Private Key

Where can I find my Private Key?

This is one of the most frequent questions that we get. Unfortunately we cannot send you the Private Key, because it is private, and we do not store it anywhere in our system or database. The Private Key is always confidential, and it is only you who should have it. If we were to have or store your Private Key, this would compromise the “security” of your SSL Certificate.

If you used the CSR Generator on our website to generate your CSR code, then the CSR and the Private Key were both shown to you during the CSR generation process. They were also sent to your email address in case you included your email address in the CSR Generator. The message that was sent to your email address came from [email protected] and has the following subject: “Your CSR code and your Private Key”.

If you generated your CSR on your server, then your CSR code and your Private Key were both provided to you by your server, and you had to copy and store them in a safe place. Some servers show you both the CSR code and the Private Key and at the same time keep a copy of both on the server for you. Other servers only give you the CSR code and keep the Private Key stored on the server, out of view.

That being said, please look for the Private Key in your email inbox or on your server. If you cannot find it, you will have to generate a new CSR code, either on your server or with the CSR Generator on our website. The CSR code will come with a Private Key.

Once a new CSR code (and Private Key) has been generated, go to the SSL Certificate details page inside your SSL Dragon account and click the “Reissue certificate” button in the left sidebar of the page. You will have to pass domain validation again; once you do, the SSL Certificate will be re-issued to you based on the new CSR code that you entered, and the re-issued SSL Certificate will pair with the Private Key that came along with the new CSR code.

If you cannot find the “Reissue certificate” button on the SSL Certificate details page inside your SSL Dragon account, then please send us the new CSR code via a Support Ticket inside your SSL Dragon account, or directly at [email protected], and we will re-generate the SSL Certificate for you using the new CSR code. Please do not send us your Private Key, as it is confidential. Store it in a safe place in your email or on your computer, as you will need it when installing your SSL Certificate.


How to verify the integrity of the private key pair?

You can verify the integrity of an SSL certificate and private key pair with the OpenSSL command-line utility.

The process consists of four steps:

  1. Verify that the private key has not been altered.
  2. Verify that the modulus of the Private Key and the modulus of the SSL certificate match.
  3. Encrypt with the public key from the certificate and decrypt with the private key.
  4. Sign a file with the private key and verify the signature with the public key.

Verify the private key integrity

Run the following command:

openssl rsa -in [key-file.key] -check -noout

Here’s an example of the output for a corrupt private key:

[Screenshot: private key error]

Other errors resulting from an altered/forged key are listed below:

  • RSA key error: p not prime
  • RSA key error: n does not equal p q
  • RSA key error: d e not congruent to 1
  • RSA key error: dmp1 not congruent to d
  • RSA key error: iqmp not inverse of q

If you encounter any of the above errors, your private key has been tampered with and may not work with your public key. Consider creating a new private key and requesting a replacement certificate.

Here’s the output for a private key that passes the integrity check:

RSA key ok

Verify that the modulus of the Private Key and the SSL certificate match

Note: The modulus of the private key and certificate must match exactly.

To view the certificate Modulus run the command:

openssl x509 -noout -modulus -in [certificate-file.cer]

To view the private key Modulus run the command:

openssl rsa -noout -modulus -in [key-file.key]

Encrypt with the public key from the certificate and decrypt with the private key

1. Get the public key from certificate:

openssl x509 -in [certificate-file.cer] -noout -pubkey > certificatefile.pub.cer

2. Encrypt the content of test.txt using the public key

Create a new file called test.txt (you can use Notepad) with the content “message test”. Run the following command to write the encrypted message to cipher.txt.

openssl rsautl -encrypt -in test.txt -pubin -inkey certificatefile.pub.cer -out cipher.txt

3. Decrypt cipher.txt using the private key

Run the following command to decrypt the content of cipher.txt.

openssl rsautl -decrypt -in cipher.txt -inkey [key-file.key]

Ensure that the decrypted content of cipher.txt is printed to your terminal. The output must match the content of test.txt.

If the content does not match, the private key has been tampered with and may not work with your public key. Consider creating a new private key and requesting a replacement certificate. Here’s an example of a decrypted message:

message test

4. Confirm the integrity of a file signed with the private key

Run the following command to sign test.txt with your private key, writing the signature to test.sig:

openssl dgst -sha256 -sign [key-file.key] -out test.sig test.txt

Now verify the signature with the public key extracted in step 1.

openssl dgst -sha256 -verify certificatefile.pub.cer -signature test.sig test.txt

Make sure that the output from the terminal is exactly like the example below:

Verified OK

If your private key has been tampered with, you will receive the following message:

Verification Failure

In this case, you should create a new private key and request a replacement certificate.
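As an added, end-to-end illustration of the four checks (this script is not part of the original article or of DigiCert’s knowledge base), the following POSIX shell script runs them in order against a key and a certificate and stops at the first failure, so you can tell a corrupt key apart from a key that is intact but belongs to a different certificate. It generates a throwaway key and a self-signed certificate for the demonstration; the file names, the subject name example.test and the function names are assumptions of this example. Step 3 uses openssl pkeyutl, which replaces the rsautl command shown above (rsautl is deprecated since OpenSSL 3.0 but still works).

```shell
#!/bin/sh
# Added example (not from the original article): runs the four key/certificate checks
# and reports the first one that fails. A throwaway key and self-signed certificate are
# generated locally so this runs offline; for a real check, call check_pair with your
# own key-file.key and certificate-file.cer.

# generate_test_pair DIR
# Creates a 2048-bit RSA key and a one-day self-signed certificate for it in DIR.
# Constructed test data only; the subject name is a placeholder.
generate_test_pair() {
  dir="$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/key.pem" 2>/dev/null || return 1
  openssl req -new -x509 -key "$dir/key.pem" -out "$dir/cert.pem" \
    -days 1 -subj "/CN=example.test" 2>/dev/null || return 1
}

# check_pair KEY CERT
# Exit status: 0 = all four checks pass and the key belongs to the certificate,
# 1 = key fails the structural check (step 1), 2 = modulus mismatch (step 2),
# 3 = encrypt/decrypt round trip failed (step 3), 4 = signature does not verify (step 4).
check_pair() {
  key="$1"
  cert="$2"
  work=$(mktemp -d) || return 99
  status=0

  # Step 1: structural check of the RSA parameters (p prime, n = p*q, d*e = 1 mod lcm, ...).
  if ! openssl rsa -in "$key" -check -noout >/dev/null 2>&1; then
    echo "step 1: private key is corrupt or has been altered"
    status=1
  fi

  # Step 2: both commands print "Modulus=<hex>"; the two strings must be identical.
  # (Piping each through "openssl sha256" gives a shorter value to compare by eye.)
  if [ "$status" -eq 0 ]; then
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null)
    if [ -z "$cert_mod" ] || [ "$key_mod" != "$cert_mod" ]; then
      echo "step 2: modulus mismatch; this key does not belong to this certificate"
      status=2
    fi
  fi

  # Step 3: encrypt with the certificate's public key, decrypt with the private key.
  # pkeyutl is the replacement for rsautl, which OpenSSL 3.0 deprecated.
  if [ "$status" -eq 0 ]; then
    openssl x509 -in "$cert" -noout -pubkey > "$work/pub.pem" 2>/dev/null
    printf 'message test' > "$work/test.txt"
    openssl pkeyutl -encrypt -pubin -inkey "$work/pub.pem" \
      -in "$work/test.txt" -out "$work/cipher.bin" 2>/dev/null
    plain=$(openssl pkeyutl -decrypt -inkey "$key" -in "$work/cipher.bin" 2>/dev/null)
    if [ "$plain" != "message test" ]; then
      echo "step 3: decrypted text does not match the original"
      status=3
    fi
  fi

  # Step 4: sign with the private key and verify with the extracted public key.
  if [ "$status" -eq 0 ]; then
    openssl dgst -sha256 -sign "$key" -out "$work/test.sig" "$work/test.txt" 2>/dev/null
    if ! openssl dgst -sha256 -verify "$work/pub.pem" -signature "$work/test.sig" \
         "$work/test.txt" >/dev/null 2>&1; then
      echo "step 4: signature does not verify (Verification Failure)"
      status=4
    fi
  fi

  rm -rf "$work"
  [ "$status" -eq 0 ] && echo "all four checks passed: key and certificate match"
  return "$status"
}

# Stand-alone demo: check a matching pair, then an unrelated key against the same
# certificate to show how a mismatch is reported.
if [ "${1:-}" = "demo" ]; then
  d1=$(mktemp -d); d2=$(mktemp -d)
  generate_test_pair "$d1" && generate_test_pair "$d2"
  check_pair "$d1/key.pem" "$d1/cert.pem"
  check_pair "$d2/key.pem" "$d1/cert.pem"
  rm -rf "$d1" "$d2"
fi
```

Run it as sh check_pair.sh demo to see both outcomes; for a real pair, source the file and call check_pair /path/to/key-file.key /path/to/certificate-file.cer. Exit status 2 is exactly the situation described in the next question: the key is structurally sound but pairs with a different CSR than the one the certificate was issued from.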

Source: DigiCert’s Knowledge Base


Why do I get a certificate or Private Key mismatch error?

Sometimes the SSL Certificate that was issued to you does not match the Private Key you are trying to use when installing that SSL Certificate on your server. This is a common user error.

If the system reports a mismatch, double-check the CSR and Private Key that you generated together. Make sure that you used that specific CSR when you configured your SSL Certificate; once the SSL Certificate is issued, you need to use the Private Key that pairs with that specific CSR.

We see customers make the mistake of generating one CSR and Private Key, then configuring the SSL Certificate with a different, server-generated CSR. In that case the server-generated CSR pairs with its own Private Key, which you most probably don’t have.

The Private Key which you have works only with the CSR that it came with. Also, the Private Key which you have works only with the SSL Certificate that was configured using the CSR that pairs with that Private Key.

Solution

To solve this, you need to re-configure (re-issue) your SSL Certificate using a CSR code for which you have the Private Key that it pairs with. You may want to use a CSR code that your server provides, or generate a new CSR and Private Key.


How to find the Private Key for My Code Signing Certificate?

Starting June 1, 2023, industry standards mandate storing code signing certificate private keys on FIPS 140 Level 2, Common Criteria EAL 4+ certified hardware. This change enhances security, aligning with EV code signing standards. Certificate Authorities can no longer support browser-based key generation or laptop/server installations. Private keys must be on FIPS 140-2 Level 2 or Common Criteria EAL 4+ certified tokens/HSMs. To sign the code, access the token/HSM and use stored certificate credentials.

In line with the new guidelines, your private key should be on the token shipped by the CA or on your Hardware Security Module.
