[openssl-users] problem with -aes256 and -outform der in command

Robert Moskowitz rgm at htt-consult.com
Mon Aug 21 16:04:06 UTC 2017



On 08/21/2017 11:52 AM, Salz, Rich wrote:
> ➢ OK.  And why does DER not support encryption
>
> Because it is not defined.  If you want to encrypt keys, you need to use PKCS12 which might be too much for your application.
>
If a device has secure storage, it does not need to encrypt its private 
key.  It all depends on the architecture.

Or they can implement whatever works in their device to protect the keys.

The root CA is not a problem as it is offline except to make new 
intermediate CAs.  In fact for Singapore, I hope to have the root CA be 
a mSD card with Fedora26 for a Cubieboard2.  Pop the card in, and there 
is your root CA.  And a different mSD card for the signing CA!  I can do 
this all offline.  Just put the CSR on a USB drive and insert it in one 
of the Cubie's USB ports and sign away!

I just need to document this all.  That is all.  :)

Bob


