Client using curl communicating with Apache server over intranet and internet.
We have a problem where we have built a Windows application which currently uses curl along with external SSL .crt and .key certs (not sure we actually need both?).
This is a self-signed client/server app that is our own, meaning users have no need to have the certs for anything, as only the client/server needs them. Additionally, we will change the certs now and then, which are encrypted and packaged inside one of the executables that is installed as part of the overall package.
The plan is to eventually move everything to libcurl which I think partially solves this problem but that is the point of my question.
The current testing method is that the encrypted certs are extracted from an exe, written to a temp directory (random) so that curl can use them, then the random dir is deleted.
One problem is that if someone really wanted those certs, they could watch files being written to disk, then later undelete the dir/files and gain access to the certs.
Not being sure when we'll move to libcurl, the question is, how else could this be done so that the certs are secured?
Are both .crt and .key needed on the client?
And, when we move to libcurl, what should we keep in mind: best practices, methods, etc.?