What exactly is the content of an Apple .p8 file? - apple-push-notifications

I need the APN key to configure Firebase Cloud Messaging (FCM) for an app. I asked for this key and received something like this text by email:
auth:
  key_identifier: "J54F12867G"
  encryption_key: |
    -----BEGIN PRIVATE KEY-----
    Mfsd9c8asdc8as9dca9sd8causdncnasldcnadLKNKJNkjnkjnLKJNLNLJNLNjln
    jbhjkhbghvjhvfgchcHFCGHFCVyunlNunbuYByut56769706VHGVUYTVtyvytvtr
    kjhbkjhbYbybUY7lkajsdnclkjnHkJHBkJHBs89098765lkjnlkjnjkhbjah788s
    asda7kKJ
    -----END PRIVATE KEY-----
But I know that FCM requires a .p8 file. What should I do to convert that text into a .p8 file? Maybe a .p8 file is just a text file with that inside? Thanks.
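
An added example, not part of the original question: a block headed "-----BEGIN PRIVATE KEY-----" is Base64-armored DER holding a PKCS#8 PrivateKeyInfo, which is the form Apple's APNs auth key .p8 files take. The code pulls such a block out of pasted text, checks the PKCS#8 layout and saves it readable by the owner only; the function names, the AuthKey_<key id>.p8 file name and the zero-filled sample key are assumptions made for the illustration.

```python
import base64, os, re

PEM_RE = re.compile(r"-----BEGIN PRIVATE KEY-----(.+?)-----END PRIVATE KEY-----", re.S)
KNOWN = {bytes.fromhex("2a8648ce3d0201"): "EC", bytes.fromhex("2a864886f70d010101"): "RSA"}

def tlv(buf, pos):  # read one DER element: (tag, content, next position)
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def pkcs8_algorithm(text):  # returns (der bytes, key algorithm name or OID hex)
    match = PEM_RE.search(text)
    if not match:
        raise ValueError("no 'BEGIN PRIVATE KEY' (PKCS#8) block found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    tag, body, end = tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    t_ver, _, p = tlv(body, 0)      # version INTEGER
    t_alg, alg, p = tlv(body, p)    # AlgorithmIdentifier SEQUENCE
    t_key, _, _ = tlv(body, p)      # privateKey OCTET STRING
    t_oid, oid, _ = tlv(alg, 0)     # algorithm OBJECT IDENTIFIER
    if (t_ver, t_alg, t_key, t_oid) != (0x02, 0x30, 0x04, 0x06):
        raise ValueError("not a PKCS#8 PrivateKeyInfo")
    return der, KNOWN.get(oid, oid.hex())

def write_p8(text, key_id, directory="."):  # file name pattern is an assumption
    if not key_id.isalnum():
        raise ValueError("key id must be alphanumeric")
    der, _ = pkcs8_algorithm(text)
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    pem = "\n".join(["-----BEGIN PRIVATE KEY-----", *rows, "-----END PRIVATE KEY-----", ""])
    path = os.path.join(directory, f"AuthKey_{key_id}.p8")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # owner-only, no overwrite
    with os.fdopen(fd, "w") as handle:
        handle.write(pem)
    return path

def sample_text():  # constructed input: zero-filled key bytes, not a usable key
    alg = bytes.fromhex("06072a8648ce3d020106082a8648ce3d030107")
    body = b"\x02\x01\x00\x30" + bytes([len(alg)]) + alg + b"\x04\x20" + bytes(32)
    b64 = base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()
    return f'auth:\n  encryption_key: |\n    -----BEGIN PRIVATE KEY-----\n    {b64[:64]}\n    {b64[64:]}\n    -----END PRIVATE KEY-----\n'
```

A block headed "BEGIN RSA PRIVATE KEY" or "BEGIN EC PRIVATE KEY" is a different container and is rejected by this check.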

Related

Importance of keystore certificate for SAML SSO

I am new to certificates and keystores.
What is the importance & working of keystores, and certificates for SAML SSO (in context of Spring boot SAML SSO)?
I see .jks, .pem, .cer, .der, etc. in use. What are these?
What is the importance & working of KeyStore, and certificates for SAML SSO (in context of Spring boot SAML SSO)?
These are used for Security implications for signing SAML assertions,
SAML protocol request and response.
Certificates in SAML SSO will be used to digitally sign the SAML
assertion/request/response and KeyStore is the persistent storage to
store the keys/certificates.
An assertion signed by the asserting party supports assertion
integrity, authentication of the asserting party to a SAML relying
party, and, if the signature is based on the SAML authority’s
public-private key pair, non-repudiation of origin.
A SAML protocol request or response message signed by the message
originator supports message integrity, authentication of message
origin to a destination, and, if the signature is based on the
originator's public-private key pair, non-repudiation of origin.
Certificates are also used for secure channel establishment
(SSL/TLS).
What are the .jks, .pem, .cer, .der, etc.?
.jks is extension to JAVA's proprietary KeyStore (JKS) format. JKS is
the database format for both the private key, and the associated
certificate or certificate chain. Till JAVA 8, by default, as
specified in the java.security file, keytool uses JKS as the format
of the key and certificate databases (KeyStore and TrustStores).
Since JAVA 9 the default KeyStore format has been changed to
PKCS12 (extension .pkcs).
.pem, .cer, .der are the certificate/key types/extensions:
.PEM : The PEM extension is used for different types of X.509v3 files
which contain ASCII (Base64) armored data prefixed with a “----- BEGIN
…” line.
.DER : The DER extension is used for binary DER encoded certificates.
These files may also bear the CER or the CRT extension. Proper
English usage would be “I have a DER encoded certificate” not “I have
a DER certificate”.
.CRT : The CRT extension is used for certificates. The certificates
may be encoded as binary DER or as ASCII PEM. The CER and CRT
extensions are nearly synonymous. Most common among *nix systems.
.CER : alternate form of .crt (Microsoft Convention). You can use MS to
convert .crt to .cer (both DER encoded .cer, or base64 [PEM] encoded
.cer). The .cer file extension is also recognized by IE as a command
to run a MS cryptoAPI command (specifically rundll32.exe
cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing
and/or viewing certificate contents.
.KEY : The KEY extension is used both for public and private PKCS#8
keys. The keys may be encoded as binary DER or as ASCII PEM.

How to create private key from SSL certificate?

I want to create a private key for an SSL certificate which is in CER format. I have a CER format certificate and a PKCS #7 certificate with that.
Are private keys available on the server only, or do we get them with the certificate separately?
I am working with Apache on Windows.
Based on your description you have only the certificate. This certificate contains the public key. You cannot create a private key from it because of how Public Key Cryptography works.
If you could create the private key from any certificate you could essentially authenticate yourself as an arbitrary server on the internet and man in the middle attacks would be easy. Thus, it is good that you cannot get a private key from a certificate.

Google API RS256 Key Signing

I wanted to implement Google's OAuth 2.0 Server to Server process in Erlang/Elixir, but am having a bit of difficulty.
Primarily, I can't seem to find the public key that Google is using to verify my signature (at least this is what I think the problem is).
I've downloaded the JSON file that Google provides which includes a "private_key" as well as a URL where I can find the "client_x509_certs". When I go to that link I even see an x509 certificate that has an identifier that corresponds to my private key. So how come I can't verify my signatures?
I mean first off, in order to make Erlang happy I had to convert the private key to the RSA format using this command:
openssl rsa -in key.pem -out rsa.key
I was then able to sign things using Erlang's public_key.sign.
{ :ok, key } = File.read("./private_key")
[ key | _ ] = :public_key.pem_decode(key)
key = :public_key.pem_entry_decode(key)
sig = :public_key.sign("halloween", :sha256, key)
However, after extracting the RSA public key from the x509 certificates provided in the URL, I can't verify any of my signatures.
:public_key.verify("halloween", :sha256, sig, public_key)
Am I not getting my public key from the right place?

How to import an OpenSSL key file into the Windows Certificate Store

I've got an OpenSSL generated X.509 certificate in PEM format and its associated key file. This certificate is required for authentication when connecting to a prototype server. This works fine on Linux. I've been using the Microsoft SChannel API to drive SSL/TLS connections on Windows platforms but I want to use the same test certificate. I can right-click on the certificate file and import it into my certificate store but I believe that the private key is not imported with it (even though I've concatenated them into the same file).
When I go to run the SChannel code, I get a 'SEC_E_NO_CREDENTIALS' error when I init the security context (via InitializeSecurityContext). I suspect this means that the private key is missing.
Does anyone know how to test the presence or absence of a private key in a certificate which is located in the Personal (or 'My') certificate store, accessed via 'certmgr.msc'? Is it possible to import a new key file for a certificate in the store?
Any insight or advice would be much appreciated.
To test if a private key is installed for the certificate, double click the certificate icon in certmgr.msc. If it has a private key, it will show a message in the property page that you have a private key, otherwise it will not give any reference to the private key.
To import the certificate with its private key, you can do the following:
Pack the certificate and its private key into a PKCS #12 file or PFX file using openssl pkcs12. Here's an example.
Import this PKCS #12 or PFX file into the certificate store.
Note that you may see errors when importing the pfx file, such as 'This file is invalid for use as the following: Personal Information Exchange'. This error was caused by the certificate lacking the appropriate X.509 v3 extensions (such as the usage fields (digital signature, etc.)).

Windows keystores and certificates

I've recently inherited a project with minimal documentation that performs digital signatures of documents and I've received a change request that has left me a little baffled.
The application is Java based, and makes use of Java Keystores (JKS) and uses the private key of the alias specified as a command line operation to digitally sign an input document. This all appears fairly straightforward to me, however the change request has left me confused.
The client has requested the ability to use "Windows" keystores (more specifically, the Windows-MY keystore which relates to personal certificates as far as I can tell). Now, my initial assumption is that what the client is requesting is simply not possible as this key store will only ever contain certificates, which can not be used for signing documents in any capacity. Am I incorrect, or will the Windows-MY keystore only ever contain a public certificate? I don't believe a private key would ever be embedded within one of these certificates.
Unfortunately there are some communication difficulties so I'd like to make sure my reasoning is correct before proceeding any further.
Here's some more evidence to support my case (communication from the client):
Creating Windows Key Store (Exporting from Java Keystore ) steps are here -
generate RSA key
keytool -genkey -alias mykey -keyalg RSA -keystore my.jks -keysize 2048
Export Certificate from the above keystore:
keytool -export -alias mykey -file mykey.crt -keystore my.jks
Enter keystore password: temp123
Certificate stored in file <mykey.crt>
Install the above certificate in windows keystore.
a. Double click on “mykey.crt” and click on Install certificate
b. Select “Place all certificates in the following store” radio button and click “Browse” button to add it in windows Certificate store.
c. Check this certificate in WindowsMy store.
Unless I'm wrong, keytool will only ever generate a certificate type rather than an actual public/private key pair?
Any assistance or even affirmation would be greatly appreciated, apologies for the lack of clarity in the question but unfortunately this is all I have to work with at the moment.
Java or Windows specific answers would be helpful but even just confirmation of the basic principles would be appreciated.
Thanks in advance
Maybe you want to take a look at Oracle's documentation [1] on the SunMSCAPI provider, that can be used to access certificates and keys stored in the Windows-MY (Personal) and Windows-ROOT (Trusted Root Certification Authorities) stores.
There is a little code snippet as well, which seems to match your needs quite reasonably:
KeyStore ks = KeyStore.getInstance("Windows-MY");
// Note: When a security manager is installed,
// the following call requires SecurityPermission
// "authProvider.SunMSCAPI".
ks.load(null, null);
byte[] data = ...
String alias = "myRSA";
PrivateKey privKey = (PrivateKey) ks.getKey(alias, null);
Certificate cert = ks.getCertificate(alias);
Provider p = ks.getProvider();
Signature sig = Signature.getInstance("SHA1withRSA", p);
sig.initSign(privKey);
sig.update(data);
byte[] signature = sig.sign();
System.out.println("\tGenerated signature...");
sig.initVerify(cert);
sig.update(data);
if (sig.verify(signature)) {
    System.out.println("\tSignature verified!");
}
Summarizing: The Windows-My store holds certificates as well as private keys, both can be read from Java using the SunMSCAPI provider and can be used to sign digital documents.
If simply wanting to use a keytool created (Java) keystore's certificate w/ its private key so that you can import it into Windows, then you would just export it to PKCS12 format (PFX) (i.e., when exporting, use parameter -storetype=pkcs12).
