PROOF OF POSSESSION OF A PRIVATE KEY



Note! Never send your private key as a proof of possession via the revocation form!

When the revocation reason is key compromise, you may prove control of your private key by sending Telia a signature of a hash produced with that key. Proof of possession applies only to key compromise; do not send a signature of a hash for any other revocation reason.

Please note that when the reason is key compromise and proof of possession is done, all certificates using this key are revoked. Ensure beforehand that the key is not used in any certificate that should not be revoked.

Proof of possession of a private key at Telia Certificate Service is done by producing a signature of a hash with the key. The signature is delivered to Telia in the field 'Other details of revocation' on the revocation form. Below is a guide on how to obtain the signature of a hash.

You will need the OpenSSL software package. It is installed by default on Linux and macOS.

  1. Find out where the private key for the certificate being revoked is located. The key is on the server where the certificate is installed and in use.


  2. This step applies only to certificates used on Windows. On Windows Server, export your private key and certificate into a pfx package: in the IIS Manager tool, open the Server Certificates application, right-click the line showing your certificate and select Export. The pfx file must then be split into a private key and a certificate on an OpenSSL-equipped computer with the command openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes (replace keyStore.pfx with the name of your pfx file). The password you set during the export is required. The resulting file keyStore.pem contains both your private key and your certificate; copy-paste them into two separate files with a text editor before creating the signature.


  3. Run the following commands on a computer where both the private key and the certificate are present. The signature of the hash will be written to a file called signature.hash.

    • Create the signature of the hash with the private key (here the key file is called secp384r1.key):
      echo "PoP verification" | openssl dgst -sha256 -sign secp384r1.key |base64 > signature.hash
    • Check that the signature in signature.hash matches the certificate (here called ec_public.pem); the command uses process substitution, so run it in bash:
      echo "PoP verification" | openssl dgst -sha256 -verify <(openssl x509 -pubkey -noout -in ec_public.pem) -signature <(base64 -d signature.hash)


  4. Send the signature of the hash to Telia by pasting it into the field 'Other details for revocation'.
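The signing and verification steps above, as an added self-checking script that is not part of Telia's guide. It generates its own throw-away P-384 key and self-signed certificate (constructed test material), signs the same "PoP verification" text the guide uses, and shows that the check accepts a signature from the matching key and rejects one from a different key; it uses temporary files instead of bash process substitution so it also runs under plain /bin/sh.

```shell
#!/bin/sh
# Added example (not Telia's own script): proof-of-possession sign/verify round trip.
set -eu

POP_MESSAGE="PoP verification"   # the fixed text the guide signs (echo adds a newline)

# Sign the message with a private key; prints the base64 signature on one line.
pop_sign() {  # $1 = private key file (PEM)
    printf '%s\n' "$POP_MESSAGE" | openssl dgst -sha256 -sign "$1" | openssl base64 -A
}

# Verify a base64 signature against the public key embedded in a certificate.
# Prints "match" (return 0) or "mismatch" (return 1). Accepts wrapped base64 too.
pop_verify() {  # $1 = certificate file (PEM), $2 = base64 signature
    tmpdir=$(mktemp -d)
    openssl x509 -pubkey -noout -in "$1" > "$tmpdir/pub.pem"
    printf '%s' "$2" | tr -d '\n' | openssl base64 -d -A > "$tmpdir/sig.bin"
    if printf '%s\n' "$POP_MESSAGE" | openssl dgst -sha256 -verify "$tmpdir/pub.pem" \
            -signature "$tmpdir/sig.bin" >/dev/null 2>&1; then
        rm -rf "$tmpdir"; echo match; return 0
    fi
    rm -rf "$tmpdir"; echo mismatch; return 1
}

# Constructed test material: a P-384 key with a self-signed certificate for it,
# plus a second, unrelated key that must NOT verify against that certificate.
make_test_material() {  # $1 = output directory
    openssl ecparam -name secp384r1 -genkey -noout -out "$1/secp384r1.key"
    openssl req -new -x509 -key "$1/secp384r1.key" -subj "/CN=pop-test" -days 1 \
        -out "$1/ec_public.pem" 2>/dev/null
    openssl ecparam -name secp384r1 -genkey -noout -out "$1/other.key"
}

pop_demo() {
    d=$(mktemp -d)
    make_test_material "$d"
    sig=$(pop_sign "$d/secp384r1.key")
    pop_verify "$d/ec_public.pem" "$sig"                              # match
    pop_verify "$d/ec_public.pem" "$(pop_sign "$d/other.key")" || true # mismatch
    rm -rf "$d"
}

pop_demo
```

For a real revocation, replace the generated files with your own key and certificate and paste the output of pop_sign into the revocation form.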