Proving Possession of a Private Key

You can use OpenSSL to show proof-of-possession (POP) of a private key by signing a test file with it. This method works for both RSA and ECC keys.

What is OpenSSL?
OpenSSL is a very useful open-source command-line toolkit for working with X.509 certificates, certificate signing requests (CSRs), and cryptographic keys. If you are using a UNIX variant like Linux or macOS, OpenSSL is probably already installed on your computer. If you would like to use OpenSSL on Windows, you can enable Windows 10’s Linux subsystem or install Cygwin.

Create a Signature with the Private Key

  1. Create a test file:

    echo ssl.com > test.txt
  2. Sign the sha256 hash of the test file, using the private key (replace privatekey.pem in the command below with the key’s actual filename):

    openssl dgst -sha256 -sign privatekey.pem -out test.sig test.txt
  3. You can now prove possession of the private key by sending test.sig and test.txt to a verifying third party, such as SSL.com. You can also check whether the private key matches a certificate by following the procedure below:

Confirm that Private Key Matches Certificate

  1. Extract the public key from the certificate (replace certificate.pem in the command below with the certificate’s actual filename):

    openssl x509 -pubkey -noout -in certificate.pem > publickey.pem
  2. Verify the sha256 hash of the test file, using the public key:

    openssl dgst -sha256 -verify publickey.pem -signature test.sig test.txt
  3. If the private key matches the certificate, you’ll get the output Verified OK. If not, you’ll get a Verification Failure.
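
The two procedures above run end to end, as an added example that is not part of the SSL.com article: it generates throwaway RSA and ECC keys with self-signed certificates (constructed test material), signs the test file, and checks both a matching and a mismatched key/certificate pair. The function names sign_file and key_matches_cert are this example's own; it assumes the openssl CLI is on PATH.

```shell
#!/bin/sh
# Added example (not from the SSL.com article): exercises the article's
# proof-of-possession flow against throwaway keys and certificates created
# here, so both the match and the mismatch outcome can be observed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1 of the article: the test file whose SHA-256 hash will be signed.
echo ssl.com > "$WORK/test.txt"

# Constructed test material: one RSA and one P-256 key, each with a
# self-signed certificate. Nothing here should ever be deployed.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/rsa.key" 2>/dev/null
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/ec.key" 2>/dev/null
openssl req -new -x509 -key "$WORK/rsa.key" -subj /CN=rsa-test -days 1 -out "$WORK/rsa.crt" 2>/dev/null
openssl req -new -x509 -key "$WORK/ec.key" -subj /CN=ec-test -days 1 -out "$WORK/ec.crt" 2>/dev/null

# sign_file KEY FILE SIG: the article's step 2, signing the SHA-256 digest.
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# key_matches_cert CERT SIG FILE: the article's verification procedure.
# Extracts the public key from CERT, verifies SIG over FILE with it, and
# returns 0 on "Verified OK" or 1 on "Verification Failure".
key_matches_cert() {
    pub="$1.pub"
    openssl x509 -pubkey -noout -in "$1" > "$pub"
    openssl dgst -sha256 -verify "$pub" -signature "$2" "$3" >/dev/null 2>&1
}

sign_file "$WORK/rsa.key" "$WORK/test.txt" "$WORK/rsa.sig"
sign_file "$WORK/ec.key"  "$WORK/test.txt" "$WORK/ec.sig"

# Matching pairs verify; the RSA signature checked against the EC
# certificate's public key does not, which is the mismatch the article describes.
key_matches_cert "$WORK/rsa.crt" "$WORK/rsa.sig" "$WORK/test.txt" && echo "RSA key matches RSA certificate"
key_matches_cert "$WORK/ec.crt"  "$WORK/ec.sig"  "$WORK/test.txt" && echo "EC key matches EC certificate"
key_matches_cert "$WORK/ec.crt"  "$WORK/rsa.sig" "$WORK/test.txt" || echo "RSA signature does not match EC certificate"
```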

Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page. You can also find answers to many common support questions in our knowledgebase.