Changes


CA/Revocation Reasons

385 bytes added, 00:23, 15 April 2022
continued drafting text
=== Possession of Private Key ===
There is currently no standard way to demonstrate possession of a certificate's private key, so here are a few ways that CAs may confirm possession of the private key:
* Request revocation using [https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment ACME] and the certificate's private key
** Different [https://letsencrypt.org/docs/client-options/ ACME implementations] have different means to accomplish this. For example, with certbot:
*** <code>certbot revoke --cert-path /PATH/TO/cert.pem --key-path /PATH/TO/privkey.pem --reason keyCompromise</code>
* Use one of these scripts/tools:
** [https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html Hanno Böck's script]: https://github.com/hannob/tlshelpers/blob/master/matchcertkey
** [https://www.sslshopper.com/certificate-key-matcher.html Certificate Key Matcher]
* Compare a hash of the public key derived from the private key with a hash of the public key in the certificate
** First check the consistency of a private key
** rm random check signed publicKey.pem
*** If cmp produces no output then the signature matches.
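One way to carry out the check-then-sign procedure outlined above with the openssl command line, as an added example that is not the wiki page's own command sequence. It assumes RSA keys, verifies the signature with <code>openssl dgst -verify</code> rather than <code>cmp</code>, and the function name <code>proves_possession</code>, the file names and the certificate subject are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the wiki page). Assumes RSA keys and the openssl CLI.
# proves_possession CERT KEY -> exit status 0 only if KEY is a consistent RSA
# key AND a fresh challenge signed with KEY verifies under CERT's public key.
proves_possession() {
    cert=$1; key=$2
    work=$(mktemp -d) || return 2
    status=1
    # 1. Consistency check; match the "RSA key ok" text instead of relying
    #    on the exit status alone.
    # 2. Fresh random challenge, so an old signature cannot be replayed.
    # 3. Sign the challenge with the private key under test.
    # 4. Verify with the public key taken from the certificate, never with
    #    anything derived from the submitted key file.
    if openssl rsa -in "$key" -check -noout 2>/dev/null | grep -q 'RSA key ok' &&
       openssl rand -out "$work/random" 32 &&
       openssl dgst -sha256 -sign "$key" -out "$work/signed" "$work/random" &&
       openssl x509 -in "$cert" -pubkey -noout >"$work/publicKey.pem" &&
       openssl dgst -sha256 -verify "$work/publicKey.pem" \
               -signature "$work/signed" "$work/random" >/dev/null 2>&1
    then
        status=0
    fi
    rm -rf "$work"
    return "$status"
}

# Constructed sample input: a throwaway certificate and two unrelated keys.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
openssl genrsa -out "$demo/holder.key" 2048 2>/dev/null
openssl genrsa -out "$demo/other.key" 2048 2>/dev/null
openssl req -x509 -new -key "$demo/holder.key" -subj "/CN=constructed.example" \
    -days 1 -out "$demo/cert.pem" 2>/dev/null

for k in holder other; do
    if proves_possession "$demo/cert.pem" "$demo/$k.key"; then
        echo "$k.key: possession demonstrated"
    else
        echo "$k.key: does NOT match the certificate"
    fi
done
```

Because the challenge is verified against the certificate's own public key, a key file that merely embeds the right public values but cannot produce a valid signature is rejected.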
== OCSP ==