Thanks in advance,

Marcos Martinez
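
The following is an added example, not part of the original post. Exportability is not a property of the key, the certificate or the PKCS#12 file that OpenSSL writes; the Windows key store sets it when the file is imported, so the import step is where it is controlled. The script assumes the `.p12` path from the post, a hypothetical `PFX_PASS` environment variable holding the export password, and that serial 3 is the only certificate with that serial in the user's store.

```batch
@echo off
rem Added example: import the PKCS#12 produced by the script in the post
rem so that Windows marks the private key as non-exportable.
setlocal

rem Path taken from the script in the post.
set P12=\myCA\clients\browser\client-cert-pkcs12.p12

rem Assumption: PFX_PASS (hypothetical name) holds the password that was
rem typed at the "openssl pkcs12 -export" prompt.
if not defined PFX_PASS (
    echo Set PFX_PASS to the PKCS#12 password first.
    exit /b 1
)

rem Import into the current user's "My" store. The NoExport modifier
rem makes the key store flag the private key as non-exportable.
certutil -user -p "%PFX_PASS%" -importPFX "%P12%" NoExport
if errorlevel 1 exit /b 1

rem Check: try to export the certificate with serial 03
rem (-set_serial 3 in the post) together with its key. This should fail.
certutil -user -p "%PFX_PASS%" -exportPFX My 03 "%TEMP%\export-check.pfx"
if not errorlevel 1 (
    echo WARNING: the private key is still exportable.
    del "%TEMP%\export-check.pfx"
    exit /b 1
)

echo Private key imported as non-exportable.
endlocal
```

The `.p12` file and `client-priv.pem` remain full copies of the key: anyone who holds them and the password can import the key elsewhere as exportable, so protect or remove them once the import has succeeded.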
