Confirm, administrator
5,526
edits
Changes
continued drafting text
=== Possession of Private Key ===
Currently there is not a standard way to demonstrate possession of the private key. Here are a few ways that CAs may confirm possession of the private key:
* TO DOCompare a hash of the public key from the private key** First check the consistency of a private key*** openssl rsa -in [privatekey] -check** Then compare the public key*** openssl publicKey -in privateKey.key -pubout -outform pem | sha256sum*** openssl x509 -in certificate].crt -pubkey |openssl publicKey -pubin -pubout -outform pem | sha256sum* Sign a message with the private key and then verify it with the public key. ** openssl x509 -in [certificate] -noout -pubkey > pubkey.pem** dd if=/dev/urandom of=rnd bs=32 count=1** openssl rsautl -sign -pkcs -inkey [privatekey] -in rnd -out sig** openssl rsautl -verify -pkcs -pubin -inkey pubkey.pem -in sig -out check** cmp rnd check** rm rnd check sig pubkey.pem*** If cmp produces no output then the signature matches.* Use a well known script/tool** [https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html Hanno Bock's script]: https://github.com/hannob/tlshelpers/blob/master/matchcertkey***
== OCSP ==
