0

in the hybris of leaked ssl-private-key everybody cries for new certs and new keys.

my question: how would one generate a new and valid ssl-cert with the private key from my website? our certs are usually domain-validated, meaning that ssladmin@domain.com usually gets a ntoficiation on issued cert-requests

p.s. i'm not talking about how agencies would do this, but a hacker that possibly obtained the private key

3 Answers3

3

Web sites hand out the public certificate, that's the way TLS authentication (identity) works (excepting aNULL ciphers). If, for example, you were able to use Heartbleed to steal a site's key, the required certificate would already have been given out by the server during the handshake (for every correctly set up TLS connection).

No creation of a certificate is required. Were it required or desired, then a CSR can be generated from the key material. Then that CSR could be signed by a commercial CA, your last line of defence is the weakest verification policy of the most lenient CA. Not very comforting ;-)

Clients which implement certificate pinning should not, in theory, fall for such a bogus certificate.

You could also sign it with your own private CA, the resulting certificate would be valid in a technical sense, just not accepted by clients (which verify CA chains, and won't recognise your private one).

mr.spuratic
  • 7,977
  • 26
  • 37
1

You are correct in your assumption that it would be difficult to obtain a new cert. This doesn't stop an attacker from decrypting traffic with the private key though.

You can read more about decrypting SSL traffic with WireShark with just the private key here.

David Houde
  • 5,504
  • 1
  • 27
  • 22
1

the answer is: your dont need to; you can obtain the valid cert with the following way:

openssl s_client -connect HOST:PORT -showcerts

and use them.

kudos for this answer goes to @CodesInChaos