I'm trying to set up an SSL from Namecheap and I need both the public cert and the private key but Windows seems only to give the public key. I even tried using the export option later on and found nothing akin to a secret key (shown below):
Any insight would be appreciated greatly.
Related
tl;dr
Does a certificate contain both private key and public key?
If so, how can I export a private key to .pem from a certificate on Mac? When you export a certificate in KeyChain Access, it gives you only one .pem file and it is not a private key.
If not, how can I get one? Because I clearly have it somewhere in the computer that enables corporate services.
I only have scattered ideas on how certificates work, so pardon me for just laying out things I know and have.
I have a certificate issued by my company (I will call it Orange for reference).
Orange certificate is needed to make an API call.
From the example for the API call, I need to provide public key from Orange and private key. Both of them are .pem.
I honestly don't know if the Orange certificate in KeyChain Access is supposed to contain both public and private key, but I assume so because a certificate works with two keys that work together, and the Certificate Export Wizard on Windows gives you the option whether you want to export the private key when you try to export a certificate.
The problem is when I export my Orange certificate from KeyChain Access, it gives no such option. I only get one .pem file (or .cer or .p7b depending on what format I chose) and it doesn't look like a private key.
-----BEGIN CERTIFICATE-----
...many characters...
-----END CERTIFICATE-----
I can see the Keys section in Keychain Access. But the certificate's name is not Orange.
I know that some things in a signing key (like the validity period) can't be changed. Can the owner name change? If yes, how can I do it using keytool?
Interesting question. I've done a bit of digging, and it seems like it isn't possible. See this detailed answer on the security stack exchange. While you (and I) often think of a certificate as just a public key, the certificate is the public key combined with the owner (Distinguished-Name) information, and the certificate hash is a hash of this information. So if you change the Owner information, you change the certificate, and so change the certificate hash. This is true for both APK Signing V1 and V2.
I am having trouble with exporting a certificate's private key on WinRT 8.1 using the new Cryptography API.
With help of MS Cryptography and Certificate sample I am able to list certificates from system certstore and get selected certificate's keypair using
CryptographicKey keyPair = await PersistedKeyProvider.OpenKeyPairFromCertificateAsync(cert, HashAlgorithmNames.Sha1, CryptographicPadding.RsaPkcs1V15);
But then, when I try to export the private key using
IBuffer pkey = keyPair.Export(CryptographicPrivateKeyBlobType.Pkcs8RawPrivateKeyInfo);
a NotSupportedException is thrown, no matter what blob type I use as the parameter.
The certificate I work with was imported from pfx by Windows Importer with Strong protection disabled and marked as Exportable, however it still seems that the Cryptography API has some problems accessing the private key (which I need for signing via SecureBlackBox library).
Does anyone know how to solve this issue and obtain the certificate's private key?
I'm developing an application to manage file and email encryption using (primarily) PKI. I have a Public Keyring with a list of contacts and their Public Keys.
Referring back to the olden days when I used PGP, I recall a requirement to sign public keys with your Private Key.
Is this a necessity on PKI and if so, what does this signing achieve? Is it bad practice to simply hold a list/database of people's names (and email) and their Public Key? Surely if their public key is - in any way - tampered with the encryption would fail and as you choose who you're sending or sharing the encrypted data with, even if a 'successful tamper' went unnoticed, the encrypted data wouldn't end up in the wrong hands anyway?
The whole thing about signing a public key with a private key is useful when you have a dedicated key-pair that you use only for signing, and then other key-pairs that you use for encrypting. This dedicated key-pair is your "trusted" key-pair that is somehow known to be legitimately attached to you (often by having it signed by a certificate authority or by having many trusted people sign that they have verified its connection to you.)
You use this "trusted" private key to sign your not-quite-as-trusted public key. This way, people can un-sign/decrypt your new public-key with your trusted public-key. This is only mathematically possible if it was signed by your trusted private-key.
This process helps people to be sure that this new public-key actually belongs to you.
I'm trying to sign some text or XML node using my certificates, installed on Internet Explorer or from filesystem (or some method!)... but I want to ask the user for his certificate password when signing.
If I'm not wrong, I think that I need that password to access the private key and, with that key, sign my data... is that OK?
Nothing that I read helps me in the part of asking the password or getting the private key.
Some examples or help will be great.
With X509Certificate2 x509 = new X509Certificate2(@"c:\Test.pfx", "test") you can import the certificate with the private key information from the PFX file. The private key can be received by x509.PrivateKey.
You can find many examples of how to sign an XML file. For example http://developers.de/blogs/rolf_nebhuth/archive/2009/05/13/signing-xml-documents.aspx or http://www.west-wind.com/weblog/posts/257599.aspx.
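The flow this answer describes, as an added example that is not part of the original answer: prompt for the PFX password, load the certificate with its private key, and produce an enveloped XML signature. The path c:\Test.pfx comes from the answer; the class name, the ReadPassword helper and the sample XML are constructed for illustration, and on .NET Core/.NET the System.Security.Cryptography.Xml package is assumed to be referenced.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;

static class PfxXmlSigner // hypothetical name, for illustration
{
    // Read the PFX password from the console without echoing it.
    static string ReadPassword()
    {
        var sb = new StringBuilder();
        ConsoleKeyInfo k;
        while ((k = Console.ReadKey(intercept: true)).Key != ConsoleKey.Enter)
        {
            if (k.Key == ConsoleKey.Backspace) { if (sb.Length > 0) sb.Length--; }
            else if (!char.IsControl(k.KeyChar)) sb.Append(k.KeyChar);
        }
        Console.WriteLine();
        return sb.ToString();
    }

    static void Main()
    {
        Console.Write("PFX password: ");
        // A wrong password makes the constructor throw CryptographicException.
        using var cert = new X509Certificate2(@"c:\Test.pfx", ReadPassword());
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("PFX contains no private key.");
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<order id=\"1\"><item>constructed sample</item></order>");
        using RSA key = cert.GetRSAPrivateKey()
            ?? throw new InvalidOperationException("Not an RSA certificate.");
        var signedXml = new SignedXml(doc) { SigningKey = key };
        var reference = new Reference("");            // "" = the whole document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);
        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(cert)); // embeds the public cert only
        signedXml.KeyInfo = keyInfo;
        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        // Verify with the public half before handing the document on.
        var check = new SignedXml(doc);
        check.LoadXml((XmlElement)doc.GetElementsByTagName("Signature")[0]);
        Console.WriteLine(check.CheckSignature(cert, verifySignatureOnly: true));
        Console.WriteLine(doc.OuterXml);
    }
}
```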