Public/private key not generating - keychain access - macos

Keychain Access -> Certificate Assistant -> Request a Certificate From a Certificate Authority -> Save to disk -> save as .certSigningRequest
This does not generate a public/private key chain when I go to Keys.
How do I solve this? Thanks.

Request a certificate from a certificate authority creates a Certificate Signing Request, not a public/private key chain. It will create the private key and store it in your key chain (as you named it), but the purpose of that command is to allow you to request a full X.509 certificate from an external Certificate Authority.
If you need to create just a public/private key pair, then it depends a bit on what you are planning on using it for. For example, you can create an SSH public/private key pair by using ssh-keygen.
Similarly, you can create an RSA public/private key pair using the commands from this answer from the security forum.
If, on the other hand, you're actually trying to create your own certificates, not just the public/private key pair, you can use Keychain Access to create a self-signed certificate using the Create a Certificate command. That will contain the signature of your self-signed CA and the public key.
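The distinction the answer draws (a key pair, a CSR, and a self-signed certificate are three different artefacts) can be reproduced on the command line. The script below is an added example, not part of the original question or answer; it assumes the openssl CLI is installed and uses a constructed subject name, writing everything into a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original question or answer. It builds the
# three artefacts the answer distinguishes with the openssl CLI (assumed to be
# installed): a bare key pair, a CSR, and a self-signed certificate, then
# checks how they relate. The subject name is constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# 1. A key pair on its own: the private key file also embeds the public key.
gen_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/private.pem" 2>/dev/null
    openssl pkey -in "$WORK/private.pem" -pubout -out "$WORK/public.pem"
}

# 2. A CSR: public key + subject, signed with the private key only to prove
#    possession. No CA has signed anything, so it is not a certificate.
make_csr() {
    openssl req -new -key "$WORK/private.pem" -subj "/CN=example.test" \
        -out "$WORK/request.csr"
}

# 3. A self-signed certificate: the same public key and subject wrapped in an
#    X.509 certificate whose issuer is the holder itself.
make_selfsigned() {
    openssl req -new -x509 -key "$WORK/private.pem" -subj "/CN=example.test" \
        -days 30 -out "$WORK/selfsigned.pem"
}

# SHA-256 over the DER-encoded public key found in a key, CSR or certificate.
pubkey_of() {  # $1 = key|csr|cert, $2 = file
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req -in "$2" -pubkey -noout ;;
        cert) openssl x509 -in "$2" -pubkey -noout ;;
    esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Build all three and report "ok" when they carry the same public key, the
# CSR's proof-of-possession signature checks out, and the certificate verifies
# against itself (the only thing a self-signed certificate can be checked with).
check_artifacts() {
    gen_keypair; make_csr; make_selfsigned
    k=$(pubkey_of key "$WORK/private.pem")
    r=$(pubkey_of csr "$WORK/request.csr")
    c=$(pubkey_of cert "$WORK/selfsigned.pem")
    [ "$k" = "$r" ] && [ "$k" = "$c" ] || { echo pubkey-mismatch; return 1; }
    openssl req -in "$WORK/request.csr" -verify -noout >/dev/null 2>&1 || { echo csr-bad; return 1; }
    openssl verify -CAfile "$WORK/selfsigned.pem" "$WORK/selfsigned.pem" >/dev/null 2>&1 || { echo cert-bad; return 1; }
    echo ok
}

echo "key / CSR / self-signed cert: $(check_artifacts)"
```

The CSR and the certificate carry the same public key, which is why Keychain Access stores a private key alongside the request it writes to disk; only the certificate, once signed by a CA (or by itself), is something a peer can evaluate for trust.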

Related

PFXExportCertStoreEx to export private and public keys

I have used PFXExportCertStoreEx API to successfully export public and private key of a RSA certificate from Windows key store.
Can the same PFXExportCertStoreEx be used to export the public and private keys of DSS and ECDSA certificates from the Windows key store?
If not, what other API needs to be used?
Thanks in advance.
After days of analysis and discussions, finally I was able to identify the root cause. It is related to privileges. If I run with Admin privilege, I can use PFXExportCertStoreEx to extract keys for ECDSA certificate as well from the Local Machine certificate store.
If you do not intend to use Admin privilege, just open the certificate manager or mmc, select the certificate, choose All Tasks > Manage Private Keys and give privileges as required.

Certificate conversion for AWS Certificate Manager

I received five files representing a certificate for a specific domain.
AAACertificateServices.crt
TrustedSecureCertificateAuthority5.crt
USERTrustRSAAAACA.crt
private.key
public.crt
I want to import this certificate using AWS Certificate Manager, but it fails with the message that the private key does not match.
I found under https://stackoverflow.com/a/14491157 the method to convert the key to PEM format, but that's probably not enough. What to do with the chain and the public.crt?

Understanding elasticsearch certificate

I saw there are two types of certificate, elastic-stack-ca.p12 and elastic-certificates.p12. What are the differences between these two certificates?
https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup.html#generate-certificates
Also I noticed we have HTTP certificate
https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup-https.html#encrypt-http-communication
Why are there so many certificates?
If I want to send data from Beats, which certificate should be used? I saw it needs .cer and .key.
Can someone help me to understand this?
You need both, and each one has a specific role.
*ca.p12 is the certificate of the new Certificate Authority, which is created since the Elastic certificate is auto-assigned.
*certificate.p12 is the certificate for each single instance of your Elasticsearch cluster.
I would recommend you follow the steps here: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup.html
Source:
https://www.elastic.co/guide/en/elasticsearch/reference/current/certutil.html#certutil-ca
ca.p12 -> CA Mode
The ca mode generates a new certificate authority (CA). By default, it produces a single PKCS#12 output file, which holds the CA certificate and the private key for the CA. If you specify the --pem parameter, the command generates a zip file, which contains the certificate and private key in PEM format.
certificates.p12 -> Cert Mode
The cert mode generates X.509 certificates and private keys. By default, it produces a single certificate and key for use on a single instance.
To generate certificates and keys for multiple instances, specify the --multiple parameter, which prompts you for details about each instance. Alternatively, you can use the --in parameter to specify a YAML file that contains details about the instances.
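To make the two bundles concrete, the script below (an added example, not from the Elastic documentation or the answer above) builds two throwaway PKCS#12 files with the same shape that certutil's ca and cert modes produce, counts what each contains, and splits the instance bundle into the PEM certificate, key and CA files a Beats client expects. It assumes the openssl CLI; the CA name, node name and password are constructed.

```shell
#!/bin/sh
# Added example, not from the Elastic documentation or the answer above. It
# builds two throwaway PKCS#12 bundles shaped like elastic-stack-ca.p12 and
# elastic-certificates.p12, lists what each contains, and extracts the PEM
# files a Beats client needs. Assumes the openssl CLI; the CA name, node name
# and password are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
PASS=constructed-password

build_bundles() {
    # Toy CA (self-signed, CA:TRUE) standing in for what "certutil ca" makes.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key 2>/dev/null
    openssl req -new -key ca.key -subj "/CN=Toy Elastic CA" -out ca.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    openssl x509 -req -in ca.csr -signkey ca.key -extfile ca.ext -days 30 -out ca.crt 2>/dev/null
    # Instance certificate signed by that CA, standing in for "certutil cert".
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out node.key 2>/dev/null
    openssl req -new -key node.key -subj "/CN=es-node-1" -out node.csr 2>/dev/null
    openssl x509 -req -in node.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 30 -out node.crt 2>/dev/null
    # elastic-stack-ca.p12: the CA certificate AND the CA private key.
    openssl pkcs12 -export -in ca.crt -inkey ca.key -name ca -passout "pass:$PASS" -out elastic-stack-ca.p12
    # elastic-certificates.p12: the node's certificate and key, plus the CA certificate.
    openssl pkcs12 -export -in node.crt -inkey node.key -certfile ca.crt -name es-node-1 \
        -passout "pass:$PASS" -out elastic-certificates.p12
}

# How many certificates or private keys a bundle holds.
count_in() {  # $1 = bundle, $2 = certs|keys
    if [ "$2" = certs ]; then
        openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true
    else
        openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null | grep -c 'BEGIN.*PRIVATE KEY' || true
    fi
}

# Split the instance bundle into the PEM files Beats reads.
extract_pem() {
    openssl pkcs12 -in elastic-certificates.p12 -passin "pass:$PASS" -clcerts -nokeys -out instance.crt 2>/dev/null
    openssl pkcs12 -in elastic-certificates.p12 -passin "pass:$PASS" -nocerts -nodes -out instance.key 2>/dev/null
    openssl pkcs12 -in elastic-certificates.p12 -passin "pass:$PASS" -cacerts -nokeys -out ca.pem 2>/dev/null
}

# Subject of a PEM certificate in RFC 2253 form, e.g. CN=es-node-1.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }

# "ok" when the extracted key belongs to the extracted certificate and the
# extracted CA certificate validates it; otherwise a short reason.
check_extracted() {
    a=$(openssl x509 -in instance.crt -pubkey -noout | openssl dgst -sha256)
    b=$(openssl pkey -in instance.key -pubout | openssl dgst -sha256)
    [ "$a" = "$b" ] || { echo key-mismatch; return 1; }
    openssl verify -CAfile ca.pem instance.crt >/dev/null 2>&1 || { echo chain-fail; return 1; }
    echo ok
}

build_bundles; extract_pem
for b in elastic-stack-ca.p12 elastic-certificates.p12; do
    echo "$b: $(count_in "$b" certs) certificate(s), $(count_in "$b" keys) private key(s)"
done
echo "instance cert: $(cert_subject instance.crt), extracted files: $(check_extracted)"
```

The CA bundle holds the CA's private key and is only needed where new instance certificates are signed; the instance bundle is what a node presents. For Beats, the extracted instance.crt, instance.key and ca.pem map to the ssl.certificate, ssl.key and ssl.certificate_authorities settings respectively.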

Understanding how certificates work in a client-server interaction

So, I'm trying to understand how certificates really, really work - I haven't been able to find what exactly I'm looking for on google so I'm phrasing it my way... If there's a straightforward link that you think might help me - please post it and I will delete this question.
I understand that when the client (say, a browser) makes a request to a website, it verifies the identity of the website by checking its certificate. Self-signed certificates are discouraged and certificates from a Certificate Authority (and its branches) are the real deal. Now that the identity has been verified, the request is processed by the server and the response is sent to the client, and now the user (a human being) can see that green lock sign in their browser next to the URL. Did I sum this up correctly? And this response is encrypted and will be decrypted by the browser/client?
In the case of SSO (single sign on) flows - when SAML assertions are "digitally signed" - what exactly does this mean? And how does the above mentioned certificates help in that?
I've just got too many concepts all mixed up in my head and was looking for clarity in understanding systems, security and TLS.
First of all, this is all about asymmetric cryptography, which allows you to encrypt a message with one key and decrypt it with another. Why is this helpful?
Secure interaction
You can send a message to your server using the public key of that server. Thus you can be sure that nobody else (except that server) would be able to decrypt that message.
Digital signing
You can encrypt a digest of a message with your private key and anyone will be able to check if that was you by decrypting your "signature" with your public key.
At what stage is the certificate involved?
Both cases above have a pitfall. You cannot be really sure that the public key the server provides you is really the key of the party you trust. The same goes for signatures: you cannot be sure that the public key you have just successfully used to verify a signature is really the key of the person you expect to sign your contract.
A certificate is a bundle of a public key and information about the holder of the key pair. This bundle is digitally signed with the private key of a CA.
What is the end-to-end process?
Let's consider the https case. Your client says to a server "Hey, I want to use the https protocol". This is the point where asymmetric cryptography is involved. You use the server's public key to encrypt a symmetric key (since asymmetric cryptography is somewhat expensive, it is used only while the symmetric key is being negotiated) that will be used for encrypting traffic.
But how can you be sure you can trust that server? Actually, what the server sends you is not just a key but a certificate. You take the certificate and verify that the server name specified in the cert is actually what you used in your address bar. You also verify the signature of the CA using that CA's public key.
Certification chain
The public key of the CA that signed the server certificate might also require verification. Such verification is performed in the same way as explained above. The chain has to eventually stop at a certificate that you absolutely trust. Such certificates are stored in a so-called trust store.
So this is how SSL works. Digitally signed SAML assertions work in a very similar way: they deliver certificates which you can validate, and you use the public keys extracted from them to validate the signature of the assertions.
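The chain walk, the hostname comparison and the "does this private key belong to this certificate" test described in this answer, which is also the check behind the "private key does not match" failure in the AWS Certificate Manager question earlier on this page, can all be run with openssl. The script below is an added example and not part of either post: it builds a throwaway three-level chain (root CA, intermediate CA, server leaf) and then runs each check once in the passing and once in the failing configuration. It assumes the openssl CLI; every name and key is constructed.

```shell
#!/bin/sh
# Added example, not part of either post on this page. Builds a throwaway
# root -> intermediate -> leaf chain and shows the checks a client performs:
# chaining to a trust store that holds only the root, matching the hostname
# against the certificate, and confirming a private key belongs to a
# certificate. Assumes the openssl CLI; all names and keys are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Issue a certificate with CN=$1, signed by $2 ("self" for a self-signed root);
# $3 = ca|server picks a minimal extension set (an assumption, not a standard).
issue() {
    name=$1; signer=$2; kind=$3
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$name.key" 2>/dev/null
    openssl req -new -key "$name.key" -subj "/CN=$name" -out "$name.csr" 2>/dev/null
    if [ "$kind" = ca ]; then
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$name.ext"
    else
        printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$name" > "$name.ext"
    fi
    if [ "$signer" = self ]; then
        set -- -signkey "$name.key"
    else
        set -- -CA "$signer.crt" -CAkey "$signer.key" -CAcreateserial
    fi
    openssl x509 -req -in "$name.csr" "$@" -days 30 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
}

build_chain() {
    issue root self ca                       # the only cert the trust store will hold
    issue intermediate root ca               # sent by the server, never trusted directly
    issue www.example.test intermediate server
}

# 1. Chain validation: $1 = leaf, $2 = trust store, $3 = untrusted intermediates
#    (optional), exactly as a client receives them in the handshake.
verify_chain() {
    if [ $# -ge 3 ]; then set -- -untrusted "$3" -CAfile "$2" "$1"; else set -- -CAfile "$2" "$1"; fi
    if openssl verify "$@" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# 2. Hostname check: does the name typed in the address bar appear in the cert?
check_hostname() {  # $1 = leaf, $2 = hostname
    if openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; then echo match; else echo mismatch; fi
}

# 3. Key ownership: the public key derived from the private key must equal the
#    one embedded in the certificate.
key_matches_cert() {  # $1 = private key, $2 = certificate
    a=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    b=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$a" = "$b" ] && echo match || echo mismatch
}

build_chain
for c in root intermediate www.example.test; do
    printf '%-18s subject=%s issuer=%s\n' "$c" \
        "$(openssl x509 -in "$c.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')" \
        "$(openssl x509 -in "$c.crt" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')"
done
echo "chain with intermediate:    $(verify_chain www.example.test.crt root.crt intermediate.crt)"
echo "chain without intermediate: $(verify_chain www.example.test.crt root.crt)"
echo "hostname www.example.test:  $(check_hostname www.example.test.crt www.example.test)"
echo "hostname other.example.test: $(check_hostname www.example.test.crt other.example.test)"
echo "own key vs leaf cert:       $(key_matches_cert www.example.test.key www.example.test.crt)"
echo "other key vs leaf cert:     $(key_matches_cert intermediate.key www.example.test.crt)"
```

The failing cases are the instructive ones: a leaf presented without its intermediate cannot be chained to the root even though the root is trusted, and a certificate paired with someone else's private key fails the ownership check before any chain or hostname question arises.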

OS X: how to check a certificate's signature

Is there a way to check a certificate is signed by a given root certificate using SecureTransport API similar to OpenSSL X509_verify?
On OS X, the API to create and manipulate certificates is Certificate, Key, and Trust Services:
Certificate, Key, and Trust Services is a C API for managing certificates, public and private keys, symmetric keys, and trust policies in iOS and OS X. You can use these services in your app to:
Create certificates and asymmetric keys
Add certificates and keys to keychains, remove them from keychains, and use keys to encrypt and decrypt data
Retrieve information about a certificate, such as the private key associated with it, the owner, and so on
Convert certificates to and from portable representations
Create and manipulate trust policies and evaluate a specific certificate using a specified set of trust policies
Add anchor certificates
See for example:
SecTrustCreateWithCertificates - Creates a trust management object based on certificates and policies.
SecTrustEvaluate - Evaluates trust for the specified certificate and policies.
SecTrustSetAnchorCertificates - Sets the anchor certificates used when evaluating a trust management object.