Changes between Version 15 and Version 16 of QuickStart

Timestamp:

05/20/09 17:39:33 (16 months ago)

Author:

DomQ

Comment:

Proof-read the end of the procedure

QuickStart

@@ -199 +199 @@
 }}}
 
-This creates a signed certificate as file `cert.pem`. Remove the final
-"-x509" if you want a certificate signing request only. In that case,
-send the request to the CA, wait till you get it back, signed, and
-proceed as normal.  (Again, all of this occurs without divulging the
-private key.)
+This creates a signed certificate as file `cert.pem` (again, without divulging the private key).  You can verify that it is indeed self-signed (the private key is not required for this): exit OpenSSL and type
+{{{
+$ openssl verify -CAfile cert.pem cert.pem
+cert.pem: OK
+}}}
+
+If instead you remove the "-x509" flag in the `req` OpenSSL command, you get a certificate signing request.  Send it to the CA, wait till you get it back, signed, and
+proceed.
 
 Now we can store the certificate side by side with the key on the
 token, as a piece of public (but read-only) data. It is important to
-save the certificate under the same ID as the key. You can get a list
+save the certificate under the same ID as the key, so that applications wanting to use that certificate on your behalf can find the private key as well. You can get a list
 of all keys and their details (including the ID) with:
 {{{
@@ -223 +226 @@
 }}}
 
-So lets store the key:
-{{{
-$ pkcs15-init --store-certificate req.pem --auth-id 01 --id 45 --format pem 
+So lets store the certificate that we created:
+{{{
+$ pkcs15-init --store-certificate cert.pem --auth-id 01 --id 45 --format pem 
 Security officer PIN required.
 Please enter Security officer PIN: 
@@ -233 +236 @@
 certificate of the CA that signed your key, or some intermediate certificates
 in the chain to the root CA) simply put those into pem files, and add them
-to id 46, 47 and so on. 
+to id 46, 47 and so on.  You don't need the private key for these obviously.
 
 = Now what? =