2

I would like to know whether an x509 certificate's password allows multiple passwords per certificate, or just one?

And if it is possible, in what scenario would it be applied?

Thanks for your time.

Ebikeneser
  • I've never seen an x509 cert with multiple passwords, but it wouldn't be hard to write a wrapper around a _blob_ that could be decrypted with multiple pass phrases, and have as output an x509 certificate... it might be a nice way to give each server admin their own password for TLS-protected web sites, so any one could start the server, but loss of the pass phrase means only that one pass phrase would need to be changed. Not sure it's worth it. What are you thinking of? – sarnold Apr 29 '11 at 08:35
  • Great input @sarnold, just so happens it was for multiple server admins to have their own passwords. The wrapper idea is good, and I may try it for a proof of concept. Perhaps you could give me a little bit more advice on how to get it started? Would be much appreciated. – Ebikeneser Apr 29 '11 at 09:12

2 Answers

2

Because GnuPG is easily available to me, it'd be my tool of choice; each admin would create a public/private key pair and export the public portion:

gpg --gen-key
gpg --export --armor [keyid] > key_file_[admin_name]

Import all the public keys into the keyring of whoever 'owns' the unencrypted x509 cert:

cat key_file_* | gpg --import

Then encrypt the cert with all the keys:

gpg -r keyid1 -r keyid2 -r keyid3 ... -o encrypted_cert -e plaintext_cert

Now encrypted_cert can be decrypted by whoever has one of the private keys and that private key's passphrase:

gpg encrypted_cert

PGP could also do the job, and probably with only slight modifications to the commands here.

Because all this is doing is encrypting a single symmetric key multiple times, once to each public key (and storing the results in a file format prepared to handle multiple copies of the encrypted symmetric key), it would be easy enough to re-implement in whatever language you'd like, if your trial wrappers work well enough.

sarnold
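The multi-slot scheme sketched above (one random content key, wrapped once per recipient, stored in a format that carries several wrapped copies) as a constructed example, not code from the answer or from GnuPG: admin passphrases stand in for the GnuPG public keys, and PBKDF2 plus HMAC-SHA256 from the standard library stand in for AES-GCM so it runs with no extra packages.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

# Constructed example, not code from the answers above: a blob holding one payload
# (e.g. a PEM private key) plus one key slot per admin passphrase. Every slot
# wraps the same random content key, so any admin can open it and a lost passphrase
# means re-wrapping one slot. PBKDF2 + HMAC-SHA256 are standard-library stand-ins;
# a real build would use AES-GCM (or just GnuPG as in the answer).
ITERATIONS = 100_000

def _kdf(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Per-slot 32-byte wrapping key and 32-byte MAC key from one passphrase."""
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream; nonce is fresh per payload."""
    out = bytearray()
    for i in range(0, len(data), 32):
        out += _xor(data[i:i + 32], hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), "sha256").digest())
    return bytes(out)

def seal(payload: bytes, passphrases: list[str]) -> dict:
    """Encrypt the payload once, then wrap the content key under every passphrase."""
    content_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    body = _keystream_xor(content_key, nonce, payload)
    tag = hmac.new(content_key, nonce + body, "sha256").digest()  # encrypt-then-MAC
    slots = []
    for pw in passphrases:
        salt = secrets.token_bytes(16)
        wrap_key, mac_key = _kdf(pw, salt)
        wrapped = _xor(content_key, wrap_key)  # one-time pad with a per-slot key
        slots.append((salt, wrapped, hmac.new(mac_key, salt + wrapped, "sha256").digest()))
    return {"nonce": nonce, "body": body, "tag": tag, "slots": slots}

def open_blob(blob: dict, passphrase: str) -> bytes | None:
    """Try each slot; return the payload if one of them accepts the passphrase."""
    for salt, wrapped, slot_tag in blob["slots"]:
        wrap_key, mac_key = _kdf(passphrase, salt)
        if not hmac.compare_digest(slot_tag, hmac.new(mac_key, salt + wrapped, "sha256").digest()):
            continue  # this slot belongs to a different passphrase
        content_key = _xor(wrapped, wrap_key)
        if not hmac.compare_digest(blob["tag"], hmac.new(content_key, blob["nonce"] + blob["body"], "sha256").digest()):
            return None  # slot matched but the payload was tampered with
        return _keystream_xor(content_key, blob["nonce"], blob["body"])
    return None
```

Revoking one admin means dropping that admin's slot and re-sealing under a fresh content key, since the old key was already visible to them.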
1

It allows just one password, and it is used to secure the private key in the certificate. If you want to access the private key, you must provide the password.

Ladislav Mrnka