
[pkg-discuss] Re: Code review request for 17913496 certificates for test suite are expiring

  • From: Erik Trauschke < >
  • To: Danek Duvall < >
  • Cc:
  • Subject: [pkg-discuss] Re: Code review request for 17913496 certificates for test suite are expiring
  • Date: Fri, 13 Dec 2013 16:27:09 -0800



On 12/13/13 04:09 PM, Danek Duvall wrote:
Erik Trauschke wrote:



On 12/13/13 03:58 PM, Danek Duvall wrote:
Erik Trauschke wrote:

Okay.  Is this documented anywhere?  I dug around for a while and couldn't
find anything in the Apache docs about key formats (other than encrypted vs
not), and very little about the key formats in the openssl docs.

What documentation are you looking for?

I was looking for openssl documentation that said what format its generated
files were in.  Didn't think to look in the changelog.

I was looking for apache documentation that said what format it would
accept keys in, but the only thing I found was that some of the directives
wouldn't accept encrypted keys.

I was looking for some documentation that actually defined the two
different formats, but couldn't find anything.

Perhaps my google skills are poor.  :)

No, I think the documentation of mod_ssl is just very vague. I guess to not
confuse people too much with all that crypto stuff ;)
They only say PEM-encoded and I guess that works for most people.

As far as I've been able to suss out, PEM-encoding is just Base64, which
from the examples Yiteng posted (and from my own trials with openssl req)
seems to be used in both PKCS#8 and PKCS#1, and that the only real
difference between the two is the header line, so that both key formats are
"PEM-encoded", just with a different header.  Perhaps I'm wrong about some
part of that, but it's the best I've been able to figure out.

Yep, that's basically it.
PKCS#1 just contains simple RSA public and private keys, while PKCS#8 has more encapsulation methods for keys and certificates.

So the notion in the apache docs that it doesn't read encrypted keys is kinda misleading since even PKCS#8 supports unencrypted keys. The docs should just mention that keys need to be in PKCS#1 format.

The whole thing is messy anyway since I don't even know of an OpenSSL tool which tells you what kind of format you are working with. You just have to know what the PEM header line means.

Erik
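
Added example, not part of the original thread or of the pkg code: a small classifier that reads the PEM header line, as the message above describes, and reports whether a private key block is PKCS#1 or PKCS#8 and whether it is encrypted. The function name and the sample blocks (placeholder bodies, not real keys) are constructed for illustration.

```python
import re

# Standard PEM labels for private keys and the container format each implies.
PEM_KEY_LABELS = {
    "RSA PRIVATE KEY": "PKCS#1, unencrypted",
    "PRIVATE KEY": "PKCS#8, unencrypted",
    "ENCRYPTED PRIVATE KEY": "PKCS#8, encrypted",
}

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")


def classify_pem_keys(text):
    """Return (label, description) for every PEM block found in text."""
    lines = [ln.strip() for ln in text.splitlines()]
    results = []
    for i, line in enumerate(lines):
        m = _BEGIN.match(line)
        if not m:
            continue
        label = m.group(1)
        desc = PEM_KEY_LABELS.get(label, "not a recognised private-key label")
        # A traditional (PKCS#1) key that is encrypted keeps the same label;
        # the only hint is the Proc-Type header right after the BEGIN line.
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if label == "RSA PRIVATE KEY" and nxt.startswith("Proc-Type: 4,ENCRYPTED"):
            desc = "PKCS#1, encrypted"
        results.append((label, desc))
    return results


# Constructed sample input: headers only, bodies are placeholders.
SAMPLE = "\n".join([
    "-----BEGIN RSA PRIVATE KEY-----", "AAAA",
    "-----END RSA PRIVATE KEY-----",
    "-----BEGIN PRIVATE KEY-----", "AAAA",
    "-----END PRIVATE KEY-----",
    "-----BEGIN ENCRYPTED PRIVATE KEY-----", "AAAA",
    "-----END ENCRYPTED PRIVATE KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----", "Proc-Type: 4,ENCRYPTED",
    "DEK-Info: AES-128-CBC,00", "", "AAAA",
    "-----END RSA PRIVATE KEY-----",
])

if __name__ == "__main__":
    for label, desc in classify_pem_keys(SAMPLE):
        print(f"{label:24} -> {desc}")
```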

