From: Miikka V. <mvi...@us...> - 2011-06-17 14:20:03
Hi,

It would indeed be a good idea to allow an input key file. As Martin mentioned, the cmpclient tool is not much more than a proof-of-concept at this point, so these options have mainly been used for testing the library.

The behaviour of the '--key' flag is a bit confusing since in an IR message it specifies a file where a newly generated key will be saved and in a KUR it specifies a key to be used as input. The '--extcert' option is used for authentication with an external certificate.

I will change the --key flag so that it checks if the key file already exists, and if it does the file will be used as an input for the initial request.

Thanks for pointing this out!

best regards,
Miikka

Excerpts from ABULIUS, MUGUR (MUGUR)'s message of 2011-06-13 18:16:36 +0300:
> Hello,
>
> This topic concerns the client's private key and the interdependency between the options:
> "-key FILE"
> "-extcert FILE"
>
> Our understanding (after reading the source code) concerning the relationship between these 2 options is the following:
> * If the two options are specified then the tool uses for the initial request as client's private key the file specified by the "--key FILE" option.
> * If the option "--extcert FILE" doesn't exist for the initial request then the tool generates a 1024 bits RSA key at location specified by "--key FILE" option.
>
> In our scenarios we need ***2048*** bits RSA keys (possibly more) without using the "--extcert FILE". We think that the greatest flexibility is to allow (as an additional option) an input key file even in case the option "--extcert FILE" is not specified.
>
> Is it possible to add such an option / behavior?
> Which is, please, the rationale of the current interdependency between these two options?
>
> Best Regards
> Mugur