Re: makecert: why only test certificates?
From: Martin M (anonymous_at_discussions.microsoft.com)
Date: 06/16/04
Date: Tue, 15 Jun 2004 23:54:33 -0700
Sorry, this is NOT true. You can create certificates
signed with a root certificate using makecert. This
certificate may be an installed one or one which you have
a .pvk and .crt file of.
Only if you use the -r option you get a (self signed) root
certificate.
But this is not the point.
The security of all certificates depends upon the fact
that the number of keys is extremely large so you can't
crack the keys by trying. I wonder why Microsoft states
that the certificates created by makecert are for testing
only. Is the number of keys limited if you use makecert?
Martin M
>-----Original Message-----
>You do not have CA, you are one. You have a somewhat trusted root
>certificate. You still need a program to generate certificates (signed by
>your root certificate), you just wouldn't use makecert (it can only create
>root certificates and it can't be really customized, you can't set all the
>various options such as key usage).
>
>Jerry
>
>"Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
>news:ucQKZRZUEHA.2028@TK2MSFTNGP11.phx.gbl...
>> Well, if you had a CA, you would just use the CA to generate the certs, and
>> you wouldn't need makecert. If you didn't have a CA, you would get one from
>> someone with a CA, and again they wouldn't use makecert.
>>
>> I would define not having a CA as a technical reason and not a legal reason.
>> CA is free with Windows 2000 server. The requirement for CA is not because
>> of Microsoft licensing, but because you need someone somewhere to validate
>> the cert as trusted.
>>
>> With makecert, there is no built-in way to store or securely exchange the
>> secret components of the cert between the host server and the CA while
>> generating it, which theoretically compromises the security of the cert.
>> The CA handles this, certificate expiration, etc. No single utility like
>> makecert can do all these things that are necessary to make a reasonably
>> secure cert.
>>
>>
>> "Martin M" <martin.m14@aon.at> wrote in message
>> news:1c03b01c4518a$4087b9f0$a001280a@phx.gbl...
>>> I wonder why Microsoft states that makecert creates only
>>> test certificates. Is this just for legal reasons (i.e.
>>> because I am not a trusted CA) or is this for technical
>>> reasons?
>>> As I understand a certificate needs a number which is the
>>> product of two very large primes (about 100 digits). It is
>>> most important that the primes are randomly selected: If
>>> the primes are randomly selected, it is (more or less)
>>> impossible to find the primes if only the product (which
>>> is part of the public key) is known.
>>> If makecert would use e.g. a table of only 1000 primes,
>>> this would be more than sufficient for testing, but would
>>> not give any security because everybody could try these
>>> 1000 primes and crack the certificate.
>>
>>
>
>
>.
>
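The hypothetical raised in this thread, a key generator that draws its primes from a table of only 1000 entries, is something a key audit can test for directly. The Python sketch below is an added example, not part of the original messages and not a description of how makecert generates keys; the table, the sample moduli and the function names are constructed for illustration.

```python
from math import gcd, isqrt

def first_primes(count):
    """Return the first `count` primes (sieve of Eratosthenes, grown as needed)."""
    limit = 16
    while True:
        sieve = bytearray([1]) * (limit + 1)
        sieve[0:2] = b"\x00\x00"
        for i in range(2, isqrt(limit) + 1):
            if sieve[i]:
                sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
        primes = [i for i, is_prime in enumerate(sieve) if is_prime]
        if len(primes) >= count:
            return primes[:count]
        limit *= 2

def find_table_factor(modulus, table):
    """Return a table prime dividing `modulus`, or None. Cost: len(table) divisions."""
    for p in table:
        if modulus % p == 0:
            return p
    return None

def shared_factors(moduli):
    """Return (i, j, g) for every pair of moduli with a common factor g > 1."""
    hits = []
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = gcd(moduli[i], moduli[j])
            if g > 1:
                hits.append((i, j, g))
    return hits

# Constructed sample data (not real certificate keys).
TABLE = first_primes(1000)                  # the hypothetical 1000-prime table
WEAK_A = TABLE[998] * TABLE[999]            # both primes drawn from the table
WEAK_B = TABLE[500] * TABLE[999]            # second key reusing one table prime
# Stand-in for a modulus built from large primes outside any small table.
# Mersenne primes are used only to keep the example offline; real keys need random primes.
STRONG = (2**107 - 1) * (2**127 - 1)

if __name__ == "__main__":
    for name, n in (("WEAK_A", WEAK_A), ("WEAK_B", WEAK_B), ("STRONG", STRONG)):
        p = find_table_factor(n, TABLE)
        print(name, "factor from table:", p, "cofactor:", n // p if p else None)
    print("shared factors:", shared_factors([WEAK_A, WEAK_B, STRONG]))
```

The pairwise GCD check also flags keys that reuse a prime even when the table itself is unknown, which is why it is a common audit over a collection of deployed public keys.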