I have a .crt file that's used for a game, I was wondering what exactly this is used for? Could you possibly view traffic that's secured using this certificate through something like Wireshark?
basically a .crt file is used as a security certificate which in your case would be used by the game to establish the connections with the game servers. It is written in ASCII format with X.509 certification. There wont be any physical significance of the .crt file for you personally and viewing traffic with Wireshark might not be possible with just the .crt file.
Thanks
Related
I have written a restful API project which is developed using spring boot and I am using the embedded tomcat and running a jar on a linux server.
The APIs are live at:
https://api.arevogroup.com:8089/api/regions
and I can see the verified and correct SSL as well as in the given screenshot.
but I am getting an this exception in the postman when I call these apis.
These APIs are consumed by a Xamrin based app which seems to work all good when consumed using iPhone but gives this same exception when the APIs are accessed via android.
I guess, the way I have generated the ssl certificate has some issues.
I have used a pfx file and my SSL config in properties file looks like this:
###SSL Key Info
security.require-ssl=true
server.ssl.key-store-password=PASSWORD
server.ssl.key-store=classpath:ssl_pfx.pfx
server.ssl.key-store-type=PKCS12
I have 2 questions, if disable the ssl verification, would the communication still be encrypted or not? (man in the middle attack is still possible but the info will still be encrypted, right?).
If not, how can I fix this?
You can't disable the verification of the server certificate. No browser will allow you to do it, except on an exceptional basis (the user must confirm the exception). If the client disables the verification, than the communication will be encrypted (i.e. no passive attack will be possible).
The errors you see are cause by a misconfiguration of your server.
Your certificate chain contains just the certificate for your server and lacks the intermediate certificate CN=Go Daddy Secure Certificate Authority - G2. You need to download it from Go Daddy (it is the one named gdig2.crt.pem) and add it to your keystore.
Refer to this question on how to do it.
Some browsers cache intermediate certificates and are able to verify your site even if one certificate is missing. However you should not rely on it.
security.require-ssl=true
server.ssl.key-store-password=PASSWORD
server.ssl.key-store=keystore.jks
server.ssl.key-store-provider=SUN
server.ssl.key-store-type=JKS
Used the jks file instead of pfx and it worked all good. Thought to share with others too.
I'm looking for a way to get automatically a SHA-1 fingerprint of a certain website with my Arduino.
I'm using esp-8266 Arduino.
I have a program that makes an API call every few seconds to a certain website from my Arduino. Because this website is using HTTPS I'm using the WiFiClientSecureBearSSL.h library.
In order to use this library, you must provide the fingerprint SHA-1, the problem is that I need every time the website changes their fingerprint to manually change it in my code.
Is there any way to get the fingerprint automatically?
Thanks
I have a similar problem. I don't want update over OTA my ESP everytime a SSL certificate changes.
But you are not alone and a lot of users want a solution. See https://esp32.com/viewtopic.php?t=8744
Some times, you can find the certificate or fingerprint directly on the webpage, like on https://letsencrypt.org/certificates/
Some times, you have to write a script to retrieve the certificate or fingerprint.
As written in the forum, my solution is not good (security reasons), but works:
1. Set an alternative webserver with http, when the certificate fails
2. Call a request to this server to ask a new certificate/fingerprint
3. Save the new fingerprint in your ESP
I made a simple page to retrieve the SSL from other webservers over PHP:
https://projects.petrucci.ch/esp32/?page=ssl.php&url=https%3A%2F%2Fwww.stackoverflow.com
There is also a PHP code, so you can implement it on your webpage if you have a server with PHP. Just use this: openssl_x509_fingerprint($cert);
Hope to find a better solution one day (or maybe the ESP will automatically get the fingerprint in future, like every browser).
I am working in Ec2 instance. I have connected my php files like http://13.57.220.172/phpinsert.php. But it is not secured site. So i want to convert http into https://13.57.220.172.
I have cloudflare ssl. When i try to add ssl certificate. It shows
com.amazonaws.pki.acm.exceptions.external.ValidationException: Provided certificate is not a valid self signed. Please provide either a valid self-signed certificate or certificate chain. Choose Previous button below and fix it.
i have enclose the image with it.
So how can i get the self signed certificate. is there any online tool available.
I think the error message your seeing has to do with this sentence:
If your certificate is signed by a CA, you must include the
certificate chain when you import your certificate.
from https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html.
Since it sounds like you're not yet in "production" mode, I'm guessing you're not particularly attached to your existing certificate, but just want a certificate to be able to do HTTPS on your web server (and don't really care if it's self-signed).
If you want to use AWS Certificate Manager, I think it would be easier to just let them (AWS) issue you a certificate instead of trying to import one from somewhere else. AWS doesn't charge anything for certificates. https://docs.aws.amazon.com/acm/latest/userguide/acm-billing.html
Even if you get the certificate setup in AWS Certificate Manager, that's not going to be installed directly on your EC2 instance, but rather (most likely) on a load balancer in front of your web server, which will add a little complexity to your setup. https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
If all you want to do is use HTTPS on your web server, Let's Encrypt (also free) is probably a simpler option. If you are using AWS Linux 2, there are instructions for getting a certificate here - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html
Well, add to the points which #jefftrotman has already mentioned.
If your expectation is to just secure your IP address using HTTPS you can achieve that using the below approaches:
A SELF SIGNED certificate that you can create using OpenSSL.
You can also get an SSL certificate from a trust signing authority like (GoDaddy or VeriSign) or Let's encrypt.
The only requirement in the second point is that for getting a certificate from a valid signing authority you need to have a domain name like "myphpapp.com" and then use this domain to get the SSL certificate.
The below details are in case you want to use AWS ACM(Amazon Certificate Manager)
If you prefer ACM, you can get the free Public SSL certificate which you can map to the IP address and your web application will be secured.
If your requirement is to add SSL certificates (like PEM files) to a web server like
NGINX or Apache then you first need to create a Private CA using in ACM and then you using this CA you will be able to create Private SSL certificates. After creating those you can export the files and add those files to the configuration file. (try to use Amazon Linux 2) ec2 image for ease.
I've been struggling recently with using the standalone DartVM and SSL as a client. I'm of the understanding that Dart uses Mozilla NSS to manage the certificates. What I'm having a problem wit, is that on Windows, for example, there exists no binaries that I can find (other than third parties compiling the Mozilla source and uploading to mega or similar, which is pretty alarming if you ask me) released for the Windows platform. Compiling this C++ code is not a trivial task. I've not the resources to do so on my own under the Windows platform. This is why I write Dart (or other high level languages) in the first place.
Despite that, the error message I get when attempting to connect securely and being presented with a self-signed (or rather more technically correct, untrusted authority) certificate, is that the OS itself doesn't trust the certificate. On Windows, this is not the case. The certificate in question I'm using is a CA root certificate of my generating, with proper authority/signing chain, installed into Windows trusted roots manually. Both Chrome and Internet Explorer (of which use the Windows underlying certificate store) trust my certificate(s) without any warnings after having done this. So if the DartVM is not using the "OS" to validate a certificate upon handshake, then that message is very uninformative/misleading.
What can be done to overcome this outside of compiling NSS and trying to figure out just how to import my certificates by way of over-complicated and under-documented steps? Is there not a parameter that one could specify when initiating a secure connection to ignore SSL errors of this nature?
My web server forces the use of HTTPS so dropping back to plain HTTP would
not be an option for me. I also don't want to trust and much less want to pay a third party for my certificates of which are pretty much only used internally, which is why I generated a wildcard certificate under my own root CA in the first place. Paying for a wildcard certificate, for multiple domains, that aren't always necessarily exposed to the public or meant for public use is a bit astronomically priced and completely out of the question.
I've just been doing a bit of wondering and learning, and I wanted to know how this works. I'm pretty sure I understand the concept of public/private key pairs, as i've gotten it to work with ssh, but I was wondering about https sites too. Where does my machine get the key pairs. Does chrome automatically generate a new key pair every session? Is there one hidden on my machine I don't know about?
I could be getting this all wrong, but any help would be great. :)
Browsers only generate key-pairs when the user needs to request a new (typically client) certificate. This is not necessarily related to SSL/TLS, but more of a convenience facility to issue certificates. This has nothing to do with day to day use of HTTPS. (Even if you are using a client-certificate, you only generate the key-pair when that certificate needs to be issued/renewed, typically once a year.)
The keys used for encryption are symmetric keys, negotiated during the handshake, where only the server certificate is required (for authenticated negotiation). You may find more details in this similar question: Can One Public Key be Used to Encrypt and Decrypt Data during the SSL Handshake?
Yes your browser generates only symmetric keys
see http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itame2.doc_5.1/ss7aumst18.htm