I am unable to create Apple Push Notification cert files. When I test .pem files I get an error.
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert pushapp_cert_dev.pem -key pushapp_key_dev.pem
will give an error:
unable to load client certificate private key file
140735327015760:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY
I am following these instructions: https://github.com/raix/push/wiki/iOS-Micro-Walkthrough
pushapp_cert_dev.pem
-----BEGIN CERTIFICATE-----
MIIFiTCCBHGgAw...ff6eVQDZV4=
-----END CERTIFICATE-----
pushapp_key_dev.pem
Bag Attributes
friendlyName: pushApp
localKeyID: EB 91 B3 CD A0 F5 9A 56 46 96 43 24 C8 B0 A7 56 62 01 9E 2C
Key Attributes: <No Attributes>
Both files are in the same location.
When I created the .pem file, I simply needed to enter passphrase (min 4 char) when prompted. First, I just skipped it because I didn't want to create passphrase. It doesn't give any error or otherwise inform that passphrase is required and it actually creates a non working .pem file.
Related
Problem Statement:
I've wanted to change the SSL certificate, because I've changed my server so I had to create a new CSR with the different name as discuss in the following question with this command. And generated the Privatekey and CSR.
$ openssl req -new -newkey rsa:2048 -nodes -keyout example_new.key -out example_new.csr
Then I'd paste the CSR to Re-Key in Godaddy portal and received certificate from Godaddy and then i renamed it to the following as per best practises.
example.com.crt
intermediate.crt
example.com.pem
And then I've concatenated the certificate with signing certificate in right order as discussed in this answer.
$ cat example.com.crt intermediate.crt > bundle_chained.crt
Exception:
Getting following exception while restarting Nginx.
$ sudo nginx -t
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/path/example_new.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed
Here's what I tested:
The certificate and private key has no trailing spaces.
I checked the nginx.conf and the directives are pointing to the
correct private key and certificate.
I've checked md5 hashed of the key and bundle_chained
$ openssl x509 -noout -modulus -in bundle_chained.crt | openssl md5
(stdin)= d91144b76e2fa292e9aee71f10ac8b63
$ openssl rsa -noout -modulus -in example.key | openssl md5
(stdin)= a4773e7fa31e0bdc7edad15ee5412d3e
Note: Md5 hash are not matching
Checked bundle_chained.crt using following and figure out that it doesn't look like my as I've specified Maharashtra ST and it is showing Arizona which is my CA.
$ openssl x509 -noout -text -in bundle_chained.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
8d:a1:9d:55:8c:d8:as:45
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
Validity
Not Before: Aug 20 11:54:25 2020 GMT
Not After : Aug 19 10:00:10 2022 GMT
Subject: OU = Domain Control Validated, CN = example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
....
.....
Note: Please note that it did showing CN correct as example.com in my case.
Thank you for your help. :)
I have three certificate files rootcertificate.txt, intermediateCertificate.txt, and serverCertificate.txt.
I want to install an SSL certificate on the Nginx server in the ubuntu platform and for this required two files yourdomain.cert and yourdomain.key
So my question is how to convert three files into .cert and .key format
No you can't, as I understand all you have are certificates
rootcertificate.txt is root CA certificate
intermediateCertificate.txt is Intermediate CA certificate, created by root CA
serverCertificate.txt is your server certificate, created by Intermediate CA certificate
for yourdomain.cert, you just need to rename serverCertificate.txt into yourdomain.cert
for yourdomain.key, it's not possible, you need to request the person who give you certificates for the private key
You need to build a certificate bundle (certificate chain). To do so, you just have to concatenate your three certificates. Make sure to have the Root CA on top of your chain, instead it won't work.
cat rootcertificate.txt intermediateCertificate.txt \
serverCertificate.txt > fullchain.txt
If your certificate are in DER format and you want to convert them in PEM before building your chain. You can use the ssl command below to convert your certificate in PEM.
openssl x509 -in serverCertificate.txt -out serverCertificate.pem \
-inform DER -outform PEM
You can use the same conversion to convert your private key in PEM also. Make sure to change in the "inform" in your certificate format they are not DER. Default value is PEM format.
I need to connect our SimpleSAMLphp SP to a customers SAML 2.0 IdP. We have done this several times before and it worked quiet well. Normaly the certificates of our customers have been created using OpenSSL and we havent had any issues before.
Our current customer is using Javas keytool to generate their certificate for the metadata exchange.
The certificate has been generated using the following command:
keytool -genkeypair -keystore saml.jks -alias idp-signing -dname "cn=idp-signing-INT" -validity 1825 -keyalg RSA -sigalg SHA256withRSA -keysize 2048
When I inspect the cert it looks something like this:
keytool -list -v -keystore saml.jks -alias idp-signing
Alias name: idp-signing
Creation date: 27-Jun-2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=idp-signing-INT
Issuer: CN=idp-signing-INT
Serial number: 5f09e950
Valid from: Tue Jun 27 12:00:34 CEST 2017 until: Sun Jun 26 12:00:34 CEST 2022
Certificate fingerprints:
MD5: 85:E8:5D:EB:11:9B:CA:3C:02:06:65:A7:82:A4:4B:2B
SHA1: 41:79:18:80:65:C4:D6:27:CD:27:05:11:AD:5A:43:33:60:C7:89:AA
SHA256: 65:53:6E:FD:98:1E:0E:FE:B8:0F:50:11:EC:9A:06:FD:7C:27:F5:F5:D6:C8:11:AB:FA:D6:CE:80:86:09:CC:DF
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7C 88 3B 15 B4 22 FD 83 B6 BE 35 7F 3E E4 72 1E ..;.."....5.>.r.
0010: 30 7C 84 89 0...
]
]
Now when trying to authenticate via our customers IdP, our SP does not accept the IdPs certificate with the log message: Decryption failed: Algorithm disabled. It turns out, that simpleSAMLphp does not accept certificates using a PKCS#1 v1.5 encryption.
I could solve the problem pretty easy by removing that algorithm from simpleSAMLphps blacklist. But... To be honest... That is not a good solution. It would be nice to be able to generate a certificate using keytool that does not make use of PKCS#1 1.5 and just satisfies the recommendations.
Unfortunately I am not an encryption specialist and normally do not use java/keytool either.
Maybe someone can give me a hint on how our customer should generate their certificate the right way?
Would be really nice! Thanks in advance!
I have inherited an ASP.NET MVC Application and an ASP.NET Web Api which both use SSL along with the api requiring client certificates. Both have been in production for over a year now with minor changes.
For development everything was originally set up with IIS Express and everything worked fine but now I have a requirement to move the local dev environment out of IIS Express and into Local IIS. My problem is all requests from the app to the api are failing with my setup.
I think I have my IIS (Windows 7 IIS 7.5) setup correct but it’s possible I could have something wrong. I have two different sites running on different ports for the api and app as well as what looks to be the appropriate settings for SSL and one to one mapping. Both sites have different app pools with two local users setup (I tried NetworkService originally). I added two domains to my host file (localapp.com and localapi.com) and I created two certificates for both domains with makecert. The api certificate is marked for server authentication and the app certificate is marked for server and client authentication (I have tried separate certificates for both purposes). The two SSL certificates have private keys that were marked as exportable when added to the certificate store and I have given private key permissions to the two local accounts. My self-signed root certificate is added to the LocalMachine root certificate store and the two site certificates (signed with the root certificate) are in the LocalMachine personal store. I can connect to both sites independently and don’t receive any warnings about certificate errors.
If I access an api URL through Chrome I can select the appropriate client certificate and see the JSON data expected. Accessing the app is similar in that I don’t get any certificate warnings but no data is being returned in any api calls it makes.
The app is using RestSharp for its HTTP requests and I have verified through debugging that the correct client certificate is being added to the request and a private key does exist. The code that is adding the certificate to the request should be fine since it has been running for over a year and nothing has changed. Every api request from the app returns
“System.ComponentModel.Win32Exception: The credentials supplied to the package were not recognized”
and
“The request was aborted: Could not create SSL/TLS secure channel.”
If I look into the network trace I get the following in regards to the localapp.com certificate…
System.Net Information: 0 : [6564] SecureChannel#37489757 - Left with 1 client certificates to choose from.
System.Net Information: 0 : [6564] SecureChannel#37489757 - Trying to find a matching certificate in the certificate store.
System.Net Information: 0 : [6564] SecureChannel#37489757 - Locating the private key for the certificate: [Version]
V3
[Subject]
CN=localapp.com
Simple Name: localapp.com
DNS Name: localapp.com
[Issuer]
CN=DevRoot
Simple Name: DevRoot
DNS Name: DevRoot
[Serial Number]
975C024DB7A08A9A48BE78F3382D4A93
[Not Before]
12/31/2015 11:00:00 PM
[Not After]
12/30/2039 11:00:00 PM
[Thumbprint]
28F3032F0E6ED488CFFE6706D3B17F851EFE1860
[Signature Algorithm]
sha512RSA(1.2.840.113549.1.1.13)
[Public Key]
Algorithm: RSA
Length: 4096
Key Blob: 30 82 02 0a 02 82 02 01 00 a9 c2 27 fc 60 11 1d 99 fe 1e e7 fb 05 b4 75 33 4a e3 d5 33 15 0c 9d 72 6a 3a df e2 58 49 20 34 39 59 77 7e 85 f7 fa 93 53 92 1d fa 63 32 98 b1 66 74 b6 60 23 e2 2b 97 f6 d9 ce bb 0a 1a ae 2f c8 a1 44 6f 60 12 9a bd b6 33 87 90 8d 1c 1f 61 7e f5 85 41 de 30 11 78 01 72 6b eb 77 8e 1b 9f 58 45 f6 ad 0d d3 2d ec 59 1d 63 2a 18 2f 77 87 6c a3 fe ee 68 2e 12 94 6a d5 ce 69 77 98 f2 14 bd bb ff eb 49 ac 1d a5 06 bf 97 51 0e 36 e6 8f 55 45 a3 91 29 77 94 93 1a 78 54 ....
System.Net Information: 0 : [6564] SecureChannel#37489757 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [6564] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Error: 0 : [6564] AcquireCredentialsHandle() failed with error 0X8009030D.
System.Net Information: 0 : [6564] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Error: 0 : [6564] AcquireCredentialsHandle() failed with error 0X8009030D.
System.Net.Sockets Verbose: 0 : [16268] Socket#3648821::Dispose()
System.Net Error: 0 : [16268] Exception in HttpWebRequest#16098066:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Verbose: 0 : [16268] HttpWebRequest#16098066::EndGetResponse()
System.Net Error: 0 : [16268] Exception in HttpWebRequest#16098066::EndGetResponse - The request was aborted: Could not create SSL/TLS secure channel..
The trace log looks like I don’t have permissions set up correctly but I have explicitly given the local users permissions to the private keys for both the app and api certificates. Everyone else with the 0X8009030D error looks to have solved the issue by adding the app pool user to the private key permissions. If I go to Manage Private Keys in the MMC snap in for the localapp.com certificate I see my LocalApp and LocalApi users having read permissions.
I am completely out of ideas on things I can try to get the communication to work. It is probably something very simple but no matter what I try it just won’t work.
Anyone ever try this set up before and have success or anyone have ideas I can try to get this working?
Any help is greatly appreciated.
Thanks in advance!
-Aaron
I'm trying to make a paper based backup of a 4092 bit secret/private PGP key using a QR code generator, but the key is just too big. I'm going to go low tech here and split it into two pieces, but perhaps I don't need to. I know that when exporting the secret key, it also exports the public key embedded within it.
Is there any way to remove the public portion of the key from that file, or prior to exporting, so that the resulting file is only the private key?
I'm not certain the resulting file will be small enough still, but it is worth a shot.
D:\Users\tharding>gpg --edit-key "04EAC14C"
gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 4096R/04EAC14C created: 2015-02-11 expires: never usage: SCE
trust: unknown validity: unknown
[ unknown] (1). Timothy Harding <hardingt#gmail.com>
gpg> key 1
No subkey with index 1
gpg> delkey
You must select at least one key.
gpg> delkey 0
You must select at least one key.
Update:
From what I can tell, (looking at the ASCII Armored output for both the public key and the private key) it looks like they are structured this way:
Update 2:
Looked at the files again, and this is what I've got, I haven't pulled out a hex editor yet to verify the non armored files, but I've found surprisingly little help online about how these key files are internally structured:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version:
4 header chars ??
1517 pub key chars
4 footer chars ??
-----END PGP PUBLIC KEY BLOCK-----
and
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version:
4 different header chars from pub key ??
700 pub key chars
1772 private key chars (possibly some header/footer to do with the symmetric cipher)
817 pub key chars (same total 1517, exact same ASCII sequence if put together)
4 different footer chars from pub key ??
-----END PGP PRIVATE KEY BLOCK-----
Update 3:
Took a look at the binary pub/private keys and found that:
public key is 1138 bytes
4 unique bytes
1134 bytes found in private key as well
private key is 2467 bytes
4 unique bytes
524 of which are found verbatim in the public key
1329 of which are unique to the private key
38 bytes which are found verbatim in the public key (key name & Email address)
572 bytes which are found verbatim in the public key
There is a program called Paperkey[1], written by David Shaw[2], that extracts only the private key information from an exported OpenPGP private key.
Excerpt from the package description:
extract just the secret information out of OpenPGP secret keys
The Paperkey page has a version already built for Windows 32bit, and provides the source to compile on Linux, Unix, *BSD and OSX.
Paperkey is also available via the package manager on some Linux/BSD distributions.
Example package manager installs -
apt (debian) -
apt-get install paperkey
yum (redhat)
yum install paperkey
pkg (bsd)
pkg install paperkey
ports (bsd)
cd /usr/ports/security/paperkey
make install clean