openssl hangs and does not exit - cmd

I am trying to use openssl to get a certificate, and it seems to keep hanging. I have done a lot of research but not all of the available options seem to work on Windows.
openssl s_client -showcerts -connect google.com:443 > cert.txt
I have tried this:
openssl s_client -connect xyz:443 < quit.txt > cert.txt
Where quit.txt contains "quit\n"
from http://bytes.com/topic/php/answers/8802-automate-openssl-s_client-command-batch-php-script
That did not work. I also looked at Openssl s_clinet -connect scripting. Force quit help
I have also tried -prexit
I have also looked into this as well and can't get it working:
https://serverfault.com/questions/139728/how-to-download-ssl-certificate-from-a-website
I was doing so well! I managed to do something that I thought would be impossible and a simple thing like this bug managed to stop me for the time being :(

On Windows, simply typing winpty before your openssl command will do the trick. So, for example, you could create a certificate like so:
winpty openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days XXX

It looks like some OpenSSL distributions for Windows are expecting an additional keypress, independent of standard input. Quit.txt gets correctly piped into openssl's STDIN (the server receives the QUIT command), but nothing happens until you press any key.
This problem does not exist in Cygwin's version of OpenSSL. Unfortunately, the base installation of Cygwin takes about 100 MB of disk space, but you can try to extract only openssl.exe and the required libraries.
This method works:
echo QUIT | c:\cygwin\bin\openssl.exe s_client -showcerts -connect google.com:443 > cert.txt

If running under mingw64 on Windows you can use the winpty program to correctly wrap the terminal.
E.g. creating an alias under bash:
alias openssl='winpty openssl.exe'
Then
openssl s_client -connect blah
Should work as expected

For reasons I do not completely understand, echoing QUIT or quit\n into the input did not work in my case. I'm using MINGW64 with OpenSSL 1.0.2d on Windows 8.1, and I'm using openssl to get certificates from servers inside a bash script. However, just running the openssl command in the background and waiting a bit worked for me:
#!/bin/bash
openssl s_client -connect my.server.com:443 -showcerts > output.txt 2>/dev/null &
sleep 2
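The pattern the answers above converge on (give s_client EOF on stdin so it exits, then hand its output to `openssl x509` to keep only the certificate) as a complete script. This is an added example, not code from any answer; it stands up a throwaway local `openssl s_server` with a self-signed certificate so it runs offline, and the port number, file names and retry loop are my own choices. The same `</dev/null ... | openssl x509` pipeline is the one the "Read https certificate" question further down asks about. It does not fix the Windows keypress problem itself; that is what winpty or the Cygwin build addresses.

```shell
#!/bin/sh
# Added example: fetch a server's leaf certificate with openssl s_client
# without it hanging, by giving it EOF on stdin (</dev/null) and piping the
# output through `openssl x509`. A local `openssl s_server` stands in for the
# remote host. Port 14433 and the file names are arbitrary choices.
set -eu

PORT=14433
WORK=$(mktemp -d)

# Self-signed certificate for the local test server (no passphrase).
make_server_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=localhost" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# fetch_cert HOST:PORT OUTFILE
# Writes the peer's leaf certificate in PEM form to OUTFILE. stdin is
# /dev/null, so s_client exits at EOF instead of waiting for keyboard input.
# Exit status is that of `openssl x509`, i.e. non-zero if no cert was received.
fetch_cert() {
    openssl s_client -showcerts -connect "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2" 2>/dev/null
}

# SHA-256 fingerprint of a PEM certificate file, for comparing two certs.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# End-to-end check: start the server, fetch its cert over TLS, compare
# fingerprints. Returns 0 when the fetched certificate is the server's own.
run_demo() {
    make_server_cert
    openssl s_server -accept "$PORT" -cert "$WORK/server.crt" \
        -key "$WORK/server.key" -www -naccept 1 >/dev/null 2>&1 &
    server_pid=$!

    # Retry a few times in case the server is not listening yet.
    tries=0
    until fetch_cert "127.0.0.1:$PORT" "$WORK/fetched.pem"; do
        tries=$((tries + 1))
        [ "$tries" -lt 5 ] || { kill "$server_pid" 2>/dev/null || true; return 1; }
        sleep 1
    done

    kill "$server_pid" 2>/dev/null || true
    wait "$server_pid" 2>/dev/null || true

    [ "$(fingerprint "$WORK/server.crt")" = "$(fingerprint "$WORK/fetched.pem")" ]
}

# Usage: run_demo && echo "fetched certificate matches the server's"
```

Against a real host you would only keep `fetch_cert`, e.g. `fetch_cert google.com:443 cert.pem`; the `sleep` of the answer above becomes unnecessary because s_client terminates on its own once stdin reaches EOF.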

Related

openssl command fails on one Windows machine in a Git Bash window while it works on another

This command fails on one Windows machine in a git bash session, while on the other machine it works fine.
auser#pc MINGW64 /c/Developer/TEMP/openssltest
$ echo "Hi Alice!" | openssl rsautl -encrypt -inkey /c/Developer/TEMP/openssltest/pub2.pem --pubin
Can't open /c/Developer/TEMP/openssltest/pub2.pem for reading, No such file or directory
15844:error:02001003:system library:fopen:No such process:../openssl-1.1.1k/crypto/bio/bss_file.c:69:fopen('/c/Developer/TEMP/openssltest/pub2.pem','r')
15844:error:2006D080:BIO routines:BIO_new_file:no such file:../openssl-1.1.1k/crypto/bio/bss_file.c:76:
unable to load Public Key
auser#pc
This command works on the machine where the one above fails:
$ echo "Hi Alice!" | openssl rsautl -encrypt -inkey ./pub2.pem --pubin
I do not have any issues on another machine. Where to look?
I would look into:
difference in openssl version
read access: cat /c/Developer/TEMP/openssltest/pub2.pem (or cat /c/Developer/TEMP/anyOtherFile)
difference in user for the shell session (env|grep -i user)
If you are running that test with a user account which does not have the right to read that TEMP folder, you would get that error.

Openssl commands do not run in cmd

I am following a tutorial where they run an openssl command.
I am trying to run the openssl command
openssl s_client -connect ldap.domain.com:454 -showcerts 2>/dev/null | openssl x509 -out certfile.txt
But it does not work in Windows cmd; I get this error message:
The system cannot find the path specified
I don't understand what the problem is.
The path /dev/null is a Unix path. It doesn't exist on Windows systems.

OpenSSL for Windows: Read https certificate

I'm trying to convert a bash script for Linux to run in Windows batch as well. Amongst several commands, there is also an OpenSSL command which reads a certificate from an https server and stores it in a variable. The bash command is:
openssl s_client -showcerts -connect $SERVER_IP:443/login </dev/null 2>/dev/null|openssl x509 -outform PEM > mycertfile.pem
I've installed OpenSSL on my Windows machine from here. I preferred the "Win64 OpenSSL v1.1.0e Light" version of OpenSSL.
How is this command transferred to Windows logic? Any ideas?

Scripting openssl to generate many certificates without manually entering password?

I have created a certificate authority and need to generate and sign 50+ certificates. I wanted to script this process. I don't want to have to manually enter a password 100+ times!
Here is the command I was getting hung up on:
openssl req -newkey rsa:1024 -keyout ~/myCA/tempkey.pem -keyform PEM -out ~/myCA/tempreq.pem -outform PEM
The problem is, it wants me to create a password with these prompts:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
When I am just being asked for a password to input I can use the -passin pass:mypass command line option for openssl. But this does not seem to work for creating a password.
Also, it seems strange that a password is required when later I just end up removing it with:
openssl rsa < tempkey.pem > server_key.pem
I tried creating a simple Ruby script:
require 'open3'
Open3.popen2("openssl req -newkey rsa:1024 -keyout ~/myCA/tempkey.pem -keyform PEM -out ~/myCA/tempreq.pem -outform PEM") {|i,o,t|
i.puts "mySecretPassword"
i.puts "mySecretPassword"
}
But this does not seem to work either. I still end up with a manual prompt asking me to create a password.
As explained in this answer you can use the -passout pass:foobar option to set a password via command line. For example:
openssl req \
-newkey rsa:1024 -keyout ~/myCA/tempkey.pem -keyform PEM \
-out ~/myCA/tempreq.pem -outform PEM \
-passout pass:foobar \
-subj "/C=US/ST=Test/L=Test/O=Test/CN=localhost"
The problem is that most utilities that expect a password require an interactive terminal. So if you try to fake it (like you did with a Ruby script) it will not work. You could also try:
echo -n "pass\npass\n" | openssl req ....
While this will work with some programs, those that require an interactive shell will not work.
You are searching for the tool called expect. Install it on your UNIX/Linux/MacOS and see the man page:
man expect
...
Expect is a program that "talks" to other interactive programs according to a script. Following the script, Expect knows what can be expected from a program and what the correct response should be. An interpreted language provides branching and high-level control structures to direct the dialogue. In addition, the user can take control and interact directly when desired, afterward returning control to the script.
...
You need to create an "expect script"; it really depends on your environment, i.e. what the application is asking for. If it is only passwords, it should be simple. Here is a more complex example: http://fixunix.com/openssl/159046-expect-script-doesnt-create-newreq-pem.html
I think this should work (you will maybe need to change it a bit):
#!/usr/bin/expect -f
# replace "blah blah blah blah" with the real openssl req arguments
spawn -console openssl req blah blah blah blah
expect "Enter PEM pass phrase:*" {send "password\r"}
expect "Verifying - Enter PEM pass phrase:*" {send "password\r"}
# wait for openssl to finish; without this, expect exits right after the
# second send and the spawned openssl is torn down before it writes its files
expect eof
Good luck!
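The `-passout` approach from the answer carried through to a whole batch, as an added example that is not part of the question or the answer. It generates N passphrase-protected keys and CSRs with no prompts, checks each key opens with `-passin` and matches its CSR, and strips the passphrase the way the question's `openssl rsa < tempkey.pem` step does. It assumes an `openssl` binary on PATH; the key size (2048 rather than the question's 1024), the DN, the `host-N` names and the temporary directory are my choices. The passphrase is passed with `env:` rather than `pass:` so it does not appear in `ps` output or shell history.

```shell
#!/bin/sh
# Added example: non-interactive key + CSR generation in bulk with
# -passout/-passin and -subj. Not code from the question or answer.
set -eu

OUT=$(mktemp -d)

# make_key_and_csr NAME PASSPHRASE
# Writes $OUT/NAME.key (encrypted with PASSPHRASE) and $OUT/NAME.csr, no prompts.
# The passphrase is handed over through the environment (env:KEY_PASS).
make_key_and_csr() {
    KEY_PASS="$2" openssl req -newkey rsa:2048 \
        -keyout "$OUT/$1.key" -keyform PEM \
        -out "$OUT/$1.csr" -outform PEM \
        -passout env:KEY_PASS \
        -subj "/C=US/ST=Test/L=Test/O=Test/CN=$1" 2>/dev/null
}

# check_key NAME PASSPHRASE
# Returns 0 when PASSPHRASE opens the key and the CSR carries that key's public half.
check_key() {
    KEY_PASS="$2" openssl rsa -in "$OUT/$1.key" -passin env:KEY_PASS \
        -check -noout 2>/dev/null || return 1
    key_pub=$(KEY_PASS="$2" openssl rsa -in "$OUT/$1.key" -passin env:KEY_PASS \
        -pubout 2>/dev/null) || return 1
    csr_pub=$(openssl req -in "$OUT/$1.csr" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$csr_pub" ]
}

# strip_passphrase NAME PASSPHRASE
# Writes an unencrypted copy to $OUT/NAME.plain.key (the question's
# `openssl rsa < tempkey.pem > server_key.pem` step, minus the prompt).
strip_passphrase() {
    KEY_PASS="$2" openssl rsa -in "$OUT/$1.key" -passin env:KEY_PASS \
        -out "$OUT/$1.plain.key" 2>/dev/null
}

# make_batch N PASSPHRASE
# Generates host-1 .. host-N and prints how many CSR files now exist.
make_batch() {
    i=1
    while [ "$i" -le "$1" ]; do
        make_key_and_csr "host-$i" "$2"
        i=$((i + 1))
    done
    ls "$OUT"/*.csr | wc -l | tr -d ' '
}

# Usage: make_batch 50 "$CA_BATCH_PASS" && check_key host-1 "$CA_BATCH_PASS"
```

If the CSRs are then signed by your CA with `openssl ca` or `openssl x509 -req`, the CA key's passphrase goes through `-passin env:...` in the same way, so the whole run needs no terminal.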

How can I build a Safari extension package from the command line?

Instead of going to Extension Builder > Build Package…, I'd like to build a .safariextz package from the MyExtension.safariextension folder.
I know I can unpack an extension with xar -xf. I suspect the way back involves packing it with xar, but then I'll need to do the code signing thing, which may or may not involve codesign(1).
Here are Omar Ismail's instructions, omitting the need for separate shell scripts. This will all occur in a directory safari/, where we will be signing the directory safari/appname.safariextension/ to become the extension safari/appname.safariextz. The first thing is to sign the extension the official way, with Extension Builder's Build Package.
Set up Xar:
1. Download and unzip/untar
https://github.com/downloads/mackyle/xar/xar-1.6.1.tar.gz
to wherever you want the executable xar-1.6.1 (xar 1.6dev doesn't support the options we need)
2. in xar-1.6.1/
./configure
make
sudo make install
sudo ln -s /full/path/to/xar-1.6.1/src/xar /usr/local/bin/xar161
Set up your certificates:
1. in safari/
mkdir certs/
xar161 -f appname.safariextz --extract-certs certs/
2. open Keychain Access and export your Safari Developer certificate to safari/certs/certs.p12 (use a blank password for certs.p12, and then use your Mac's password to export the cert)
3. in safari/certs/
openssl pkcs12 -in certs.p12 -nodes | openssl x509 -outform der -out cert.der
(same blank password)
openssl pkcs12 -in certs.p12 -nodes | openssl rsa -out key.pem
(same blank password)
openssl dgst -sign key.pem -binary < key.pem | wc -c > size.txt
It's possible that you can get the certificates from certs/cert.p12, and not need the --extract-certs step (and hence not need the extension built the official way), but I don't know openssl well enough, and it's only for the set up that you need that step anyway.
Once everything is set up, to sign the extension:
In safari/
xar161 -czf appname.safariextz --distribution appname.safariextension/
xar161 --sign -f appname.safariextz --digestinfo-to-sign digest.dat --sig-size `cat certs/size.txt` --cert-loc certs/cert.der --cert-loc certs/cert01 --cert-loc certs/cert02
openssl rsautl -sign -inkey certs/key.pem -in digest.dat -out sig.dat
xar161 --inject-sig sig.dat -f appname.safariextz
rm -f sig.dat digest.dat
This was all on a 2006 Snow Leopard MacBook, so it's possible things may be different on a machine that's more up to date.
Looks like there is a way to patch XAR with a signature option. http://code.google.com/p/xar/issues/detail?id=76#c0
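The detached-signature part of the flow above, done with openssl alone as an added example (not code from the question, the answer, or xar). It uses a throwaway self-signed key and certificate in place of the Safari developer cert and key.pem, so it runs offline. It shows why the `openssl dgst -sign ... | wc -c > size.txt` step works (an RSA signature is exactly as long as the key's modulus), signs a file's SHA-256 digest, verifies it against the certificate's public key, and shows that a one-byte change to the signed data makes verification fail. File names and the 2048-bit key size are my choices.

```shell
#!/bin/sh
# Added example: detached RSA signing and verification with openssl, plus the
# signature-size computation the answer derives with `wc -c`. Not project code.
set -eu

WORK=$(mktemp -d)

# Throwaway signing key and self-signed cert (stand-ins for key.pem / cert.der).
make_key_and_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example signer" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
    # Public key extracted from the certificate; this is what a verifier has.
    openssl x509 -in "$WORK/cert.pem" -pubkey -noout > "$WORK/pub.pem"
}

# Signature size in bytes the way the answer gets it: sign something, count bytes.
sig_size_by_signing() {
    openssl dgst -sha256 -sign "$WORK/key.pem" -binary < "$WORK/key.pem" | wc -c | tr -d ' '
}

# The same number from the modulus: hex digits / 2 = bytes (2048-bit key -> 256).
sig_size_from_modulus() {
    modulus=$(openssl rsa -in "$WORK/key.pem" -noout -modulus 2>/dev/null | sed 's/^Modulus=//')
    echo $(( ${#modulus} / 2 ))
}

# sign_file FILE SIGFILE: SHA-256 digest of FILE, PKCS#1 v1.5 signed into SIGFILE.
sign_file() {
    openssl dgst -sha256 -sign "$WORK/key.pem" -out "$2" "$1"
}

# verify_file FILE SIGFILE: exit 0 only if SIGFILE is a valid signature of FILE
# under the certificate's public key.
verify_file() {
    openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$2" "$1" >/dev/null 2>&1
}

# Runs the round trip; returns 0 when the good signature verifies, the
# tampered file does not, and both size computations agree.
run_demo() {
    make_key_and_cert
    printf 'contents of the package\n' > "$WORK/payload.bin"   # constructed sample
    sign_file "$WORK/payload.bin" "$WORK/sig.dat"
    verify_file "$WORK/payload.bin" "$WORK/sig.dat" || return 1

    printf 'Contents of the package\n' > "$WORK/tampered.bin"  # one byte differs
    if verify_file "$WORK/tampered.bin" "$WORK/sig.dat"; then return 1; fi

    [ "$(sig_size_by_signing)" = "$(sig_size_from_modulus)" ]
}

# Usage: run_demo && echo "sign/verify round trip OK"
```

`openssl dgst -sign` builds the DigestInfo structure itself, whereas in the answer xar produces it (digest.dat) and `openssl rsautl -sign` only applies the padding, which is why the sizes still match. `rsautl` is deprecated in current OpenSSL releases in favour of `openssl pkeyutl -sign`, which takes the same `-inkey`/`-in`/`-out` arguments.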
