PaulDotCom mailing list archives
Re: CA Question
From: Dan Burrowes <danburrowes () gmail com>
Date: Tue, 26 Apr 2011 11:39:29 +0900
This may be a bit of a silly newb question, but I was wondering if it is possible to transfer a certificate that has been signed by a CA (i.e. Thawte, Verisign) to a new device.
> This may be a bit of a silly newb question, but I was wondering if it is possible to transfer a certificate that has been signed by a CA (i.e. Thawte, Verisign) to a new device.

If you're talking about SSL, then yes, it is possible. As long as the domain name (or alternately, the FQDN, depending on whether or not the cert is a "wildcard cert") that the certificate was issued to when used on RouterA is the same as the domain name that will be used for RouterB, then it will work, provided that RouterB has the private and public keys that RouterA was using.

Certs only say that "this device has cert Y which the CA verifies belongs to domain Z". Someone correct me if I'm wrong, but with SSL, there is no option for hardware hashing or anything to tie the keys to particular hardware. The keys can just be transferred to another device, in which case the cert will again say "this device has cert Y which the CA verifies belongs to domain Z". This is the reason why you can create the keys on a system that is different from the system you will actually use the cert on.

This is also the reason why, if an attacker steals your private keys, it's "game over" -- she can impersonate you (assuming she also controls DNS), and the CA will still say "duh...yup, it's valid...nothing to see here...".

Correct me if I'm wrong (again), but this is one of the things that the Perspectives [1] project helps protect against. Multiple servers from multiple locations frequently check if the cert has changed, or if the IP the cert was previously found at is the same as the current IP.

--dan

[1] http://www.networknotary.org/
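The move Dan describes (copy the key pair plus the CA-signed cert to RouterB) goes wrong most often when the wrong private key travels with the cert, so the one check worth doing before the transfer is that the key's public half really is the public key embedded in the certificate. The script below is an added example, not from the original thread or from any poster; it assumes OpenSSL is installed, and the hostname routera.example.com, the file names and the password are made up for illustration. Because a real CA-signed cert cannot be minted offline, it stands one in with a self-signed cert; the key-to-cert check and the PKCS#12 export are identical for a Thawte- or Verisign-issued cert.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post).
# Verifies that a private key belongs to a certificate, shows the name(s) the
# cert is bound to, and bundles key + cert into a PKCS#12 file for import on the
# new device. Assumes the openssl CLI is available. The hostname
# routera.example.com and all file names/passwords are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for RouterA's CA-signed pair: a short-lived self-signed
# cert for routera.example.com. A real CA-issued cert is handled the same way.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=routera.example.com" \
        -keyout "$WORK/routera.key" -out "$WORK/routera.crt" >/dev/null 2>&1
}

# Constructed unrelated key, to show the mismatch case.
make_other_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/other.key" >/dev/null 2>&1
}

# Return 0 only if the public key derived from $1 (private key) is byte-for-byte
# the public key inside $2 (certificate). Comparing the DER-encoded
# SubjectPublicKeyInfo rather than just an RSA modulus also works for EC keys.
key_matches_cert() {
    key="$1"; cert="$2"
    k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl base64 -A)
    c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl base64 -A)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the subject and any DNS SANs, so you can confirm they match the name
# RouterB will answer to (the cert binds a name, not a device).
cert_names() {
    openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text | grep -E '^[[:space:]]*DNS:' || true
}

# Bundle key + cert into a password-protected PKCS#12 file, the format most
# appliances import. Transfer this file over a trusted channel and wipe it after.
bundle_for_transfer() {
    key="$1"; cert="$2"; out="$3"; pass="$4"
    openssl pkcs12 -export -inkey "$key" -in "$cert" -out "$out" -passout "pass:$pass"
}

# Dump the certificate(s) inside a bundle without exporting the key.
bundle_contents() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null
}

main() {
    make_test_cert
    if key_matches_cert "$WORK/routera.key" "$WORK/routera.crt"; then
        echo "key and cert match; names on the cert:"
        cert_names "$WORK/routera.crt"
        bundle_for_transfer "$WORK/routera.key" "$WORK/routera.crt" "$WORK/routerb.p12" changeit
        echo "bundle for RouterB written to $WORK/routerb.p12"
    else
        echo "private key does not match the certificate; do not transfer" >&2
        return 1
    fi
}
main
```

Run it as-is to see the happy path; point key_matches_cert at a different .key to see it refuse. Note the example only checks that the pair is consistent and that the cert names the right host; it says nothing about trust in the cert chain, which is exactly the point of the reply above: the CA binds the key to a name, so whoever holds the private key, on whatever device, is that name.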
Current thread:
- CA Question Gibson, Samuel (Apr 25)
- Re: CA Question Bob Hewitt (Apr 25)
- Re: CA Question James Costello (Apr 25)
- Re: CA Question Michael Dickey (Apr 25)
- Re: CA Question Craig Freyman (Apr 25)
- Re: CA Question Mike Patterson (Apr 25)
- Re: CA Question Josh More (Apr 25)
- Re: CA Question Dan Burrowes (Apr 25)
- Re: CA Question Butturini, Russell (Apr 26)
- Re: CA Question Gibson, Samuel (Apr 26)
- Re: CA Question Butturini, Russell (Apr 26)