I need use ssl(2 way handshake) socket for connection in my project.
So for creating keys, i used openssl with this comands :
for server :
req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout a_private.key -out a_certificate.cert
rsa -in a_private.key -des3 -out a_private_des.key
rsa -in a_private_des.key -pubout -out a_pub.key
for client :
req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout b_private.key -out b_certificate.cert
rsa -in b_private.key -des3 -out b_private_des.key
rsa -in b_private_des.key -pubout -out b_pub.key
for import to jks file i used keytool:
keytool -import -alias a_private -file a_private_des.key -keystore a.jks
keytool error: java.lang.Exception: Input not an X.509 certificate
after that, I made der file with this command :
pkcs8 -topk8 -in a_private_des.key -out a_private_des.der -outform DER
and retry to import key to jks file:
keytool -import -alias a_private -file a_private_des.der -keystore a.jks
keytool error: java.lang.Exception: Input not an X.509 certificate
and I get same exception with b_pub.key
how can I import encrypted private key and public key in jks file ?
tanx alot.
To import a key pair (key and cert) into a java keystore, you first need to create a p12 file. Whilst the question is "import encrypted private key to jks", I don't actually believe the key in question is encrypted as the "nodes" option is used.
So to import a key, and cert into a JKS use:
# create p12
openssl pkcs12 -export \
-name a_private \
-out a_private.p12 \
-inkey a_private.key \
-in a_certificate.cert \
-passin "pass:changeit" \
-passout "pass:changeit"
# create jks
keytool -v -importkeystore -deststoretype pkcs12 -destkeystore \
"a.jks" \
-srckeystore "a_private.p12" -srcstoretype pkcs12 \
-alias "a_private" -srcstorepass "changeit" \
-deststorepass "changeit" -destkeypass "changeit"
Actually change the password "changeit" as well.
I believe the -import option only let's you import certificates, not keys. Looking at this post it seems you may have to write some kind of workaround.
Related
I want to encrypt local plain text file using openssl and RSAES_OAEP_SHA_256 algorithm.
I tried to use the same approach with this blog entry but it did not work.
https://europatech.co.uk/encryption-decryption-with-kms-and-openssl/
$ echo "hello" > plaintext.txt
$ openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
-in plaintext.txt -pubin -inkey pubkey.pem -out plaintext.bin
-pkeyopt command before -inkey
Usage: pkeyutl [options]
-in file input file
-out file output file
-sigfile file signature file (verify operation only)
-inkey file input key
-keyform arg private key format - default PEM
-pubin input is a public key
-certin input is a certificate carrying a public key
-pkeyopt X:Y public key options
-sign sign with private key
-verify verify with public key
-verifyrecover verify with public key, recover original data
-encrypt encrypt with public key
-decrypt decrypt with private key
-derive derive shared secret
-hexdump hex dump output
-passin arg pass phrase source
am I missing something?
I was looking for the same openssl command and this worked for me:
openssl pkeyutl -in data.txt -encrypt -pubin -inkey Oaep_Pub_Rsa.pem -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -out enc.pem
I'm trying to sign the (ITfoxtec Identity SAML2) SAMLRequests and testing with Auth0 and I'm getting the following error on the Auth0 side:
invalid_request: PEM_read_bio_PUBKEY failed
I filled the public key in their config.
{
"signatureAlgorithm": "rsa-sha256",
"digestAlgorithm": "sha256",
"signingCert": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqt7eddg/N9MgaivTEWif\n...\nnmEbAFKJtjieiwu1JjsMsdUCAwEAAQ==\n-----END PUBLIC KEY-----\n"
}
Here is how I generated the keys:
openssl req -x509 -sha256 -newkey rsa:4096 -keyout auth0samlprivate.key -out auth0samlpublic.pem -days 3650 -nodes -subj "/CN=mydomain.com"
# then i generate the public key to fill in the configuration of Auth0
openssl x509 -pubkey -noout -in auth0samlpublic.pem > auth0samlpublickey.pem
# then I generate the .pfx file to use server side for the private key
openssl pkcs12 -export -out auth0saml.pfx -inkey auth0samlprivate.key -in auth0samlpublic.cer
Then in the code:
config.SignAuthnRequest = true;
config.SigningCertificate = CertificateUtil.Load("Path/To/auth0saml.pfx", "myPassword");
In the browser, I get redirected to the right URL that contains a Signature query parameter, so it seems to be handled correctly but Auth0 doesn't seem to be able to read it.
What did I miss? I'm new to the certificate part of it.
The issue was about the generated certificate.
First, although the example in Auth0 is using a private key, using certificate is fine too.
The following commands worked fine for me:
openssl req -x509 -sha256 -newkey rsa:2048 -keyout auth0samlprivate.pem -out auth0samlpublic.pem -days 3650 -nodes -subj "/CN=thefiftyapp.com"
openssl pkcs12 -export -in auth0samlpublic.pem -inkey auth0samlprivate.pem -out auth0saml.pfx
I think the real issue was about changing manually the pem file to a cer file without using a command line.
And the Auth0 config:
{
"signatureAlgorithm": "rsa-sha256",
"digestAlgorithm": "sha256",
"signingCert": "-----BEGIN CERTIFICATE-----\nMIIDFTCCAf2gAwIBAgIUXg1jHZ9qRIrtySCsF/bK2JvYxMQwDQYJKoZIhvcNAQEL\n...\n53f63eKJn9PMmyqIYl9/K48ABR3Bf8exfvK4HRudkSU66pQsj8biIxl4MSDMg/6G\naHUZoTBJbJ/sXmoExGpltvFDcNMITfJMKGFCIBO9VnlsJrXdwalSTpxg/9Yi79GD\n5yMXEjicqion8KE0LMsk93LVS92bkujhSg==\n-----END CERTIFICATE-----\n"
}
I create my own Certificate Authority using OpenSSL.
I put the created root certificate on Windows 10 and Ubuntu 18.04.
I create a signed certificate which is used in a .NET Core Server (running on Ubuntu).
When accessing the server on Windows 10 using Chrome, the certifiate is valid/secure.
When accessing on Ubuntu, the certificate is invalid.
Here are the steps I took:
Create a CA
openssl genrsa -des3 -out self-ca.key -passout pass:password 2048
openssl req -x509 -new -nodes -key self-ca.key -sha256 -days 1825 -out self-ca.pem -passin pass:password
Install CA on Ubuntu
openssl x509 -outform der -in self-ca.pem -out self-ca.crt
cp self-ca.crt /usr/local/share/ca-certificates/.
update-ca-certificates
Install CA on Windows
Place certificate under Trusted Root Authorities
Create Certificate
req.conf file:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CA
ST = ON
O = Self Certificate
CN = www.<mysite>.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = #alt_names
[alt_names]
DNS.1 = *.<mysite>.com
Certificate commands
openssl genrsa -out self.key 2048
openssl req -new -sha256 -key self.key -config req.conf -out self.csr
openssl x509 -req -in self.csr -CA self-ca.pem -CAkey self-ca.key -CAcreateserial -out self.crt -days 1095 -sha256 -extensions v3_req -extfile req.conf -passin pass:password
Create pfx file for use with .NET Core Server:
openssl pkcs12 -export -inkey self.key -in self.crt -out self.pfx
Chrome in Ubuntu uses NSS database instead of global /etc/ssl storage.
The command certutil can be used to import your certificate to the user-level NSS db.
Install certutil: sudo apt install libnss3-tools
Add your CA certificate: certutil -d sql:$HOME/.pki/nssdb/ -A -n "My private CA" -i CA_cert.pem -t "C,C,C"
This command will install the certificate from file CA_Cert.pem under the name My private CA as trusted root for SSL cerver certificates, S/MIME certificates and code signing sertificates.
To check that the certificate is installed: certutil -L -d sql:$HOME/.pki/nssdb/
I am generating a .pem file using openssl using the command:
openssl genrsa -aes256 -out ca.key.pem 4096
It is working great but when I do this:
openssl genrsa -aes256 -out ca.key.pem 4096 -password pass:abcd
It is still asking me for a password in the terminal and not automatically taking the supplied password.
I've tried generating certificates before and it works for them eg.
openssl pkcs12 -name username -inkey cert/key.key -in abc.pem -export -out cert.p12 -password pass:abcd
You're very close to the goal ! Key size must be the last parameter and -password replace with -passout
openssl genrsa -aes256 -out ca.key.pem -passout pass:abcd 4096
I need to generate X509 certificate using EC.
What are the commands that I need to perform in order to achieve a PEM file of this certificate?
First, you need to create a private key with the elliptic curve of your choice:
openssl ecparam -name <curve> -param_enc explicit -genkey -out key.pem
You can find all supported curves with openssl ecparam -list_curves.
Afterwards you can create your certificate request, e.g.:
openssl req -x509 -new -key key.pem -out certificate.pem