[Info-vax] Some of what I'm reading...
John E. Malmberg
wb8tyw at qsl.net_work
Sun May 20 23:57:06 EDT 2018
On 5/20/2018 7:36 PM, Arne Vajhøj wrote:
> On 5/20/2018 8:19 PM, Stephen Hoffman wrote:
>>
>> OpenVMS has no concept of protecting keys and private certificates.
>> It's all tossed over to the user to deal with. Or to not deal with,
>> as the case may be. Apache has its own certificate store, and so does
>> the upstream-deprecated-a-decade-ago CDMA, so does ssh, and so too
>> does OpenVMS, as do some apps. DECnet has its own password storage,
>> as do various apps. Etc. Everybody has implemented their own
>> schemes. Some are better than others.
>
> PKCS#12 is a standard (RFC7292).
>
> And I believe that both OpenSSL and Java can use PKCS#12 stores.

But as Hoff pointed out:

1. No set of OS vendor supplied CA certificates for general use by all
applications.

2. No location for user supplied CA certificates for use by all
applications.

With Linux distros, there is a vendor supplied certificate package, and
that package contains a script that does:

a: Merges the vendor and user defined certificates into a single
directory that OpenSSL and other applications can just reference.

b: Looks for additional scripts that are optionally supplied by
applications that need other formats than the above, for example a Java
keystore, and then updates that keystore.

Private keys are generally restricted to a specific application, so
while there are some conventions, many applications keep them in their
data directories, but suitably protected.

Regards,
-John
wb8tyw at qsl.net_work
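
An added sketch of the merge-and-hooks scheme described in the message above, not part of the original post and not any distribution's actual script. The function name `merge_ca_store`, the directory layout, the bundle name and the hook stdin format are assumptions, and the certificate files are constructed placeholders.

```shell
#!/bin/sh
# Added sketch: all paths, file names and the hook protocol are assumptions.
# Source directories must be absolute so the symlinks resolve.
merge_ca_store() {
    vendor_dir=$1; local_dir=$2; out_dir=$3; hooks_dir=$4
    bundle="$out_dir/ca-bundle.crt"; added=""; count=0
    mkdir -p "$out_dir" || return 1
    # Drop old links first so a certificate removed at the source disappears.
    for old in "$out_dir"/*.pem; do
        if [ -L "$old" ]; then rm -f "$old"; fi
    done
    : > "$bundle.new"
    for src in "$vendor_dir"/*.crt "$local_dir"/*.crt; do
        [ -f "$src" ] || continue
        # Only PEM certificates belong in a trust store; skip anything else.
        grep -q -e '-----BEGIN CERTIFICATE-----' "$src" || continue
        link="$out_dir/$(basename "$src" .crt).pem"
        ln -sf "$src" "$link"
        cat "$src" >> "$bundle.new"
        added="$added+$link
"
        count=$((count + 1))
    done
    # Publish the bundle in one step so readers never see a partial file.
    chmod 644 "$bundle.new" && mv "$bundle.new" "$bundle"
    # Each hook gets the "+path" list on stdin and converts it to its own format.
    for hook in "$hooks_dir"/*; do
        [ -f "$hook" ] && [ -x "$hook" ] || continue
        printf '%s' "$added" | "$hook" >&2 || echo "hook failed: $hook" >&2
    done
    echo "$count"
}

# Demo on constructed input: placeholder bodies, not real certificates.
work=$(mktemp -d)
mkdir -p "$work/vendor" "$work/local" "$work/hooks"
for f in vendor/vendor-root local/site-ca; do
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$work/$f.crt"
done
echo 'not a certificate' > "$work/local/notes.crt"
cat > "$work/hooks/keystore" <<EOF
#!/bin/sh
# Stand-in for a keystore converter: record the list it was given.
cat > "$work/hook-input"
EOF
chmod +x "$work/hooks/keystore"
merge_ca_store "$work/vendor" "$work/local" "$work/merged" "$work/hooks"
```

For OpenSSL's directory lookup the merged directory additionally needs subject-hash links, which `openssl rehash` creates from real certificates.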