Digital certificates
SteepZero, 2018-01-22 13:41:06

What can an attacker do if he gets a server SSL certificate?

Recently, the technical specialists of the service whose API we are integrating with mistakenly sent us the "server certificate.cer"
(we had requested certificates to connect to them over GOST TLS).
In the certificate I see the lines:

X509v3 Key Usage:
    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment

As far as I understand, from these lines it follows that the certificate is a server one and it is not suitable for connection.
Therefore, the question is: let's say I'm an attacker, then what, theoretically, can I do with this certificate in my hands?

2 answer(s)
Alexander Yudakov, 2018-01-22
@AlexanderYudakov

"cer" is the certificate. It can and should be shared with everyone. There is nothing secret there.
You can't give "pvk" and/or "pfx" to outsiders - it contains the private key.

CityCat4, 2018-01-22
@CityCat4

If you get a real, full-fledged .p12 with a known password, or even a *.crt and *.key that are not password-protected, you can impersonate the owner of the certificate and not a single dog will prove that it is not him.
But what you have come across is something that is handed out to everyone completely free of charge, like a leaflet: a public key (public certificate) in DER format. Key Usage practically does not matter; Extended Key Usage could be interesting, since that is where its real applicability is usually listed.
So you can admire it. That's it :)

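To make the Key Usage versus Extended Key Usage point concrete, here is an added example (written for this page, not code from either answer or from any project) that decodes the DER-encoded values of both extensions as they sit inside a .cer file and reports whether the EKU permits TLS client authentication. It assumes short-form DER lengths only, and the sample bytes are hand-constructed rather than taken from a real certificate.

```python
# Added example, not code from the thread: decode the DER values of the X.509
# KeyUsage and ExtendedKeyUsage extensions (RFC 5280) found inside a .cer file.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]
KNOWN_EKU = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth"}

def _tlv(buf, pos=0):
    """One short-form DER element (length < 128): returns (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form DER lengths are not handled in this example")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_key_usage(der):
    """KeyUsage is a BIT STRING; bit 0 is the most significant bit of the first byte."""
    tag, value, _ = _tlv(der)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, bits = value[0], value[1:]
    total = min(len(bits) * 8 - unused, len(KEY_USAGE_BITS))
    return {KEY_USAGE_BITS[i] for i in range(total) if bits[i // 8] & (0x80 >> (i % 8))}

def _oid(raw):
    """Decode OBJECT IDENTIFIER content bytes (base-128 sub-identifiers) to dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def decode_ext_key_usage(der):
    """ExtKeyUsage is a SEQUENCE OF OBJECT IDENTIFIER; known OIDs are named."""
    tag, seq, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("ExtKeyUsage must be a SEQUENCE")
    pos, purposes = 0, []
    while pos < len(seq):
        _, raw, pos = _tlv(seq, pos)
        dotted = _oid(raw)
        purposes.append(KNOWN_EKU.get(dotted, dotted))
    return purposes

def fits_tls_client(eku):
    # RFC 5280: an absent EKU allows any purpose; otherwise clientAuth must be listed.
    return eku is None or "clientAuth" in eku

SAMPLE_KU = bytes.fromhex("030204f0")  # constructed: bits 0-3 set, 4 unused bits
SAMPLE_EKU = bytes.fromhex("300a06082b06010505070301")  # constructed: { serverAuth }
```

Running `decode_key_usage(SAMPLE_KU)` yields exactly the four usages printed in the question, while `decode_ext_key_usage(SAMPLE_EKU)` shows that such a certificate lists only serverAuth, which is what actually rules it out for client-side TLS.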