Cannot configure OpenSSL on Windows properly - windows

I want to use KDSoap, which uses Qt, which uses OpenSSL, to consume a web service, that requires a secure connection, established by using a key stored in a USB HSM (SmartCard + Reader basically, called an Athena IDProtect Key v2.0).
I've installed 64bit OpenSSL from Shining Light Productions. Qt 5.8 can load it (I've checked with QSslSocket).
Problem
The problem is that even though it seems that Qt's network backend should load the OpenSSL config file, it does not. In fact, I think OpenSSL is to blame here and not Qt because of the tests I've done with the provided openssl tool.
First of all, the config is read because any syntax error in the config makes the openssl tool complain about it next time I run it.
Second of all, with a clean config, this works:
C:\Users\brokenthorn>openssl engine dynamic -t -pre SO_PATH:C:\OpenSSL-Win64\bin\capi.dll -pre LOAD -post list_certs
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:C:\OpenSSL-Win64\bin\capi.dll
[Success]: LOAD
Loaded: (capi) CryptoAPI ENGINE
[ available ]
Certificate 0
<No Friendly Name>
Subject: C = RO, L = Mun. Constanta, O = SC MINI-FARM SRL, CN = Valentina Calin, serialNumber = 2006051670CV93, name = Valentina Calin, GN = Valentina, SN = Calin
Issuer: C = RO, O = certSIGN, OU = certSIGN Qualified CA Class 3 G2, CN = certSIGN Qualified CA Class 3 G2
Certificate 1
<No Friendly Name>
Subject: CN = DESKTOP-IF670KN\\brokenthorn
Issuer: CN = DESKTOP-IF670KN\\brokenthorn
[Success]: list_certs
But if I try to load the engine by ID, after having defined it in the config file, I get an error where it says it cannot find the DLL file, except it adds .dll.dll to the specified ID:
OpenSSL> engine -t -pre ID:capi -pre LOAD
(dynamic) Dynamic engine loading support
[Success]: ID:capi
[Failure]: LOAD
4684:error:25078067:DSO support routines:WIN32_LOAD:could not load the shared library:.\crypto\dso\dso_win32.c:179:filename(capi.dll.dll)
4684:error:25070067:DSO support routines:DSO_load:could not load the shared library:.\crypto\dso\dso_lib.c:233:
4684:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:.\crypto\engine\eng_dyn.c:467:
[ unavailable ]
Now, I've tried creating a copy of capi.dll and named it capi.dll.dll and the above command starts working:
OpenSSL> engine -t -pre ID:capi -pre LOAD
(dynamic) Dynamic engine loading support
[Success]: ID:capi
[Success]: LOAD
Loaded: (capi) CryptoAPI ENGINE
[ available ]
My openssl.cfg is standard except the last part, where've I added the engine directives that should make OpenSSL load the CryptoAPI engine by default, which I need if I'm ever going to be able to open a secure socket using the key stored on the HSM. I'll paste the full config here for a full reference, in case something bad sticks out:
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = md5, sha1 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
#
# Custom configuration for definition of CAPI engine
#
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
capi = capi_config
[capi_config]
ID = capi
SO_PATH = C:\OpenSSL-Win64\bin\capi.dll
LIST_ADD = 1
LOAD = 1
Now, OpenSSL should load the capi engine by default on library initialisation, which happens in every app that links with this OpenSSL (and does not call special routines that unload or disable loading of the default config file), including the openssl command line tool.
I don't know how yet, but eventually I should also make it the default crypto provider.
Anyways, after adding the above config and also before that, of course, I get this:
OpenSSL> engine -t
(rdrand) Intel RDRAND engine
[ available ]
(dynamic) Dynamic engine loading support
[ unavailable ]
This shouldn't happen. The dynamic engine should have morphed into the capi engine... like the OpenSSL docs say.
Also the CSP for the HSM works. I can list the loaded CSPs like so:
C:\Users\brokenthorn>openssl engine dynamic -t -pre SO_PATH:C:\OpenSSL-Win64\bin\capi.dll -pre LOAD -post list_csps
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:C:\OpenSSL-Win64\bin\capi.dll
[Success]: LOAD
Loaded: (capi) CryptoAPI ENGINE
[ available ]
Available CSPs:
0. Athena ASECard Crypto CSP, type 1
1. Microsoft Base Cryptographic Provider v1.0, type 1
2. Microsoft Base DSS and Diffie-Hellman Cryptographic Provider, type 13
3. Microsoft Base DSS Cryptographic Provider, type 3
4. Microsoft Base Smart Card Crypto Provider, type 1
5. Microsoft DH SChannel Cryptographic Provider, type 18
6. Microsoft Enhanced Cryptographic Provider v1.0, type 1
7. Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider, type 13
8. Microsoft Enhanced RSA and AES Cryptographic Provider, type 24
9. Microsoft RSA SChannel Cryptographic Provider, type 12
10. Microsoft Strong Cryptographic Provider, type 1
11. OpenSC CSP, type 1
[Success]: list_csps
CSP index 0 is my HSM's CSP. I've also sent a few simple commands using the openssl tool, to the HSM, to confirm that it actually works and it does as it should (it's a vendor supplied CSP provider for CAPI).
Any suggestions?

Related

Self signed certificate not working in Firefox

For quite some time, I am trying to generate a self signed cert for viewing website locally in "real" https mode. It would be very important that this works across all OSes and also all Browsers (at least FF, Chrome and Safari).
Until now I created the cert using this guide: https://medium.com/#tbusser/creating-a-browser-trusted-self-signed-ssl-certificate-2709ce43fd15
Certs using this way work fine in all systems, except with Android (version 8 or greater), so in this case I cannot use some functions correctly (for example the Service Worker) when testing locally.
Now I have stumbled upon this guide, especially the answer here: https://stackoverflow.com/a/57684211/1794480
I have adapted the conf file a bit, and now the generated cert works in Android, but NOT in Firefox. The Error in FF I get is: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT. I also found an explanation for this error here: https://stackoverflow.com/a/59739121/1794480
Seems like basicConstraints = critical, CA:TRUE is the cuplrit here. However, the problem now is that this exact setting seems to be responsible for making this work on Android. (also see here: https://android.stackexchange.com/questions/237141/how-to-get-android-11-to-trust-a-user-root-ca-without-a-private-key/238859#238859)
Now, the big question is: is it possible to make this work for ALL systems, in this case including Firefox?
Here is the command I use: openssl req -config ./openssl.cnf -new -x509 -days 398 -out myServer.crt and here is the openssl.cnf:
[ req ]
default_bits = 2048
default_keyfile = myServer.key
default_md = sha256
default_days = 398
encrypt_key = yes
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only
prompt = no
[ req_distinguished_name ]
commonName = myServer
emailAddress = info#myServer.de
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, cRLSign, keyCertSign, dataEncipherment
subjectAltName = #alt_names
extendedKeyUsage = serverAuth
[ req_ext ]
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = #alt_names
[ alt_names ]
DNS.1 = sub1.myServer
DNS.2 = sub2.myServer
Any help is greatly appreciated!

OpenSSL Subca and SAN Website Certificate

currently in my work, we have a PKI made with Microsoft Certificate Authority Role.
Root CA: Out of domain and turned off.
Sub CA: Domain connected, provides CRL (using IIS) and sign certificates for domain computers.
My idea is to reproduce the environment with Linux and Openssl. At least my first objective is for the internal webs.
I followed this tutorial https://jamielinux.com/docs/openssl-certificate-authority/ and everything works fine.
I create the Root CA and self-sign it.
I create the Subca, I sign it with the Root and verify that the certification chain is correct -> OK
The problem is when I try to create a website certificate with SAN (Subject Alternative Name) field. This is the way I create the csr and key files.
openssl req -nodes -new -newkey rsa:4096 \
-keyout test3.psc.local.key \
-out test3.psc.local.csr \
-addext "subjectAltName = DNS:test3.psc.local" \
-subj "/C=ES/ST=Barcelona/L=Barcelona/O=GRG-CA/OU=GRG-CA/emailAddress=your#email.dot/CN=test3.psc.local/"
If I check the CSR with OpenSSL command openssl x509 -noout -text -in test3.psc.local.csr the SAN field exist and has the value that I set in generation command (test3.psc.local).
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = ES, ST = Barcelona, L = Barcelona, O = GRG-CA, OU = GRG-CA, emailAddress = your#email.dot, CN = test3.psc.local
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:dc:17:8c:c1:90:26:16:67:4e:16:b3:0c:9b:2b:
3d:ec:8e:94:47:b9:8c:b8:14:ac:be:09:b8:bb:f5:
d8:f2:79:26:a6:9d:2f:73:5b:48:64:cb:3a:c2:f6:
bd:6d:7f:fd:7e:f2:... bla bla bla
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
DNS:test3.psc.local
Signature Algorithm: sha256WithRSAEncryption
b5:f0:7f:ba:ab:dc:f6:ee:37:c5:fa:14:27:6b:09:a8:b8:08:
0b:4f:ed:2a:44:72:cd:8d:50:47:79:7d:69:e3:73:cc:14:89:
b6:69:ff:61:bb:79:0a:41:12:32:c7:d1:6f:1d:a4:e4:cb:ef:
16:56:35:fd:44:0a:0c:70:fc:45:1f:7d:c2:d7:4c:ca:bd:66:
6d:e6:41:74:56:2c:... bla bla bla
When I try to sign the certificate with OpenSSL Subca I execute with this command.
openssl ca -config intermediate/sub-ca-openssl.cnf \
-extensions server_cert \
-days 375 -notext -md sha512 \
-in /root/ca/test3.psc.local.csr \
-out /root/ca/test3.psc.local.crt
But the SAN field isn't present, so Firefox, Chrome and others dont trust in certificate. Only IE11 trust.
Using configuration from intermediate/sub-ca-openssl.cnf
Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4099 (0x1003)
Validity
Not Before: Oct 12 20:58:53 2022 GMT
Not After : Oct 22 20:58:53 2023 GMT
Subject:
countryName = ES
stateOrProvinceName = Barcelona
localityName = Barcelona
organizationName = GRG-CA
organizationalUnitName = GRG-CA
commonName = test3.psc.local
emailAddress = your#email.dot
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
BC:11:0C:2E:08:FA:7D:91:16:1E:AC:0E:12:DA:80:69:64:F7:F1:58
X509v3 Authority Key Identifier:
keyid:7D:B8:7B:9E:59:4F:70:7B:F8:2C:1F:2B:0C:A2:E9:90:3C:D1:7A:71
DirName:/C=ES/ST=Barcelona/L=Barcelona/O=GRG-CA/OU=GRG-CA/CN=GRG Root CA
serial:10:00
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://pki.dominio.com/intermediate.crl
Certificate is to be certified until Oct 22 20:58:53 2023 GMT (375 days)
Sign the certificate? [y/n]:
Content of SUB CA config:
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /root/ca/intermediate
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/subordinate-ca-database.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
private_key = $dir/private/intermediate.key.pem
certificate = $dir/certs/intermediate.cert.pem
crlnumber = $dir/crlnumber
crl = $dir/crl/intermediate.crl.pem
crl_extensions = crl_ext
default_crl_days = 365
default_md = sha512
name_opt = ca_default
cert_opt = ca_default
default_days = 5840
preserve = no
policy = subca_policy
[ subca_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha512
x509_extensions = v3_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = ES
stateOrProvinceName_default = Barcelona
localityName_default = Barcelona
0.organizationName_default = GRG-CA
organizationalUnitName_default = GRG-CA
#emailAddress_default =
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = URI:http://pki.dominio.com/intermediate.crl
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ crl_info ]
URI.0 = http://pki.dominio.com/sub-ca.crl
URI.1 = https://www.dominio.com/pki/sub-ca.crl
I've read that I need a SAN.conf with alternate names in SUBCA server for sign... and change all Alternate Names for every CSR (website) that I want to sign... but in Microsoft Subca I dont need to tell that fields when I sign the CSR (only on generation, same command as I write before).
There is a way to do that?
From the man page for OpenSSL's CA command:
copy_extensions
determines how extensions in certificate requests should be handled.
If set to none or this option is not present then extensions are
ignored and not copied to the certificate. If set to copy then any
extensions present in the request that are not already present are
copied to the certificate. If set to copyall then all extensions in
the request are copied to the certificate: if the extension is already
present in the certificate it is deleted first. See the WARNINGS
section before using this option.
The main use of this option is to allow a certificate request to
supply values for certain extensions such as subjectAltName.
Also, you should understand that using OpenSSL as a CA isn't the best idea. There is no logging, no multi-person control etc. - basically no security. Read the WARNINGS section of the same man page.

Swagger schema for aws lambda

I am using AWS version 4 signing process for creating signature for AWS lambda service with API ListFunctions.I am getting correct URL which on postman worked.But when running that python file I am getting 403 status error which tells "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.".Can anyone help me solve the issue?thanks in advance!!
python file :
# Copyright 2010-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# This file is licensed under the Apache License, Version 2.0 (the "License").
# You may not use this file except in compliance with the License. A copy of the
# License is located at
#
# http://aws.amazon.com/apache2.0/
#
# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
# OF ANY KIND, either express or implied. See the License for the specific
# language governing permissions and limitations under the License.
#
# ABOUT THIS PYTHON SAMPLE: This sample is part of the AWS General Reference
# Signing AWS API Requests top available at
# https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html
#
# AWS Version 4 signing example
# EC2 API (DescribeRegions)
# See: http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
# This version makes a GET request and passes the signature
# in the Authorization header.
import sys, os, base64, datetime, hashlib, hmac
import requests # pip install requests
# ************* REQUEST VALUES *************
method = 'GET'
service = 'lambda'
host = 'lambda.us-east-1.amazonaws.com'
region = 'us-east-1'
endpoint = 'https://lambda.us-east-1.amazonaws.com/2015-03-31/functions'
request_parameters = 'Action=ListFunctions&Version=2015-03-31'
# Key derivation functions. See:
# http://docs.aws.amazon.com/general/latest/gr/signature-v4-examples.html#signature-v4-examples-python
def sign(key, msg):
return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest()
def getSignatureKey(key, dateStamp, regionName, serviceName):
kDate = sign(('AWS4' + key).encode('utf-8'), dateStamp)
kRegion = sign(kDate, regionName)
kService = sign(kRegion, serviceName)
kSigning = sign(kService, 'aws4_request')
return kSigning
# Read AWS access key from env. variables or configuration file. Best practice is NOT
# to embed credentials in code.
access_key = ""
secret_key = ""
if access_key is None or secret_key is None:
print('No access key is available.')
sys.exit()
# Create a date for headers and the credential string
t = datetime.datetime.utcnow()
amzdate = t.strftime('%Y%m%dT%H%M%SZ')
datestamp = t.strftime('%Y%m%d') # Date w/o time, used in credential scope
# ************* TASK 1: CREATE A CANONICAL REQUEST *************
# http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
# Step 1 is to define the verb (GET, POST, etc.)--already done.
# Step 2: Create canonical URI--the part of the URI from domain to query
# string (use '/' if no path)
canonical_uri = '/'
# Step 3: Create the canonical query string. In this example (a GET request),
# request parameters are in the query string. Query string values must
# be URL-encoded (space=%20). The parameters must be sorted by name.
# For this example, the query string is pre-formatted in the request_parameters variable.
canonical_querystring = request_parameters
# Step 4: Create the canonical headers and signed headers. Header names
# must be trimmed and lowercase, and sorted in code point order from
# low to high. Note that there is a trailing \n.
canonical_headers = 'host:' + host + '\n' + 'x-amz-date:' + amzdate + '\n'
# Step 5: Create the list of signed headers. This lists the headers
# in the canonical_headers list, delimited with ";" and in alpha order.
# Note: The request can include any headers; canonical_headers and
# signed_headers lists those that you want to be included in the
# hash of the request. "Host" and "x-amz-date" are always required.
signed_headers = 'host;x-amz-date'
# Step 6: Create payload hash (hash of the request body content). For GET
# requests, the payload is an empty string ("").
payload_hash = hashlib.sha256(('').encode('utf-8')).hexdigest()
# Step 7: Combine elements to create canonical request
canonical_request = method + '\n' + canonical_uri + '\n' + canonical_querystring + '\n' + canonical_headers + '\n' + signed_headers + '\n' + payload_hash
# ************* TASK 2: CREATE THE STRING TO SIGN*************
# Match the algorithm to the hashing algorithm you use, either SHA-1 or
# SHA-256 (recommended)
algorithm = 'AWS4-HMAC-SHA256'
credential_scope = datestamp + '/' + region + '/' + service + '/' + 'aws4_request'
string_to_sign = algorithm + '\n' + amzdate + '\n' + credential_scope + '\n' + hashlib.sha256(canonical_request.encode('utf-8')).hexdigest()
# ************* TASK 3: CALCULATE THE SIGNATURE *************
# Create the signing key using the function defined above.
signing_key = getSignatureKey(secret_key, datestamp, region, service)
# Sign the string_to_sign using the signing_key
signature = hmac.new(signing_key, (string_to_sign).encode('utf-8'), hashlib.sha256).hexdigest()
# ************* TASK 4: ADD SIGNING INFORMATION TO THE REQUEST *************
# The signing information can be either in a query string value or in
# a header named Authorization. This code shows how to use a header.
# Create authorization header and add to request headers
authorization_header = algorithm + ' ' + 'Credential=' + access_key + '/' + credential_scope + ', ' + 'SignedHeaders=' + signed_headers + ', ' + 'Signature=' + signature
# The request can include any headers, but MUST include "host", "x-amz-date",
# and (for this scenario) "Authorization". "host" and "x-amz-date" must
# be included in the canonical_headers and signed_headers, as noted
# earlier. Order here is not significant.
# Python note: The 'host' header is added automatically by the Python 'requests' library.
headers = {'x-amz-date':amzdate, 'Authorization':authorization_header}
print(headers)
# ************* SEND THE REQUEST *************
request_url = endpoint + '?' + canonical_querystring
print('\nBEGIN REQUEST++++++++++++++++++++++++++++++++++++')
print('Request URL = ' + request_url)
r = requests.get(request_url, headers=headers)
print('\nRESPONSE++++++++++++++++++++++++++++++++++++')
print('Response code: %d\n' % r.status_code)
print(r.text)
The problem is you didn't set up AWS Secret Access Key properly.
Solution:
Go to IAM section of your AWS account and select user or create one.
Assign specific roles needed for the project.
Navigate to Security credentials tab in your user account.
Select existing key or create new one and find AWS Secret Access Key.
You can setup AWS Secret Access Key as environmental varialbe in your system or in code.

WARNING: can't open config file: ./bin/openssl.cnf

makecert
and press enter then this error occurs.
I tried with solutions provided but that not worked for me.
ex: set OPENSSL_CONF=c:/OpenSSL_Win64/bin/openssl.cnf
<pre>WARNING: can't open config file: ./bin/openssl.cnf
Unable to load config info from ./bin/openssl.cnf
WARNING: can't open config file: ./bin/openssl.cnf
Error opening Private Key privkey.pem
5344:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\
bss_file.c:398:fopen('privkey.pem','rb')
5344:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:40
0:
unable to load Private Key
WARNING: can't open config file: ./bin/openssl.cnf
Loading 'screen' into random state - done
server.csr: No such file or directory
Could Not Find C:\xampp\apache\.rnd
Could Not Find C:\xampp\apache\privkey.pem
Could Not Find C:\xampp\apache\server.csr
The system cannot find the file specified.
The system cannot find the file specified.
-----
Das Zertifikat wurde erstellt.
The certificate was provided.</pre>
Explaining your problem
This error occurs mainly on Windows computers when you are using OpenSSL package or the Windows installer!
The reason is that OpenSSL failed to locate the openssl.cnf file!
Step-by-Step instructions
I will recommend that you do the following (windows only):
Open your command prompt as Administrator (few OpenSSL commands opens in random state), thus when OpenSSL tries to write stuff on your disk it fails.
Try this easy and fast method: Open the Run dialog box with , type cmd and hit
Now before you run any OpenSSL command type the following:
set OPENSSL_CONF=c:\[PATH TO YOUR OPENSSL DIRECTORY]\bin\openssl.cfg
A sample path is: C:\OpenSSL-Win32\bin\openssl.cfg. For Windows (x64-bit) use C:\OpenSSL-Win64\bin\openssl.cfg!
After you did this now you are good to go with your OpenSSL stuff. Try openssl version and the error is gone.
Remember that everytime you open a command prompt you have to run the above command unless you set this as your environment variable.
Solve your problem
Your problem could be:
You set the environment variable into the folder OpenSSL_Win64. It should be maybe in OpenSSL-Win64!
You forgot maybe to run the command prompt as a Administrator!
You set the environment variable to the file openssl.cnf but it must be openssl.cfg!
Helpful sites
Read also:
WARNING: can’t open config file: /usr/local/ssl/openssl.cnf on Windows 7 (another detailed instructions for your problem)
How To Add/Edit Environment Variables in Windows 7 (helpful if you want set the environment variables forever on your Windows!)
Manually creating an openssl.cnf file in the correct location can solve the problem.
Here is a file template (edit as needed):
#
# OpenSSL configuration file.
#
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Providence
countryName_default = US
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
When install the application penSSL_Win64, will be located in C:\Program Files\OpenSSL-Win64 so , you need to set to this path with a console command and write:
set OPENSSL_CONF=C:\Program Files\OpenSSL-Win64\bin\openssl.cfg

Why is this Ruby SSL-enabled server/client test working?

I'm working through creating an SSL-enabled server in Ruby, along with a corresponding Ruby client to use with the server. In order to test, I created my own Root CA certificate with the following commands.
$:~/devel/ssl-test/ssl/CA$ openssl genrsa -out TestCA.key 2048
Generating RSA private key, 2048 bit long modulus
............+++
...........................+++
e is 65537 (0x10001)
$:~/devel/ssl-test/ssl/CA$ openssl req -new -key TestCA.key -out TestCA.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$:~/devel/ssl-test/ssl/CA$ openssl x509 -req -days 365 -in TestCA.csr -out TestCA.crt -signkey TestCA.key
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
Getting Private key
I then generated an SSL certificate for my server:
$:~/devel/ssl-test/ssl/keys$ openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.+++
............................................+++
e is 65537 (0x10001)
$:~/devel/ssl-test/ssl/keys$ cd ../csrs/
$:~/devel/ssl-test/ssl/csrs$ openssl req -new -key ../keys/server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:my.secure.test
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$:~/devel/ssl-test/ssl/csrs$ cd ../certs/
$:~/devel/ssl-test/ssl/certs$ openssl ca -in ../csrs/server.csr -cert ../CA/TestCA.crt -keyfile ../CA/TestCA.key -out server.crt
Using configuration from /usr/lib/ssl/openssl.cnf
I am unable to access the ./demoCA/newcerts directory
./demoCA/newcerts: No such file or directory
$:~/devel/ssl-test/ssl/certs$ mkdir -p demoCA/newcerts
$:~/devel/ssl-test/ssl/certs$ touch demoCA/index.txt
$:~/devel/ssl-test/ssl/certs$ echo "01" > demoCA/serial
$:~/devel/ssl-test/ssl/certs$ openssl ca -in ../csrs/server.csr -cert ../CA/TestCA.crt -keyfile ../CA/TestCA.key -out server.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 25 16:25:05 2011 GMT
Not After : Oct 24 16:25:05 2012 GMT
Subject:
countryName = AU
stateOrProvinceName = Some-State
organizationName = Internet Widgits Pty Ltd
commonName = my.secure.test
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
48:50:B5:04:11:02:F1:40:97:58:BF:5F:8B:27:50:10:C0:3F:EE:D9
X509v3 Authority Key Identifier:
DirName:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
serial:81:44:16:06:5C:EB:5E:71
Certificate is to be certified until Oct 24 16:25:05 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
After that, I created a simplistic SSL-enabled server to use the SSL certificate I just created.
require 'socket'
require 'openssl'
require 'thread'
server = TCPServer.new(1337)
context = OpenSSL::SSL::SSLContext.new
context.cert = OpenSSL::X509::Certificate.new(File.open('ssl/certs/server.crt'))
context.key = OpenSSL::PKey::RSA.new(File.open('ssl/keys/server.key'))
secure = OpenSSL::SSL::SSLServer.new(server, context)
puts 'Listening securely on port 1337...'
loop do
Thread.new(secure.accept) do |conn|
begin
while request = conn.gets
$stdout.puts '=> ' + request
response = "You said: #{request}"
$stdout.puts '<= ' + response
conn.puts response
end
rescue
$stderr.puts $!
end
end
end
When started, it seems to work fine...
$:~/devel/ssl-test$ ruby server.rb
Listening securely on port 1337...
I then created a non-SSL capable client just to ensure it was denied connectivity.
require 'socket'
require 'thread'
client = TCPSocket.new('127.0.0.1', 1337)
Thread.new do
begin
while response = client.gets
$stdout.puts response
end
rescue
$stderr.puts "Error from client: #{$!}"
end
end
while request = $stdin.gets
request = request.chomp
client.puts request
end
When I run this via the following:
$:~/devel/ssl-test$ ruby client.rb
hello
Error from client: Connection reset by peer
Correspondingly, I get the following from the server:
$:~/devel/ssl-test$ ruby server.rb
Listening securely on port 1337...
/usr/local/rvm/rubies/ruby-1.9.2-head/lib/ruby/1.9.1/openssl/ssl-internal.rb:164:in `accept': SSL_accept returned=1 errno=0 state=SSLv2/v3 read client hello A: unknown protocol (OpenSSL::SSL::SSLError)
from /usr/local/rvm/rubies/ruby-1.9.2-head/lib/ruby/1.9.1/openssl/ssl-internal.rb:164:in `accept'
from server.rb:16:in `block in <main>'
from server.rb:15:in `loop'
from server.rb:15:in `<main>'
This was all expected. Next, I modified the client code to use an SSL context.
require 'socket'
require 'openssl'
require 'thread'
client = TCPSocket.new('127.0.0.1', 1337)
context = OpenSSL::SSL::SSLContext.new
secure = OpenSSL::SSL::SSLSocket.new(client, context)
secure.sync_close = true
secure.connect
Thread.new do
begin
while response = secure.gets
$stdout.puts response
end
rescue
$stderr.puts "Error from client: #{$!}"
end
end
while request = $stdin.gets
request = request.chomp
secure.puts request
end
I fully expected this to fail as well during the handshake process, but it did not... I got the following result:
$:~/devel/ssl-test$ ruby client.rb
hello
You Said: hello
Why did this work? I was assuming it would fail because I didn't think the client would have any idea about the Root CA I created and signed the server SSL certificate with, and therefore wouldn't be able to verify the server's certificate. What am I missing? When I created and signed the server's certificate and it was "committed", did this somehow make it available to the OpenSSL library? I was expecting to have to somehow tell the SSL context in the client where to look for the Root CA I created for testing purposes...
As a follow-up test, I copied my client code over to a different machine that definitely knows nothing about the Root CA I created for this test, changed the IP address the client connects to, and ran the test again. This test produced the same results - the client was able to communicate with the server when I assumed it wouldn't be able to. Any ideas?
Depending on the version of Ruby you are using, the default verify mode for the SSLContext object may not be enforcing certificate verification. You can force the verify mode with:
context = OpenSSL::SSL::SSLContext.new
context.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
This should cause the client's connection attempt to fail, as expected.

Resources