Message to the EDITOR!
Authored by: Syncopator1 on Jan 24, '03 11:26:19AM

The original posting in this thread says:

> This is fairly straightforward.
> Get a hold of the certificate you want to add in either PEM or DER format.

Straightforward? Exactly how does one "get a hold" of such a certificate? And what are "PEM" and "DER" formats?

It would be *greatly* appreciated if, in your editor's notes, you could elaborate on items like this. (My frustration is with the original poster, not with you. It's infuriating that these guys assume that readers will know what that terminology means.)

Not everyone who reads this site is a programmer. Some of us are Power Users in the more traditional sense -- willing to dig into these nooks and crannies, but not necessarily trained nor experienced enough to know all of the cryptic jargon. PLEASE either discourage these presumptuous messages or at least be sure to clarify them with your comments. Thank you. :-)

My response...
Authored by: robg on Jan 24, '03 12:50:40PM

Here's a slightly trimmed summary (edited just to correct references to this thread) response I just emailed back...

The problem is that, despite my best efforts, I simply can't know everything about every topic. I am also not a programmer. I also can't assume a level of knowledge of the typical user -- sure, maybe I should have dug into this one a bit, but then where do I draw the line at stuff that needs further clarification? Drag and drop? Pasting icons? Explaining "cd"? But that's the beauty of the Geeklog system -- if you don't understand something, you can post a comment requesting clarification -- that's why the comment system is in place, to let everyone with differing abilities interact.

I'd love to be able to spend the time to completely edit, correct, clarify, expand, and explain every hint, but the reality is that that's just not possible if I actually want to get hints online, hold onto my day job, and spend time with the family. So I've chosen to use a system that lets the readers help clarify, correct, and expand on posted hints ...

Relative to this post in particular, I have no idea what these things are, where to look for them, or how to get them. But I also have no interest in the topic, so when I read it on the site (and I do read the site after posting the hints), I just skip it ... but if you do have interest, please, by all means, either use the author's email link (click on their name then click on Send Email) to send them questions in private, or just post your question as a comment. More than likely, someone that does know will respond and you'll have the answer you seek.


Message to the EDITOR!
Authored by: VEGx on Jan 24, '03 01:17:12PM

So can anyone explain it?

Authored by: Bottacco on Jan 27, '03 07:37:03AM

Rob, I know you are a very busy man, but the other guys reading this article could have looked it up. I didn't know anything about all these terms before reading this article, but it has taken me less than a minute to find the answer and I am not a native English speaker. The Internet is great... if you use it. So, come on guys, fire up those browsers and make those search engines crunch some databases.

Ok, here is a straightforward explanation for PEM, DER and other formats:

Certificate And Key Formats

PEM - Can contain all of private keys (RSA and DSA), public keys (RSA and DSA) and (x509) certificates. It is the default format for OpenSSL. It stores data in Base64-encoded DER format, surrounded by ASCII headers, so it is suitable for text mode transfers between systems.

DER - Can contain all of private keys, public keys and certificates. It is stored according to the ASN.1 DER format. It is headerless - PEM is text header wrapped DER. It is the default format for most browsers.

PKCS#12 - Also known as PFX files. Can contain all of private keys, public keys and certificates. It is stored in a binary format. See <> for more information on the format, and its support in OpenSSL


I hope this helps.


Authored by: below on Jan 27, '03 08:14:00AM

Hopefully this evening I will post a step-by-step guide of importing a self-made certificate. Right now it does not seem to work with my own, but I am working on it.

Hang on!


Message to the EDITOR!
Authored by: Cormacolinde on Jan 28, '03 03:51:53PM

This is the kind of hint that targets some people with a specific need. If you don't know what a private certificate is, then you don't need to understand the hint. People targeted by this actually KNOW what that is and will understand the hint.

The point is that you have no reason to actually want a private certificate, or you would have one to use and know about it.

It's like someone without a car who sees an ad for tires and doesn't understand the tire size information. If he asks which tire size he needs, you'll simply tell him that it doesn't matter, because he doesn't have a car.

Same thing here, it doesn't matter that you don't understand what importing certs is about, because you don't have one to import.

Message to the EDITOR!
Authored by: lsloan on Jan 30, '03 10:25:20AM

Okay, so you're trying to say that if a reader doesn't understand a hint, they probably don't need to use that hint, right? I respectfully disagree.

There are good reasons why somebody who is basically clueless about self-signed certificates, PEM, and DER formats would want or need to add certificates to their keychain. For example, where I work, secure websites that are under development use self-signed certificates created locally. When we invite users to test these websites, we don't know which OS or web browser they will be using. Until a few people pointed out how to do this, people who used Safari couldn't test those websites.

I don't fault either the original poster of this hint or the editor for not knowing how much detail should have been given. However, I do think that the first person to respond to the hint should have remained calm and politely asked for more information.

Message to the EDITOR!
Authored by: professor on Apr 05, '03 11:38:06AM

If you are going to start adding CA Certs to your keychain, then you must have received instructions as to where to download the (PEM or DER formatted) Certificate, and you bloody well should know how to check the MD5 fingerprint of the Certificate, etc.

If you don't know what the words in the above paragraph mean (or, at least, if you have not received explicit, detailed step-by-step instructions), then you shouldn't be adding CA Certs to your keychain.

It takes only a minute or two to do a Google search to find out what all of the above means. This is not an undue burden on the reader(s) of this hint.

[ Reply to This | # ]
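Added example (not part of any poster's comment or of the original hint): a Python sketch of the PEM and DER descriptions given earlier in the thread, and of the fingerprint check mentioned in the comment above, showing that a fingerprint is taken over the DER bytes and is therefore the same for either file format. The sample bytes are constructed and are not a real certificate; the function names are this example's own, and the SHA-256 line is included only for comparison with the MD5 value the comment names.

```python
import base64
import hashlib
import re

# Constructed sample: a tiny DER SEQUENCE { INTEGER 1, INTEGER 2 }, NOT a real
# certificate. A real certificate's DER bytes are armored in the same way.
SAMPLE_DER = bytes.fromhex("3006020101020102")

# PEM armor: BEGIN/END header lines with matching labels around Base64 text.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap DER bytes in PEM armor: Base64 in 64-column lines between headers."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN " + label.encode() + b"-----\n"
            + b"\n".join(lines)
            + b"\n-----END " + label.encode() + b"-----\n")


def load_der(data: bytes) -> bytes:
    """Return raw DER from file contents that are either PEM or DER."""
    match = PEM_RE.search(data)
    if match:
        # Drop line breaks, then decode strictly so stray characters are rejected.
        body = b"".join(match.group(2).split())
        return base64.b64decode(body, validate=True)
    if data[:1] == b"\x30":  # a DER certificate starts with a SEQUENCE tag
        return data
    raise ValueError("neither PEM armor nor a DER SEQUENCE")


def fingerprint(data: bytes, algorithm: str = "md5") -> str:
    """Colon-separated hex digest computed over the DER encoding."""
    digest = hashlib.new(algorithm, load_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(pem.decode())
    print("MD5 (PEM file):", fingerprint(pem))
    print("MD5 (DER file):", fingerprint(SAMPLE_DER))
    print("SHA-256       :", fingerprint(SAMPLE_DER, "sha256"))
```

To check a downloaded file, pass its bytes (read in binary mode) to `fingerprint` and compare the result with the value published by whoever issued the certificate.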
Message to the EDITOR!
Authored by: mikemcc on Jul 14, '03 04:29:12PM

As a developer and administrator of internal applications, I am too cheap to spring for a Verisign or Thawte certificate. I therefore assume the responsibility of establishing the trust relationship that the certificate implies.

I use a self-signed CA to sign the certs which protect many of the internal applications at my company. Working with the Windows administrators, it was relatively easy to push out the CA certificate to Windows desktops, which are now completely happy with internal SSL enabled apps.

Hopefully my soon-to-be-purchased OS X server will permit similar remote administration gains for the Mac users at my company. Until then, I will perform this certification manually, on an as-needed basis, using local admin accounts on the target hosts.

It would be a complete waste of time to explain the inner workings of public key cryptography to the information architects, designers, and production artists who use Mac OS X to access secure intranet sites at my company. The information imparted would not help them to do their primary jobs, the jargon-filled conversation would annoy them, and I would still need to perform the commands myself, just so that I could test and verify correct behavior. It will be quicker, less painful, and more professional for me to handle that issue myself.
