(continued drafting text)
Line 85: | Line 85: | ||
=== Possession of Private Key === | === Possession of Private Key === | ||
Currently there is not a standard way to demonstrate possession of a certificate's private key, so here are a few ways that CAs may confirm possession of the private key: | Currently there is not a standard way to demonstrate possession of a certificate's private key, so here are a few ways that CAs may confirm possession of the private key: | ||
* Request revocation using [https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment ACME] and the certificate's private key | |||
** Different [https://letsencrypt.org/docs/client-options/ ACME implementations] have different means to accomplish this. For example: | |||
** certbot revoke --cert-path /PATH/TO/cert.pem --key-path /PATH/TO/privkey.pem --reason keyCompromise | |||
* Use one of these scripts/tools: | |||
** [https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html Hanno Böck's script]: https://github.com/hannob/tlshelpers/blob/master/matchcertkey | |||
** [https://www.sslshopper.com/certificate-key-matcher.html Certificate Key Matcher] | |||
* Compare a hash of the public key from the private key | * Compare a hash of the public key from the private key | ||
** First check the consistency of a private key | ** First check the consistency of a private key | ||
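Review bot: The added ACME bullet (`certbot revoke --cert-path ... --key-path ... --reason keyCompromise`) performs an actual revocation rather than only demonstrating possession, so the list should say that running it revokes the certificate; what makes it a proof of possession is that the ACME server accepts the revocation request only when it is signed with the certificate's private key, and that is worth stating in the bullet. The Certificate Key Matcher bullet links a hosted web form, so pasting a private key there discloses it to a third party; suggest the text point to the local options (Hanno Böck's matchcertkey script or the hash-comparison steps that follow) for any key that is not already public.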
Line 99: | Line 105: | ||
** rm random check signed publicKey.pem | ** rm random check signed publicKey.pem | ||
*** If cmp produces no output then the signature matches. | *** If cmp produces no output then the signature matches. | ||
== OCSP == | == OCSP == |