I want to sign a file with my private key via openssl on Windows, but it gives me this error:
dgst: Can only sign or verify one file.
error in dgst
The command that I'm using is this:
OpenSSL> dgst -sha256 -sign C:\Users\admin\Downloads\2\private.key -out ava.sha256 ava.txt
A friend of mine got it working under Ubuntu with those commands:
openssl dgst -sign private.key -sha256 message.txt > message.sign
Using the instructions over here to define the SAN field inside an openssl certificate, I am using the following commands to generate my own self-signed certificate:
openssl genrsa -out domain.org.key
openssl req -newkey rsa:2048 -nodes -keyout domain.org.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*.domain.org" -out domain.org.csr
openssl x509 -req -extfile <(printf "subjectAltName=DNS:domain.org,DNS:www.domain.org") -days 365 -in domain.org.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out domain.org.crt
However, I am getting the following error:
Syntax error: "(" unexpected
I don't see anything specifically wrong with the bash syntax used, could anyone help?
That error-message doesn't look like Bash to me; rather, Bash error-messages look like this:
bash: syntax error near unexpected token `('
I recommend double-checking that you're running these commands in Bash, and not a different shell. (Process substitution isn't specified by POSIX, so not all shells support it.)
If it turns out that Bash is not available, you can use a temporary file:
printf "subjectAltName=DNS:domain.org,DNS:www.domain.org" > tmp-ext-file
openssl x509 -req -extfile tmp-ext-file -days 365 -in domain.org.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out domain.org.crt
or standard input:
printf "subjectAltName=DNS:domain.org,DNS:www.domain.org" \
| openssl x509 -req -extfile /dev/stdin -days 365 -in domain.org.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out domain.org.crt
I have an article page with AMP (on a subdomain).
Now I have made a few changes in an article.
How can I reload this cached AMP (sub-)page?
Normal Version: https://www.example.com/this-is-a-article-999
AMP-Version: https://amp.example.com/this-is-a-article-999
I do the following steps:
1. I have installed openssl on my server
2. Then I generated the two keys
openssl genrsa 2048 > private-key.pem
openssl rsa -in private-key.pem -pubout >public-key.pem
3. I copied the public key to the subdomain (= AMP page) and renamed it to "apikey.pub"
So the public key is accessible over the browser:
https://amp.example.com/apikey.pub
4. Then I have created the update-cache request as follows:
get a timestamp with "date +%s"
echo -n >url.txt '/update-cache/c/s/amp.example.com/this-is-a-article-999?amp_action=flush&_ts=1526997689' cat url.txt | openssl dgst -sha256 -sign private-key.pem >signature.bin
5. I used the public key to verify the signature:
openssl dgst -sha256 -signature signature.bin -verify public-key.pem url.txt
I get the following error:
==> Verification Failure (!!!)
On step 3, the placement of the public key is wrong. The correct one would be: https://amp.example.com/.well-known/amphtml/apikey.pub
The issue with the verification seems to be on step 4, as there are 2 commands being invoked on a single line and generating invalid output.
The solution is to break it in 2 parts:
echo -n >url.txt '/update-cache/c/s/amp.example.com/this-is-a-article-999?amp_action=flush&_ts=1526997689'
cat url.txt | openssl dgst -sha256 -sign private-key.pem >signature.bin
or to add an & between the 2 commands:
echo -n > url.txt '/update-cache/c/s/amp.example.com/this-is-a-article-999?amp_action=flush&_ts=1526997689' & cat url.txt | openssl dgst -sha256 -sign private-key.pem > signature.bin
The full sequence becomes something like this:
openssl genrsa 2048 > private-key.pem
openssl rsa -in private-key.pem -pubout > public-key.pem
echo -n > url.txt '/update-cache/c/s/amp.example.com/this-is-a-article-999?amp_action=flush&_ts=1526997689'
cat url.txt | openssl dgst -sha256 -sign private-key.pem > signature.bin
openssl dgst -sha256 -signature signature.bin -verify public-key.pem url.txt
and the output is the following:
openssl dgst -sha256 -signature signature.bin -verify public-key.pem url.txt
Verified OK
Another couple of things: after generating the signature, it must be appended to the URL in the amp_url_signature parameter, using a web-safe variant of Base64.
Lastly, make sure to check the parameters section of the documentation and generate the URLs according to the AMP Cache URL Format.
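The signing, web-safe Base64 and amp_url_signature steps from the answer above, carried through to a verified round trip, as an added example that is not part of the original posts. The function names, the throwaway key pair and the dropped `=` padding are assumptions of this example.

```shell
#!/bin/sh
# Added example: function names, paths and the throwaway key are constructed.

# Base64 -> web-safe Base64 ('+' -> '-', '/' -> '_'); dropping the '='
# padding is an assumption of this sketch.
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

# sign_path KEY PATH: print PATH with &amp_url_signature=<sig> appended.
sign_path() {
    # printf '%s' emits exactly the bytes of PATH, with no trailing newline.
    sig=$(printf '%s' "$2" | openssl dgst -sha256 -sign "$1" | b64url)
    [ -n "$sig" ] || return 1
    printf '%s&amp_url_signature=%s\n' "$2" "$sig"
}

# verify_path PUBKEY SIGNED: split the signature off, undo the web-safe
# encoding and check it against the bytes before &amp_url_signature=.
verify_path() {
    req_path=${2%&amp_url_signature=*}
    sig=${2##*&amp_url_signature=}
    case $(( ${#sig} % 4 )) in 2) sig="$sig==" ;; 3) sig="$sig=" ;; esac
    tmp=$(mktemp) || return 1
    printf '%s' "$sig" | tr '_-' '/+' | openssl base64 -d -A > "$tmp"
    printf '%s' "$req_path" |
        openssl dgst -sha256 -verify "$1" -signature "$tmp" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo with a throwaway key pair (constructed; not for a real site).
demo() {
    dir=$(mktemp -d) || return 1
    openssl genrsa -out "$dir/private-key.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/private-key.pem" -pubout -out "$dir/public-key.pem" 2>/dev/null
    req='/update-cache/c/s/amp.example.com/this-is-a-article-999?amp_action=flush&_ts=1526997689'
    signed=$(sign_path "$dir/private-key.pem" "$req") || return 1
    echo "$signed"
    verify_path "$dir/public-key.pem" "$signed" && echo "signature verifies"
    # Any change to the signed bytes must fail verification.
    verify_path "$dir/public-key.pem" "x$signed" || echo "tampered path rejected"
    rm -rf "$dir"
}
demo
```

The private key stays on the signing host; only public-key.pem is published, at the .well-known/amphtml/apikey.pub location given in the answer.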
Is there a way to run the following shell commands using only Ruby?
I searched for weeks but I'm afraid it's not very well documented. I've tried a few methods from Ruby 'openssl' but I get different results.
%x[openssl pkcs8 -inform DER -in key.key -passin pass:passcode -out key.pem]
%x[openssl x509 -inform DER -in certificate.cer -noout -serial > serial.txt]
%x[openssl dgst -sha256 -out sign.bin -sign key.pem serial.txt]
%x[openssl enc -in sign.bin -a -A -out stamp.txt]
I am trying to convert a p12 to a pem from a shell script without any user input.
I can have the password as a variable within the script.
So when I call:
openssl pkcs12 -in *.p12 -out cert.pem -nodes
The terminal prints "Enter Import Password:" and waits for input.
I tried to pipe the password in with:
echo $PASS | openssl pkcs12 -in *.p12 -out cert.pem -nodes
as well as trying to use a flag with the openssl command but can't figure out how to do this.
This one-liner worked for me:
openssl pkcs12 -in certificate.p12 -password pass:<your_password> -nodes | openssl x509 -noout -enddate
I would like some help with the openssl command. I need to automate the retrieval of the subject= line in a pkcs12 certificate for a script I'm working on.
I've used openssl to view the contents of the Identity/Certificate:
openssl pkcs12 -info -in /Users/[user]/Desktop/ID.pfx
But I am prompted three times for the password. I used -passin to eliminate one of the password prompts, but I am still being prompted for the PEM pass phrase and verification entry.
I need to figure out a way to pass ${password} to the other two password challenges or have the script issue a ctl-c. The piece of info I need is outputted to the stdout before the second password prompt.
Any help would be appreciated!
Obviously I gutted the certificate output for this post.... but you should get the idea of what I'm seeing:
bash-3.2# openssl pkcs12 -info -in /Users/[user]/Desktop/ID.pfx -passin pass:${password}
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: ****
friendlyName: ****
subject=****
issuer=****
-----BEGIN CERTIFICATE-----
::HASH REMOVED::
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: ****
Bag Attributes
localKeyID: ****
friendlyName: ****
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info:
::HASH REMOVED::
-----END RSA PRIVATE KEY-----
bash-3.2#
Try this:
$ openssl pkcs12 -in ~/cert.p12 -nodes \
-passin pass:"my password" | openssl x509 -noout -subject
Or this for the common name (ruby to strip trailing whitespace):
$ openssl pkcs12 -in ~/cert.p12 -nodes \
-passin pass:"my password" | openssl x509 -noout -subject \
| awk -F'[=/]' '{print $6}'`.strip`
Copying answer here in order to remove this question from the "Unanswered" filter:
openssl pkcs12 -nokeys -in /Users/[User]/Desktop/ID.pfx -passin pass:${password}
You could also use -passin and -passout which would not prompt you again for manual input. Here is a sample code:
openssl pkcs12 -in seldpush_dev.p12 -passin pass:$password -passout pass:$password | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | \
openssl x509 -subject -noout
Basically, use -keyword to fetch that value. In your case, -subject.
This is a few years late; I'm not familiar with openssl, & etc; but since I see no reference to "-nokeys" I'll give what works for me.
echo -e "$password\n$passphrase\n$passphrase\n" \
| openssl pkcs12 -in /Users/[user]/Desktop/ID.pfx -passin stdin -passout stdin
From the manpage:
stdin read the password from standard input.