[thelist] Certificate Theft ramifications

Judah McAuley judah at wiredotter.com
Tue Mar 5 18:11:01 CST 2002


Likely, nothing.  Neither the cert request nor the certificate contains
the private key used to generate the request.  The only time the private
key would be included is if you installed the certificate and then backed
it up in a PFX file format.  This is the format you would use if you
needed to move the key to a new machine, for instance.

Under this example, I'm assuming that when you say certificate
(cert.txt) that you are referring to the block of ASCII sent back to you
by Verisign/Thawte in response to your cert request.  After you have
installed this certificate, it gets matched up with your private key
used to create the cert request.  At that point both the cert request
and the cert response (provided by Verisign/Thawte) are unneeded and can
be tossed.  Just remember to back up the installed key in a portable
format (like PFX) and make sure to note any password that was used to
secure it.

Judah

> -----Original Message-----
> From: thelist-admin at lists.evolt.org
> [mailto:thelist-admin at lists.evolt.org]On Behalf Of Joshua Olson
> Sent: Tuesday, March 05, 2002 4:55 PM
> To: thelist at lists.evolt.org
> Subject: [thelist] Certificate Theft ramifications
>
>
> If someone was able to steal an ecommerce website's certificate request
> (certreq.txt) and certificate (cert.txt), what sort of things could
> potentially be exploited?
>
> Thanks in advance,
>
> -joshua
>
>
>
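
Added example, not part of the original thread: a small Python check that sorts files by whether their disclosure would expose a private key, matching the distinction drawn in the reply (request and certificate are public-only, a PFX backup carries the key). The file names `bundle.pem` and `backup.pfx` and all sample contents are constructed for illustration, and the PFX test is a header heuristic, not a full PKCS#12 parser.

```python
import re

# PEM labels that mean private key material is present in the file.
PRIVATE_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                  "ENCRYPTED PRIVATE KEY"}
PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

def looks_like_pfx(data: bytes) -> bool:
    """Heuristic: PKCS#12 is a DER SEQUENCE whose first field is INTEGER 3.
    Certificates and requests start with a nested SEQUENCE instead, and
    PKCS#1/PKCS#8 private keys start with INTEGER 0."""
    if len(data) < 5 or data[0] != 0x30:
        return False
    first = data[1]
    # Short-form length is one byte; long form is 1 + (first & 0x7F) bytes.
    offset = 2 if first < 0x80 else 2 + (first & 0x7F)
    return data[offset:offset + 3] == b"\x02\x01\x03"

def classify(data: bytes) -> dict:
    labels = [m.decode("ascii") for m in PEM_BEGIN.findall(data)]
    pfx = not labels and looks_like_pfx(data)
    # A PFX is counted as exposing the key: it is the format used to carry it,
    # protected only by the export password.
    private = pfx or any(label in PRIVATE_LABELS for label in labels)
    return {"labels": labels, "pfx": pfx, "private_key_exposed": private}

def audit(files: dict) -> list:
    """Names of the files whose disclosure would expose a private key."""
    return sorted(n for n, d in files.items() if classify(d)["private_key_exposed"])

# Constructed sample contents: the PEM bodies are placeholders, not real DER.
BODY = b"Q09OU1RSVUNURUQ=\n"
SAMPLES = {
    "certreq.txt": b"-----BEGIN NEW CERTIFICATE REQUEST-----\n" + BODY
                   + b"-----END NEW CERTIFICATE REQUEST-----\n",
    "cert.txt": b"-----BEGIN CERTIFICATE-----\n" + BODY
                + b"-----END CERTIFICATE-----\n",
    # Hypothetical file: certificate and key concatenated in one PEM file.
    "bundle.pem": b"-----BEGIN CERTIFICATE-----\n" + BODY
                  + b"-----END CERTIFICATE-----\n"
                  + b"-----BEGIN RSA PRIVATE KEY-----\n" + BODY
                  + b"-----END RSA PRIVATE KEY-----\n",
    # Hypothetical PFX backup: only the leading DER header bytes are modelled.
    "backup.pfx": b"\x30\x82\x09\x00\x02\x01\x03\x30\x82" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify(data))
```

Of the four constructed samples, only `backup.pfx` and `bundle.pem` are flagged; `certreq.txt` and `cert.txt` carry the public key alone.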





