I have a private/public key that was generated by Putty in the following format:
SSH2 PUBLIC KEY rsa-key
However, I am trying to get it to work with Docebo API using the JWT Grant Type, which requires a different format (according to this post).
How would I convert my key(s) to work with that format? Is there a way within Putty?
I figured out the steps to take to get the proper format of key using OpenSSL:
openssl genrsa -out private.key 1024
openssl req -new -x509 -key private.key -out publickey.cer
openssl x509 -in publickey.cer -out publickey.pem
Related
I am trying to generate a self signed certificate for secured grpc communication. Below is what I have tried and connection between services work flawlessly in localhost.
However, the moment I deploy one of the services to production(Google Cloud Run) connection stops working. How can I make the certificate to support connection whether in localhost or in production.
Below is the certificate generation script I have tried.
generator.sh
# Clean Up
rm *.crt
echo "Generating certificates ..."
openssl genrsa -passout pass:1111 -des3 -out ca.key 4096
openssl req -passin pass:1111 -new -x509 -days 365 -key ca.key -out ca.crt -subj "/C=CL/ST=RM/L=Santiago/O=Test/OU=Test/CN=ca"
openssl genrsa -passout pass:1111 -des3 -out server.key 4096
openssl req -passin pass:1111 -new -key server.key -out server.csr -subj "/C=CL/ST=RM/L=Santiago/O=Test/OU=Server/CN=localhost"
openssl x509 -req -passin pass:1111 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
openssl rsa -passin pass:1111 -in server.key -out server.key
openssl genrsa -passout pass:1111 -des3 -out client.key 4096
openssl req -passin pass:1111 -new -key client.key -out client.csr -subj "/C=CL/ST=RM/L=Santiago/O=Test/OU=Client/CN=localhost"
openssl x509 -passin pass:1111 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl rsa -passin pass:1111 -in client.key -out client.key
How can I make connection between services work all the time whether in localhost or in production which in my own case is Google Cloud Run (*.run.app)?
Thank you.
Your title says "multiple Common Names in certificate" but your body effectively says (twice) "work both for localhost and other host(s)". Those are entirely different. The X.509 certificate structure is quite flexible and it is technically possible to create one with multiple CommonName attributes in Subject, but if used for SSL/TLS (including HTTPS) only one of them will actually be considered when determining certificate validity; see rfc2818 and rfc6125.
There are two ways to have a certificate usable for multiple server names, which can actually be multiple names for one server (common in virtual hosting) or different servers (your case):
use a wildcard name. If you make all your machines have names which vary only in the first DNS label, such as the pattern you posted *.run.app, you can use one CommonName containing that wildcard. If your 'localhost' is actually your own computer or VM, you can use /etc/hosts or a local DNS like dnsmasq or unbound to assign it a name matching this pattern such as myownmachine.run.app and that will work with this certificate.
use the Subject Alternative Name/SAN extension which can contain multiple values each of which is either a DNS name or wildcard or an IP address (you probably don't want the latter, but it's available). All certs from real (public) CAs have used SAN since about 2010. For SAN in OpenSSL, see to start
Add SAN with private CA
Requested Extensions in CSR not being reflected in CRT
Self signed SSL certificate: Subject Alternative Name (SAN) gets lost when signing
https://security.stackexchange.com/questions/204036/specify-subject-alt-names-in-openssl
https://security.stackexchange.com/questions/190905/subject-alternative-name-in-certificate-signing-request-
https://security.stackexchange.com/questions/150078/missing-x509-extensions-with-an-openssl-generated-certificate
https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line
I am currently developing a mini-program for Vodapay and I need to generate the RSA key pairs to be able to sign my requests to the Vodapay backend.
Is there a recommended method or suggested tools I should use in order to generate my public-private key-pair for my VodaPay mini-program?
I managed to figure this out, the keys need to be generated through open SSL and they need to be stored as a .pem file
The bash commands required to get the keys are as follows, it will create the keys
Create RSA 2048 Keysopenssl genrsa -out rsa_2048_key.pem 2048
Export Public Keyopenssl rsa -in rsa_2048_key.pem -out rsa_public_key.pem -pubout
Export Private Key with PKCS#8 Encodeopenssl pkcs8 -topk8 -in rsa_2048_key.pem -out rsa_private_key.pem -nocrypt
I am looking for ruby code to mimic below openssl smime encryption. I looked up other related topics but mostly were around signing. In snippet below cert.pem is a PEM-encoded X.509 certificate containing the PEM public key. token.txt file is the file to be encrypted.
openssl smime -encrypt -out encrypted.p7m -in token.txt cert.pem
Figured it.
token_plain_text = File.read("/path/to/token.txt")
cert = X509::Certificate.new("/path/to/cert.pem")
encrypted_object = OpenSSL::PKCS7.encrypt([cert], token_plain_text)
Got the encrypted string by outputting above object to string.
encrypted_str = encrypted_object.to_str
This has me confused:
Convert pfx to PEM:
openssl pkcs12 -in certificatename.pfx -out certificatename.pem
Do this dumps out a single plain text file.
Now how do I convert this plain text pem back to pfx?
The only commands I see to convert to pfx require the cer and private keys in separate files:
Convert CER and Private Key to PFX:
openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer
Although I concur this is not really programming and arguably offtopic, numerous similar Qs about commandline tools (openssl, keytool, certutil etc) for (crypto) keys and certs are apparently accepted by the community (upvoted) -- but none I've seen directly addresses this point.
The different options on openssl pkcs12 -export allow you to provide the pieces in different files, but that is not required. If you do have the privatekey and chain of certs in one PEM file, as output by default by pkcs12 [not -export], you can let everything be read from that one file:
openssl pkcs12 -export -in file -out p12
# or ONLY IF the privatekey is first in the file
openssl pkcs12 -export <file -out p12
and you can even combine the pieces 'on the fly' as long as you put privatekey first:
cat privkey.pem mycert.pem chain.pem | openssl pkcs12 -export -out p12
You can use the command below to convert PEM (.pem, .crt, .cer) to PFX:
openssl pkcs12 -export -out **<your_new_file_name>**.pfx -inkey **<private_key_of_your_existing_certificate>**.key -in **<your_existing_certificate_file>**.crt
This will be very generic for all above mentioned files.
Im trying to use openssl on my mac to generate a csr. the problem is that I cant find the private key after it is generated. I think its being created in some other directory. but I cant find it. These are the commands that I use and the error message that I get:
user$ openssl genrsa 2048 -out myKey.pem
Generating RSA private key, 2048 bit long modulus
........................+++
...................................+++
e is 65537 (0x10001)
-----BEGIN RSA PRIVATE KEY-----
--------
-----END RSA PRIVATE KEY-----
user$ openssl req -sha256 -new -key myKey.pem -out csr.pem
Error opening Private Key myKey.pem
921:error:02001002:system library:fopen:No such file or directory:/SourceCache/OpenSSL098/OpenSSL098- 47.1/src/crypto/bio/bss_file.c:356:fopen('myKey.pem','r')
921:error:20074002:BIO routines:FILE_CTRL:system lib:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/crypto/bio/bss_file.c:358:
unable to load Private Key
How do I solve this problem? Thanks.
From docs:
numbits
the size of the private key to generate in bits. This must be the last option specified.
Your -out argument is ignored. This works:
openssl genrsa -out myKey.pem 2048
or
openssl genrsa 2048 > myKey.pem