122
edits
CA/Revocation Reasons: Difference between revisions
→Possession of Private Key: Add <code> blocks around inline code snippets
(continued drafting text) |
(→Possession of Private Key: Add <code> blocks around inline code snippets) |
||
| Line 87: | Line 87: | ||
* Request revocation using [https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment ACME] and the certificate's private key | * Request revocation using [https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment ACME] and the certificate's private key | ||
** Different [https://letsencrypt.org/docs/client-options/ ACME implementations] have different means to accomplish this. For example: | ** Different [https://letsencrypt.org/docs/client-options/ ACME implementations] have different means to accomplish this. For example: | ||
** certbot revoke --cert-path /PATH/TO/certificate.pem --key-path /PATH/TO/privateKey.pem --reason keyCompromise | ** <code>certbot revoke --cert-path /PATH/TO/certificate.pem --key-path /PATH/TO/privateKey.pem --reason keyCompromise</code> | ||
* Use one of these scripts/tools: | * Use one of these scripts/tools: | ||
** [https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html Hanno Böck's script]: https://github.com/hannob/tlshelpers/blob/master/matchcertkey | ** [https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html Hanno Böck's script]: https://github.com/hannob/tlshelpers/blob/master/matchcertkey | ||
| Line 93: | Line 93: | ||
* Compare a hash of the public key from the private key | * Compare a hash of the public key from the private key | ||
** First check the consistency of a private key | ** First check the consistency of a private key | ||
*** openssl rsa -in privatekey -check | *** <code>openssl rsa -in privatekey -check</code> | ||
** Then compare the public key | ** Then compare the public key | ||
*** openssl publicKey -in privateKey -pubout -outform pem | sha256sum | *** <code>openssl publicKey -in privateKey -pubout -outform pem | sha256sum</code> | ||
*** openssl x509 -in certificate.crt -pubkey |openssl publicKey -pubin -pubout -outform pem | sha256sum | *** <code>openssl x509 -in certificate.crt -pubkey |openssl publicKey -pubin -pubout -outform pem | sha256sum</code> | ||
* Sign a message with the private key and then verify it with the public key. | * Sign a message with the private key and then verify it with the public key. | ||
** openssl x509 -in certificate.crt -noout -pubkey > publicKey.pem | ** <code>openssl x509 -in certificate.crt -noout -pubkey > publicKey.pem</code> | ||
** dd if=/dev/urandom of=random bs=32 count=1 | ** <code>dd if=/dev/urandom of=random bs=32 count=1</code> | ||
** openssl rsautl -sign -pkcs -inkey privateKey -in random -out signed | ** <code>openssl rsautl -sign -pkcs -inkey privateKey -in random -out signed</code> | ||
** openssl rsautl -verify -pkcs -pubin -inkey publicKey.pem -in signed -out check | ** <code>openssl rsautl -verify -pkcs -pubin -inkey publicKey.pem -in signed -out check</code> | ||
** cmp random check | ** <code>cmp random check</code> | ||
** rm random check signed publicKey.pem | ** <code>rm random check signed publicKey.pem</code> | ||
*** If cmp produces no output then the signature matches. | *** If cmp produces no output then the signature matches. | ||