Mutual authentication in JMeter - jmeter

How can I set system.properties of JMeter for mutual authentication? I have to set a truststore and a keystore but I have three PEM files: ca.pem, cert.pem, privkey.pem. Is there a way to easily convert PEM files to JKS?

You can convert your PEM certificates into a .p12 keystore using the OpenSSL tool like:
openssl pkcs12 -export -out jmeterkeystore.p12 -inkey privkey.pem -in cert.pem -CAfile ca.pem
Once done you can point JMeter to use the generated jmeterkeystore.p12 by adding the next lines to JMeter's system.properties file:
javax.net.ssl.keyStoreType=pkcs12
javax.net.ssl.keyStore=/path/to/your/jmeterkeystore.p12
javax.net.ssl.keyStorePassword=your_keystore_password_here
Once you do this and restart JMeter you will be able to access the endpoints which require client certificates.
Another way to convert PEM files into a .JKS or .P12 keystore is using a GUI-based tool like KeyStore Explorer.

Related

Spring Boot SSL webapp iOS testing

I'm experimenting with Spring Boot to create a WebApp.
In order to create a SSL certificate I issue the following command:
keytool -alias devssl -keystore devssl.p12 -genkeypair -keyalg RSA -sigalg SHA256withRSA \
-keysize 2048 -storetype PKCS12 -validity 365 -dname "CN=Frankie, OU=Frankie, O=Frankie, \
L=City, S=State, C=UK" -ext SAN=DNS:localhost,DNS:blueye,IP:127.0.0.1,IP:10.1.1.2
Which from what I can understand means that such certificate will be valid for the following addresses:
localhost
blueye
127.0.0.1
10.1.1.2
The certificate is very easy to install on Spring:
server.ssl.key-store-type=PKCS12
server.ssl.key-store=devssl.p12
server.ssl.key-store-password=password
server.ssl.key-alias=devssl
security.require-ssl=true
After I install the certificate under Trusted Root Certification Authorities in Windows it also works great.
I just can't get it to work under iOS.
I email myself the certificate.
Install it on the iPhone.
But I always get the "this connection is not private".
Any idea how to make this work on iOS?
I was pushing on this trying to get iOS to accept a self-signed certificate as the single source of truth. I got to work around it by issuing a proper personal Certificate Authority. Making iOS trust that authority. And then signing the website with a certificate validated by that authority.
I will describe the needed commands as they may save someone a couple of hours. The following is a "birds eye" of what we'll do.
AUTHORITY - this will act as the source of trust for all certificates you sign. You will have to install the Authority on every single machine/phone you'll want with custom certificates
Generate a private key for a Certificate Authority (CA)
Generate a Certificate for the Certificate Authority (CA)
Install Certificate Authority on Windows
Install Certificate Authority on iOS
CLIENT - we can issue private keys for all our projects inside our network. Those private keys will be validated by our own generated and installed authority.
Generate a private key for the client
Generate a Certificate Sign Request (CSR)
Have CA sign the CSR thus generating the client Certificate
Merge the client certificate and the CA certificate into a pkcs12 file which is read by Spring
Now for the actual commands:
Generate a private key, we'll also use an identical command to generate one for the client:
openssl genrsa -des3 -out myCA.key 2048
Generate a certificate for your Certificate Authority. You'll be asked several questions, none of them really matter, they will only serve to identify your certificate to yourself.
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.crt
You now have three files. The myCA.key (private key) and the myCA.pem and myCA.crt which are the certificate file for your certificate authority.
Install on Windows:
Click the myCA.crt file on Windows and follow screen instructions. Then click Start -> Run -> certmgr.msc. It will open the Windows Certificate Manager. You will find the certificate you installed under "Intermediate Certification Authorities". You'll want to drag that file to "Trusted Root Certification Authorities".
Install on iOS:
Email the myCA.pem file to yourself. Open the email on iOS using the Apple Mail App. Follow the instructions and the certificate will be installed. To uninstall you can go to Settings -> General -> Profile. After proper installation iOS requires a second step for you to trust the certificate, you must go to Settings -> General -> About -> Certificate Trust Settings and Enable Full Trust For Root Certificate.
You now have a local CA (Certificate Authority) installed on both your Windows machine and your iOS phone. Let's create a website certificate.
Generate a private key for the website.
openssl genrsa -des3 -out myWebsite.key 2048
Generate a CSR (Certificate Sign Request):
openssl req -new -key myWebsite.key -out myWebsite.csr
Now that we have the website key and the certificate sign request we need to create a config file that openssl will use to generate our website certificate. Create a file called myWebsite.ext with the following info. The only thing you must make sure is the alt names. You can have both IP's and DNS. Be sure to enter all the alternatives that your site will use.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = mywebsite
DNS.3 = mywebsite.local
IP.1 = 10.1.1.3
IP.2 = 127.0.0.1
Now we'll use the CA certificate and private key together with the CSR (Certificate Sign Request) and the config file to generate a proper certificate for the website. Since iOS 13 Apple only allows a max of 825 days on certificates so that's what we'll use.
openssl x509 -req -in myWebsite.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out myWebsite.crt -days 825 -sha256 -extfile myWebsite.ext
You'll now have the following files:
myCA.key - certificate authority private key
myCA.pem - certificate authority certificate pem format
myCA.crt - certificate authority certificate crt format
myWebsite.key - website private key
myWebsite.csr - website certificate sign request
myWebsite.ext - website config file for openssl sign request
myWebsite.crt - website certificate crt format
The only thing missing is to convert the myWebsite.crt to p12 format which we can do with the following command:
openssl pkcs12 -export -in myWebsite.crt -inkey myWebsite.key -certfile myCA.crt -name myWebsite -out myWebsite.p12
Now, to make Spring Boot use this certificate just open application.properties file and make sure it has these lines:
server.ssl.key-store-type=PKCS12
# The path to the keystore containing the certificate, place it src/main/resources
server.ssl.key-store=classpath:myWebsite.p12
# The password used to generate the certificate
server.ssl.key-store-password=PASSWORD-USED
# The alias mapped to the certificate (the -name myWebsite on the last command)
server.ssl.key-alias=myWebsite
# force SSL
security.require-ssl=true
And there you have it. A dev or internal project with proper SSL validation. Hope this saves someone some time.
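As an added example that is not part of the answer above (nor the questioner's own files), here is the same procedure as a runnable POSIX shell script with a few checks, and it doubles as the PEM to PKCS#12 conversion asked about in the JMeter questions on this page. It assumes openssl is on the PATH and uses the made-up names "Local Dev CA", mywebsite.local and the export password "changeit"; keys are generated without -des3 so it runs unattended.

```shell
#!/bin/sh
# Added example: build a local CA, sign a website certificate that carries the
# SAN entries from an ext file, bundle it into a PKCS#12 keystore together with
# the CA certificate, and verify the result. All names/passwords are assumed.
set -eu

# Runs in a subshell so the cd does not leak into the caller's shell.
build_dev_chain() (
    cd "$1"
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -x509 -new -nodes -key ca.key -sha256 -days 825 \
        -subj "/CN=Local Dev CA" -out ca.pem
    openssl genrsa -out site.key 2048 2>/dev/null
    openssl req -new -key site.key -subj "/CN=mywebsite.local" -out site.csr
    # subjectAltName must reference the section with @; '#' would comment it out.
    cat > site.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = mywebsite.local
IP.1 = 127.0.0.1
EOF
    openssl x509 -req -in site.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out site.crt -days 825 -sha256 -extfile site.ext 2>/dev/null
    # Only the website key is exported; the CA key never belongs in a server keystore.
    openssl pkcs12 -export -in site.crt -inkey site.key -certfile ca.pem \
        -name mywebsite -passout pass:changeit -out site.p12
)

# Prints "OK" when site.crt chains to ca.pem.
verify_chain() {
    openssl verify -CAfile "$1/ca.pem" "$1/site.crt" | sed 's/.*: //'
}

# Number of certificates in the keystore: 2 (website + CA) when -certfile worked.
p12_cert_count() {
    openssl pkcs12 -in "$1/site.p12" -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Succeeds when the given SAN text appears in the signed certificate.
san_has() {
    openssl x509 -in "$1/site.crt" -noout -text | grep -q "$2"
}
```

Point server.ssl.key-store (Spring Boot) or javax.net.ssl.keyStore (JMeter) at the produced site.p12 with key-store-type PKCS12 and the export password.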
It looks like you were having trouble creating the certificates correctly, for a great guide on how to do that, check out:
https://jamielinux.com/docs/openssl-certificate-authority/introduction.html
If you follow it exactly, and know what your DNS name is, and what cipher you are using, you shouldn't have any problems. I provide my configuration files for making the certificates, along with a project that helps with sockets, below:
https://github.com/eamonwhiter73/IOSObjCWebSockets

How to configure jmeter for load testing a secure application if I have .pem files with me

I am new to JMeter, just started. I have a secure application and I downloaded the .pem file. I am confused (steps converting .pem to .cer or pk12) about how to use this for accessing the application. When I tried to convert .pem to pfx it is giving an error saying either the private key does not match or the format is different. Can anyone help with a clear list of steps to follow to use JMeter for load testing the application?
Thanks in advance.
JMeter can only work with Java Keystores (either in JKS or PKCS12 formats) so you need to convert your .pem file into a Java Keystore.
You can do this either using OpenSSL command-line utility like:
openssl pkcs12 -export -out keystore.p12 -inkey key.pem -in cert.pem
Or if you prefer you can use a GUI-based tool like Keystore Explorer.
Once done you can configure JMeter to use this keystore by adding the next lines to system.properties file (lives in "bin" folder of your JMeter installation)
javax.net.ssl.keyStoreType=pkcs12
javax.net.ssl.keyStore=/path/to/your/keystore.p12
javax.net.ssl.keyStorePassword=your_keystore_password_here
More information: How to Set Your JMeter Load Test to Use Client Side Certificates

SSL settings spring boot

I have some questions about ssl in spring boot.
I have certificate and private key files with the extensions .crt and .key. How can I get from them the right format for settings in Spring Boot like this:
server.ssl.key-store-type=PKCS12
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-store-password=password
server.ssl.key-alias=tomcat
To convert a certificate file and private key to PKCS#12(.p12) format, use the below command:
openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.crt -certfile CACert.crt
Please go through the below links for your reference on dealing with https in spring boot.
Enable HTTPS in Spring Boot
Configure HTTP to HTTPS Redirection in Spring Boot
I found solution. I got keystore use this comand:
openssl pkcs12 -export -in <mycert.crt> -inkey <mykey.key> -out keystore.p12 -name <alias>
And added the keystore into application.properties:
#ssl
server.port=8443
server.ssl.enabled=true
server.ssl.key-store-type=PKCS12
server.ssl.key-store=keystore/keystore.p12
server.ssl.key-store-password=password
server.ssl.key-alias=alias
This is the correct config. When I used classpath:keystore.p12 it did not work. Maybe that is because I work with Spring Boot 2. Then I created an external folder and put the keystore inside. Now it is working.
An alternative: if you don't have (or don't like?) OpenSSL, https://keystore-explorer.org/ (unlike keytool) can read privatekey+certs into any type of Java keystore (PKCS12, JCEKS, JKS, and more, but PKCS12 is usually best) with the "Import Key Pair" icon or menu item.

How to get .pfx file from .cer and .key?

Before questioning here I've searched a lot about my problem, and the problem still exists. Below are the references to posts which I've already read.
How to create .pfx file from certificate and private key?
Convert a CERT/PEM certificate to a PFX certificate
How to get .pem file from .key and .crt files?
How to generate a .pfx file from a .cer file?
Overview
I'm working on:
Windows 10 64bit
IIS (Version 10.0.16299.15)
I've installed Win32 OpenSSL v1.1.0g
These are the files that I have available:
server.cer
server.key
What I've tried?
I have also tried various things from trawling through posts but my lack of experience in this area is really impeding my efforts.
Below commands I have tried in Terminal to create my server.key and server.cer file.
set RANDFILE=c:\certificate\.md
set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg
c:\OpenSSL-Win32\bin\openssl.exe genrsa -out server.key 2048
c:\OpenSSL-Win32\bin\openssl.exe req -new -key server.key -out server.cer -config C:\OpenSSL-Win32\bin\openssl.cfg
c:\OpenSSL-Win32\bin\openssl.exe pkcs12 -export -in server.cer -inkey server.key -out server.pfx
Output
Error: unable to load certificates
What I want?
How to create .pfx file from certificate and private key? Let me know what I'm doing wrong in my code.
Although, the question is answered, I would like to add a simpler solution.
There is no need to use any 3rd party tools (including OpenSSL) on Windows. You can use built-in certutil.exe tool. Place both files in the same folder and give the same name to files (e.g. server.cer and server.key) and run the following command:
certutil -mergepfx path\server.cer
Certutil will expect to find a key file in the same folder with .key file extension.
The req command creates a certificate request by default, not a certificate. If you add the -x509 argument, it will self-sign the request using the provided key, and output a certificate instead. You should then be able to create the .pfx successfully.

Can't load TLS/SSL certificate to FileZilla Server - "no start line" error

I just created a TLS/SSL certificate (in Windows) with the following openssl command:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
After this, I tried to load it in the FileZilla server but it gives me an error that says:
Could not load certificate file: error:0906D06C:PEM
routines:PEM_read_bio:no start line(0)
I already verified that the two files (key and cert) don't contain any blank spaces, and don't have ^M at the end of any line. What could be the cause of this?
I would guess that you have selected the certificate file (cert.pem) as the Private key file and the private key file (key.pem) as the Certificate file.
It should be:
Private key file = key.pem
Certificate file = cert.pem
Also the key has to be generated without a passphrase, otherwise you get
Could not load key file: error:0907B068:PEM
routines:PEM_READ_BIO_PRIVATEKEY:bad password read (0)
So you need to add -nodes to the openssl command-line.
Though why do you even use openssl to generate the certificate? FileZilla Server interface has Generate new certificate wizard.