PaulDotCom mailing list archives

Re: CA Question


From: Dan Burrowes <danburrowes () gmail com>
Date: Tue, 26 Apr 2011 11:39:29 +0900

> This may be a bit of a silly newb question, but I was wondering if it is possible to transfer a certificate that has
> been signed by a CA (i.e. Thawte, Verisign) to a new device.

If you're talking about SSL, then yes, it is possible.

As long as the domain name (or alternately, the FQDN, depending on
whether or not the cert is a "wildcard cert") that the certificate was
issued to when used on RouterA is the same as the domain name that will
be used for RouterB, then it will work, provided that RouterB has the
private and public keys that RouterA was using.

Certs only say that "this device has cert Y which the CA verifies
belongs to domain Z".  Someone correct me if I'm wrong, but with SSL,
there is no option for hardware hashing or anything to tie the keys to
particular hardware.  The keys can just be transferred to another
device, in which case the cert will again say "this device has cert Y
which the CA verifies belongs to domain Z".  This is the reason why you
can create the keys on a system that is different from the system you
will actually use the cert on.

This is also the reason why if an attacker steals your private keys,
it's "game over" -- she can impersonate you (assuming she also controls
DNS), and the CA will still say "duh...yup, it's valid...nothing to see
here...".

Correct me if I'm wrong (again), but this is one of the things that the
Perspectives[1] project helps protect against.  Multiple servers from
multiple locations frequently check if the cert has changed, or if the
IP the cert was previously found at is the same as the current IP.

--dan

[1] http://www.networknotary.org/
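The reply above makes two points that are easy to see in practice: the cert only binds a hostname to a key pair (so it moves between devices together with the private key), and it is only useful on the new device if that device really has the matching private key and serves the same name. The shell script below is an added example, not code from the original post or from PaulDotCom. It assumes the openssl command-line tool is installed, stands up a throwaway local CA in place of Thawte or Verisign, and uses constructed hostnames and paths ("routerA", "routerB", routera.example.com). It issues a cert to "RouterA", copies cert and key to "RouterB", and then runs the two checks an operator would want after such a move: does the cert's public key belong to the private key on this box, and does the cert verify for the name this box will serve.

```shell
#!/bin/sh
# Added example, not code from the original post or from PaulDotCom.
# Shows that a CA-signed server cert is bound to a hostname and a key pair,
# not to the device it was first installed on. Assumes the openssl CLI is
# installed; every name and path below is constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT_HOST="routera.example.com"        # constructed FQDN the cert is issued to

# Minimal openssl config so "req" runs without relying on a system openssl.cnf.
cat >"$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Throwaway local CA standing in for the commercial CA in the thread.
make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -config "$WORK/req.cnf" -key "$WORK/ca.key" \
    -subj "/CN=Constructed Test CA" -days 1 -out "$WORK/ca.pem" 2>/dev/null
}

# Generate a key pair in directory $1 and get a cert for $CERT_HOST from the CA.
issue_cert() {
  dir=$1
  mkdir -p "$dir"
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -key "$dir/server.key" \
    -subj "/CN=$CERT_HOST" -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$CERT_HOST" >"$dir/ext.cnf"
  openssl x509 -req -in "$dir/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/ext.cnf" -out "$dir/server.pem" 2>/dev/null
}

# Prints "match" if the public key inside cert $1 belongs to private key $2.
# This is the check to run on the new device after copying cert and key over.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ] && echo match || echo mismatch
}

# Prints "valid" if cert $1 chains to the CA and was issued for hostname $2.
cert_valid_for() {
  if openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

make_ca
issue_cert "$WORK/routerA"

# The "transfer": copy both the cert and the private key to the new device.
mkdir -p "$WORK/routerB"
cp "$WORK/routerA/server.pem" "$WORK/routerA/server.key" "$WORK/routerB/"

# A key generated on RouterB itself does not go with RouterA's cert.
openssl genrsa -out "$WORK/routerB/fresh.key" 2048 2>/dev/null

echo "RouterB, transferred key:     $(cert_matches_key "$WORK/routerB/server.pem" "$WORK/routerB/server.key")"
echo "RouterB, freshly made key:    $(cert_matches_key "$WORK/routerB/server.pem" "$WORK/routerB/fresh.key")"
echo "cert for $CERT_HOST:  $(cert_valid_for "$WORK/routerB/server.pem" "$CERT_HOST")"
echo "cert for routerb.example.com: $(cert_valid_for "$WORK/routerB/server.pem" routerb.example.com)"
```

The CA is never consulted during the "transfer": the copied cert verifies on RouterB exactly as it did on RouterA because nothing in it names a device. The same two checks show the failure modes the reply alludes to, a private key that does not match the cert (mismatch) and a cert presented for a different name (invalid). Only the verifying client's view is covered here; detecting an unexpected cert or key change on a name, which is what the Perspectives-style multi-vantage checks in the reply address, needs an observer outside the device.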
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

