Python Cryptography, generate certificate from CSR, existing private key and root certificate - x509certificate

I need to generate a TLS certificate with the Python crypto library from an existing custom CA using its private key and root certificate file (and potentially a CSR). I can easily do this using openssl in bash by running the following command:
openssl x509 -req -sha256 -in $CSR -CA $CA_CRT -CAkey $CA_KEY -CAserial $CA_SERIAL -out $OUT_CRT -days 365
I can follow the steps in here to create a CSR and KEY, but I'm not really sure I need a new private key if I already have the private key of my custom CA. Also, I can't figure out how to add the root certificate as a parameter. So the question is: what is the Python equivalent of the above Linux command?
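As an added example (not code from the question or from any answer on this page), here is one way to do what the openssl x509 -req command above does with the cryptography package: load the CSR, the CA certificate and the CA private key, check the CSR's own signature, and issue a 365-day leaf certificate signed by the CA key. No new private key is needed; the leaf's key is the one inside the CSR, and the only private key used is the CA's. Everything below is mine and not part of the original page: the function names sign_csr, verify_issued_by, make_test_ca, make_test_csr and demo, the constructed CA name "Example Custom CA" and subject www.example.com, the choice of a P-256 CA key with an RSA-2048 leaf key, and the assumption that cryptography 3.1 or later is installed and that the CA key is an unencrypted PEM.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID


def sign_csr(csr_pem: bytes, ca_cert_pem: bytes, ca_key_pem: bytes,
             serial: int, days: int = 365) -> bytes:
    """Equivalent of `openssl x509 -req -sha256 -in CSR -CA CRT -CAkey KEY -days 365`.

    The CSR supplies only the subject and public key; issuer, validity, serial
    and extensions are decided by the CA here rather than copied from the CSR.
    """
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:  # proof that the requester holds the key
        raise ValueError("CSR signature does not verify")
    ca_cert = x509.load_pem_x509_certificate(ca_cert_pem)
    ca_key = serialization.load_pem_private_key(ca_key_pem, password=None)
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_cert.subject)
        .public_key(csr.public_key())
        .serial_number(serial)
        .not_valid_before(now - datetime.timedelta(minutes=5))  # tolerate clock skew
        .not_valid_after(now + datetime.timedelta(days=days))
        # A leaf must never be a CA, whatever the CSR asked for.
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(csr.public_key()), critical=False)
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_key.public_key()), critical=False)
    )
    try:  # honour only the SubjectAlternativeName from the requested extensions
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        builder = builder.add_extension(san.value, critical=False)
    except x509.ExtensionNotFound:
        pass
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


def verify_issued_by(cert_pem: bytes, ca_cert_pem: bytes) -> bool:
    """Check issuer name and signature of a leaf against a CA certificate (EC or RSA)."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    ca_cert = x509.load_pem_x509_certificate(ca_cert_pem)
    ca_pub = ca_cert.public_key()
    try:
        if isinstance(ca_pub, ec.EllipticCurvePublicKey):
            ca_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                          ec.ECDSA(cert.signature_hash_algorithm))
        else:
            ca_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                          padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return cert.issuer == ca_cert.subject


def make_test_ca() -> tuple:
    """Constructed stand-in for the custom CA: a self-signed P-256 cert and its key."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Custom CA")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )
    key_pem = key.private_bytes(serialization.Encoding.PEM,
                                serialization.PrivateFormat.PKCS8,
                                serialization.NoEncryption())
    return cert.public_bytes(serialization.Encoding.PEM), key_pem


def make_test_csr() -> bytes:
    """Constructed request from a fresh RSA key, as `openssl req -new` would produce."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.com")]))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName("www.example.com")]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return csr.public_bytes(serialization.Encoding.PEM)


def demo() -> dict:
    ca_crt, ca_key = make_test_ca()
    leaf_pem = sign_csr(make_test_csr(), ca_crt, ca_key, serial=x509.random_serial_number())
    leaf = x509.load_pem_x509_certificate(leaf_pem)
    return {
        "issuer": leaf.issuer.rfc4514_string(),
        "subject": leaf.subject.rfc4514_string(),
        "is_ca": leaf.extensions.get_extension_for_class(x509.BasicConstraints).value.ca,
        "chains_to_ca": verify_issued_by(leaf_pem, ca_crt),
        "chains_to_other_ca": verify_issued_by(leaf_pem, make_test_ca()[0]),
    }


if __name__ == "__main__":
    print(demo())
```

Two things the one-line openssl command leaves implicit are handled explicitly here: the serial must be unique per CA (openssl tracks it in the -CAserial file; x509.random_serial_number() or a persisted counter does the same job), and the CSR's requested extensions are not copied wholesale, so a request that asks for CA:TRUE still receives a non-CA certificate.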

Related

Get my private key

I've just received a certificate from Comodo. The ZIP file contains a xxx.crt and xxx.p7b.
I need to convert the xxx.p7b file into a xxx.pfx so that I can import it in IIS. I'm using OpenSSL for the conversion, but I need a private.KEY file.
Is there a way to get/extract this file?
Export the current certificate (PFX) that is about to expire. This file contains your certificate and public key. Then use OpenSSL to extract the private key from the PFX file.
openssl pkcs12 -in myfile.pfx -nocerts -out private_key.pem -nodes

How to generate EC X509 certificate on unix?

I need to generate X509 certificate using EC.
What are the commands that I need to perform in order to achieve a PEM file of this certificate?
First, you need to create a private key with the elliptic curve of your choice:
openssl ecparam -name <curve> -param_enc explicit -genkey -out key.pem
You can find all supported curves with openssl ecparam -list_curves.
Afterwards you can create your certificate request, e.g.:
openssl req -x509 -new -key key.pem -out certificate.pem

Generate SignedData with Openssl console (with CRT)

I'm really new to openssl and I need to generate a CMS Signed Data message. I was given an XML file with some data in it, and I have a CRT and my private key.
How do I generate the CMS Signed Data using the XML, CRT and key? How do I write the command in the console?
I've been looking in the documentation but I'm lost.
openssl cms -sign -in data.xml -nodetach -inkey private.key -signer cert.crt -out result.cms -outform PEM

How can I encrypt data with a public key in Node.js? [duplicate]

In crypto, I see only Signer/Verifier for doing digital signature and Cipher/Decipher with symmetric key encryption.
How do I encrypt data with public key?
As mentioned in the official nodejs api docs here:
crypto.publicEncrypt(key, buffer)
Encrypts the content of buffer with key and returns a new Buffer with encrypted content. The returned data can be decrypted using the corresponding private key, for example using crypto.privateDecrypt().
If key is not a KeyObject, this function behaves as if key had been passed to crypto.createPublicKey(). If it is an object, the padding property can be passed. Otherwise, this function uses RSA_PKCS1_OAEP_PADDING.
Because RSA public keys can be derived from private keys, a private key may be passed instead of a public key.
So the answer is:
var encrypted = crypto.publicEncrypt(publicKey, buffer);
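As an added example that is not part of the answer above, the same operation in Python with the cryptography package (the library this page is about): RSA-OAEP encryption to a public key, the per-block plaintext limit that makes raw RSA unsuitable for bulk data, and the padding check that rejects a tampered ciphertext. One interop caveat the Node docs quoted above do not spell out: publicEncrypt() uses SHA-1 for OAEP and MGF1 unless oaepHash is set, so to decrypt this block's output on the Node side you would pass oaepHash: 'sha256'. The names encrypt, decrypt, max_plaintext_len and demo, the sample message, and the assumption that cryptography is installed are mine.

```python
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Node's publicEncrypt() defaults to RSA_PKCS1_OAEP_PADDING with SHA-1 unless
# `oaepHash` is given; both sides must agree on the hash, so fix it explicitly.
OAEP_HASH = hashes.SHA256()
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=OAEP_HASH), algorithm=OAEP_HASH, label=None)


def max_plaintext_len(public_key) -> int:
    """RFC 8017 section 7.1.1: one OAEP block carries at most k - 2*hLen - 2 bytes."""
    return public_key.key_size // 8 - 2 * OAEP_HASH.digest_size - 2


def encrypt(public_key, plaintext: bytes) -> bytes:
    """Encrypt a short message (typically a symmetric key) to the public key."""
    limit = max_plaintext_len(public_key)
    if len(plaintext) > limit:
        raise ValueError(f"plaintext is {len(plaintext)} bytes, OAEP limit is {limit}; "
                         "wrap a symmetric key instead of the data itself")
    return public_key.encrypt(plaintext, OAEP)


def decrypt(private_key, ciphertext: bytes) -> bytes:
    """Decrypt; a tampered or foreign ciphertext fails the OAEP check with ValueError."""
    return private_key.decrypt(ciphertext, OAEP)


def demo() -> dict:
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_key = private_key.public_key()
    message = b"constructed sample: AES key 00112233445566778899aabbccddeeff"  # constructed input
    ct1, ct2 = encrypt(public_key, message), encrypt(public_key, message)
    result = {
        "roundtrip": decrypt(private_key, ct1) == message,
        "randomised": ct1 != ct2,                  # OAEP is randomised: equal plaintexts differ
        "max_len": max_plaintext_len(public_key),  # 190 for RSA-2048 with SHA-256
        "ciphertext_len": len(ct1),                # always the modulus size, 256 bytes
    }
    try:
        encrypt(public_key, b"A" * 200)
        result["oversize_rejected"] = False
    except ValueError:
        result["oversize_rejected"] = True
    tampered = bytearray(ct1)
    tampered[-1] ^= 0x01  # flip one bit of the ciphertext
    try:
        decrypt(private_key, bytes(tampered))
        result["tamper_rejected"] = False
    except ValueError:
        result["tamper_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

For anything larger than a key, encrypt the data with a symmetric AEAD cipher and use publicEncrypt/OAEP only to wrap that symmetric key; OAEP gives no integrity over data it did not cover, so the wrapped key should be bound to the ciphertext by the AEAD, not by RSA alone.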
You might be interested in my NaCl bindings. From its API:
// Encrypt and sign
box(message, nonce, pubkey, privkey)
// Decrypt and validate
unbox(box, nonce, pubkey, privkey)
// Generates a new keypair, returns {private: <buffer>, public: <buffer>}
boxKeypair()
// Lengths of nonces and public and private keys in bytes
// { nonce: x, pubkey: x, privkey: x }
lengths.box
Yet another approach is using Cryptographic Message Syntax (CMS). It's not a pure Node.js solution, but you likely have all tools you need in the box. Below is the example using OpenSSL:
Generate x509 certificate (recipient) and private key files (in Bash):
openssl req -nodes -new -x509 -keyout key.pem -out cert.pem
Encrypt/Decrypt message from standard input (in Bash):
echo 123 | openssl cms -encrypt -recip cert.pem | openssl cms -decrypt -inkey key.pem
You can use -in/-out parameters to work with files. Below is an example you can use for Node.js:
require('child_process').execSync("openssl cms -encrypt -in file.json -recip cert.pem -out file.json.cms")
On Linux you'll likely have OpenSSL installed already. You can get OpenSSL on Windows by installing Git Bash, although you can also use built-in PowerShell commands. You'll need to generate a PFX certificate (using New-SelfSignedCertificate) or install an existing one (which can be generated with OpenSSL too). Once the certificate is installed in the certificate store, you can use the commands below for encryption/decryption:
Protect-CmsMessage -to CN=MyCertName -Path file.json -OutFile file.json.cms
Unprotect-CmsMessage -Path file.json.cms # It will find the proper cert in the cert store for you
Below is an example of how to generate .pem and PFX certificates from the same private key using OpenSSL, and make messages interchangeable between OpenSSL and PowerShell.
Generate certificate with extensions (that's required on Windows):
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem -subj '/CN=MyCertName' -addext extendedKeyUsage=1.3.6.1.4.1.311.80.1 -addext keyUsage=keyEncipherment
The above snippet will work only for newer versions of OpenSSL (1.1.1). Otherwise you need a separate file to define extensions. Then generate a PFX certificate (protect it with some password):
openssl pkcs12 -export -out certificate.pfx -inkey key.pem -in cert.pem -passout pass:P#ssw0rd
Then copy that PFX file to your Windows machine. You should be able to install it via PowerShell (Import-PfxCertificate) or manually (click on it and follow the wizard, using all defaults). In order to make messages interchangeable, use the -inform / -outform parameters when using OpenSSL. For example:
openssl cms -encrypt -in file.json -recip cert.pem -outform PEM
openssl cms -decrypt -in file.json.cms -inkey key.pem -inform PEM
# If having both OpenSSL/PowerShell on the same OS, use this for testing:
echo test | Protect-CmsMessage -to CN=MyCertName | openssl cms -decrypt -inform PEM -inkey key.pem
Btw, the CmsMessage commands will be available on PowerShell Core 7.1, so you can use it on Linux/Mac too (it's in preview now, and a stable version will be released in Dec 2020).

How to create a X.509V3 certificate without makecert or bouncy castle

Please help. I must create an X.509v3 certificate without using makecert or the Bouncy Castle library. The purpose is to use them in order to extract the public key.
Is it possible?
I can't do this... please can you help me.
Thank you very much.
Assuming that running a command line program will work for you, then you could try using the openssl tool.
First up, you'd want to generate a private key:
openssl genrsa -out new.key 4096
Generating RSA private key, 4096 bit long modulus
...........................................................
.................................................................
...............................................................
............................................................++
........................++
e is 65537 (0x10001)
Then, generate a self signed certificate with it:
openssl req -new -key new.key -x509 -days 1095 -out new.crt
You'll be asked what values to put into the certificate before it's generated. You'll then have a private key and a x509 certificate with your values in.
