Is it possible to recover certificate thumbprint (sha1 fingerprint) only from private key that will match original certificate thumbprint?
I can not find any information about how thumbprints are generated.
Private key material:
I have a .PFX file with single certificate and it's private key. From .PFX I export only private key:
openssl rsa -inform p12 -in cert.pfx -outform der -out cert.key.der
It is not possible to get a certificate fingerprint from the private key only. The private key matches only the public key in the certificate. There can actually be multiple certificates using the same public and private key, all having different certificate fingerprints. This is not uncommon - certificate renewals often use the same key pair as the previous (expired) certificate.
What would be possible is to get the public key fingerprint, but not the certificate fingerprint.
Related
I know this is probably a bad question but I am so confused. I have a tls certificate and a tls key file, tls.crt and tls.key. I think I'm supposed to convert them into a public and private key, relatively, in order to use openssl.
side note: Am I approaching this wrong? Is there some TLS application to encrypt/decrypt?
To convert the public key, I use
$ openssl x509 -pubkey tls.crt -noout > pubkey
This created a public key that I was able to encrypt a message file with by doing
$ opensssl rsautl -encrypt -inkey pubkey -pubin -in <message file> -out <encrypted output>
I have successfully encrypted the file but now I don't know how to decrypt it. I don't know how to convert my private key (tls.key) into an ssl private key. This is what stumps me. Shouldn't I be doing some tls encryption/decryption? If not, and I am supposed to be using openssl, how should I convert tls.key into a private key usable by openssl rsautl -decrypt?
tl;dr: The key file is the key file you want. No conversion should be required.
The trick here is in the following question: "What is a certificate?" The answer is that it is a signed public key that goes along with a secure private key. It (usually) gets signed by a CA ("Certificatation Authority").
The basic process is:
Entity that wants a certificate creates a private/public key pair.
Entity send the public key and some information about the Entity to the CA.
The CA performs "some level" of validation on the Entity, verifying their identity. Usually this is just some level of proof that the requestor owns the web site the certificate is to be used for.
The CA takes the provided public key and the other info provided, uses their private key to generate a signature for that data, which then can be verified by decrypting the signature using the CA's public key. That becomes your certificate.
So, you took your own public key from the certificate. The private key (tls.key) should be the key file you created in the first step - just use it on your encrypted data.
I'm trying to install an SSL Certificate on my website, I bought the certificate online but they didn't give me a private key file, I got a pem file instead. Is their any way I can generate the private key file from the pem file?
I'm using a Mac and tried OpenSSL to generate the key file:
openssl rsa -in myfile.pem -out private.key
But this gave me the following error:
unable to load Private Key
4781944428:error:09FFF06C:PEM routines:CRYPTO_internal:no start line:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/crypto/pem/pem_lib.c:684:Expecting: ANY PRIVATE KEY
Any help is greatly appreciated!
Usually the private key is generated on your web server through the web server software or else using openssl.
When you buy a certificate online from a certificate authority, you generate a certificate request, and send it to the authority. The cert request doesn't have the private key, only a signature from the private key, so that's why you can't extract it from the pem file they sent you back.
You need to look at the software you used to generate the certificate request. If you didn't do this, and the company you bought the cert didn't require it, they may be a hosting provider who has the private keys.
I have read an article on how to create a local SSL certificate. The steps are basically as below:
1. create a key pair
openssl genrsa -des3 -out applicant.key 2048
2. create a certificate signing request
openssl req -new -sha256 -nodes -out applicant.csr -key applicant.key -config someCert.csr.cnf
3. create a cert for the applicant using the ca.key(private key) and cacert.pem (CA certificate)
openssl x509 -req -in applicant.csr -CA cacert.pem -CAkey ca.key -CAcreateserial -out applicant.crt -days 500 -sha256 -extfile localdomain.v3.ext
I got a few question regarding the steps.
a) When we create the key in step 1, is it a key pair or just private key?
b) When creating a certificate signing request in step 2, do we need a public key or private key?
c) When create a cert from CA, why do we need both ca private key and ca certificate? I believe the ca private key is used for digital signature, but what's the purpose of CA certificate?
When we create the key in step 1, is it a key pair or just private key?
applicant.key contains both the public and private elements. You can see them with openssl rsa -text -nout -in applicant.key, or in a more basic form with dumpasn1 or similar.
When creating a certificate signing request in step 2, do we need a public key or private key?
Both. You need the public key as that is going to be certified by the CA. You need the private key as you sign the CSR with this to provide Proof of Possession of the public key.
When create a cert from CA, why do we need both its private key and ca certificate?
Again, both. You need the private key in order to sign the certificate. You also need the CA certificate so that the CA can extract information used during the signing process from it.
As a minimum, this is the Subject field of the CA certificate which is used as the Issuer field of the signed certificate.
Another example is the AuthorityKeyIdentifier extension in the CA certificate, whose value is used as the SubjectKeyIdentfier extension in the applicant's certificate.
However, CAs are at liberty to use whatever they need. For example, Microsoft CAs will check the expiry date on the CA certificate and not issue an applicant a certificate that expires past this date (it truncates the validity of the certificate). In order to do that, it needs access to the CA certificate.
According to the answer to this server-fault question almost all certificate file formats can contain private key alongside public key, as such how can I identify whether a certificate contains private key?
This is important because I do not want to unknowingly send the private key to the remote client.
Following the structure of the link:
.csr. Only public keys in pem or der format
.pem. keys and/or certificates. Look for -----BEGIN PRIVATE KEY---- or -----BEGIN RSA PRIVATE KEY----- or -----BEGIN ENCRYPTED PRIVATE KEY-----
.key keys in pem format
.pkcs12 .pfx .p12 keys and/or certificates. List keys with openssl pkcs12 -info -nocerts -in keystore.p12
.jks keys and/or certificates. Java specific format.
.der pem content without base64 encoding. Look for KEY in openssl x509 -inform DER -in cert.der
.cert .cer .crt keys and/or certificates. Content can be pem or der
.p7b. Only certificates
.crl. No keys
I'm a newbie in computer security and I have a basic question whose answer I've not been able to find out.
I have a private key whose validity period has expired. Using that key I'd previously generated a .csr and sent it to a CA and they'd given me a certificate that's still valid.
My question is, can I (using keytool or whatever...) modify the private key's expiration date in order to use it with my certificate (.cer). Could I regenerate a private key to be used with this certificate?
Thank you,
No.
The validity period is in the certificate, not the private key. Certificates cannot be modified, and the only entities that can generate valid certificates are the certificate authorities.
You will have to pay for a new certificate. Certificate expiration is a safety measure, but also a way to get recurring customers.
keytool -genkeypair does more than generating a key pair: it generates a pair of public and private key, and wraps the public key into a self-signed X.509 certificate generated on the spot with the various options given (-dname, -validity, ...). It puts them together into the alias you choose (a private key entry will associate a private key and a certificate, or a certificate chain of length 1, to be precise).
Those options affect this self-signed X.509 certificate, not the key pair itself.
Normally, if you don't want to use a self-signed certificate, you produce a CSR based on this public key and the characteristics of this self-signed X.509 certificate (the structure of a CSR is in fact very similar to that of a self-signed certificate, but it doesn't have issuer or validity dates). That CSR is then used by your CA to issue an X.509 certificate (this time, signed by that CA).
You are meant to import it again into that alias, to be able to use the certificate with its private key. If your self-signed certificate (or an older certificate matching this private key) has expired, re-import the certificate that is still valid.
In fact, if there are intermediate certificates, you should not only import that certificate, but the certificate chain (see this question and this question).
If your .cer file is in DER format (binary) and not PEM format (base64-encoding of the DER format), you can convert it into PEM using openssl x509 -inform DER -in mycert.cer -outform PEM -out mycert.crt and use the result to build the chain and import it.