Confirmed users, Administrators
5,526
edits
CA/Revocation Reasons: Difference between revisions
Jump to navigation
Jump to search
continued drafting text
(Incorporating feedback) |
(continued drafting text) |
||
| Line 85: | Line 85: | ||
=== Possession of Private Key === | === Possession of Private Key === | ||
Currently there is not a standard way to demonstrate possession of the private key. Here are a few ways that CAs may confirm possession of the private key: | Currently there is not a standard way to demonstrate possession of the private key. Here are a few ways that CAs may confirm possession of the private key: | ||
* | * Compare a hash of the public key from the private key | ||
** First check the consistency of a private key | |||
*** openssl rsa -in [privatekey] -check | |||
** Then compare the public key | |||
*** openssl publicKey -in privateKey.key -pubout -outform pem | sha256sum | |||
*** openssl x509 -in certificate].crt -pubkey |openssl publicKey -pubin -pubout -outform pem | sha256sum | |||
* Sign a message with the private key and then verify it with the public key. | |||
** openssl x509 -in [certificate] -noout -pubkey > pubkey.pem | |||
** dd if=/dev/urandom of=rnd bs=32 count=1 | |||
** openssl rsautl -sign -pkcs -inkey [privatekey] -in rnd -out sig | |||
** openssl rsautl -verify -pkcs -pubin -inkey pubkey.pem -in sig -out check | |||
** cmp rnd check | |||
** rm rnd check sig pubkey.pem | |||
*** If cmp produces no output then the signature matches. | |||
* Use a well known script/tool | |||
** [https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html Hanno Bock's script]: https://github.com/hannob/tlshelpers/blob/master/matchcertkey | |||
*** | |||
== OCSP == | == OCSP == | ||