122
edits
Changes
→Possession of Private Key: Add <code> blocks around inline code snippets
* Request revocation using [https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment ACME] and the certificate's private key
** Different [https://letsencrypt.org/docs/client-options/ ACME implementations] have different means to accomplish this. For example:
** <code>certbot revoke --cert-path /PATH/TO/certificate.pem --key-path /PATH/TO/privateKey.pem --reason keyCompromise</code>
* Use one of these scripts/tools:
** [https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html Hanno Böck's script]: https://github.com/hannob/tlshelpers/blob/master/matchcertkey
* Compare a hash of the public key from the private key
** First check the consistency of a private key
*** <code>openssl rsa -in privatekey -check</code>
** Then compare the public key
*** <code>openssl publicKey -in privateKey -pubout -outform pem | sha256sum</code>*** <code>openssl x509 -in certificate.crt -pubkey |openssl publicKey -pubin -pubout -outform pem | sha256sum</code>
* Sign a message with the private key and then verify it with the public key.
** <code>openssl x509 -in certificate.crt -noout -pubkey > publicKey.pem</code>** <code>dd if=/dev/urandom of=random bs=32 count=1</code>** <code>openssl rsautl -sign -pkcs -inkey privateKey -in random -out signed</code>** <code>openssl rsautl -verify -pkcs -pubin -inkey publicKey.pem -in signed -out check</code>** <code>cmp random check</code>** <code>rm random check signed publicKey.pem</code>
*** If cmp produces no output then the signature matches.
