I am trying to generate a CSR (Certificate Signing Request) with the keys generated from an HSM.
I am able to convert HSM RSA public key to java.security RSAPublicKey with modulus and public_exponent.
I am NOT able to convert the HSM ECDSA public key to a java.security EC PublicKey. I have the curve name (SECP256R1) and the EcPoint value for the public key I generated from the HSM.
Can someone help on this?
Thanks!!
Related
I have an nShield HSM; my certificate, private key and public key are stored in it. When I read the certificate from my HSM there isn't a private key in it. I need this certificate to use in "AuthenticateAsServer". Also, the private key is not extractable from the HSM, so what should I do?
Thanks in advance
I know this is probably a bad question but I am so confused. I have a tls certificate and a tls key file, tls.crt and tls.key. I think I'm supposed to convert them into a public and private key, relatively, in order to use openssl.
side note: Am I approaching this wrong? Is there some TLS application to encrypt/decrypt?
To convert the public key, I use
$ openssl x509 -pubkey -in tls.crt -noout > pubkey
This created a public key that I was able to encrypt a message file with by doing
$ openssl rsautl -encrypt -inkey pubkey -pubin -in <message file> -out <encrypted output>
I have successfully encrypted the file but now I don't know how to decrypt it. I don't know how to convert my private key (tls.key) into an ssl private key. This is what stumps me. Shouldn't I be doing some tls encryption/decryption? If not, and I am supposed to be using openssl, how should I convert tls.key into a private key usable by openssl rsautl -decrypt?
tl;dr: The key file is the key file you want. No conversion should be required.
The trick here is in the following question: "What is a certificate?" The answer is that it is a signed public key that goes along with a secure private key. It (usually) gets signed by a CA ("Certification Authority").
The basic process is:
1. Entity that wants a certificate creates a private/public key pair.
2. Entity sends the public key and some information about the Entity to the CA.
3. The CA performs "some level" of validation on the Entity, verifying their identity. Usually this is just some level of proof that the requestor owns the web site the certificate is to be used for.
4. The CA takes the provided public key and the other info provided, uses their private key to generate a signature for that data, which then can be verified by decrypting the signature using the CA's public key. That becomes your certificate.
So, you took your own public key from the certificate. The private key (tls.key) should be the key file you created in the first step - just use it on your encrypted data.
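The answer above, as an added example that is not part of the original post: a throwaway key and self-signed certificate (constructed here; `demo.invalid` and the temp-directory file names are assumptions) stand in for `tls.key` and `tls.crt`. It uses `openssl pkeyutl`, the replacement for the deprecated `rsautl`, with OAEP padding rather than the `rsautl` default.

```shell
#!/bin/sh
# Added example: constructed stand-ins for the poster's tls.key / tls.crt.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Self-signed certificate plus unencrypted private key, valid for one day.
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.invalid" \
        -keyout "$work/tls.key" -out "$work/tls.crt" 2>/dev/null
}

# Succeeds when key file $1 and certificate $2 carry the same public key.
key_matches_cert() {
    from_cert=$(openssl x509 -in "$2" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256 -r)
    from_key=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r)
    [ "$from_cert" = "$from_key" ]
}

# Encrypt to the certificate's public key, then decrypt with the key file
# exactly as it is: no conversion step in between.
round_trip() {
    openssl x509 -in "$work/tls.crt" -noout -pubkey > "$work/pubkey"
    printf '%s' "$1" > "$work/msg"
    openssl pkeyutl -encrypt -pubin -inkey "$work/pubkey" \
        -pkeyopt rsa_padding_mode:oaep -in "$work/msg" -out "$work/msg.enc"
    openssl pkeyutl -decrypt -inkey "$work/tls.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$work/msg.enc"
}

make_pair
key_matches_cert "$work/tls.key" "$work/tls.crt" && echo "key matches certificate"
echo "decrypted: $(round_trip 'constructed test message')"
```

Running `key_matches_cert` first is a quick way to rule out a mismatched key file before debugging a failed decryption.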
Is it possible to recover certificate thumbprint (sha1 fingerprint) only from private key that will match original certificate thumbprint?
I cannot find any information about how thumbprints are generated.
Private key material:
I have a .PFX file with a single certificate and its private key. From the .PFX I export only the private key:
openssl rsa -inform p12 -in cert.pfx -outform der -out cert.key.der
It is not possible to get a certificate fingerprint from the private key only. The private key matches only the public key in the certificate. There can actually be multiple certificates using the same public and private key, all having different certificate fingerprints. This is not uncommon - certificate renewals often use the same key pair as the previous (expired) certificate.
What would be possible is to get the public key fingerprint, but not the certificate fingerprint.
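The point made in this answer, as an added example that is not part of the original post: one constructed key pair is used for two self-signed certificates (the serial numbers, `demo.invalid` and the file names are assumptions), giving two different SHA-1 thumbprints but a single public key fingerprint that can also be derived from the private key alone.

```shell
#!/bin/sh
# Added example: one constructed key, two certificates issued over it.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$work/key.pem" 2>/dev/null

# $1 = serial number, $2 = output file; same key and subject every time.
issue_cert() {
    openssl req -x509 -new -key "$work/key.pem" -subj "/CN=demo.invalid" \
        -set_serial "$1" -days 30 -out "$2" 2>/dev/null
}

# Thumbprint: SHA-1 over the whole DER-encoded certificate (serial, validity,
# signature and all), so it cannot be derived from the key.
cert_thumbprint() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha1 -r | cut -d' ' -f1
}

# Public key fingerprint: SHA-256 over the DER SubjectPublicKeyInfo only.
spki_from_cert() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}
spki_from_key() {
    openssl pkey -in "$1" -pubout -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

issue_cert 1 "$work/original.pem"
issue_cert 2 "$work/renewed.pem"
echo "thumbprint original: $(cert_thumbprint "$work/original.pem")"
echo "thumbprint renewed:  $(cert_thumbprint "$work/renewed.pem")"
echo "spki original:       $(spki_from_cert "$work/original.pem")"
echo "spki renewed:        $(spki_from_cert "$work/renewed.pem")"
echo "spki from key only:  $(spki_from_key "$work/key.pem")"
```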
I'm new to PKI and need to know something. I'm not even sure if my question makes sense so excuse me in advance. If we have the SSL certificate and the public and private keys, can we find which version of PKCS is used ? Like PKCS#1 RSASSA-PKCS1-V1_5 or another ?
Thank you!
Usually you should have some text/base64 encoded PEM files. In those files you can see the type by the -----BEGIN line in the private key file.
-----BEGIN RSA PRIVATE KEY----- means you have an RSA private key in PKCS#1 format.
-----BEGIN PRIVATE KEY----- means you have an RSA private key in PKCS#8 format.
For all the formats see https://tls.mbed.org/kb/cryptography/asn1-key-structures-in-der-and-pem
Suppose we have two x509 certificates - client and server.
Is it possible to change some fields of the client certificate (CN for example) and recalculate the signature using the server's public key (which is known) in such a way that the server will accept and successfully verify the client certificate?
In public key cryptography the private key can encrypt and decrypt, the public key can encrypt only. So it seems that anyone who knows the public key can recalculate the signature and modify the certificate?
Thanks.
In public key cryptography the private key signs and decrypts and the public key verifies and encrypts. You cannot perform both operations without having both keys.
You are right that signing in the case of RSA is essentially encryption with the private key, but since you don't possess the private key you cannot re-sign the certificate.
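What the verifier sees when a field is changed without the issuer's private key, as an added example that is not part of the original answer: a constructed CA ("Demo CA") signs a constructed client certificate, the CN is then rewritten in the DER bytes, and `openssl verify` is run on both. All names and files are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: every name and file below is constructed for the demo.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed issuer and a client certificate it signs.
build_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client-a.test" \
        -keyout "$work/client.key" -out "$work/client.csr" 2>/dev/null
    openssl x509 -req -in "$work/client.csr" -CA "$work/ca.pem" \
        -CAkey "$work/ca.key" -set_serial 2 -days 1 \
        -out "$work/client.pem" 2>/dev/null
}

# Same-length CN rewrite in the DER bytes; the signature stays as issued,
# so it no longer covers the certificate body.
tamper_cn() {
    openssl x509 -in "$work/client.pem" -outform DER |
        LC_ALL=C sed 's/client-a\.test/client-b.test/' > "$work/tampered.der"
    openssl x509 -inform DER -in "$work/tampered.der" -out "$work/tampered.pem"
}

# Signature check using only the issuer's public certificate.
verifies() {
    openssl verify -CAfile "$work/ca.pem" "$1" 2>/dev/null | grep -q ': OK$'
}

subject_of() { openssl x509 -in "$1" -noout -subject; }

build_pki
tamper_cn
for f in client tampered; do
    if verifies "$work/$f.pem"; then result=accepted; else result=rejected; fi
    echo "$f.pem  $(subject_of "$work/$f.pem")  -> $result"
done
```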