Error while converting CER to CRT using openssl - ssl

I have openssl installed, and my goal is to convert my CER file to .CRT for an SSL update requirement. I keep running into the error (pasted below)
The code I am using in the console is:
openssl x509 -inform PEM -in Downloads\certificate.cer -out certificate.crt
Error:
C220000:error:80000002:system library:file_open:No such file or directory:providers\implementations\storemgmt\file_store.c:269:calling stat( Downloads\certificate.cer)
AC220000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto\store\store_register.c:237:scheme= C
AC220000:error:1608010C:STORE routines:inner_loader_fetch:unsupported:crypto\store\store_meth.c:359:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme ( C : 0), Properties ()
Unable to load certificate

Related

EJBCA web service pkcs12req C#

We are using EJBCA web service pkcs12req to generate PKCS#12 keystore in an C# application, which is afterwards saved as a p12 file.
After that we need to import p12 file to a smart card providing pin and password programmatically.
Problem is, when we try to load p12 file using an external library, we are getting some errors.
Also, when we try to verify p12 file using OpenSSL command:
pkcs12 -info -nodes -in <path-to-p12-file>
we get the following error:
39512:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1316:
39512:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:380:Type=PKCS12
Are we doing the right thing?
Can the generated PKCS#12 keystore be stored as p12 file without any further actions?

LetsEncrypt generates fullchain.pem and privkey.pem files. I need .crt and .key files. How can I get them?

After running sudo certbot --nginx -d mydomain.io -d www.mydomain.io
I'm getting:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mydomain.io/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mydomain.io/privkey.pem
For my app to work, I need private.key and certificate.crt files.
I have tried converting .pem files like so:
openssl x509 -outform der -in /etc/letsencrypt/live/mydomain.io/fullchain.pem -out certificate.crt
openssl rsa -outform der -in /etc/letsencrypt/live/mydomain.io/privkey.pem -out private.key
When trying to run my app, I'm getting this error in the browser dev tools:
WebSocket connection to 'wss://<my-ip>:<my-port>/' failed:
Error in connection establishment: net::ERR_CERT_COMMON_NAME_INVALID
On server I'm getting this error (apparently it means that my app couldn't parse the key file):
mbedtls error: returned -0x7780
So it looks like an issue with the certificate. Can you help me to figure out what I have done wrong? What could be causing this issue? Are there other ways to generate .crt and .key files, so I could double check that I didn't make a mistake?
Turns out my problem wasn't related to generating the keys, I was doing it correctly.
But the client version of my app was trying to connect to wss://<my-ip>:<my-port>/, and instead I was supposed to connect to wss://<my-domain-name>:<my-port>/.

Getting "curl: (58) unable to use client certificate" with calls using p12 file

I created a p12 file on my MacOS ElCaptain, using a .pem and .key file via openssl command :
openssl pkcs12 -export -in <PEM_file>.pem -inkey <PRIVATE_KEY>.key -out <FILENAME>.p12
Everything went ok. I was able to make my cURL calls using this p12.
When I did the same on my Ubuntu 14.04.5 LTS (with the same .pem and .key), I started to receive this message when I used cURL with the p12:
curl: (58) unable to use client certificate (no key found or wrong pass phrase?)
What I am missing?
curl supports about a dozen different SSL/TLS implementations and how certs&keys are supplied varies depending on which implementation is used in your build. Use curl -V (upper vee) to check. I'd guess, but don't know, the MacOS build uses SecureTransport; the (standard) package on my off-in-the-corner Ubuntu 14.04.4 definitely uses OpenSSL.
Per the man page and confirmed by experiment on my Ubuntu, this build wants PEM format files, not PKCS12. These are the same two files you used as input to openssl pkcs12 -export, or you can concatenate them and just use that for --cert (this can work because PEM format marks each block separately); and if you don't have them anymore you can just use openssl pkcs12 -in foo.p12 -out foo.pem (i.e. OMIT -export) to convert back.

How to add an intermediate certificate to a pfx file

I've been using a certificate that's stored on the server in a myserver.pfx file.
However, behavior is not the same in all browsers and some complain on account of, I think, a missing 'intermediate' certificate.
I've downloaded the intermediate certificate from Gandi: GandiStandardSSLCA.pem
Now, my question is, how can I add that intermediate certificate into the pfx file?
Although the server is windows, I'm trying to use openssl on a linux machine to manipulate the certificates, just because that's where I have openssl available. I'm assuming this doesn't matter.
One thing I've tried, is to use openssl to export myserver.pfx to myserver.pem, a text file. Then, with a text editor, I've added the text of GandiStandardSSLCA.pem to myserver.pem in hopes of then converting back to pfx format. However, I couldn't get openssl to do that conversion back to pfx.
Is this possible? If so, at the text editing stage, does it matter if the intermediate certificate text goes at the beginning or the end? Also, would I need to manufacture 'Bag Attributes' somehow?
Or, is the whole operation done in one line with openssl?
The .pfx file can be prepared by exporting the intermediate certificate .pem file with the below command example.
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt
Reference:
https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/

Error expecting certificate request while signing a certificate in OpenSSL for apache

I'm going to install SSL using OpenSSL on WAMPServer. The processes which I've been through are as follows:
I have installed apache, configured it and activated ssl module,
Added a new system variable OPENSSL_CONF:
Variable name: OPENSSL_CONF
Variable value: A:\wamp\bin\apache\apache2.4.9\conf\openssl.cnf
Restarted windows and made sure I saw the following line among the environment variables using command-line set | more command:
OPENSSL_CONF=A:\wamp\bin\apache\apache2.4.9\conf\openssl.cnf
Installed openSSL1.01Light(x64) on A:\OpenSSL and in its bin folder I have generated a key using command line command:
openssl req -new > webserver.csr
(Note that openSSL installation directory by default ain't have webserver.csr and I had to copy it from A:\wamp\bin\apache\apache2.4.9\bin directory)
The command ran and prompted me to enter a PEM pass phrase and verify it. I entered a pass phrase and verified it.
I entered information that would be incorporated into my certificate request.
I ran the following command:
openssl rsa -in privkey.pem -out webserver.key
I was prompted for the pass phrase from the previous step. The RSA key was written and the file webserver.key was then available in the folder.
Now I was going to covert the certificate into a signed one using the following command:
openssl x509 -in webserver.csr -out webserver.cert -req -signkey webserver.key -days 365
I got stock in this level that error occured with the following message:
5336:error:0906D06C:PEM routiness:PEM read bin:no start line:.\crypto\pem\pem_lib.c:703:Expecting: CERTIFICATE REQUEST
error in x509
How do I overcome this issue? Any idea? Thanks...