Extract public key and update with cert chain - ssl-certificate

I have a keystore of type JKS.
It has a public and private key pair. The certificate chain is missing from the public key. It is not self-signed. How can I extract the public key alone, add the cert chain, and update the keystore with the chained public key?
I do not have the password for the private key. I have the password for the keystore. I have the intermediate and root certs to be added to the public key chain.
Can anyone suggest how to extract the public key and update it back with the chain in the keystore?

Related

Read Certificate from hsm and bind its private key to it and save in X509Store

I have an nShield HSM; my certificate, private key and public key are stored in it. When I read the certificate from my HSM there isn't a private key in it. I need this certificate to use in "AuthenticateAsServer". Also, the private key is not extractable from the HSM, so what should I do?
Thanks in advance.

Get SSL certificate files from private key

I want to get a crt & a chain file from a private key. The file I have starts with
-----BEGIN RSA PRIVATE KEY-----
& has an extension of .key.
I tried multiple ways to convert it using OpenSSL commands but am not getting it properly.
It is impossible to get the certificate and chain from the private key. While one can get the public key from the private key file, the public key is part of the certificate. In addition to the public key it also contains the subject, expiration, issuer and the issuer's signature - the last two are needed to build and verify the trust chain.
Just having a private key does not provide the certificate associated with that key.
The certificate contains a lot of information that the mere private key does not, including validity dates, subject and signer DNs, SANs and usages, along with the cryptographic signature itself.

Can you generate a private key for an existing certificate?

I was given a certificate from BaltimoreCyberTrustRoot but I wasn't given a key. Would I be able to generate a key for an existing certificate?
Obviously no, you cannot generate a private key out of an existing certificate; otherwise you would be able to impersonate basically any given HTTPS website (how? The certificate is public: you download it, magically create the associated private key, and you then have a validated website for that certificate name...)
Normally generating a certificate works like this:
you generate a public/private key pair, and the public key is used to compute a CSR (Certificate Signing Request), which holds the public key and some metadata
you give the CSR to the CA
the CA gives you back a certificate based on the content of the CSR, signed by their own private key (so that by using the CA certificate - which has the corresponding CA public key - you can validate that this certificate was indeed signed/issued by this specific CA).
So you have the private key.
If you are in a case where the CA or the intermediate generates everything for you (which is bad security-wise: it means they have the private key and hence can impersonate YOU), then you have to ask them to send you both the certificate and the private key!

Use of Public key in the certificate signing request ( CSR )

A public and private key pair will be generated during the creation of the CSR on our server. We will send the CSR and public key to the CA while keeping the private key with us. The CA will validate our public key before signing it with the private key of the CA's root certificate. We have our own CA team to certify the CSR requests. My queries are as follows:
Will the CSR itself include the public key, or do we need to provide the public key separately to the CA?
Will the CSR be signed by our public key before sending it to the CA, or does the CSR hold the public key besides it?
Will the CA sign only over the CSR, or over the combined set of CSR + public key?
Should we install the CA's root and intermediate certs in our trust store on both the client and server side, since we are using our own CA instead of a global CA?
When we are presenting the server certificate to the client, will that cert include the public key of the server?
Should we install the server's public key in the truststore of clients for encryption purposes?
Thanks for the help, in advance.
Will the CSR itself include the public key, or do we need to provide the public key separately to the CA?
The public key is inside the CSR.
Will the CSR be signed by our public key before sending it to the CA, or does the CSR hold the public key besides it?
The CSR is signed by your key. The public key is not enough; the private key is needed for signing.
Will the CA sign only over the CSR, or over the combined set of CSR + public key?
The CA will extract the information from the CSR, including the public key, and sign it. It will not sign the CSR itself.
Should we install the CA's root and intermediate certs in our trust store on both the client and server side, since we are using our own CA instead of a global CA?
Only the root needs to be stored at the client as trust anchor. The intermediate certs should be sent by the server together with the server's certificate inside the SSL handshake.
When we are presenting the server certificate to the client, will that cert include the public key of the server?
Yes, a certificate is the public key plus additional information like the subject (hostname).
Should we install the server's public key in the truststore of clients for encryption purposes?
No. The client will get the certificate during the SSL handshake. You only want to know about the server's certificate or public key before doing the handshake if you use certificate pinning.
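An added walk-through (not from any of the answers above, and not a project's own script) of the key -> CSR -> CA-signed certificate flow described in the answer and in the previous question's three steps, using the openssl CLI; it assumes openssl (1.1 or 3.x) is on PATH, and the CA name and hostname are made up. It checks that the same public key appears in the private key file, the CSR and the issued certificate, and that the certificate chains to the root alone.

```shell
#!/bin/sh
# Added example (not from the original Q&A): key -> CSR -> CA-signed certificate,
# showing where the public key lives at each step and what a client verifies.
# Assumes openssl on PATH; "Demo Root CA" and www.example.test are made-up names.
set -eu
WORK=$(mktemp -d)

# 1. Private CA: key pair plus self-signed root certificate (the trust anchor).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -days 365 -subj "/CN=Demo Root CA" 2>/dev/null

# 2. Server key pair and CSR. The CSR carries the public key and is signed with
#    the private key, which never leaves this host.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=www.example.test" 2>/dev/null

# 3. The CA checks the CSR's self-signature, then issues a certificate: it copies
#    the public key and subject out of the CSR and signs them with the CA key.
openssl req -in "$WORK/server.csr" -noout -verify 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/server.pem" -days 90 2>/dev/null

# The public key as seen from the private key, the CSR and the issued certificate.
pubkey_from_key()  { openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null; }
pubkey_from_csr()  { openssl req -in "$WORK/server.csr" -pubkey -noout 2>/dev/null; }
pubkey_from_cert() { openssl x509 -in "$WORK/server.pem" -pubkey -noout 2>/dev/null; }

# Prints "match" when all three PEM public keys are byte-identical.
keys_match() {
    if [ "$(pubkey_from_key)" = "$(pubkey_from_csr)" ] &&
       [ "$(pubkey_from_csr)" = "$(pubkey_from_cert)" ]; then
        echo match
    else
        echo mismatch
    fi
}

# What a client does: trust only the root, require the server cert to chain to it.
verify_chain() { openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" 2>/dev/null; }

keys_match
verify_chain
```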

Falsify an X509 signature

Suppose we have two X.509 certificates: client and server.
Is it possible to change some fields of the client certificate (CN, for example) and recalculate the signature using the server's public key (which is known) in such a way that the server will accept and successfully verify the client certificate?
In public key cryptography the private key can encrypt and decrypt, the public key encrypt only. So it seems that anyone who knows the public key can recalculate the signature and modify the certificate?
Thanks.
In public key cryptography the private key signs and decrypts and the public key verifies and encrypts. You cannot perform both operations without having both keys.
Although you are right that signing in the case of RSA is essentially encryption with the private key, since you don't possess the private key you cannot re-sign the certificate.
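An added demonstration (not from the answer above) of why the attack in the question fails: the issuer's signature covers the certificate's contents, so changing the CN without the issuer's private key leaves a signature that no longer verifies. It assumes openssl and GNU grep/dd on PATH; the CA name and the subject names "alice"/"admin" are made up.

```shell
#!/bin/sh
# Added example (not from the original Q&A): edit the CN of a CA-signed certificate
# in place and show that verification against the CA's public key then fails.
# Assumes openssl, GNU grep and dd on PATH; names are made up.
set -eu
WORK=$(mktemp -d)

# Issuing CA and a client certificate it signs (same flow a real CA uses, just local).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -days 365 -subj "/CN=Demo Root CA" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/client.key" -out "$WORK/client.csr" \
    -subj "/CN=alice" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/client.pem" -days 90 2>/dev/null

# Verify a certificate against the CA's public key; prints OK or FAIL.
verify_client() {
    if openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Overwrite the CN value "alice" with "admin" directly in the DER bytes. Both are five
# characters, so the ASN.1 structure stays well-formed; only the signed content changes.
# Writes forged.pem and prints its subject.
tamper_cn() {
    openssl x509 -in "$WORK/client.pem" -outform DER -out "$WORK/client.der" 2>/dev/null
    off=$(grep -boa alice "$WORK/client.der" | head -n 1 | cut -d: -f1)
    printf admin | dd of="$WORK/client.der" bs=1 seek="$off" conv=notrunc 2>/dev/null
    openssl x509 -in "$WORK/client.der" -inform DER -out "$WORK/forged.pem" 2>/dev/null
    openssl x509 -in "$WORK/forged.pem" -noout -subject 2>/dev/null
}

echo "original: $(verify_client "$WORK/client.pem")"
tamper_cn
echo "forged:   $(verify_client "$WORK/forged.pem")"
```

The forged certificate still parses and shows CN=admin, but the signature was computed by the CA over CN=alice, so the only way to make it verify again is to have the CA's private key.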