I'm building a service using MTLS for authentication with AWS ACM PCA as private Certificate Authority.
The certificate is stored in a password protected PKCS#12 file together with the private key in.
The private key is also used for signing data.
At the moment I'm creating key pairs programatically but want to switch into using KMS.
However, it seem like it's not possible to get the private key from KMS.
How am I supposed to allow for both client authentication and signing if I can't add the private key to the PKCS#12 key store?
You can use kms.generateDataKeyPair to create and export a public key and private key which can then be used locally.
Related
I want to create an RSA private key which is not exportable (even by the developer of app) inside iOS keychain.
Is there any way to do that?
Not possible with RSA.
You can create keys which can't be exported, but only in the Secure Enclave, and it only supports p256 key pairs. You can't import existing keys into the Secure Enclave. While it is possible to export a key from it, the key is encrypted such that only that exact Secure Enclave can import it again later.
In Hyperledger Fabric v1.0, a user can be registered and enrolled in the blockchain network through the MSP (member services provider). The user is given a public key (in the certificate) and a private key after registration and enrollment. The way I understood it, the private key is used by the invoker to sign the transaction, while the public key is used by the peers to verify the signer.
Can I use the same private and public key to encrypt (using the public key) and decrypt (using the private key)?
If yes, what Node.js library do I need to use these keys generated by MSP for encryption and decryption? I tried using the crypto package but it does not work. It produces the following error:
Error: error:0608B096:digital envelope routines:EVP_PKEY_encrypt_init:operation not supported for this keytype
I tried using the crypto package in an RSA public/private key pair generated by OpenSSL (and not MSP) and the encryption/decryption worked.
Hyperledger Fabric 1.0.* does not support RSA keys for signing. Signing keys must be ECDSA keys as this is the only type that is currently supported. For details please see the documentation.
I'm trying to understand what the certificate is. I'm talking about the .cer file.
In the description it sounds like it is a public key but if it is, than why do I need Certificate Signing Request (CSR) when creating it?
Everywhere I can find "what is a developer certificate for" and so on, but there is no information what the certificate — as an entity — is.
So my questions are:
What is .cer file? (Not .p12)
What is the difference between certificate and public key?
1) The .cer is an commonly used extension for certificates.
Certficates are digitaly signed and encoded documents. To my understanding certificates are documents which contain data (strings etc.) and are encoded. Simply put it is a container for sensitive data.
For details read: DER vs CRT vs CRM vs PEM
2) The public key simply put is a value (String for example). This value is stored in a certificate .cer file.
For better understanding this video might help: Private and public key
The difference is that a certificate can contain a public key but a public key cannot contain a certificate.
A certificate certify who you are, its a kind of identity card or passport or whatever. A public key is something used to secure something, somehow like a real key closes a safety box not to let everyone have look inside.
Then you may have the need to certify that a public key is the one it claims. A certificate is (normally) obtained from another trusted authority (like your passport is delivered by a legal entity). If not how would you trust a public key I'll give to you? It can be a hacked public key, but if you have a certificate that belongs to it, then (if you trust the authority) you'll know it's really mine and not a forged one.
You may read Public Key Certificate on Wikipedia for example.
.cer files are certificates in some well defined format.
I have a pretty basic understanding of PKI/SSL/TLS but not a lot of experience with it. I have several iOS devices connecting through a VPN to an internal server. The server is reachable, but we receive an SSL error. I understand I need to add the CA's cert to the iOS devices - but I'm confused as to if I add the CA's public or private cert?
According to this blog It's private, but I want to verify first.
http://nat.guyton.net/2012/01/20/adding-trusted-root-certificate-authorities-to-ios-ipad-iphone/
Any advice or further documentation would be greatly appreciated.
There's no such thing as a private certificate.
In an asymmetric encryption you have two keys - the public key and the private key. As the names suggest, the private key is kept private and the public key is distributed. A certificate is a separate object that serves to tie a public key to a "security principal" - i.e. a person, server, certification authority or whatever.
So your VPN server has a certificate. This certificate states that the given public key X belongs to your server. When you contact the server, it gives you its certificate and public key, then can prove it has the corresponding private key by you giving it a randomly generated number to sign/decrypt.
However, how do you know the server isn't lying when it gives you the certficate? Because the certificate is signed by a third party - a certificate authority. The CA's signed the server's certificate with its private key to confirm that what it says is true. You can verify this signature with the CA's public key. But how do you know that the CA's public key actually belongs to the CA?
As you can see, this can go on for a while, creating a chain of certificates or chain of trust. Eventually you have to have some certificates that you just trust without any third parties - the root certificates. iOS comes with a set of these that Apple trusts, but does not include the root of the chain for your VPN server. That is the certificate that you are being asked to install.
If I had a private certificate file and a string on the iPhone, how do I use them to generate a signed string that can be verified by a server with the matching public key? What library should I use on the iPhone?
I would take a look at Certificate, Key, and Trust Services Reference on Apple's website. You can import the PKCS #12–formatted blob with SecPKCS12Import and sign the data with SecKeyRawSign.