Distributing a private key
Posted on 2014-02-19
I've been given a task I am not very knowledgeable about and hope you can provide some insight.
User's OS: Windows (Win7 & Win8; both 32 and 64 bit)
I have an application (VB6) that runs locally on users' systems. There are approximately 30 users on different systems in different locations. The distribution of the app is highly controlled and protected.
The app sends XML strings directly to a Receiver's site using HTTPS.post.
The task is to embed a signature in the HTTPS header so the Receiver can verify the message came from our company (any one of the 30 users). The Receiver is not interested in using Public/Private keys and our transmission to them does not go through a server at any point.
Using makecert, I've created a local X509 certificate with a private key and have completed the work to generate the SHA1 hash to create the signature.
Here is where I am stuck - because I am very new to certificates, I don't understand how to get that private key to the app users.
My thought was to distribute the .cer file with the app setup (the code looks for the certificate in a specific directory) - then also snail mail the .cer to the Receiver.
Will this work?
Doesn't the private key have to be the same on all systems (for the signature to be the same)?
Am I way off base?
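The flow the post describes (sign the message with the company's private key inside the app, send the signature in a request header, let the Receiver check it with the certificate) can be exercised end to end in a few lines. The example below is added here and is not the poster's VB6 code; it is written in Go because the standard library covers key generation, X.509 and RSA signing without third-party packages. It uses SHA-256 rather than the SHA1 mentioned in the post, since SHA-1 is no longer acceptable for signatures. The `Signer` type, the subject name and the XML body are constructed for the example. Its point is the one the poster is asking about: the `.cer` file contains only the public key, so it is the right thing to hand to the Receiver, while the private key (which the example generates in memory but a real deployment would load from a protected file) is what every signing installation needs and what must not leak.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Signer is a hypothetical holder of the company-wide private key. Every
// installed copy of the app would load the same key from a protected file.
type Signer struct {
	key *rsa.PrivateKey
}

// NewSigner generates a fresh RSA key for the example. In deployment the
// key would be loaded from disk, not generated per installation.
func NewSigner() (*Signer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Signer{key: key}, nil
}

// CertificatePEM returns a self-signed certificate in PEM form, the ".cer"
// that can be mailed to the Receiver. It carries only the public key.
func (s *Signer) CertificatePEM() ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-company-app"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &s.key.PublicKey, s.key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// SignHeader hashes the XML body, signs the digest with the private key and
// returns the base64 value the app would put in its HTTPS request header.
func (s *Signer) SignHeader(body []byte) (string, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyHeader is the Receiver's side. It needs only the certificate PEM:
// it recomputes the digest of the body it received and checks the signature
// against the public key inside the certificate.
func VerifyHeader(certPEM, body []byte, header string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("no certificate found in PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("certificate does not hold an RSA key")
	}
	sig, err := base64.StdEncoding.DecodeString(header)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(body)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	signer, err := NewSigner()
	if err != nil {
		panic(err)
	}
	certPEM, _ := signer.CertificatePEM()
	body := []byte("<order><id>42</id></order>") // constructed XML payload
	header, _ := signer.SignHeader(body)
	fmt.Println("X-Signature:", header)
	fmt.Println("verify with mailed .cer:", VerifyHeader(certPEM, body, header))
	fmt.Println("verify tampered body:  ", VerifyHeader(certPEM, []byte("<order><id>43</id></order>"), header))
}
```

Two things the run makes visible: a certificate made from a different key rejects the signature, so yes, all 30 installations must sign with the same private key (or the Receiver must hold a certificate for each), and the PEM that goes in the mail contains no `PRIVATE KEY` block, so the sensitive file is the one shipped with the app, not the one sent to the Receiver.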