Azure KeyVault corrupts PFX certificate - ssl

I have a TLS certificate received from a public CA that is in pem format without the intermediate certs included. I need the certificate in PFX format with intermediate certs in Azure KeyVault to use with an Application Gateway.
I am able to successfully add the intermediate certs and convert to PFX format with the following:
$apiCertSecret | openssl pkcs12 -export -nodes -out /tmp/cert.pfx -CAfile /tmp/certchain.pem -chain `
-macalg sha256 -certpbe aes-256-cbc -keypbe aes-256-cbc
Where $apiCertSecret is the raw text of the original cert and /tmp/certchain.pem is the root and intermediate cert in PEM format.
The resulting PFX cert checks out AFAICT as valid with both certutil and openssl. Both certutil cert.pfx, run on Windows, and openssl pkcs12 -info -nokeys -in /tmp/cert.pfx, run in WSL, run without error and show all the intermediate certs.
When I take the cert.pfx file and upload it to Azure KeyVault via the portal or via Import-AzKeyVaultCertificate, I end up with an unusable cert. If I reference it from KeyVault in the Application Gateway configuration, I get an unrecognized name error when connecting to that listener. This is the full error from using openssl s_client -connect to test:
error:0A000458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:../ssl/record/rec_layer_s3.c:1584:SSL alert number 112
If I retrieve the secret from KeyVault with Get-AzKeyVaultSecret -AsPlainText and pipe it to | openssl pkcs12 -info -nokeys I get the following error:
140606285837632:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1149:
140606285837632:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:309:Type=PKCS12
Importing this same cert directly into the Application Gateway works without issue. It also imports into the Windows cert store without issue although I haven't attempted to use it on a site there. I am looking to complete the automation of a cert upgrade, but I'm at a loss for what else to try. I would prefer to reference the cert from Azure KeyVault so the Application Gateway will automatically pick up changes, but right now that appears to be the issue.
My questions.
Are there any other commands I should use to inspect the certificate I have that might shed a little more light on the issue?
Is there another way I should attempt to upload the certificate to Azure KeyVault that would avoid the "corruption"?
Any chance someone has seen this as a known issue in Azure KeyVault?
In case it matters, the version of openssl in use is OpenSSL 1.1.1f 31 Mar 2020

Related

Unable to add ssl certificate to microsoft power apps

I bought a wildcard ssl certificate with Combell which I need to install in my Microsoft Power App. Combell uses AES-256 encryption and Microsoft want 3DES so I downloaded the .pem file and converted it to a .pfx with 3DES encryption with this openssl command:
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in my_encrypted_pem.pem -out my_new_pkcs12.pfx -name “my-name”
So now I have a pfx certificate file, and it uses the 3DES encryption that Microsoft wants.
Microsoft requirements for ssl certificate
And still I can't upload the certificate in my admin center, it tells me that the password is incorrect or that the encryption used by the certificate is not supported (It's in Dutch but see image with error here: link to img)
Don't know what's the problem because the password is 100% correct and the encryption used is 3DES. Can someone please help

Valid leaf certificate in PEM format

I am troubleshooting an SSL certificate issue where after the.PFX conversion to.PEM file using the OpenSSL.
The certificate is from Azure App Service Managed Certificate (GoDaddy) for 1-year validity with auto-renewal.
https://azure.github.io/AppService/2021/05/25/App-Service-Managed-Certificate-GA.html
According to https://developer.americanexpress.com/documentation#certificate-requirements I just need to execute:
openssl pkcs12 -in certificatename.pfx -out certificatename.pem
Which I have done with no issue or error.
However, it is always throwing errors when uploaded to the Amex portal.
Error:
Please upload a valid leaf certificate in PEM format

Enabling SSL for an MQ queue manager on the HP Nonstop

I have an existing MQ MQI connection (Server-Connection) between an HP Nonstop and a Windows server. I am working on configuring the queue manager for SSL on the Nonstop.
I have followed a couple sources available on net closely but am still confused about a few things.
The Stash.sth file, I have not gotten the following command to work:
openssl pkcs12 -export -in cert.pem -inkey server_key.pem -out personal_cert.p12 -passin pass:certkey -password pass:certkey -chain -CAfile trust.pem
I get an "Error unable to get local issuer certificate chain."
The SSLUpdate.pdf document that is delivered with MQ mentions creating the Stash.sth file using:
amqrsslc -s cert (cert being the trusted certificate store), and this DOES work for me.
However, it also says "The amqrsslc command will prompt for the private key pass phrase used when creating the certificate/key pair and will write a masked copy of that pass phrase to the Stash.sth file"
If I should have specified the same pass phrase earlier, where should I have done that?
When I created the private key? Should I have specified a -passin or -passout parameter? All I used was openssl genrsa -out privatekey.pem 2048 -sha256
Or, when I generated the certificate request? There is a prompt to enter an optional password.
Or neither? Is the pass phrase used when creating the Stash.sth file completely arbitrary?
Thanks for any help!
The error usually means the list of trusted certificates is not complete.
I think you need to be sure you certificate chain is complete.
Here is from the technote:
If the certificate request is signed by an intermediate certificate, the
certificate chain for the signed personal certificate will need to be
added to the trust.pem file. You need to add the root certificate and
the intermediate to the trust.pem file. Review create_trust_file.sh
script for the syntax.
I also think this presentation document may be helpful to you.
http://www-01.ibm.com/support/docview.wss?uid=swg27023472&aid=1

Couldn't able to connect to APNS Sandbox server

I am trying to connect to Apple APNS server with the following observations:
1)port 2195 is open 2)With Valid key passphrase for APNS_SSLCertificate_Key.pem 3)Entrust certificate (2048) downloaded from https://www.entrust.net/downloads/binary/entrust_ssl_ca.cer
4)With the successful telnet response as below :
$ telnet gateway.sandbox.push.apple.com 2195 Trying 17.172.232.226...
Connected to gateway.sandbox.push-apple.com.akadns.net. Escape
character is '^]'.
But when i run the following openssl command in my server to test the APNS connectivity :
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert APNS_SSLCertificate_Key.pem -debug -showcerts -CAfile server-ca-cert.pem
I am getting error as follows:
unable to load certificate 57013:error:0906D06C:PEM
routines:PEM_read_bio:no start
line:/SourceCache/OpenSSL098/OpenSSL098-35/src/crypto/pem/pem_lib.c:650:Expecting:
TRUSTED CERTIFICATE
So please suggest how to resolve this problem
Thanks in advance ......
I ran into this same issue; what eventually resolved the error was to re-export the Entrust certificate from System Roots of OS/X Keychain Access application.
To be complete, I'll give a complete explanation of how I created the key/cert files (something which should have been in Apple's TechNote 2265: https://developer.apple.com/library/content/technotes/tn2265/_index.html)
Creating your APN-cert-and-key:
Run Keychain Access; select "login" Keychain and "My Certificates" category
Select the certificate with the name format of "Apple Development IOS Push Services: ..."
Export the certificate (in the menu, under "File" .. "Export Items")
Export to .p12 format.
This now contains your certificate and private key in an encrypted interchange format. The next step is to convert it to a passphrase protected .pem file
Using terminal, execute the following command (using your own filenames, of course):
openssl pkcs12 -in PushCertKey.p12 -out PushCertKey.pem
(You will need to enter the password for the .p12 file and provide another passphrase for the .pem file.)
If you really really really don't want a passphrase on the .pem file, try:
openssl pkcs12 -in PushCertKey.p12 -out PushCertKeyNoCrypt.pem -nodes
Creating CA Certificate file:
List item
Run Keychain Access application
Go to System Roots
Export the certificate named "Entrust.net Certification Authority (2048)" to a .pem file.
Note: My Roots container has four Entrust certificates; two of them with the name "Entrust.net Certification Authority (2048)" (but with different certificate extensions, via Get Info). Both of the "Entrust.net Certification Authority (2048)" certificates where effective in validating the trust chain; the other two Entrust certificates did not work. More significantly, the Entrust certificate pointed at by the Apple TechNote 2265 also does not work.
Make sure you export to .pem format; the default is .cer and this step is easy to miss.
Run the verification command:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert PushCertKey.pem -debug -showcerts -CAfile "Entrust.net Certification Authority (2048).pem"
This server and process assume that your are connecting to Apple's Dev sandbox APN server; if you are trying to use the production APN server, you will need to use the correct server and port.
For more information on openssl, I suggest the following pages:
https://www.madboa.com/geek/openssl/
https://www.sslshopper.com/article-most-common-openssl-commands.html
http://gagravarr.org/writing/openssl-certs/general.shtml
SSL problems: Step wise fix.
Most of the problems are due to the private key issues, which can be resolved as follows.
Follow the following commands and create the .p12 using openssl.
You will need
developer_identity.cer <= download from Apple
mykey.p12 <= Your private key
Run these commands in your terminal where openssl is configured,installed or working:
openssl x509 -in developer_identity.cer -inform DER -out developer_identity.pem -outform PEM
openssl pkcs12 -nocerts -in mykey.p12 -out mykey.pem
openssl pkcs12 -export -inkey mykey.pem -in developer_identity.pem -out iphone_dev.p12
Final p12 that you will require is iphone_dev.p12 file and the passphrase that you had set.
Try again, hope your problem is fixed, as it always does for me. :)

Client SSL authentication causing 403.7 error from IIS

I'm trying to connect to a web service (not under my control) configured to authenticate users via SSL client certs. I have a valid certificate in PKCS12 format containing the client certificate and associated private key. The certificate is issued by a CA accepted by the web service provider.
Installing the certificate and trying to access the restricted area in various browsers gives the following results:
IE6 - Works fine and I can retrieve the WSDL
IE7 - Prompts for the certificate but then fails with a 403.7 from the server
Firefox3 - Set to ask, but no prompt and fails with a 403.7
Safari 4 - Certificate is installed in the Keychain, but no prompt and a 403.7
Also, trying to access the web service programmatically (Java) fails with the same 403.7 error code.
Strange that this works in IE6 but in no other browser, what am I missing? Do I need to include the full CA certificate chain in the PKCS12 file?
Any help would be greatly appreciated.
This really works! If you're confused by the -inkey and -in options, they are the private key and certificate from the p12 file. You can convert the p12 file to pem format with:
openssl pkcs12 -in file.p12 -clcerts -out file.pem
and use the above command with "-in file.pem" only.
Also, you can import the root CA cert into your trusted certs store, here is the description how to do that: http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl, and then you don't have to manually copy the certificates. After installing the cert use the command above without the "-CAfile chain.pem".
Ok, got this working. The answer is yes, I did need to include all intermediary CA certs in the PKCS12 file. I concatenated all the intermediary CA certs plus the Root CA cert in the file "chain.pem" then executed the following command:
openssl pkcs12 -export -chain -CAfile chain.pem -in cert.pem -inkey key.pem -out cert.p12