Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 3 years ago.
This post was edited and submitted for review 2 months ago and failed to reopen the post:
Original close reason(s) were not resolved
Improve this question
Because of the validations done on the ssl certs, the cert cannot be a self-signed cert. I have therefore used the following commands with openssl (for windows) to create a CA, and derived crt. I have successfully done this several years ago, and I think I ran into this issue before, but I cannot remember how I solved it. Nor can I find another post that solve the issue or reminds me what the solution was.
I am using the following commands:
openssl genrsa -des3 -out myCA.key 2048
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
openssl genrsa -out derived.key 2048
openssl req -new -key derived.key -out derived.csr
openssl x509 -req -in derived.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out derived.crt -days 1825 -sha256 -extfile derived.ext
[derived.ext file contents]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = #alt_names
[alt_names]
DNS.1 = %%DOMAIN%%
The CA cert (myCA.PEM file] installs fine into the trusted roots folder. The derived.crt installs fine into the personal store, and validates properly with the CA. However, the derived.crt does not show a private key and cannot be used for SSL. Can anyone tell me what step I got wrong or am missing?
I seem to have solved the issue finally. Apparently a .crt file cannot contain a private key. Using the following command, I merged the .crt and key into a .pfx file, which imported and now shows a private key:
openssl pkcs12 -export -in derived.crt -inkey derived.key -out derived.pfx
Related
To get Edge to trust the localhost development server, I created a selfsigned certificate following this tutorial. I just replaced all instances of client-1.local by localhost.
So in short, I created a trusted authority by creating a .pem-file with the commands
openssl genrsa -des3 -out rootSSL.key 2048
and then
openssl req -x509 -new -nodes -key rootSSL.key -sha256 -days 1024 -out rootSSL.pem
and imported those into the trusted authorities store in the MMC.
Then I created a private key with
openssl req -new -sha256 -nodes -out localhost.csr -newkey rsa:2048 -keyout localhost.key -subj "/C=AU/ST=NSW/L=Sydney/O=Client One/OU=Dev/CN=localhost/emailAddress=local#local.com"
and a certificate with
openssl x509 -req -in localhost.csr -CA rootSSL.pem -CAkey rootSSL.key -CAcreateserial -out localhost.crt -days 50000 -sha256 -extensions "authorityKeyIdentifier=keyid,issuer\n basicConstraints=CA:FALSE\n keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\n subjectAltName=DNA:localhost"
The certificate shows up as valid when double clicking on it.
For the exception I need to import the certificate into the browsers. For Firefox I got at first the error
You do not own the private key for the certificate
So I created a PKCS12 file
openssl pkcs12 -export -inkey ./sample.key -in ./sample.crt -out ./sample.p12
and imported that one in Firefox under "My Certificates". That works, I host with ng serve "ssl/localhost.crt" and Firefox with the imported .p12 accepts my localhost. Now for MS Edge it still complains, my certificate is not valid.
I also tried .pfx-merging, but no change. I also read the certificates should not be installed under My Certificates but as Authorities. That sounds wrong to me but I tried it and imported both the .crt and the .p12 into Authorities and Root Authorities, because why not, but no change. I also installed the certificate through the Windows Wizard.
What am I missing for MS Edge? I sadly have no way around it.
===== Update =====
Additional information:
Edge does not give any helpful error. Here is an image of the message. It is in German but all it says is the default text "The connection is not secure. The certificate is invalid. Your credit card information might be stolen." If there is some way to get a more informative message for Edge I would be very happy. In the developer console the message is:
This site does not have a valid SSL certificate! Without SSL, your site's and visitors' data is vulnerable to theft and tampering. Get a valid SSL certificate before releasing your website to the public.
The certificate files and the output of openssl x509 -text localhost.crt can be viewed here (password is pass or password, if necessary) and an image of the .crt here. It is sitting in my development folder, I host the site with
ng serve --ssl true --ssl-cert \"ssl/localhost.crt\" --ssl-key \"ssl/localhost.key\"
and access the server locally through localhost:3000.
I imported the .p12 file into edge through manage certificates -> My Certificates -> Import. The result looks like this.
What am I missing for MS Edge? I
The certificate does not contain any subject alternative names, which makes it invalid for Edge and Chrome. There is an attempt to specify these information, but the attempt is wrong.
I created a selfsigned certificate following this tutorial.
Looks like this tutorial is broken.
openssl x509 -req ... -extensions "authorityKeyIdentifier ... subjectAltName=DNA:localhost"
The -extension command line option is used to give the name of an extension section in a configuration file and not the extensions itself. Additionally the subjectAltName should be DNS:... not DNA:....
To fix create an extension file my.ext which includes the extensions you want to use:
[myext]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=DNS:localhost
Then use this file as extension file with -extfile my.ext and specify the extension to use with -extensions myext:
openssl x509 -req ... -extfile my.ext -extensions myext
When I try the following:
mba:Utilities ryan$ sudo codesign -fs /Applications/Utilities/Boot\ Camp\ Assistant.app/
I get this error:
/Applications/Utilities/Boot Camp Assistant.app/: no identity found
Apparently I don't have a proper code signature, but if I sign up for the mac developer program, it would work.
How can I get a signature without enrolling in the mac developer program?
You need to create a self-signed certificate.
Open Keychain Access.
Choose Keychain Access > Certificate Assistant > Create Certificate ...
Enter a name
Set 'Certificate Type' to 'Code Signing'
Then, your command should look like this, if your certificate name is my-new-cert:
sudo codesign -fs my-new-cert /Applications/Utilities/Boot\ Camp\ Assistant.app
This works on OS X 10.10 Yosemite.
Instructions from here: http://support.apple.com/kb/PH7173
Although I can't understand why you are trying to resign the Boot Camp Assistant, you can use the codesign tool with a self-signed CA and identity.
Apple has steps to do so in their developer documentation TN2206: OS X Code Signing In Depth.
If you need to create a self-signed certificate using the openssl command line and use it for signing you can do this:
1) Create the spaghetti.software.extensions configuration file with the following content:
[ ca ]
default_ca = CA_default
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
#req_extensions = v3_req
[req_distinguished_name ]
CN = spaghetti.software.com
[ CA_default ]
x509_extensions = usr_cert
[ usr_cert ]
[ v3_ca ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
extendedKeyUsage = critical, serverAuth, clientAuth, codeSigning, emailProtection
2) Run the following commands to create the certificate and pack both the certificate and the key in a .p12 file (PKCS12):
openssl req -subj '/CN=spaghetti.software.com' -config spaghetti.software.extensions -x509 -newkey rsa:4096 -keyout selfSignedKey.pem -out selfSigned.pem -days 365
openssl pkcs12 -export -out spaghetti.software.p12 -inkey selfSignedKey.pem -in selfSigned.pem
3) Create a new .keychain file and import the spaghetti.software.p12 file into the keychain
(I believe you can do this with the command line as well if you don't want to use the Keychain Access application).
4) Then you can use the certificate to sign:
codesign -s "spaghetti.software.com" --force <binaryToSign>
You can add --keychain <MyKeyChain.keychain> if needed.
In theory it should be possible to validate the signature of a piece of data if in possesion of the public key, signature and data that was signed and the hash algorithm is known.
I have all these components in binary format. Does anybody have an idea about the easiest way to validate this signature? OpenSSL? Python? An example would be great. Can it be done without writing code?
Here's how you can do it in Ruby.
require 'openssl'
signature = File.read('/path/to/sig.der')
data = File.read('/path/to/data')
pub_key = File.read('/path/to/ecdsa_pub_key')
key = OpenSSL::PKey::EC.new(pub_key)
if key.dsa_verify_asn1(data, signature) == true
puts 'verified'
end
This code requires that the OpenSSL linked against Ruby be compiled with elliptic curve support. (Red Hat flavored distributions of Linux do not satisfy this requirement)
If you're curious: dsa_verify_asn1 uses the ECSDA_verify function in the OpenSSL API.
You can use openssl to sign a message with a ECDSA signature, and then you can use openssl to verify the signature:
To sign a message (using SHA256 hashing, given the message and the signer's EC private key):
openssl dgst -sha256 -sign ec-privatekey.pem message.txt > signature.der
Then, to verify the signature (again using SHA256 hashing, given the message, the signer's EC public key, and the signature created above):
openssl dgst -sha256 -verify ec-publickey.pem -signature signature.der message.txt
I am trying to use openSSL to set up an https connection for my application. I'm running a Neo4j 1.2.2 database, with a Trinidad 1.3.5 web server, using the Rails 3.1 and ruby 1.9.
I have a Thawte trial certificate, ca_cert.crt, their intermediate and root certificates, ca_intermediate.crt and ca_root.crt respectively, and my own private key, ca_private.pem. What openssl command do I need to run to create a keystore, which I can specify in my app's trinidad.yaml config file?
So far the "looks-closest-to-right" thing I've tried is:
pkcs12 –export –in ca_cert.crt inkey ca_private.pem –out keystore.p12 –name tomcat
and it gives me the error:
unable to load certificates
6380:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\as
n1\tasn_dec.c:1319:
6380:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\
crypto\asn1\tasn_dec.c:381:Type=X509_CINF
6380:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 e
rror:.\crypto\asn1\tasn_dec.c:751:Field=cert_info, Type=X509
6380:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib:.\crypto\pem\pe
m_info.c:258:
error in pkcs12
It looks to me like openssl doesn't like the format I have the files in, though I have tried nearly every combination of the .pem, .crt, .cer, and .key extensions I can think of to no avail. I'm new to SSL entirely, so I hope I'm just doing something stupid and its an easy fix...
Here is the example I've been trying to follow: https://github.com/trinidad/trinidad/wiki/ssl-end-to-end-example
From this answer it seems that Thawte certificates are formatted as PKCS#7, while openssl pkcs12 -export command expects PEM. Certificate in PKCS#7 can be converted using modified version of command from previously linked answer.
$ openssl pkcs7 -in ca_cert.crt -print_certs | openssl x509 -outform PEM > ca_cert.pem
Then executing command, that you provided, creates PKCS#12 keystore.
$ openssl pkcs12 –export –in ca_cert.pem -inkey ca_private.pem –out keystore.p12 –name tomcat
I have a code-signing certificate (SPC) file from GoDaddy. The file was generated from an existing private key:
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAvcG2SEalg9pvkTvtMI8cZg07tVA0RuK7LeGlFdk1smXgqrsH
.... snipped ....
MURwR0FXgNAuFNQ0yBNFNW2+o9uBceLuCSUalgi4pQw1uBmP5QkUYA==
-----END RSA PRIVATE KEY-----
I generated a certificate signing request and sent this to GoDaddy:
-----BEGIN CERTIFICATE REQUEST-----
MIICiDCCAXACAQAwQzFBMD8GCSqGSIb3DQEJARYyYXBwbGVAdGVrNC1uZXdtZWRp
.... snipped ....
nJwd9pSDPuYaNHl33N1BJkXFusG7ta0D6UjisA==
-----END CERTIFICATE REQUEST-----
GoDaddy then returned me an SPC file. My research shows that typically you'd have a SPC/PVK pair but obviously my private key isn't of PVK type.
I've tried several methods (pvkimprt, pvk2pfx, openssl, keytool) but can't seem to convert my key to PVK type or my SPC to a PKCS12 type independently without both the certificate (SPC) and private key being in a single key-store.
The command that I appear to need to do this in one step is:
openssl pkcs12 -in cert_from_godaddy.spc -inkey private.key -export -out full_code_signing_chain.pkcs12
However, running that I just get:
Loading 'screen' into random state - done
No certificate matches private key
But, the certificate (SPC) is for the private key. What am I doing wrong?!
Background: I'm trying to generate a .p12 file sign an Adobe AIR application
To be honest I can not understand at all what you are trying to do.
You got back the SPC file which is just the #PKCS7 der encoding with your certificate.
You also have your private key.
All you need to do is import the certificate to the pkcs12 keystore to have the signed certificate with your private key.
Here is how I created a .p12 file from GoDaddy's .spc file:
1. Right click myCert.spc, Install Certificate (to install the .spc into Windows)
2. Double click myCert.spc (to open it in certmgr), export to a .cer file.
3. Import that .cer file into Firefox.
4. From with Firefox: backup what you just imported to create a .p12 file.
Then you can use that .p12 file to sign your code.
To create a P12 truststore from a private key and a SPC file do the following steps with OpenSSL:
(Optional): Extract the private key from an old P12 truststore:
openssl pkcs12 -in old.p12 -nocerts -out privateKey.pem
Extract the certificate chain from the SPC file:
openssl pkcs7 -inform DER -outform PEM -in godaddy.spc -print_certs > certificates.pem
Create the new P12 truststore:
openssl pkcs12 -export -out new.p12 -inkey privateKey.pem -in certificates.pem