Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 11 years ago.
Improve this question
Only the cert-xxxxx.pem can be download.
Can not find the create new key pair link in my account, but found it in source code, and created the new key pair.
For security reasons, AWS does not retain a copy of your private key.
http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html#X509Credentials
If you have us generate your X.509
certificates, we give you a
PEM-encoded certificate file, and a
PEM-encoded private key (unencrypted,
which means you don't get a password
for it). You'll need to convert the
files to whatever format your toolkit
uses (see the toolkit's documentation
for help). Even though we provide you
the private key, we don't store it
anywhere. If you lose it, you must
switch to using a different X.509
certificate.
If you provide your own keys, you must
upload only your certificate to AWS
(you keep the private key). The
certificate must be in PEM format. AWS
accepts any syntactically and
cryptographically valid, unexpired
X.509 certificates. They don't need to
be from a formal Certificate Authority
(CA).
Related
I am currently developing an MQ application client-side, that is meant to establish connection between a machine and a distant server, and I need to implement SSL connection between them. The server was already configured with a given certificate that I was sent. The problem is : I can't understand what exactly needs to be done with the key repository part.
It looks like the MQCONNX call is expecting not only a certificate name (label), but also a key database (kdb) file, which I don't have. Thus I have several question, because it seems like I don't understand every aspect of the certificate part:
How can I get the kdb file linked to the certificate? Is it supposed to be generated by the person who made the certificate?
Where is it supposed to be stored? Can I use any folder/name?
A little background : I am working on Windows and developping with C MQ libraries. Before the SSL requirement was added, everything was working properly : I could connect to the queue manager and post messages into a given queue. Now I get error 2381 MQRC_KEY_REPOSITORY_ERROR, which will probably be gone after this key repository part is solved.
Thanks a lot for all your answers.
Cheers,
I think between them the comments to your question provide the answer. In essence your client application (or the underlying MQ C layer) needs to trust the certificate that the server is sending.
If the certificate you have was signed by a trusted certificate authority,
then your app needs to be told to trust the public key of the certificate authority. If it is self-signed, then your app needs to be told to trust the public certificate.
Either way, you will need a keystore. The keystore holds all the public keys and public keys of certificate signers that you trust.
To create the keystore, follow the "Create a client keystore" section of https://developer.ibm.com/tutorials/mq-secure-msgs-tls/
These steps will create a keystore containing the certificate that you have been sent.
You then tell your application where to find the trusted keys keystore by setting the environment variable MQSSLKEYR
// MQSSLKEYR is need so that the MQ client knows what keystore to use..
// note it is the full path, including the base file name but not the .kdb extension
// my keystore file is user.kdb in the C:\tmp subdirectory..
set MQSSLKEYR=C:\tmp\user
see - https://www.ibm.com/docs/en/ibm-mq/9.0?topic=wsulw-specifying-key-repository-location-mq-mqi-client-unix-linux-windows
and
https://www.ibm.com/support/pages/how-do-i-configure-mq-client-c-based-application-amqsputc-amqsgetc-connect-mq-server-ssl
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 2 years ago.
Improve this question
I'm developing a web application for use inside our internal Windows domain. I have 3 servers: apps.mycompany.com (primary), api.mycompany.com, and files.mycompany.com. Right now, everything works fine over HTTP. But I need to have these accessible over SSL/https to Windows desktop clients on the network (Chrome/Firefox/Edge) and iOS (Safari/Chrome).
I've set up self-signed certs using OpenSSL, and have configured nginx to where they respond correctly, and serve data. But, I'm constantly running into "not secure" / "invalid certificate" errors and "mixed content" (http/s) warnings that stymie my development. The errors on api and files are especially pernicious, as they just "break" things not obvious to the user.
I need a solution where everyone can simply hit https://apps.mycompany.com... and everything "just works", without user intervention (allowing insecure connections, manually adding certs, adding certificates to Trust stores, etc.)
Advice?
EDIT: I see this question was closed. Isn't setting up SSL/https an integral part of modern web development? (and yes, I had already asked my question on Server Fault).
You need to create a root certificate that would be trusted by all your clients. Then you can sign server certificates with that "root" key so that server certificates would also be trusted.
This is the example how you can issue such certs.
More challenging task is to install this root cert to all your clients. You can ask your domain administrator to help you with that. Otherwise you will have to ask all your users to install that root cert (they will also probably have to be local administrators..)
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 1 year ago.
Improve this question
I'm using Fiddler to setup a proxy server, but when enabling "Require Proxy Authorization" under the rules menu the username/password is always 1. How do I change the username/password?
I tried changing oSession["X-AutoAuth"] = "username:password"; but it doesn't change the proxy credentials required.
Can't find anything in the documentation regarding this...
The X-AutoAuth flag concerns what credentials Fiddler sends to an upstream server when automatically replying to an authentication challenge; it has no impact on what credentials are demanded of the user.
This question was original asked and answered here: https://groups.google.com/forum/#!topic/httpfiddler/pErxaOtMlyc
You can change the credentials expected by Fiddler by setting the preference fiddler.proxy.creds to the base64 encoded username:password string. The default value is MToX which is the base64 encoded version of the string 1:1. You can compute the base64 value you need using the Tools > TextWizard feature in Fiddler.
To update the preference, click into the QuickExec box below Fiddler's Web Sessions list and type prefs set fiddler.proxy.creds YOURBASE64StringHere and hit Enter.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I really need to use SSL in my Socket Server\Client Communication but paying for a certification is too over priced for me :( i can't afford payed Certification
[Note] : my program will be publicly released so i wanna to secure my program communication with my server
The Question Is : Is it possible to use SSL\TLS for free in an effective [Without Security Riscs] way because i can't afford payed certificates... ?
Is it possible to use SSL\TLS for free in an effective way because i
can't afford payed certificates... ?
Yes it is. Buying certificates from a trusted CA, makes your server be trusted by all browsers without any manual action (e.g. Verisign).
If you own both the client and server and you are using SSL you can create your own certificates (or get free ones) and install them to all clients as trusted (in an off-line process).
The only part that relates to security now is the key size. Should be at least 2048 bits.
But there is one catch. If you create your own certificates you need to be careful what extensions you set so that you don't have any issues during deployment. The CAs know how to create X509v3 compliant certificates to be accepted by all browser (libraries) without any issues
Short answer: yes.
Long answer: What you're buying from a CA (certificate authority) is typically NOT a certificate. Typically, you create your own certificate, and ask the CA for a "signature", which you present to the client (browser, etc) in order to show that your certificate is trusted by that CA.
Browsers (and other software) typically have a internal list of CAs they trust. This is why one generally buys a signature - to have one's certificate recognized as valid by currently deployed software.
However, you are not required to get such a signature. You can just as well create your certificate (typically referred to as a "self signed" certificate) and either ask the end-user to introduce it to the software as trusted, or distribute it included in the software itself.
There are lots of instructions on how to create a self-signed certificate on the web, typicaly using the openSSL CLI, but also IIS, or Java.
As to how you deploy such a certificate on your software, you're better of asking another question.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 11 months ago.
The community reviewed whether to reopen this question 11 months ago and left it closed:
Original close reason(s) were not resolved
Improve this question
I want my site to use URLs like http://192.0.2.2/... and https://192.0.2.2/... for static content to avoid unnecessary cookies in request AND avoid additional DNS request.
Is there any way to obtain SSL cert for this purpose?
According to this answer, it is possible, but rarely used.
As for how to get it: I would tend to simply try and order one with the provider of your choice, and enter the IP address instead of a domain during the ordering process.
However, running a site on an IP address to avoid the DNS lookup sounds awfully like unnecessary micro-optimization to me. You will save a few milliseconds at best, and that is per visit, as DNS results are cached on multiple levels.
I don't think your idea makes sense from an optimization viewpoint.
The short answer is yes, as long as it is a public IP address.
Issuance of certificates to reserved IP addresses is not allowed, and all certificates previously issued to reserved IP addresses were revoked as of 1 October 2016.
According to the CA Browser forum, there may be compatibility issues with certificates for IP addresses unless the IP address is in both the commonName and subjectAltName fields. This is due to legacy SSL implementations which are not aligned with RFC 5280, notably, Windows OS prior to Windows 10.
Sources:
Guidance on IP Addresses In Certificates CA Browser Forum
Baseline Requirements 1.4.1 CA Browser Forum
The (soon to be) not-so Common Name unmitigatedrisk.com
RFC 5280 IETF
Note: an earlier version of this answer stated that all IP address certificates would be revoked on 1 October 2016. Thanks to Navin for pointing out the error.
Yep. Cloudflare uses it for its DNS instructions homepage: https://1.1.1.1
The answer I guess, is yes. Check this link for instance.
Issuing an SSL Certificate to a Public IP Address
An SSL certificate is typically issued to a Fully Qualified Domain Name (FQDN) such as "https://www.domain.com". However, some organizations need an SSL certificate issued to a public IP address. This option allows you to specify a public IP address as the Common Name in your Certificate Signing Request (CSR). The issued certificate can then be used to secure connections directly with the public IP address (e.g., https://123.456.78.99.).
The answer is yes. In short, it is a subject alternative name (SAN) certificate that contains IPs where you would typically see DNS entries. The certificate type is not limited to Public IPs - that restriction is only imposed by a signing authority rather than the technology. I just wanted to clarify that point. I suspect you really just want to get rid of that pesky insecure prompt on your internal websites and devices without the cost and hassle of giving them DNS names then paying for a CA to issue a cert every year or two. You should NOT be trying to convince the world that your IP address is a reputable website and folks should feel comfortable providing their payment information. Now that we have established why no reputable organization wants to issue this type of certificate, lets just do it ourselves with a self signed SAN certificate. Internally I have a trusted certificate that is deployed to all of our hosts, then I sign this type of certificate with it and all devices become trusted. Doing that here is beyond the scope of the question but I think it relevant to the discussion as the question and solution go hand in hand. To be concise, here is how to generate an individual self signed SAN certificate with IP addresses. Expand the IP list to include your entire subnet and use one cert for everything.
#!/bin/bash
#using: OpenSSL 1.1.1c FIPS 28 May 2019 / CentOS Linux release 8.2.2004
C=US ; ST=Confusion ; L=Anywhere ; O=Private\ Subnet ; EMAIL=admin#company.com
BITS=2048
CN=RFC1918
DOM=company.com
SUBJ="/C=$C/ST=$ST/L=$L/O=$O/CN=$CN.$DOM"
openssl genrsa -out ip.key $BITS
SAN='\n[SAN]\nsubjectAltName=IP:192.168.1.0,IP:192.168.1.1,IP:192.168.1.2,IP:192.168.1.3,IP:192.168.1.4,IP:192.168.1.5,IP:192.168.1.6,IP:192.168.1.7,IP:192.168.1.8,IP:192.168.1.9,IP:192.168.1.10'
cp /etc/pki/tls/openssl.cnf /tmp/openssl.cnf
echo -e "$SAN" >> /tmp/openssl.cnf
openssl req -subj "$SUBJ" -new -x509 -days 10950 \
-key ip.key -out ip.crt -batch \
-set_serial 168933982 \
-config /tmp/openssl.cnf \
-extensions SAN
openssl x509 -in ip.crt -noout -text
The C/A Browser forum sets what is and is not valid in a certificate, and what CA's should reject.
According to their Baseline Requirements
for the
Issuance and Management of
Publicly-Trusted Certificates document, CAs must, since 2015, not issue certificats where the common name, or common alternate names fields contains a reserved IP or internal name, where reserved IP addresses are IPs that IANA has listed as reserved - which includes all NAT IPs - and internal names are any names that don't resolve on the public DNS.
Public IP addresses CAN be used (and the baseline requirements doc specifies what kinds of checks a CA must perform to ensure the applicant owns the IP).
It entirely depends upon the Certificate Authority who issuing a certificate.
As far as Let's Encrypt CA, they wont issue TLS certificate on public IP address.
https://community.letsencrypt.org/t/certificate-for-public-ip-without-domain-name/6082
To know your Certificate authority , you can execute following command and look for an entry marked below.
curl -v -u <username>:<password> "https://IPaddress/.."