Generate largest certificate possible with openssl - ssl

For testing purposes, I am trying to generate a large client certificate with OpenSSL (this is not meant to be practical). I generate the CSR and the private key with:
openssl req -newkey rsa:16384 -keyout PRIVATEKEY.key -out MYCSR.csr
Then I fill the fields with the largest values possible, so the PEM pass phrase is 1024 characters, the state name is 128 characters and so on. The issue is that when I generate a certificate from this CSR using the AD Certificate Authority service, I get the following error:
Certificate Request Denied
Your certificate request was denied.
Your Request Id is 0. The disposition message is "Error Parsing
Request The filename, directory name, or volume label syntax is
incorrect. 0x8007007b (WIN32/HTTP: 123 ERROR_INVALID_NAME)".
Contact your administrator for further information.
Is there a limit to the size or field lengths for a CSR to be accepted by Active Directory?
And how can I generate this CSR quickly without having to keep entering the same information manually?
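As an added example (not part of the question), the POSIX shell script below does the non-interactive generation asked for in the second question, using -subj and -passout in place of the prompts, and at the same time shows where OpenSSL's own length limits lie: its ASN.1 string table enforces the X.520 upper bounds (64 characters for CN, O and OU; 128 for ST, L and emailAddress), so a longer value is rejected with "string too long" by openssl req itself, before any CA sees the request. The file names follow the question; the config file, the filler characters and the pass phrase are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the question: non-interactive CSR generation with
# every subject field at the upper bound that OpenSSL enforces, plus a check
# that one character more is rejected by openssl req itself.
set -eu

# pad N C: print N copies of the character C (constructed filler values).
pad() { printf "%${1}s" '' | tr ' ' "$2"; }

# Minimal config so the demo does not depend on the system openssl.cnf;
# the DN section is empty because -subj supplies the whole subject.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
EOF
}

# make_csr DIR CN_LEN: key + CSR with no prompts. -subj replaces the
# interactive DN questions, -passout the PEM pass phrase prompt.
# ST, L and emailAddress are 128 characters, O and OU are 64 (the X.520
# upper bounds built into OpenSSL); the CN length is the argument.
# Returns openssl's exit status.
make_csr() {
    dir=$1
    cn_len=$2
    write_config "$dir/openssl.cnf"
    openssl req -config "$dir/openssl.cnf" -newkey rsa:2048 \
        -passout "pass:$(pad 64 p)" \
        -keyout "$dir/PRIVATEKEY.key" -out "$dir/MYCSR.csr" \
        -subj "/C=GB/ST=$(pad 128 S)/L=$(pad 128 L)/O=$(pad 64 O)/OU=$(pad 64 U)/CN=$(pad "$cn_len" C)/emailAddress=$(pad 128 E)" \
        2>/dev/null
}

# csr_subject FILE: the subject line openssl parses back out of the CSR.
csr_subject() { openssl req -in "$1" -noout -subject; }

# csr_verifies FILE: 0 when the CSR's self-signature checks out.
csr_verifies() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

work=$(mktemp -d)
if make_csr "$work" 64; then
    echo "CN of 64 characters accepted:"
    csr_subject "$work/MYCSR.csr"
fi
if make_csr "$work" 65; then
    echo "CN of 65 characters unexpectedly accepted"
else
    echo "CN of 65 characters rejected by openssl req (string too long), no CA involved"
fi
rm -rf "$work"
```

The same limits apply when the values are typed at the prompts, which is why the 128-character state name in the question went through while anything longer for CN would not have; what the AD CA then does with a maximal-but-legal subject is a separate question.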

Trying to renew a cert made with my own CA fails with "There is already a certificate for... "

I've set up my own CA following the directions from Jamie and issued my first certs a year ago happily. They have now expired, but I'm having a devil's own time trying to renew them.
I have tried the code I used to create the certs in the first place, giving it a different output name, but I'm getting an error.
openssl ca -config intermediate/openssl.cnf -extensions usr_cert -days 375 -notext -md sha256 -in intermediate/csr/blahapi2.csr.pem -out intermediate/certs/blahapi2.cert.pem
Using configuration from intermediate/openssl.cnf
Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
Check that the request matches the signature
Signature ok
ERROR:There is already a certificate for /C=AU/ST=Victoria/O=MD/CN=blahapi.there.com.au/emailAddress=pnunn#example.com
The matching entry has the following details
Type :Valid
Expires on :220501022116Z
Serial Number :1000
File name :unknown
Subject Name :/C=AU/ST=Victoria/O=MD/CN=blahapi.there.com.au/emailAddress=pnunn#example.com
I guess there is another way to renew a certificate with the same credentials, but I can't find it anywhere.
Clues?

Enabling SSL for an MQ queue manager on the HP Nonstop

I have an existing MQ MQI connection (Server-Connection) between an HP Nonstop and a Windows server. I am working on configuring the queue manager for SSL on the Nonstop.
I have followed a couple of sources available on the net closely but am still confused about a few things.
For the Stash.sth file, I have not gotten the following command to work:
openssl pkcs12 -export -in cert.pem -inkey server_key.pem -out personal_cert.p12 -passin pass:certkey -password pass:certkey -chain -CAfile trust.pem
I get an "Error unable to get local issuer certificate chain."
The SSLUpdate.pdf document that is delivered with MQ mentions creating the Stash.sth file using:
amqrsslc -s cert (cert being the trusted certificate store), and this DOES work for me.
However, it also says "The amqrsslc command will prompt for the private key pass phrase used when creating the certificate/key pair and will write a masked copy of that pass phrase to the Stash.sth file"
If I should have specified the same pass phrase earlier, where should I have done that?
When I created the private key? Should I have specified a -passin or -passout parameter? All I used was openssl genrsa -out privatekey.pem 2048 -sha256
Or, when I generated the certificate request? There is a prompt to enter an optional password.
Or neither? Is the pass phrase used when creating the Stash.sth file completely arbitrary?
Thanks for any help!
The error usually means the list of trusted certificates is not complete.
I think you need to be sure your certificate chain is complete.
Here is what the technote says:
If the certificate request is signed by an intermediate certificate, the certificate chain for the signed personal certificate will need to be added to the trust.pem file. You need to add the root certificate and the intermediate to the trust.pem file. Review create_trust_file.sh script for the syntax.
I also think this presentation document may be helpful to you.
http://www-01.ibm.com/support/docview.wss?uid=swg27023472&aid=1
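An added example, not from the thread or the IBM technote, that reproduces the answer's point with a constructed three-level PKI (made-up names, keys generated on the fly): `openssl pkcs12 -export -chain` fails with "unable to get local issuer certificate" when the trust file holds only the root, and succeeds once the intermediate is appended to it, which is the file create_trust_file.sh is meant to produce. The -no-CApath switch keeps the system trust directory out of the experiment so that only the named trust file counts.

```shell
#!/bin/sh
# Added example, not from the thread: build root -> intermediate -> leaf,
# then try `openssl pkcs12 -export -chain` with two different trust files.
set -eu

# Minimal config: -subj supplies all names; the extension sections make the
# root and intermediate real CAs so that chain building can succeed at all.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF
}

# build_test_pki DIR: constructed demo PKI; the leaf stands in for the queue
# manager's personal certificate (cert.pem / server_key.pem in the question).
build_test_pki() {
    dir=$1; cnf=$dir/openssl.cnf
    write_config "$cnf"
    openssl req -config "$cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/root.key" -subj "/CN=Demo Root CA" \
        -extensions v3_ca -out "$dir/root.pem" 2>/dev/null
    openssl req -config "$cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$dir/int.key" -subj "/CN=Demo Intermediate CA" \
        -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -extfile "$cnf" -extensions v3_ca \
        -out "$dir/int.pem" 2>/dev/null
    openssl req -config "$cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server_key.pem" -subj "/CN=ibmwebspheremqdemo" \
        -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 30 -extfile "$cnf" -extensions v3_leaf \
        -out "$dir/cert.pem" 2>/dev/null
    cp "$dir/root.pem" "$dir/trust_root_only.pem"          # root alone
    cat "$dir/root.pem" "$dir/int.pem" > "$dir/trust.pem"  # root + intermediate
}

# export_p12 DIR TRUSTFILE: the command from the question with the trust file
# as a parameter. Returns openssl's exit status (non-zero = no chain built).
export_p12() {
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/server_key.pem" \
        -out "$1/personal_cert.p12" -passout pass:certkey \
        -chain -CAfile "$2" -no-CApath 2>/dev/null
}

# run_demo: both attempts; returns 0 only when root-only fails and root +
# intermediate succeeds, which is the behaviour the answer describes.
run_demo() {
    work=$(mktemp -d)
    build_test_pki "$work"
    status=0
    if export_p12 "$work" "$work/trust_root_only.pem"; then
        echo "root only        : export unexpectedly succeeded"; status=1
    else
        echo "root only        : chain building failed (unable to get local issuer certificate)"
    fi
    if export_p12 "$work" "$work/trust.pem"; then
        n=$(openssl pkcs12 -in "$work/personal_cert.p12" -passin pass:certkey -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true)
        echo "root+intermediate: export succeeded, $n certificates in the PKCS#12"
    else
        echo "root+intermediate: export failed"; status=1
    fi
    rm -rf "$work"
    return $status
}
run_demo
```

Before building the stash, `openssl verify -CAfile trust.pem cert.pem` is the quicker test of the same condition: if that fails, pkcs12 -chain will fail for the same reason.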

Internal CA Signed Cert without CSR (Certificate Sign Request)

We need to provide a secure SSL on our intranet website. Could anyone please help me with the query below:
Is it possible to get an internal CA signed cert without a CSR?
If the above is yes, how do I generate an internal CA signed cert without a CSR?
What am I trying to achieve?
We don't have a production IIS set up, and the production IIS will only be set up during the change window. During this change window no resource is available to generate a CA signed cert for a given CSR. Hence, we are trying to create CA signed certs beforehand without having to set up the prod IIS.
The Certificate Signing Request (CSR) is a tool for including a third party in the certificate creation process without divulging your private key. It's essentially a packet of encoded information (including the public key) which can be sent to the third party for signing. The third party receives the CSR, signs it with their intermediate or root certificate, and sends the certificate back to you. Your new and shiny certificate file is now a keypair with your private key file. Even better, the third party never had access to your private key through the entire process.
Now to answer your question, yes it is possible. There is no requirement that a third party be involved. It's more a question of how to accomplish this with the cryptographic library of your choice. Check out my post here for a way to get OpenSSL running on Windows without admin privileges.
Create a new key and certificate
openssl req -newkey rsa:2048 -nodes -keyout [filepath to key] -x509 -out [filepath to cert]
Create a certificate from an existing key
openssl req -key [filepath to key] -x509 -out [filepath to cert]
You should be able to use OpenSSL to create a CSR independently of IIS (see its req command).

Slicehost - How do I generate a CSR so that I can purchase a Thawte SSL cert?

I am in the process of purchasing a Thawte SSL cert to be applied to my slice on slicehost which is hosting my new web app.
Thawte is looking for a CSR.
How do i generate this?
Regards,
Fiona
I doubt you still need this info after 9 months, however...
You'll need to generate an OpenSSL keypair and a Certificate Signing Request.
The keypair consists of two cryptographic keys: a public key and a private key. The public key is included with the CSR along with other applicant information such as name, company, etc. The private key is used to sign the CSR request.
A CSR is what you send to your chosen Certificate Authority (CA) to request that they supply you with an SSL certificate. It includes your identifying information and the public key for your server/site.
Generate the CSR
openssl req -new -newkey rsa:1024 -nodes -keyout example.key -out example.csr
You’ll be prompted to enter information such as Common Name, Organisation, Country etc.
It should be fairly straight forward, but your CA will let you know if you’ve done it wrong, I’m sure.
This will create example.key (the private key) and example.csr (the CSR).
Requesting your certificate
Normally your CA will have a form on their website which allows you to paste in your CSR. This obviously varies from company to company. Once you have given them your CSR, they will first ask you for money, and then generate your CRT file.
P.S. I basically copy and pasted this info from my website, dunno if that's allowed here.
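An added example, not from either of the two answers above, that runs both flows from one private key without prompts: a CSR to hand to an external CA (the Thawte case), and a certificate produced straight from the key with no CSR file anywhere (the intranet case, the second command of the earlier answer made non-interactive with -subj). It then checks what the answers assert, namely that the CSR and the certificate both carry the public key belonging to the private key, and that the certificate is self-issued. The key is 2048 bits rather than the 1024 shown above, and the self-signed certificate gets a subjectAltName, which browsers require today. File names, subject and config are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the answers: one private key, a CSR for an external
# CA and a self-signed certificate made without any CSR, then a key-match check.
set -eu

# Minimal config: -subj supplies the DN; v3_site gives the self-signed
# certificate the SAN and usage a browser expects from a web server cert.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
[ v3_site ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:intranet.example.internal
EOF
}

# gen_key FILE: 2048-bit RSA key (1024 bits is below what CAs accept now).
gen_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# csr_from_key CNF KEY SUBJ OUT: the request you would paste into the CA's form.
csr_from_key() { openssl req -config "$1" -new -key "$2" -subj "$3" -out "$4" 2>/dev/null; }

# cert_from_key CNF KEY SUBJ OUT: self-signed certificate directly from the
# key; no CSR is written anywhere.
cert_from_key() {
    openssl req -config "$1" -x509 -days 365 -key "$2" -subj "$3" \
        -extensions v3_site -out "$4" 2>/dev/null
}

# pubkey_fp KIND FILE: SHA-256 of the public key carried by a private key,
# a CSR or a certificate, so the three can be compared directly.
pubkey_fp() {
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac | openssl dgst -sha256 | sed 's/^.*= //'
}

# same_key KEY CSR CERT: 0 when all three carry the same public key.
same_key() {
    k=$(pubkey_fp key "$1"); c=$(pubkey_fp csr "$2"); x=$(pubkey_fp cert "$3")
    [ "$k" = "$c" ] && [ "$k" = "$x" ]
}

# self_issued CERT: 0 when subject and issuer are identical.
self_issued() {
    [ "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')" = \
      "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')" ]
}

# make_all DIR: key, CSR and self-signed certificate side by side.
make_all() {
    dir=$1; cnf=$dir/openssl.cnf; subj="/CN=intranet.example.internal/O=Example"
    write_config "$cnf"
    gen_key "$dir/example.key"
    csr_from_key "$cnf" "$dir/example.key" "$subj" "$dir/example.csr"
    cert_from_key "$cnf" "$dir/example.key" "$subj" "$dir/example.crt"
}

work=$(mktemp -d)
make_all "$work"
openssl req -in "$work/example.csr" -noout -verify >/dev/null 2>&1 && echo "CSR signature verifies"
same_key "$work/example.key" "$work/example.csr" "$work/example.crt" && echo "key, CSR and certificate share one public key"
self_issued "$work/example.crt" && echo "certificate is self-issued (subject == issuer)"
rm -rf "$work"
```

The pubkey_fp comparison is also the check to run on a certificate that comes back from any CA: if its fingerprint does not match the private key's, the CA signed a different request.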

Extract requested validity period from a Certificate Signing Request using OpenSSL

We use a private certificate authority powered by OpenSSL to authenticate our customers. We provide a simple web-based utility which allows them to upload a CSR file for the certificate authority to sign.
At the moment, we can only issue certificates for a fixed period, currently 365 days. However, our customers have asked if they can specify the validity period of their certificates instead.
I would prefer not to have to ask the user what validity period they want, since they have to specify a validity period when they generate their CSR, and it makes sense to extract this period from the CSR when signing the certificate. However I can't work out how to do it: the normal things that OpenSSL lets you do to debug CSRs, certificates and keys don't show the relevant information: here's an example of the output of "openssl req -text -noout < csrfile":
$ openssl req -text -noout < my.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=GB, L=London, O=example.com, CN=customer/emailAddress=ssl#example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c4:3b:11:7f:61:31:19:97:b6:26:19:01:e7:c6:
c3:d5:03:a5:f6:5a:4d:e2:03:d0:4e:76:49:d0:7f:
59:92:bf:5e:12:b3:b0:7e:20:5b:d8:a2:3f:cb:50:
c1:64:e5:48:04:c3:b2:04:e3:f2:4c:2f:0e:e2:a6:
c3:7c:36:24:dc:97:c9:f0:ba:ad:87:0f:71:45:9c:
6a:7f:d4:4c:d5:31:8e:49:a8:e4:3d:c4:ec:5e:54:
bf:f9:ba:ce:21:4c:11:15:7d:f0:d3:7a:77:f6:66:
5d:07:4e:4a:d3:0e:f0:52:0d:d9:cf:81:86:fe:9b:
c8:f8:e4:8d:d6:d1:d0:85:7f
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
5e:4c:38:59:95:e5:11:b4:a3:d5:88:1f:3c:c0:33:67:cb:b2:
14:85:73:c3:5a:b8:23:bf:1d:25:2b:a9:38:93:da:fb:67:17:
26:6c:79:07:dd:7f:3c:3f:b0:33:17:d1:c2:41:f7:c9:ce:1e:
32:1c:a1:a0:a3:50:67:56:1b:58:d9:b4:48:56:70:00:43:22:
a9:0c:17:be:67:42:f4:98:d6:d8:c0:d0:4f:6a:73:d1:a8:57:
91:3c:02:dc:dc:8f:e3:fb:48:28:06:a2:8e:8e:27:b2:39:d7:
3e:ce:63:ae:66:9b:ec:38:ee:09:77:dc:0f:91:40:ab:28:0f:
ae:a9
No mention of the requested validity period anywhere.
Any suggestions?
I've been trying to figure out how to request a specific validity period in a CSR, and as far as I can tell, the CSR simply doesn't carry that information. The CSR's structure is defined in PKCS#10 / RFC2986, and it doesn't have a field specifically for a requested validity period. The attributes and extensions that can be put in the CSR are listed in PKCS#9, and there's nothing there about validity periods. And finally, I can do a openssl asn1parse on my generated CSRs and find that there's no validity-period-related information included regardless of what I pass to openssl req.
I stumbled across your question while researching the validity of a CSR. As others have mentioned, the validity period is not included in the CSR, but I was curious about the -days option a lot of people include in their examples for creating a CSR. After reading the documentation of OpenSSL it is quite clear:
-days n
when the -x509 option is being used this specifies the number of days to certify the certificate for. The default is 30 days.
and the -x509 option outputs a self signed certificate instead of a certificate request
-x509
this option outputs a self signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self signed root CA. The extensions added to the certificate (if any) are specified in the configuration file. Unless specified using the set_serial option, a large random number will be used for the serial number.
Though you request a certain validity period for your certificate while generating the CSR, it's uncertain whether that validity will be accepted by the CA. Most CAs would prefer a predefined validity period and few CAs are OK with the requested validity period and generate the CSR accordingly. Now coming to the point, the CSR ASN.1 structure according to the PKCS#10 standard does not specify the validity period. And thus you cannot extract that information from the CSR.
Try to add -days xx parameter to your request creation command
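An added example (not from the thread) that makes the answers above checkable with openssl asn1parse: two CSRs generated from the same key with -days 1 and -days 3650 are byte-for-byte identical, and the ASN.1 dump of a CSR contains no time values at all, whereas the self-signed certificate the same key produces with -x509 carries exactly two (notBefore and notAfter, both UTCTime for dates before 2050). The key, subject and config are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: show that -days leaves a CSR untouched
# and that the PKCS#10 structure has no validity field at all.
set -eu

# Minimal config so the demo does not depend on the system openssl.cnf.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
EOF
}

# csr_with_days CNF KEY DAYS OUT: CSR generation with the -days that people
# copy from self-signed examples. Returns openssl's exit status.
csr_with_days() {
    openssl req -config "$1" -new -key "$2" -subj "/CN=customer/O=example.com" \
        -days "$3" -out "$4" 2>/dev/null
}

# cert_with_days CNF KEY DAYS OUT: the only command where -days does anything.
cert_with_days() {
    openssl req -config "$1" -x509 -key "$2" -subj "/CN=customer/O=example.com" \
        -days "$3" -out "$4" 2>/dev/null
}

# time_fields FILE: number of UTCTime/GeneralizedTime primitives in the DER
# behind a PEM file, i.e. how many dates the structure carries at all.
time_fields() {
    openssl asn1parse -in "$1" | grep -c -E 'UTCTIME|GENERALIZEDTIME' || true
}

# make_all DIR: one key, two CSRs with different -days, one certificate.
make_all() {
    dir=$1; cnf=$dir/openssl.cnf
    write_config "$cnf"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/my.key" 2>/dev/null
    csr_with_days "$cnf" "$dir/my.key" 1    "$dir/days1.csr"
    csr_with_days "$cnf" "$dir/my.key" 3650 "$dir/days3650.csr"
    cert_with_days "$cnf" "$dir/my.key" 30  "$dir/self.pem"
}

work=$(mktemp -d)
make_all "$work"
if cmp -s "$work/days1.csr" "$work/days3650.csr"; then
    echo "CSRs made with -days 1 and -days 3650 are identical"
fi
echo "time fields in the CSR        : $(time_fields "$work/days1.csr")"
echo "time fields in the certificate: $(time_fields "$work/self.pem")"
openssl x509 -in "$work/self.pem" -noout -dates
rm -rf "$work"
```

The two CSRs come out identical because nothing about -days reaches the signed CertificationRequestInfo, and an RSA PKCS#1 v1.5 signature over the same bytes is deterministic; the only way for a requester to communicate a wanted lifetime is out of band, in a web form like the one the question describes.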