I am trying to use openSSL to set up an https connection for my application. I'm running a Neo4j 1.2.2 database, with a Trinidad 1.3.5 web server, using the Rails 3.1 and ruby 1.9.
I have a Thawte trial certificate, ca_cert.crt, their intermediate and root certificates, ca_intermediate.crt and ca_root.crt respectively, and my own private key, ca_private.pem. What openssl command do I need to run to create a keystore, which I can specify in my app's trinidad.yaml config file?
So far the "looks-closest-to-right" thing I've tried is:
pkcs12 –export –in ca_cert.crt inkey ca_private.pem –out keystore.p12 –name tomcat
and it gives me the error:
unable to load certificates
6380:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\as
n1\tasn_dec.c:1319:
6380:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\
crypto\asn1\tasn_dec.c:381:Type=X509_CINF
6380:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 e
rror:.\crypto\asn1\tasn_dec.c:751:Field=cert_info, Type=X509
6380:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib:.\crypto\pem\pe
m_info.c:258:
error in pkcs12
It looks to me like openssl doesn't like the format I have the files in, though I have tried nearly every combination of the .pem, .crt, .cer, and .key extensions I can think of to no avail. I'm new to SSL entirely, so I hope I'm just doing something stupid and its an easy fix...
Here is the example I've been trying to follow: https://github.com/trinidad/trinidad/wiki/ssl-end-to-end-example
From this answer it seems that Thawte certificates are formatted as PKCS#7, while openssl pkcs12 -export command expects PEM. Certificate in PKCS#7 can be converted using modified version of command from previously linked answer.
$ openssl pkcs7 -in ca_cert.crt -print_certs | openssl x509 -outform PEM > ca_cert.pem
Then executing command, that you provided, creates PKCS#12 keystore.
$ openssl pkcs12 –export –in ca_cert.pem -inkey ca_private.pem –out keystore.p12 –name tomcat
Related
I'm trying to boot an efi loader signed with my custom keys. I've already enrolled its public key in mokmanager, still it is getting blocked in uefi when secure boot is turned on. It looks like the efi is not signed properly.
[root#hp-fedora]/tmp/test# ls
DB.auth DB.crt DB.key KEK.cer KEK.esl mkkeys.sh noPK.auth PK.auth PK.crt PK.key refind_x64.efi.signed
DB.cer DB.esl KEK.auth KEK.crt KEK.key myGUID.txt noPK.esl PK.cer PK.esl refind_x64.efi
[root#hp-fedora]/tmp/test# openssl x509 -in DB.crt -out DB.cer -outform DER
[root#hp-fedora]/tmp/test# sbsign --key DB.key --cert DB.crt --output refind_x64.efi.signed refind_x64.efi
Signing Unsigned original image
[root#hp-fedora]/tmp/test# pesign --show-signature --in=refind_x64.efi.signed
---------------------------------------------
certificate address is 0x7f338a625f88
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is mykeys DB
No signer email address.
Signing time: Thu Aug 11, 2022
There were certs or crls included.
---------------------------------------------
[root#hp-fedora]/tmp/test# pesigcheck -i refind_x64.efi.signed -n 0 -c DB.cer
Searching db DB.cer
Searching db DB.cer
Certificate type not approved for application.
pesigcheck: "refind_x64.efi.signed" is invalid.
To get Edge to trust the localhost development server, I created a selfsigned certificate following this tutorial. I just replaced all instances of client-1.local by localhost.
So in short, I created a trusted authority by creating a .pem-file with the commands
openssl genrsa -des3 -out rootSSL.key 2048
and then
openssl req -x509 -new -nodes -key rootSSL.key -sha256 -days 1024 -out rootSSL.pem
and imported those into the trusted authorities store in the MMC.
Then I created a private key with
openssl req -new -sha256 -nodes -out localhost.csr -newkey rsa:2048 -keyout localhost.key -subj "/C=AU/ST=NSW/L=Sydney/O=Client One/OU=Dev/CN=localhost/emailAddress=local#local.com"
and a certificate with
openssl x509 -req -in localhost.csr -CA rootSSL.pem -CAkey rootSSL.key -CAcreateserial -out localhost.crt -days 50000 -sha256 -extensions "authorityKeyIdentifier=keyid,issuer\n basicConstraints=CA:FALSE\n keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\n subjectAltName=DNA:localhost"
The certificate shows up as valid when double clicking on it.
For the exception I need to import the certificate into the browsers. For Firefox I got at first the error
You do not own the private key for the certificate
So I created a PKCS12 file
openssl pkcs12 -export -inkey ./sample.key -in ./sample.crt -out ./sample.p12
and imported that one in Firefox under "My Certificates". That works, I host with ng serve "ssl/localhost.crt" and Firefox with the imported .p12 accepts my localhost. Now for MS Edge it still complains, my certificate is not valid.
I also tried .pfx-merging, but no change. I also read the certificates should not be installed under My Certificates but as Authorities. That sounds wrong to me but I tried it and imported both the .crt and the .p12 into Authorities and Root Authorities, because why not, but no change. I also installed the certificate through the Windows Wizard.
What am I missing for MS Edge? I sadly have no way around it.
===== Update =====
Additional information:
Edge does not give any helpful error. Here is an image of the message. It is in German but all it says is the default text "The connection is not secure. The certificate is invalid. Your credit card information might be stolen." If there is some way to get a more informative message for Edge I would be very happy. In the developer console the message is:
This site does not have a valid SSL certificate! Without SSL, your site's and visitors' data is vulnerable to theft and tampering. Get a valid SSL certificate before releasing your website to the public.
The certificate files and the output of openssl x509 -text localhost.crt can be viewed here (password is pass or password, if necessary) and an image of the .crt here. It is sitting in my development folder, I host the site with
ng serve --ssl true --ssl-cert \"ssl/localhost.crt\" --ssl-key \"ssl/localhost.key\"
and access the server locally through localhost:3000.
I imported the .p12 file into edge through manage certificates -> My Certificates -> Import. The result looks like this.
What am I missing for MS Edge? I
The certificate does not contain any subject alternative names, which makes it invalid for Edge and Chrome. There is an attempt to specify these information, but the attempt is wrong.
I created a selfsigned certificate following this tutorial.
Looks like this tutorial is broken.
openssl x509 -req ... -extensions "authorityKeyIdentifier ... subjectAltName=DNA:localhost"
The -extension command line option is used to give the name of an extension section in a configuration file and not the extensions itself. Additionally the subjectAltName should be DNS:... not DNA:....
To fix create an extension file my.ext which includes the extensions you want to use:
[myext]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=DNS:localhost
Then use this file as extension file with -extfile my.ext and specify the extension to use with -extensions myext:
openssl x509 -req ... -extfile my.ext -extensions myext
I want to manually add .mobileprovision to the keychain access without using xCode because I didn't develop the app with xCode. Any suggestions?
I found a YouTube video by Kotobee to be immensely helpful.
You will need an OpenSSL. All necessary info is within this video.
My personal notes from this video:
Step 1: Need Open SSL folder
Step 2:
Process of making the KEYS
https://youtu.be/yCvbbIfMnxI?t=6m
https://youtu.be/yCvbbIfMnxI?t=8m4s
1ST KEY
certificate signing request file (CSR)
open SSL file in COMMAND PROMPT (cmd)
openssl genrsa -out [keyname].key 2048
// optional change [keyname]
(NOTE: if issues locating openssl.cfg type at command prmpt
set OPENSSL_conf-d:\OpenSSL-Win64\bin\openssl.cfg
nothing will show on command prmpt, but continue)
2ND KEY
making the CertificateSigningRequest.certSigningRequest KEY
//// video timestamp around 13:00 //////
openssl req -new -key [keyname].key -out CertificateSigningRequest.certSigningRequest -subj "/emailAddress=yourEmail#whatever.com, CN= companyName, C=US"
C=US is about the country of origin. So you may need to change this if not US.
NOTE: SEEMS LIKE ONCE YOU HAVE THE KEY FROM OPENSSL, don't need to do this process again. Not positive though, but so far seems true.
3RD KEY
https://youtu.be/yCvbbIfMnxI?t=14m52s
log into developer.apple.com account
3 steps:
STEP A:
Certificates
there's a DIFFERENCE between DEVELOPMENT & PRODUCTION/DISTRIBUTION
Click the PLUS sign in upper right corner of web page.
You can likely reUPLOAD the SAME key created under name:
CertificateSigningRequest.certSigningRequest
dev site will return "Your certificate is ready" to download
file name will be
ios_distribution.cer for DISTRIBUTION KEY
ios_development.cer for DEVELOPMENT KEY
/// NOTE: SO FAR LOOKS LIKE YOU CAN USE SAME KEY ONCE MADE!
Put your .cer file into the OpenSSL bin folder
STEP B:
Make your APP ID via the developer.apple.com site
https://youtu.be/yCvbbIfMnxI?t=16m58s
THIS SECTION appears to need to change per app, especially for DISTRIBUTION
could just use the wildcard key and be done with it for DEVELOPMENT
STEP C: Create .mobileprovision file
(note: this will include your registered devices)
Make an APP ID
click on Identifiers > App IDs >
Explicit App: Dev Prov Profile
App Bundle: id="com.domain.app"
Enabled: Push Notifications (can exclude this line)
Download new .mobileprovision file from developer.apple.com into
D:\OpenSSL-Win64\bin
Make sure latest CertificateSigningRequest.certSigningRequest file in
D:\OpenSSL-Win64\bin
Along with .key file in D:\OpenSSL-Win64\bin
STEP D: Create .pem file
In Command Prompt type:
openssl x509 -in [developer_certificate].cer -inform DER -out [app_pem_file].pem -outform PEM
ios_distribution.cer OR ios_development.cer
rename the [app_pem_file].pem file if you like -- make it similar (my thought)
to bundle app ID name or Explicit App name
OR
make it same as the .key name (if recreating & not using a previous one)
this creates the .PEM file
STEP E: Create .p12 file (final task)
In Command Prompt type:
openssl pkcs12 -export -inkey [keyname].key -in [app_pem_file].pem -out [app_p12].p12
As I said, all this information is on the video. You don't need my personal notes to get the key. :)
When I try the following:
mba:Utilities ryan$ sudo codesign -fs /Applications/Utilities/Boot\ Camp\ Assistant.app/
I get this error:
/Applications/Utilities/Boot Camp Assistant.app/: no identity found
Apparently I don't have a proper code signature, but if I sign up for the mac developer program, it would work.
How can I get a signature without enrolling in the mac developer program?
You need to create a self-signed certificate.
Open Keychain Access.
Choose Keychain Access > Certificate Assistant > Create Certificate ...
Enter a name
Set 'Certificate Type' to 'Code Signing'
Then, your command should look like this, if your certificate name is my-new-cert:
sudo codesign -fs my-new-cert /Applications/Utilities/Boot\ Camp\ Assistant.app
This works on OS X 10.10 Yosemite.
Instructions from here: http://support.apple.com/kb/PH7173
Although I can't understand why you are trying to resign the Boot Camp Assistant, you can use the codesign tool with a self-signed CA and identity.
Apple has steps to do so in their developer documentation TN2206: OS X Code Signing In Depth.
If you need to create a self-signed certificate using the openssl command line and use it for signing you can do this:
1) Create the spaghetti.software.extensions configuration file with the following content:
[ ca ]
default_ca = CA_default
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
#req_extensions = v3_req
[req_distinguished_name ]
CN = spaghetti.software.com
[ CA_default ]
x509_extensions = usr_cert
[ usr_cert ]
[ v3_ca ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
extendedKeyUsage = critical, serverAuth, clientAuth, codeSigning, emailProtection
2) Run the following commands to create the certificate and pack both the certificate and the key in a .p12 file (PKCS12):
openssl req -subj '/CN=spaghetti.software.com' -config spaghetti.software.extensions -x509 -newkey rsa:4096 -keyout selfSignedKey.pem -out selfSigned.pem -days 365
openssl pkcs12 -export -out spaghetti.software.p12 -inkey selfSignedKey.pem -in selfSigned.pem
3) Create a new .keychain file and import the spaghetti.software.p12 file into the keychain
(I believe you can do this with the command line as well if you don't want to use the Keychain Access application).
4) Then you can use the certificate to sign:
codesign -s "spaghetti.software.com" --force <binaryToSign>
You can add --keychain <MyKeyChain.keychain> if needed.
I have a code-signing certificate (SPC) file from GoDaddy. The file was generated from an existing private key:
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAvcG2SEalg9pvkTvtMI8cZg07tVA0RuK7LeGlFdk1smXgqrsH
.... snipped ....
MURwR0FXgNAuFNQ0yBNFNW2+o9uBceLuCSUalgi4pQw1uBmP5QkUYA==
-----END RSA PRIVATE KEY-----
I generated a certificate signing request and sent this to GoDaddy:
-----BEGIN CERTIFICATE REQUEST-----
MIICiDCCAXACAQAwQzFBMD8GCSqGSIb3DQEJARYyYXBwbGVAdGVrNC1uZXdtZWRp
.... snipped ....
nJwd9pSDPuYaNHl33N1BJkXFusG7ta0D6UjisA==
-----END CERTIFICATE REQUEST-----
GoDaddy then returned me an SPC file. My research shows that typically you'd have a SPC/PVK pair but obviously my private key isn't of PVK type.
I've tried several methods (pvkimprt, pvk2pfx, openssl, keytool) but can't seem to convert my key to PVK type or my SPC to a PKCS12 type independently without both the certificate (SPC) and private key being in a single key-store.
The command that I appear to need to do this in one step is:
openssl pkcs12 -in cert_from_godaddy.spc -inkey private.key -export -out full_code_signing_chain.pkcs12
However, running that I just get:
Loading 'screen' into random state - done
No certificate matches private key
But, the certificate (SPC) is for the private key. What am I doing wrong?!
Background: I'm trying to generate a .p12 file sign an Adobe AIR application
To be honest I can not understand at all what you are trying to do.
You got back the SPC file which is just the #PKCS7 der encoding with your certificate.
You also have your private key.
All you need to do is import the certificate to the pkcs12 keystore to have the signed certificate with your private key.
Here is how I created a .p12 file from GoDaddy's .spc file:
1. Right click myCert.spc, Install Certificate (to install the .spc into Windows)
2. Double click myCert.spc (to open it in certmgr), export to a .cer file.
3. Import that .cer file into Firefox.
4. From with Firefox: backup what you just imported to create a .p12 file.
Then you can use that .p12 file to sign your code.
To create a P12 truststore from a private key and a SPC file do the following steps with OpenSSL:
(Optional): Extract the private key from an old P12 truststore:
openssl pkcs12 -in old.p12 -nocerts -out privateKey.pem
Extract the certificate chain from the SPC file:
openssl pkcs7 -inform DER -outform PEM -in godaddy.spc -print_certs > certificates.pem
Create the new P12 truststore:
openssl pkcs12 -export -out new.p12 -inkey privateKey.pem -in certificates.pem