Read Certificate from hsm and bind its private key to it and save in X509Store - ssl-certificate

I have an nShield HSM; my certificate, private key and public key are stored in it. When I read the certificate from my HSM there isn't a private key in it. I need this certificate to use in "AuthenticateAsServer". Also, the private key is not extractable from the HSM, so what should I do?
Thanks in advance

Related

CSR, SSL certificate, and private key

I created a CSR using my key pair, and I believe that the CSR will only include my public key. I sent the CSR to the CA, and I got a certificate from the CA.
When I look at the certificate, I can see that it has a serial number and some identity information.
Let's say I create a JWS (JSON Web Signature) of this serial number and identity information with my private key, and send it to the CA.
How do they decrypt (or validate) it? (Because I don't believe that they have my private key.)
Oh, I see. When I send a JWS with my private key, I don't use that key for encryption. I use my private key to sign the message.
Then the CA will know that I signed it with my private key, because they have the public key. And the serial number is not actually encrypted in the JWS but signed by me.
The contents of a JWS token are Base64 encoded and not encrypted (remember, encoding is different from encryption!).

Get SSL certificate files from private key

I want to get a .crt and a chain file from a private key. The file I have starts with
-----BEGIN RSA PRIVATE KEY-----
and has a .key extension.
I tried multiple ways to convert it using OpenSSL commands but am not getting it properly.
It is impossible to get the certificate and chain from the private key. While one can get the public key from the private key file, the public key is only part of the certificate. In addition to the public key it also contains the subject, expiration, issuer and the issuer's signature, the last two being needed to build and verify the trust chain.
Just having a private key does not provide the certificate associated with that key.
The certificate contains a lot of information that the mere private key does not, including validity dates, subject and signer DNs, SANs, usages, along with the cryptographic signature itself.

Can you generate a private key for an existing certificate?

I was given a certificate from BaltimoreCyberTrustRoot but I wasn't given a key. Would I be able to generate a key for an existing certificate?
Obviously no, you cannot generate a private key out of an existing certificate; otherwise you would be able to impersonate basically any given HTTPS website. (How? The certificate is public: you download it, magically create the associated private key, and you then have a validated website for that certificate name...)
Normally, generating a certificate works like this:
you generate a public/private key pair, and the public key is used to compute a CSR, or Certificate Signing Request, which has the public key and some metadata;
you give the CSR to the CA;
the CA gives you back a certificate based on the content of the CSR, signed by their own private key (so that by using the CA certificate, which has the corresponding CA public key, you can validate that this generated certificate was indeed signed/issued by this specific CA).
So you have the private key.
If you are in a case where the CA or the intermediate generates everything for you (which is bad security-wise: it means they have the private key and hence can impersonate YOU), then you have to ask them to send you both the certificate and the private key!

Falsify X509 signature

Suppose we have two X.509 certificates: client and server.
Is it possible to change some fields of the client certificate (CN, for example) and recalculate the signature using the server's public key (which is known) in such a way that the server will accept and successfully verify the client certificate?
In public key cryptography the private key can encrypt and decrypt, and the public key can only encrypt. So it seems that anyone who knows the public key can recalculate the signature and modify the certificate?
Thanks.
In public key cryptography the private key signs and decrypts, and the public key verifies and encrypts. You cannot perform both operations without having both keys.
Although you are right that signing in the case of RSA is essentially encryption with the private key, since you don't possess the private key you cannot re-sign the certificate.
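The issuance flow from the "Can you generate a private key for an existing certificate?" answer above and the re-signing attempt asked about in this thread, as one added example that is not part of either post. The CA, the subject names and the validity periods are constructed, and the openssl command-line tool is assumed to be installed. It issues a leaf from a CSR, checks that the CSR carries only the subscriber's public key, then overwrites the CN bytes inside the leaf's DER (a same-length replacement, so the structure still parses) and shows two things: verification against the CA now fails, and OpenSSL cannot produce a replacement signature from the CA's public key.

```shell
#!/bin/sh
# Added example (not from either thread): CSR -> CA-signed leaf, then an
# attempt to alter the leaf's CN and "re-sign" it with only public keys.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
CN_LEAF=leaf.example.test   # constructed subject name
CN_EVIL=evil.example.test   # same length, so the DER lengths stay valid

q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status

issue_chain() {
  # 1. CA: key pair + self-signed certificate (what relying parties trust)
  q openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Example Test CA" -keyout ca.key -out ca.crt
  # 2. subscriber: key pair, then a CSR carrying only the PUBLIC key + metadata
  q openssl req -newkey rsa:2048 -nodes -subj "/CN=$CN_LEAF" \
      -keyout leaf.key -out leaf.csr
  # 3. the CA signs the CSR with ITS private key; leaf.key never leaves us
  q openssl x509 -req -in leaf.csr -days 30 -CA ca.crt -CAkey ca.key \
      -CAcreateserial -out leaf.crt
  openssl x509 -in ca.crt -noout -pubkey > ca.pub
}

# The CSR's public key is exactly the subscriber's public key; no private material inside.
csr_matches_key() {
  [ "$(openssl req -in leaf.csr -noout -pubkey)" = "$(openssl pkey -in leaf.key -pubout)" ]
}

# verify_leaf CERT.pem -> exit status of chain verification against the CA
verify_leaf() { q openssl verify -CAfile ca.crt "$1"; }

# Rewrite the CN bytes in the DER without touching the signature. Locates the
# CN via a hex dump so the edit needs only POSIX tools (od, dd, tail).
tamper_cn() {
  openssl x509 -in leaf.crt -outform DER -out leaf.der
  hex=$(od -An -v -tx1 leaf.der | tr -d ' \n')
  needle=$(printf '%s' "$CN_LEAF" | od -An -v -tx1 | tr -d ' \n')
  before=${hex%%"$needle"*}
  # must be found, and on a byte boundary (even number of hex digits before it)
  [ "$before" != "$hex" ] && [ $(( ${#before} % 2 )) -eq 0 ] || return 1
  off=$(( ${#before} / 2 ))
  { dd if=leaf.der bs=1 count="$off" 2>/dev/null
    printf '%s' "$CN_EVIL"
    tail -c +$(( off + ${#CN_LEAF} + 1 )) leaf.der; } > evil.der
  openssl x509 -inform DER -in evil.der -out evil.crt
  openssl x509 -in evil.crt -noout -subject
}

# "Recalculate the signature with the public key": signing needs a private key,
# so OpenSSL refuses to load ca.pub as a signing key.
resign_with_pubkey() { q openssl dgst -sha256 -sign ca.pub -out evil.sig evil.der; }

issue_chain
csr_matches_key && echo "CSR public key == leaf public key"
verify_leaf leaf.crt && echo "issued leaf: chain verifies"
tamper_cn
verify_leaf evil.crt || echo "CN changed, signature untouched: verification FAILS"
resign_with_pubkey || echo "signing with ca.pub: refused, a public key cannot sign"
```

The tampered certificate still parses and prints the new subject, but its signature was computed over the original TBSCertificate bytes, so the CA's public key rejects it; producing a signature that the CA's public key accepts requires ca.key, which the attacker in the question does not have.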

how can I identify my SSL public key certificate?

Amazon CloudFront is giving me errors: either my private key doesn't match my public key certificate, or my public key certificate cannot be parsed as it's invalid.
Using GoDaddy as my SSL certificate middleman/provider, I got a:
.pem whose contents begin with "-----BEGIN RSA PRIVATE KEY-----"
(I'm assuming that's my private key)
Inside GoDaddy I am able to download some certs for the SSL; they are:
.crt (type = Security Certificate)
.p7b (type = PKCS #7 Certificate)
Is one of the above my public key? Or is there another way I am supposed to get my public key?
I have encountered this issue before with a bad CSR request.
According to GoDaddy:
To install a digital certificate, you must first generate and submit a Certificate Signing Request (CSR) to the Certification Authority (CA). The CSR contains your certificate-application information, including your public key. Use your Web server software to generate the CSR, which will also create your public/private key pair used for encrypting and decrypting secure transactions.
http://support.godaddy.com/help/article/5343/generating-a-certificate-signing-request
It also states: NOTE: When generating your CSR, specify a key size of 2048 or higher.
The key size is sometimes the culprit. Hope it helps.
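For both the "Get SSL certificate files from private key" answer above and this CloudFront question, an added example that is not part of either thread. It shows what can and cannot be derived from a private key (the public key, yes; the certificate, no), identifies each PEM file from its header, unpacks a .p7b bundle into plain certificates, and checks whether a private key belongs to a certificate by comparing the public key carried in each, which is exactly the mismatch CloudFront reports. The key, certificate and .p7b are constructed, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from either thread): tell the PEM files apart, derive the
# public key from the private key and from the certificate, and compare them.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# identify_pem FILE -> what the first PEM header says the file holds
identify_pem() {
  case $(head -n 1 "$1") in
    *'BEGIN CERTIFICATE REQUEST'*)               echo "csr" ;;
    *'BEGIN CERTIFICATE'*)                       echo "certificate" ;;
    *'BEGIN PKCS7'*)                             echo "pkcs7 bundle" ;;
    *'BEGIN RSA PRIVATE KEY'*|*'BEGIN EC PRIVATE KEY'*|*'BEGIN PRIVATE KEY'*)
                                                 echo "private key" ;;
    *)                                           echo "unknown" ;;
  esac
}

# The public key IS derivable from the private key...
pubkey_of_key()  { openssl pkey -in "$1" -pubout; }
# ...and the certificate carries the same public key, plus subject, validity,
# SANs, usages and the issuer's signature, none of which the key file has.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey; }

# key_matches_cert KEY CERT -> 0 when both carry the same SubjectPublicKeyInfo
key_matches_cert() { [ "$(pubkey_of_key "$1")" = "$(pubkey_of_cert "$2")" ]; }

# p7b_to_pem BUNDLE.p7b OUT.pem: a .p7b is just a bag of certificates
p7b_to_pem() { openssl pkcs7 -in "$1" -print_certs -out "$2"; }

# count_certs PEM -> number of certificates in a PEM file
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# --- constructed inputs: a key, a self-signed cert for it, an unrelated key, a .p7b
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out site.key 2>/dev/null
openssl req -x509 -new -key site.key -days 30 -subj "/CN=www.example.test" \
  -out site.crt 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out other.key 2>/dev/null
openssl crl2pkcs7 -nocrl -certfile site.crt -out site.p7b

for f in site.key site.crt site.p7b; do echo "$f: $(identify_pem "$f")"; done
p7b_to_pem site.p7b bundle.pem
echo "site.p7b unpacks to $(count_certs bundle.pem) certificate(s)"
key_matches_cert site.key site.crt  && echo "site.key matches site.crt"
key_matches_cert other.key site.crt || echo "other.key does NOT match site.crt (the pairing CloudFront rejects)"
```

The .crt is the certificate containing the public key; the .p7b holds the same certificate (and usually the intermediates) in PKCS#7 wrapping, which `openssl pkcs7 -print_certs` turns back into plain PEM. Comparing the full `-pubkey` output works for RSA and EC keys alike, where the older `openssl rsa -modulus` versus `openssl x509 -modulus` comparison covers RSA only.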