[thelist] Certificate Theft ramifications

Keith cache at dowebscentral.com
Wed Mar 6 09:56:01 CST 2002


> If someone was able to steal an ecommerce website's certificate
> request (certreq.txt) and certificate (cert.txt), what sort of things
> could potentially be exploited?
>

Hi joshua

Without the certificate key I think both are worthless files containing
gibberish. The key file is required for using the certificate, and the
key cannot be reconstructed from either the cert or the request.
Been down that road recently when we lost a key. Had to generate
a new key/request pair and have a new cert issued to match. That's
why Cert Authorities like Verisign and GeoTrust think nothing of
shipping them in emails instead of making the owner receive them
through a secure server.

keith
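
The point made in the reply above, as an added example that is not part of the original post: a certificate request and a certificate carry only the public key, and a replacement key does not fit a certificate issued for the lost one. It assumes the `openssl` command-line tool is installed; the key file names, the subject `shop.example` and the self-signing step that stands in for the CA are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed throwaway key, request and certificate.
# certreq.txt / cert.txt follow the question; key.pem is an assumed name.
WORK=$(mktemp -d)

make_pair() {   # $1 = key file to create, $2 = request file to create
    openssl genrsa -out "$1" 2048 2>/dev/null
    openssl req -new -key "$1" -subj "/CN=shop.example" -out "$2" 2>/dev/null
}

# Public key carried by each artifact, printed as PEM SubjectPublicKeyInfo
pub_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pub_of_req()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Succeeds only if key file $1 is the private half of certificate $2's key
key_matches_cert() {
    [ -n "$(pub_of_key "$1")" ] && [ "$(pub_of_key "$1")" = "$(pub_of_cert "$2")" ]
}

# Succeeds if the file holds no PEM private key block
has_no_private_key() { ! grep -q "PRIVATE KEY" "$1"; }

make_pair "$WORK/key.pem" "$WORK/certreq.txt"
# Self-signing stands in for the CA issuing cert.txt from the request
openssl x509 -req -in "$WORK/certreq.txt" -signkey "$WORK/key.pem" \
    -days 1 -out "$WORK/cert.txt" 2>/dev/null

# A replacement key/request pair, as generated after the original key is lost
make_pair "$WORK/new-key.pem" "$WORK/new-certreq.txt"

has_no_private_key "$WORK/certreq.txt" && echo "certreq.txt: public material only"
has_no_private_key "$WORK/cert.txt" && echo "cert.txt: public material only"
key_matches_cert "$WORK/key.pem" "$WORK/cert.txt" \
    && echo "original key: matches cert.txt"
key_matches_cert "$WORK/new-key.pem" "$WORK/cert.txt" \
    || echo "new key: does not match cert.txt, a new cert must be issued"
```

The same `key_matches_cert` comparison is a useful check before installing a renewed certificate on a server.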
