Is there a way to get a .crt and .key file with the subject alternative name set? I am configuring a proxy with an openssl .crt and .key generated by this command
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout proxy.key -out proxy.crt
I then cat the .key and .crt to get a .pem and use that on the client side.
This cert works fine for securing the https connection but I get a warning that the Subject Alternative Name is not set in the certificate. In another client I use the warning is actually an error that terminates the connection.
The solution here https://security.stackexchange.com/a/91556 gives me a .csr which I rename to become the .crt I need, and when I use this with the client the https connection fails on incorrect ssl certificate.
As per @vog's answer:
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
-keyout example.key -out example.crt -subj "/CN=example.com" \
-addext "subjectAltName=DNS:example.com,DNS:www.example.net,IP:10.0.0.1"
(note that this is only for OpenSSL >= 1.1.1).
Is there a way to get a .crt and .key file with the subject alternative name set?
Yes, but you cannot do it from the command line. You have to use a CONF file.
For setting the SAN via a CONF file, see How do you sign Certificate Signing Request with your Certification Authority and How to create a self-signed certificate with openssl?. Both include the SAN in the procedures.
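Added example, not taken from either answer above: a script that builds the self-signed certificate with a SAN using the `-addext` route from the first answer, falls back to the config-file route from the second answer on older OpenSSL, and then checks the result. It assumes `openssl` is on PATH; the host names, IP address and file names are made up.

```shell
# Added example, not taken from either answer above: make the self-signed cert
# with a SAN and then check it, so a missing SAN cannot slip through again.
# Assumes openssl is on PATH; the host names and IP are made up.
set -eu
WORK=$(mktemp -d)

# OpenSSL >= 1.1.1: the SAN goes straight on the command line with -addext.
make_selfsigned_addext() {   # $1 = CN, $2 = SAN list
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -keyout "$WORK/proxy.key" -out "$WORK/proxy.crt" \
    -subj "/CN=$1" -addext "subjectAltName=$2" 2>/dev/null
}

# Older releases: the same SAN has to come from a config file (the second answer's route).
make_selfsigned_conf() {     # $1 = CN, $2 = SAN list
  printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_req\nprompt = no\n' > "$WORK/san.cnf"
  printf '[dn]\nCN = %s\n[v3_req]\nsubjectAltName = %s\n' "$1" "$2" >> "$WORK/san.cnf"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -keyout "$WORK/proxy.key" -out "$WORK/proxy.crt" -config "$WORK/san.cnf" 2>/dev/null
}

# The SAN as OpenSSL prints it (empty string if the extension is absent).
san_of() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# "ok" when the cert is trusted as its own root AND matches the host name, else "fail".
verify_host() {   # $1 = cert, $2 = host name
  if openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

SAN='DNS:proxy.example.test,DNS:localhost,IP:127.0.0.1'
make_selfsigned_addext proxy.example.test "$SAN" || make_selfsigned_conf proxy.example.test "$SAN"
san_of "$WORK/proxy.crt"                          # DNS:proxy.example.test, DNS:localhost, IP Address:127.0.0.1
verify_host "$WORK/proxy.crt" localhost           # ok
verify_host "$WORK/proxy.crt" other.example.test  # fail
cat "$WORK/proxy.key" "$WORK/proxy.crt" > "$WORK/proxy.pem"   # the combined .pem the question builds with cat
```

The `verify_host` check is the one a strict client performs: with a SAN present, only the names listed there count, so a name missing from the SAN fails even though it would have matched the CN.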
I have a laravel app running on heroku with a custom domain. I'd like the domain to have my own ssl certificate that I've purchased. From where I've purchased the domain they are requesting a CSR from heroku. I've got no idea how to do this. Tried researching and reading their documentation but I don't seem to understand how to go about it. Any assistance will be highly appreciated!
Go to your project folder on your local machine (or clone it from GitHub if you don't have it).
Enter these commands accordingly:
openssl genrsa -des3 -out server.pass.key 2048
openssl rsa -in server.pass.key -out server.key
openssl req -nodes -new -key server.key -out server.csr
Follow the prompts to set the password etc.
If you haven't set up OpenSSL on your machine before, this link will give you a solution.
I'm experimenting with Spring Boot to create a WebApp.
In order to create an SSL certificate I issue the following command:
keytool -alias devssl -keystore devssl.p12 -genkeypair -keyalg RSA -sigalg SHA256withRSA \
-keysize 2048 -storetype PKCS12 -validity 365 -dname "CN=Frankie, OU=Frankie, O=Frankie, \
L=City, S=State, C=UK" -ext "SAN=DNS:localhost,DNS:blueye,IP:127.0.0.1,IP:10.1.1.2"
Which from what I can understand means that such certificate will be valid for the following addresses:
localhost
blueye
127.0.0.1
10.1.1.2
The certificate is very easy to install on Spring:
server.ssl.key-store-type=PKCS12
server.ssl.key-store=devssl.p12
server.ssl.key-store-password=password
server.ssl.key-alias=devssl
security.require-ssl=true
After I install the certificate under Trusted Root Certification Authorities in Windows it also works great.
I just can't get it to work under iOS.
I email myself the certificate.
Install it on the iPhone.
But I always get the "this connection is not private".
Any idea how to make this work on iOS?
I was pushing on this trying to get iOS to accept a self-signed certificate as the single source of truth. I managed to work around it by issuing a proper personal Certificate Authority, making iOS trust that authority, and then signing the website with a certificate validated by that authority.
I will describe the needed commands as they may save someone a couple of hours. The following is a "bird's-eye" view of what we'll do.
AUTHORITY - this will act as the source of trust for all certificates you sign. You will have to install the Authority on every single machine/phone you'll want with custom certificates
Generate a private key for a Certificate Authority (CA)
Generate a Certificate for the Certificate Authority (CA)
Install Certificate Authority on Windows
Install Certificate Authority on iOS
CLIENT - we can issue private keys for all our projects inside our network. Those private keys will be validated by our own generated and installed authority.
Generate a private key for the client
Generate a Certificate Sign Request (CSR)
Have CA sign the CSR thus generating the client Certificate
Merge the client certificate and the CA certificate into a pkcs12 file which is read by Spring
Now for the actual commands:
Generate a private key; we'll also use an identical command to generate one for the client:
openssl genrsa -des3 -out myCA.key 2048
Generate a certificate for your Certificate Authority. You'll be asked several questions, none of them really matter, they will only serve to identify your certificate to yourself.
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.crt
You now have three files: myCA.key (the private key), and myCA.pem and myCA.crt, which are the certificate files for your certificate authority.
Install on Windows:
Click the myCA.crt file on Windows and follow the on-screen instructions. Then click Start -> Run -> `certmgr.msc`. It will open the Windows Certificate Manager. You will find the certificate you installed under "Intermediate Certification Authorities". You'll want to drag that file to "Trusted Root Certification Authorities".
Install on iOS:
Email the myCA.pem file to yourself. Open the email on iOS using the Apple Mail App. Follow the instructions and the certificate will be installed. To uninstall you can go to Settings -> General -> Profile. After proper installation iOS requires a second step for you to trust the certificate: you must go to Settings -> General -> About -> Certificate Trust Settings and Enable Full Trust For Root Certificate.
You now have a local CA (Certificate Authority) installed on both your Windows machine and your iOS phone. Let's create a website certificate.
Generate a private key for the website.
openssl genrsa -des3 -out myWebsite.key 2048
Generate a CSR (Certificate Sign Request):
openssl req -new -key myWebsite.key -out myWebsite.csr
Now that we have the website key and the certificate sign request we need to create a config file that openssl will use to generate our website certificate. Create a file called myWebsite.ext with the following info. The only thing you must make sure of is the alt names. You can have both IPs and DNS names. Be sure to enter all the alternatives that your site will use.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = mywebsite
DNS.3 = mywebsite.local
IP.1 = 10.1.1.3
IP.2 = 127.0.0.1
Now we'll use the CA certificate and private key together with the CSR (Certificate Sign Request) and the config file to generate a proper certificate for the website. Since iOS 13 Apple only allows a max of 825 days on certificates so that's what we'll use.
openssl x509 -req -in myWebsite.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out myWebsite.crt -days 825 -sha256 -extfile myWebsite.ext
You'll now have the following files:
myCA.key - certificate authority private key
myCA.pem - certificate authority certificate pem format
myCA.crt - certificate authority certificate crt format
myWebsite.key - website private key
myWebsite.csr - website certificate sign request
myWebsite.ext - website config file for openssl sign request
myWebsite.crt - website certificate crt format
The only thing missing is to convert the myWebsite.crt to p12 format which we can do with the following command:
openssl pkcs12 -export -in myWebsite.crt -inkey myWebsite.key -certfile myCA.crt -name myWebsite -out myWebsite.p12
Now, to make Spring Boot use this certificate just open application.properties file and make sure it has these lines:
server.ssl.key-store-type=PKCS12
# The path to the keystore containing the certificate, place it src/main/resources
server.ssl.key-store=classpath:myWebsite.p12
# The password used to generate the certificate
server.ssl.key-store-password=PASSWORD-USED
# The alias mapped to the certificate (the -name myWebsite on the last command)
server.ssl.key-alias=myWebsite
# force SSL
security.require-ssl=true
And there you have it. A dev or internal project with proper SSL validation. Hope this saves someone some time.
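Added example, not the answer's own commands: the CA, CSR, signed leaf certificate and PKCS#12 flow described above, run non-interactively and then verified against the CA the way a client would. It assumes `openssl` is on PATH; every name, address and password is made up, and the keys are left unencrypted for brevity.

```shell
# Added example, not the answer's own commands: the CA -> CSR -> signed leaf -> PKCS#12
# flow above run non-interactively, then verified. Assumes openssl on PATH; every
# name, address and password here is made up; keys are left unencrypted for brevity.
set -eu
W=$(mktemp -d); P12PASS=changeit

make_ca() {     # self-signed CA certificate, 5 years, as in the answer
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1825 \
    -subj "/CN=My Dev CA" -keyout "$W/myCA.key" -out "$W/myCA.pem" 2>/dev/null
}

write_ext() {   # extension file modelled on the answer; subjectAltName must point at the section with '@'
  cat > "$W/myWebsite.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = mywebsite.local
IP.1 = 127.0.0.1
EOF
}

issue_leaf() {  # website key + CSR, then the CA signs it; 825 days is the iOS 13 limit quoted above
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mywebsite.local" \
    -keyout "$W/myWebsite.key" -out "$W/myWebsite.csr" 2>/dev/null
  openssl x509 -req -in "$W/myWebsite.csr" -CA "$W/myCA.pem" -CAkey "$W/myCA.key" -CAcreateserial \
    -days 825 -sha256 -extfile "$W/myWebsite.ext" -out "$W/myWebsite.crt" 2>/dev/null
}

bundle_p12() {  # leaf cert + key + CA cert in one PKCS#12; -certfile carries the chain
  openssl pkcs12 -export -in "$W/myWebsite.crt" -inkey "$W/myWebsite.key" -certfile "$W/myCA.pem" \
    -name myWebsite -passout "pass:$P12PASS" -out "$W/myWebsite.p12"
}

verify_host() { # "ok" when the leaf chains to the CA and matches the host name, else "fail"
  if openssl verify -CAfile "$W/myCA.pem" -verify_hostname "$1" "$W/myWebsite.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

certs_in_p12() { # how many certificates the bundle holds (2 = leaf plus CA)
  openssl pkcs12 -in "$W/myWebsite.p12" -passin "pass:$P12PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

make_ca; write_ext; issue_leaf; bundle_p12
verify_host mywebsite.local   # ok
verify_host evil.local        # fail
certs_in_p12                  # 2
```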
It looks like you were having trouble creating the certificates correctly, for a great guide on how to do that, check out:
https://jamielinux.com/docs/openssl-certificate-authority/introduction.html
If you follow it exactly, and know what your DNS name is, and what cipher you are using, you shouldn't have any problems. I provide my configuration files for making the certificates, along with a project that helps with sockets, below:
https://github.com/eamonwhiter73/IOSObjCWebSockets
I've been trying to create a self-signed certificate for a public ip that I created in Azure to host a Node-Red instance and it seems that in Node-Red it needs PEM files to enable HTTPS.
I have tried to create these files using OpenSSL:
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
However when I try to access it, it says that the certificate is invalid.
Are there any other ways to make a self-signed certificate?
The error is because your browser doesn't know to trust the certificate, because it is not signed by one of its trusted Certificate Authorities.
You have 3 options:
1. If you look closely on the page there will be a way to ignore the error and continue to load the page.
2. You can import the certificate (since it is self-signed) into the browser's list of trusted certificates (if you tick the right box in option 1 this will basically happen automatically).
3. Rather than use a self-signed certificate (which really shouldn't be used for anything that is attached to a public IP address these days) you should use a real certificate from LetsEncrypt. These are free and already trusted by your browser.
I just created a TLS/SSL certificate (in Windows) with the following openssl command:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
After this, I tried to load it in the FileZilla server but it gives me an error that says:
Could not load certificate file: error:0906D06C:PEM routines:PEM_read_bio:no start line(0)
I already verified that the two files (key and cert) don't contain any blank spaces, and don't have ^M at the end of any line. What could be the cause of this?
I would guess that you have selected the certificate file (cert.pem) as the Private key file and the private key file (key.pem) as the Certificate file.
It should be:
Private key file = key.pem
Certificate file = cert.pem
Also, the key has to be generated without a passphrase, otherwise you get
Could not load key file: error:0907B068:PEM routines:PEM_READ_BIO_PRIVATEKEY:bad password read (0)
So you need to add -nodes to the openssl command-line.
Though why do you even use openssl to generate the certificate? FileZilla Server interface has Generate new certificate wizard.
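Added example, not part of the answer: a small check that tells a PEM certificate from a PEM private key by its header and flags a passphrase-protected key, i.e. the two mistakes behind the "no start line" and "bad password read" errors quoted above. It assumes `openssl` is on PATH; the sample files are constructed on the spot and the passphrase is made up.

```shell
# Added example, not the answer's code: tell which PEM file is which and whether the
# key is passphrase-protected before handing them to FileZilla. Assumes openssl on PATH.
set -eu
W=$(mktemp -d)

pem_kind() {  # prints: cert | key | encrypted-key | none
  hdr=$(grep -m1 -- '-----BEGIN' "$1" 2>/dev/null || true)
  case "$hdr" in
    *"BEGIN CERTIFICATE"*)           echo cert ;;
    *"BEGIN ENCRYPTED PRIVATE KEY"*) echo encrypted-key ;;  # PKCS#8, what 'req' writes without -nodes
    *"PRIVATE KEY"*)
      # legacy "BEGIN RSA PRIVATE KEY" files mark encryption with a Proc-Type header instead
      if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted-key; else echo key; fi ;;
    *) echo none ;;
  esac
}

# Does openssl load the file in that role with no passphrase, as FileZilla does?
loads_as_key()  { openssl pkey -in "$1" -passin pass: -noout 2>/dev/null && echo yes || echo no; }
loads_as_cert() { openssl x509 -in "$1" -noout 2>/dev/null && echo yes || echo no; }

# Constructed sample files: one key written with -nodes, one protected by the passphrase 'secret'.
openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=filezilla.test -days 365 \
  -keyout "$W/key.pem" -out "$W/cert.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -passout pass:secret -subj /CN=filezilla.test -days 365 \
  -keyout "$W/enc.key.pem" -out "$W/enc.cert.pem" 2>/dev/null

pem_kind "$W/key.pem"; pem_kind "$W/cert.pem"; pem_kind "$W/enc.key.pem"   # key cert encrypted-key
loads_as_key "$W/cert.pem"      # no  -> "no start line" when given as the Private key file
loads_as_key "$W/enc.key.pem"   # no  -> "bad password read" unless the key was made with -nodes
```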
I'm using signtool to apply a digital signature to various .exe/.dll files. However, viewing the signed files in Windows Explorer shows that no E-Mail address is set, much like in this screenshot (I'm by no means affiliated with "Paramount Software UK Ltd." -- this screenshot is just the first result I found via Google):
However, I also saw other screenshots showing that it's somehow possible to define an E-Mail address (even if it's a bogus one, like in this case):
Is it possible to set this E-mail address via signtool, or is it actually a property of the certificate itself (i.e. it needs to be specified when purchasing a certificate)?
The email property is extracted from the emailAddress in the subject distinguished name field of your certificate.
You can make a test using openssl to generate a self-signed certificate (then you can generate a CSR with an emailAddress and send it to the certificate authority to generate a valid end-entity certificate). To test it you can do the following steps:
Generate a self-signed certificate using the following openssl command:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
Then you will be asked to enter the following parameters (all part of the subject of the certificate):
To avoid this prompt you can directly specify the subject in the previous command using -subj as follows:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -subj "/C=ES/ST=58/L=Barcelona/O=yourOrgName/OU=yourDept/CN=yourAppName/emailAddress=myEmail@test.com"
Now you can generate a p12 (or pfx) from the generated key and cert using the following command:
openssl pkcs12 -export -out myTestWithMail.pfx -inkey key.pem -in cert.pem
Now you have a p12 (myTestWithMail.pfx) that you can use to sign an exe or dll using the following signtool command. For example I sign notepad++.exe (as in the examples you link in your question):
signtool.exe sign /f C:\Users\Albert\myTestWithMail.pfx /p 1234 "C:\Program Files (x86)\Notepad++\notepad++.exe"
Note that /f is for the path of your signing key, and /p is the password for your key.
Now you can see the email in the file you sign:
So finally if you need a certificate from a certificate authority you have to generate the CSR specifying emailAddress for example using openssl command:
openssl req -new -newkey rsa:2048 -nodes -out yourAppName.csr -keyout yourAppName.key -subj "/C=ES/ST=58/L=Barcelona/O=yourOrgName/OU=yourDept/CN=yourAppName/emailAddress=myEmail@test.com"
Or alternatively without specifying the -subj parameter, entering the correct values for the subject distinguished name when prompted:
openssl req -new -newkey rsa:2048 -nodes -out yourAppName.csr -keyout yourAppName.key
Hope this helps,
Short answer: Yes, the e-mail address is part of the certificate and no, you cannot specify it when signing a binary file.
Long answer: @albciff pointed out how to generate a certificate which has an email address associated with it but it seems you're out of luck in case you bought the certificate from Thawte; my colleague asked this exact question to the technical support of our certificate provider (Thawte) which replied:
When enrolling for a Code Signing certificate the email address used is not part of the validation process. Unfortunately, because the email is not part of the validation process it will not be included in the properties of the signed code.
Furthermore, tech support referred us to
this article in the 'Thawte Knowledge Center' which explains:
The e-mail address always appears as "not available" when viewing the properties of signed code. This is because the certificate validates the organization but requires no information about the e-mail address of the organization. Thus, we have validated the organization, but have not validated the e-mail. This in no way lessens the value or usefulness of your ID.
So not only is the email address part of the certificate, whether you can associate an email address with the certificate also depends on who issued the certificate.