I need to connect our SimpleSAMLphp SP to a customers SAML 2.0 IdP. We have done this several times before and it worked quiet well. Normaly the certificates of our customers have been created using OpenSSL and we havent had any issues before.
Our current customer is using Javas keytool to generate their certificate for the metadata exchange.
The certificate has been generated using the following command:
keytool -genkeypair -keystore saml.jks -alias idp-signing -dname "cn=idp-signing-INT" -validity 1825 -keyalg RSA -sigalg SHA256withRSA -keysize 2048
When I inspect the cert it looks something like this:
keytool -list -v -keystore saml.jks -alias idp-signing
Alias name: idp-signing
Creation date: 27-Jun-2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=idp-signing-INT
Issuer: CN=idp-signing-INT
Serial number: 5f09e950
Valid from: Tue Jun 27 12:00:34 CEST 2017 until: Sun Jun 26 12:00:34 CEST 2022
Certificate fingerprints:
MD5: 85:E8:5D:EB:11:9B:CA:3C:02:06:65:A7:82:A4:4B:2B
SHA1: 41:79:18:80:65:C4:D6:27:CD:27:05:11:AD:5A:43:33:60:C7:89:AA
SHA256: 65:53:6E:FD:98:1E:0E:FE:B8:0F:50:11:EC:9A:06:FD:7C:27:F5:F5:D6:C8:11:AB:FA:D6:CE:80:86:09:CC:DF
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7C 88 3B 15 B4 22 FD 83 B6 BE 35 7F 3E E4 72 1E ..;.."....5.>.r.
0010: 30 7C 84 89 0...
]
]
Now when trying to authenticate via our customers IdP, our SP does not accept the IdPs certificate with the log message: Decryption failed: Algorithm disabled. It turns out, that simpleSAMLphp does not accept certificates using a PKCS#1 v1.5 encryption.
I could solve the problem pretty easy by removing that algorithm from simpleSAMLphps blacklist. But... To be honest... That is not a good solution. It would be nice to be able to generate a certificate using keytool that does not make use of PKCS#1 1.5 and just satisfies the recommendations.
Unfortunately I am not an encryption specialist and normally do not use java/keytool either.
Maybe someone can give me a hint on how our customer should generate their certificate the right way?
Would be really nice! Thanks in advance!
Related
I'm running the qtopcuaviewer example following these instructions to create the client certificate:
# create a self-signed certificate and private key
openssl req -new -x509 -config opcuaviewer.config -newkey rsa:2048 -keyout opcuaviewer.key -nodes -outform der -out opcuaviewer.der
# install the certificate and key into the application PKI directory
mv opcuaviewer.der /path/to/application/pki/own/certs/opcuaviewer.der
mv opcuaviewer.key /path/to/application/pki/own/private/opcuaviewer.pem
# secure private key file permissions
chmod 600 /path/to/application/pki/own/private/opcuaviewer.pem
Here the warnings I get:
Debug: "Creating PKI path '/home/user/bin/pki/trusted/certs': SUCCESS." (../opcuaviewer/mainwindow.cpp:399, bool MainWindow::createPkiPath(const QString&))
Debug: "Creating PKI path '/home/user/bin/pki/trusted/crl': SUCCESS." (../opcuaviewer/mainwindow.cpp:399, bool MainWindow::createPkiPath(const QString&))
Debug: "Creating PKI path '/home/user/bin/pki/issuers/certs': SUCCESS." (../opcuaviewer/mainwindow.cpp:399, bool MainWindow::createPkiPath(const QString&))
Debug: "Creating PKI path '/home/user/bin/pki/issuers/crl': SUCCESS." (../opcuaviewer/mainwindow.cpp:399, bool MainWindow::createPkiPath(const QString&))
Warning: No functional TLS backend was found (:0, )
Warning: No TLS backend is available (:0, )
Warning: No client certificate found at "/home/user/bin/pki/own/certs/opcuaviewer.der" . Application identity will be invalid. (:0, )
First issue
The certificate created with the procedure above is there and it has the correct permissions:
$ ls -l /home/user/bin/pki/own/certs/opcuaviewer.der
-rw-rw-r-- 1 user user 1143 Jan 18 14:57 /home/user/bin/pki/own/certs/opcuaviewer.der
Why does it not find it?
Second issue
The warning about TLS should imply there are some missing library for SSL. But ldd tell me nothing wrong and I have the following libraries installed:
$ dpkg -l | grep libssl
ii libssl-dev:amd64 1.1.1f-1ubuntu2.8 amd64 Secure Sockets Layer toolkit - development files
ii libssl1.1:amd64 1.1.1f-1ubuntu2.8 amd64 Secure Sockets Layer toolkit - shared libraries
$ dpkg -l | grep libk5crypto
ii libk5crypto3:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries - Crypto Library
Is there anything else I need to deploy?
Qt 6.2.0 under Ubuntu 20.04.
You have to deploy the TLS plugin found under:
qt-path/6.2.0/gcc_64/plugins/tls/
and it would solve both issues.
Problem Statement:
I've wanted to change the SSL certificate, because I've changed my server so I had to create a new CSR with the different name as discuss in the following question with this command. And generated the Privatekey and CSR.
$ openssl req -new -newkey rsa:2048 -nodes -keyout example_new.key -out example_new.csr
Then I'd paste the CSR to Re-Key in Godaddy portal and received certificate from Godaddy and then i renamed it to the following as per best practises.
example.com.crt
intermediate.crt
example.com.pem
And then I've concatenated the certificate with signing certificate in right order as discussed in this answer.
$ cat example.com.crt intermediate.crt > bundle_chained.crt
Exception:
Getting following exception while restarting Nginx.
$ sudo nginx -t
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/path/example_new.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed
Here's what I tested:
The certificate and private key has no trailing spaces.
I checked the nginx.conf and the directives are pointing to the
correct private key and certificate.
I've checked md5 hashed of the key and bundle_chained
$ openssl x509 -noout -modulus -in bundle_chained.crt | openssl md5
(stdin)= d91144b76e2fa292e9aee71f10ac8b63
$ openssl rsa -noout -modulus -in example.key | openssl md5
(stdin)= a4773e7fa31e0bdc7edad15ee5412d3e
Note: Md5 hash are not matching
Checked bundle_chained.crt using following and figure out that it doesn't look like my as I've specified Maharashtra ST and it is showing Arizona which is my CA.
$ openssl x509 -noout -text -in bundle_chained.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
8d:a1:9d:55:8c:d8:as:45
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
Validity
Not Before: Aug 20 11:54:25 2020 GMT
Not After : Aug 19 10:00:10 2022 GMT
Subject: OU = Domain Control Validated, CN = example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
....
.....
Note: Please note that it did showing CN correct as example.com in my case.
Thank you for your help. :)
We have an orchestration of microservices running on a server. An nginx service is acting as a proxy between microservices. We would like to have all the communications on SSL with our self-signed certificates.
We want to add our private CA to every service (running on Debian Buster), so that it is considered valid everywhere within that service. We generate our server certificate and CA as follows:
# Generate Root CA Certificate
openssl genrsa -des3 -out CA-key.pem 2048
openssl req -new -key CA-key.pem -x509 -days 1000 -out CA-cert.pem
# Generate a Signing a Server Certificate
openssl genrsa -des3 -out server-key.pem 2048
openssl req –new –config openssl.cnf –key server-key.pem –out signingReq.csr
openssl x509 -req -days 365 -in signingReq.csr -CA CA-cert.pem -CAkey CA-key.pem -CAcreateserial -out server-cert.pem
However, we can't make the microservices to consider the certificate as valid and trust it. When a get request is issued using the request library of Python in the micro-service, the following exception is thrown:
requests.exceptions.SSLError: HTTPSConnectionPool(host='server.name', port=443): Max
retries exceeded with url: /url/to/microservice2/routed/via/nginx/ (Caused by
SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate
verify failed: self signed certificate (_ssl.c:1076)')))
What we have tried so far:
Copying the certificate to /usr/share/ca-certificate/ and running the sudo dpkg-reconfigure ca-certificates and/or update-ca-certificates commands.
Set the REQUESTS_CA_BUNDLE env variable to /path/to/internal-CA-cert.pem
Set the SSL_CERT_FILE env variable to /path/to/internal-CA-cert.pem
The only workaround that works is setting the valid=False in requests.get(url, params=params, verify=False, **kwargs), to ignore the validity of the SSL certificate is ignored. But, this is not the worfklow we would want to implement for all the microservices and communications.
The solution was to copy the self-signed server certificate (signed with our own CA) to the /usr/local/share/ca-certificates directory and use the update-ca-certificates which is shipped in debian distributions (similar solution is available for other linux distributions).
cp /path/to/certificate/mycert.crt /usr/local/share/ca-certificates/mycert.crt
update-ca-certificates
However, the tricky part is that the above solution is not sufficient for the python request library to consider the certificate as valid. To resolve that, one has to append the self-signed server certificate to the cat-certificates.crt and then set the environment variable REQUESTS_CA_BUNDLE to that appended file.
cat /path/to/certificate/mycert.crt >>/etc/ssl/certs/ca-certificates.crt
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
I am unable to create Apple Push Notification cert files. When I test .pem files I get an error.
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert pushapp_cert_dev.pem -key pushapp_key_dev.pem
will give an error:
unable to load client certificate private key file
140735327015760:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY
I am following these instructions: https://github.com/raix/push/wiki/iOS-Micro-Walkthrough
pushapp_cert_dev.pem
-----BEGIN CERTIFICATE-----
MIIFiTCCBHGgAw...ff6eVQDZV4=
-----END CERTIFICATE-----
pushapp_key_dev.pem
Bag Attributes
friendlyName: pushApp
localKeyID: EB 91 B3 CD A0 F5 9A 56 46 96 43 24 C8 B0 A7 56 62 01 9E 2C
Key Attributes: <No Attributes>
Both files are in the same location.
When I created the .pem file, I simply needed to enter passphrase (min 4 char) when prompted. First, I just skipped it because I didn't want to create passphrase. It doesn't give any error or otherwise inform that passphrase is required and it actually creates a non working .pem file.
I'm trying to start the Java WS Core container version 4.0.8 from the Globus Tooklit. Before I can start the container, I need to create a grid proxy using grid-proxy-init. I am using my CERN certificate for this purpose. I have also downloaded the CERN Root CA and the CERN Trusted Certificate Authority certificates and configured globus to trust them. However, when I do grid-proxy-init, I get the following error:
Files used:
proxy : /tmp/x509up_u501
user key : ~/.globus/userkey.pem
user cert : ~/.globus/usercert.pem
Your identity: (correct identity)
Error: Wrong pass phrase
java.security.InvalidKeyException: Algorithm not supported.
at org.globus.gsi.OpenSSLKey.readPEM(OpenSSLKey.java:169)
at org.globus.gsi.OpenSSLKey.<init>(OpenSSLKey.java:105)
at org.globus.gsi.bc.BouncyCastleOpenSSLKey.<init>(BouncyCastleOpenSSLKey.java:45)
at org.globus.tools.DefaultProxyInit.loadKey(ProxyInit.java:608)
at org.globus.tools.ProxyInit.createProxy(ProxyInit.java:204)
at org.globus.tools.ProxyInit.main(ProxyInit.java:518)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at org.globus.bootstrap.BootstrapBase.launch(BootstrapBase.java:95)
at org.globus.bootstrap.Bootstrap.main(Bootstrap.java:37)
Please note that my CA certificates are in a non-standard location (~/.globus/certificates). I've tried using X509_CERT_DIR=~/.globus/certificates, but to no avail. Also, grid-proxy-init doesn't actually ask me for a passphrase. It just gives that error. I have no idea how to debug this further. I would appreciate any ideas about how to procee. Also, I would like to verify that globus is indeed recognising my CA certificates without any problems. Thanks!
Ok so I figured out what the problem was. I was converting the certificate to PEM from PKCS using:
openssl pkcs12 -in cert.p12 -out usercert.pem -nokeys
openssl pkcs12 -in cert.p12 -out userkey.pem -nocerts -nodes
Apparently this only extracts the private key from the certificate file but does not actually convert it to PEM format. For that I had to use the following command:
openssl pkcs12 -in cert.p12 -nocerts -nodes|openssl rsa -out userkey.pem -des3
This outputs the private key in the required format and grid-proxy-init works fine now.