Finding PKCS version while having the SSL certificate and the public and private keys - cryptography

I'm new to PKI and need to know something. I'm not even sure if my question makes sense, so excuse me in advance. If we have the SSL certificate and the public and private keys, can we find which version of PKCS is used? Like PKCS#1 RSASSA-PKCS1-V1_5 or another?
Thank you!

Usually you should have some text/base64 encoded PEM files. In those files you can see the type by the -----BEGIN line in the private key file.
-----BEGIN RSA PRIVATE KEY----- means you have an RSA private key in PKCS#1 format.
-----BEGIN PRIVATE KEY----- means you have an RSA private key in PKCS#8 format.
For all the formats see https://tls.mbed.org/kb/cryptography/asn1-key-structures-in-der-and-pem
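
An added example (not part of the original answer) of the header check it describes, extended to files that hold several blocks and to the encrypted forms; the function name `pem_formats` and the sample file are constructed here. The label identifies the container format only, not a signature scheme such as RSASSA-PKCS1-v1_5.

```shell
#!/bin/sh
# pem_formats FILE: print one line per PEM block naming its container format.
# Only the BEGIN/END labels and the legacy Proc-Type header are inspected;
# the base64 body is never decoded.
pem_formats() {
    awk '
    { sub(/[ \t\r]+$/, "") }                 # tolerate CRLF line endings
    /^-----BEGIN [A-Z0-9 ]+-----$/ {
        name = $0
        sub(/^-----BEGIN /, "", name); sub(/-----$/, "", name)
        enc = 0
        if      (name == "RSA PRIVATE KEY")       fmt = "PKCS#1 RSAPrivateKey"
        else if (name == "RSA PUBLIC KEY")        fmt = "PKCS#1 RSAPublicKey"
        else if (name == "PRIVATE KEY")           fmt = "PKCS#8 PrivateKeyInfo"
        else if (name == "ENCRYPTED PRIVATE KEY") { fmt = "PKCS#8 EncryptedPrivateKeyInfo"; enc = 1 }
        else if (name == "EC PRIVATE KEY")        fmt = "SEC1 ECPrivateKey"
        else if (name == "PUBLIC KEY")            fmt = "X.509 SubjectPublicKeyInfo"
        else if (name == "CERTIFICATE")           fmt = "X.509 certificate"
        else if (name == "CERTIFICATE REQUEST")   fmt = "PKCS#10 certificate request"
        else                                      fmt = "unrecognised label: " name
        next
    }
    /^Proc-Type: 4,ENCRYPTED/ { enc = 1 }    # legacy OpenSSL PEM encryption
    /^-----END / && fmt != "" {
        suffix = enc ? " [encrypted]" : ""
        print fmt suffix
        fmt = ""
    }
    ' "$1"
}

# Constructed sample: a combined key + certificate file with elided bodies.
sample=$(mktemp)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,<constructed-iv>' '' '...' \
    '-----END RSA PRIVATE KEY-----' \
    '-----BEGIN CERTIFICATE-----' '...' '-----END CERTIFICATE-----' > "$sample"
pem_formats "$sample"
rm -f "$sample"
```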

Related

Decrypt encrypted RSA Private Key on the Browser side

I have an encrypted private RSA key:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,B92E0E3A7B... // <--- IV here.
...
-----END RSA PRIVATE KEY-----
I need to decrypt it via a passphrase, basically I need the equivalent of
openssl rsa -in <encrypted_private.key> -out <decrypted_private.key>
on the browser side with an Angular based client, using webcrypto and pkijs.
So, for anyone who may face the same issue in the future, as I did:
PKI.js provides an examples folder in their repo:
OpenSSLPrivateKeyEncryption
In there you will find a method called decrypt.
With that code I was able to decrypt my AES-CBC private key.

Get SSL certificate files from private key

I want to get a crt and a chain file from a private key. The file I have starts with
-----BEGIN RSA PRIVATE KEY-----
and has a .key extension.
I tried multiple ways to convert it using OpenSSL commands but am not getting it properly.
It is impossible to get the certificate and chain from the private key. While one can get the public key from the private key file, the public key is part of the certificate. In addition to the public key it also contains subject, expiration, issuer and issuer's signature - the last two needed to build and verify the trust chain.
Just having a private key does not provide the certificate associated with that key.
The certificate contains a lot of information that the mere private key does not, including validity dates, subject and signer DNs, SANs, usages, along with the cryptographic signature itself.

SSL/TLS Configuration on server

I am working on CentOS 7. I have three blocks of text:
CSR:
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Public key:
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
Private key:
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
Also, I have an archive with:
mydomain.crt
mydomain.ca-bundle
and
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
As I understand it, I need to convert the CSR, private key and public key to the right file formats?
Then, add:
CSR and Private Key to /etc/nginx.conf
And set it via .conf by names?
But could anyone help me convert the CSR, private key and public key to the right formats?
Thank you!
You can discard the CSR or keep it for your reference. A CSR (Certificate Signing Request) is a document asking for a certificate; you already have the certificate, so the request is now only of historical interest.
You should put the private key text, including that header and footer, but no blank lines, into a file, let's call that privkey.pem. The private key is very important: your web server software needs to be able to read it in order to function, but nobody else should ever see this file and you should not keep copies of it where they may be stolen.
You also need the mydomain.crt file and the mydomain.ca-bundle. You should concatenate them together; you can do this (carefully) with a text editor and save the result as fullchain.pem, or if you're comfortable on a Unix command line you can write
cat mydomain.crt mydomain.ca-bundle > fullchain.pem
In your nginx.conf you should find or create a server block, and set parameters as follows, but with the correct full path names.
ssl_certificate /full/path/to/fullchain.pem;
ssl_certificate_key /full/path/to/privkey.pem;
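
An added example (not part of the original answer) of the steps above as a script: it builds fullchain.pem so that a missing final newline in mydomain.crt cannot fuse two markers, restricts the key file to its owner, and checks that the key belongs to the leaf certificate. The function names and the script name `tls-files.sh` are placeholders, the key is assumed to be unencrypted, and the chain is assumed to hold at least two certificates (leaf plus bundle).

```shell
#!/bin/sh
# Added example; function names and paths are placeholders, not from the answer.

# build_fullchain LEAF BUNDLE OUT: write LEAF then BUNDLE to OUT and print the
# number of certificates; fail unless OUT is a clean run of CERTIFICATE blocks.
build_fullchain() {
    # awk re-emits every line with a newline, so a leaf file saved without a
    # final newline cannot fuse its END marker with the next BEGIN marker.
    awk '{ sub(/[ \t\r]+$/, "") } NF' "$1" "$2" > "$3" || return 1
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { begins++; next }
        /^-----END CERTIFICATE-----$/   { ends++; next }
        /-----/                         { bad = 1 }  # key, CSR or fused marker
        END {
            if (bad || begins < 2 || begins != ends) exit 1
            print begins
        }
    ' "$3"
}

# install_key SRC DST: copy the key so that only its owner can read it.
install_key() {
    ( umask 077 && tr -d '\r' < "$1" > "$2" ) && chmod 600 "$2"
}

# key_matches_cert KEY CHAIN: succeed when KEY (assumed unencrypted) is the
# private half of the first certificate in CHAIN. Requires the openssl CLI.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sh tls-files.sh mydomain.crt mydomain.ca-bundle key.txt /full/path/to
if [ "$#" -eq 4 ]; then
    build_fullchain "$1" "$2" "$4/fullchain.pem" &&
    install_key "$3" "$4/privkey.pem" &&
    key_matches_cert "$4/privkey.pem" "$4/fullchain.pem" &&
    echo "key matches leaf certificate; run nginx -t before reloading"
fi
```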

X.509 and Private Key Confusion

I have been given an X.509 certificate and a private key.
The certificate looks like:
-----BEGIN CERTIFICATE-----
LOTS OF LETTERS
SO MANY LETTERS
-----END CERTIFICATE-----
and the private key looks like
-----BEGIN PRIVATE KEY-----
Lots of letters here as well
-----END PRIVATE KEY-----
I believe I need this certificate because I must use a plugin called Elastic Fox in order to properly connect to our AWS account. I am confused on how to add this certificate to Firefox / how to use the certificate and private key.
I attempted to save both the certificate and private key in one .pem file and import that to FF via: Edit > Preferences > Advanced > View Certificates > Your Certificates > Import, but I was told to enter some password that I do not know/have.
I attempted to save just the private key portion as a .key file in ~/.ssh/id_rsa, but that did not work.
Can someone ELI5 to me how to add this certificate properly and what to do with the private key? Ubuntu 12.04

one PEM file with private key and certificate into JKS

I have a JKS keystore in client application and I have been given one PEM file containing both private key and certificate to use for SOAP signature. PEM file looks like this:
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
First question is how to correctly import this PEM into JKS?
Second question: the given private key isn't password protected; is it possible to add a password to it before importing it to the JKS keystore?
Thanks!
If you prefer a GUI solution I would take Portecle. This simple key store management tool allows you to create a JKS and then import the cert and private key.
I am not sure if you can import the cert and key from the same combined PEM file as you have it, but maybe the command "Import Key pair" of Portecle works with such a file.
If not you can simply split the PEM file directly after the -----END RSA PRIVATE KEY----- line into two PEM files and import them separately.
After importing, when you save the JKS Portecle will ask you for a password.