SSL client authentication using certificates -- it's a complex topic, and I think I've learned just enough to make it even more complex.
Here is my basic understanding: A public and private key are generated by a certificate authority. This information can be saved within a "certificate" and then used by the client to authenticate.
Why is it possible to have a certificate without a private key? I know that, if exporting a cert from the Windows cert store, you can export it without a private key. How is a cert without a private key used? I always thought you needed both if you were going to transfer that to another PC/device to use.
Can a private key be requested at any time if a public key and CA are already known?