I want to convert the following curl command into a Karate script:
curl --cacert ca.crt --key client.key --cert client.crt "https://myurl"
All three SSL parts are required, i.e. client cert, client key AND server cert.
Is this possible in Karate?
To resolve this I converted ca.crt, client.key and client.crt into a .pfx file using this command:
openssl pkcs12 -export -out certificate.pfx -inkey client.key -in client.crt -certfile CA.crt
This created a file called certificate.pfx
I then added this line to karateconfig.js:
karate-configure('ssl', { trustAll: true });
I copied my new certificate.pfx file into this location:
src\test\resources\sslCertificates\certificate.pfx
I added the following line to the Background section of my feature file:
* configure ssl = { keyStore: 'classpath:sslCertificates/certificate.pfx', keyStorePassword: '', keyStoreType: 'pkcs12' }
I then received a successful response for my request.
Related
I am learning OAUTH2 and OpenID Connect and configuring multiply tomcat servers (a Client for the UI, and multiply Resource Servers for the APIs) to use SSL. So I have created a PKCS12 keystore with a self-signed certificate + private key the following way and then I pushed it under my 1st Tomcat:
(I know that the commands bellow can be simplify and combine into one (or two) but I deliberately keep tem separately because that way I can see and understand the steps better)
(1) The keypair was created with openssl this way:
openssl genrsa \
-des3 \
-passout pass:$phrase \
-out id_rsa_$domain.key $numbits
(2) Then I created a Certificate Signing Request with this command:
openssl req \
-new \
-key id_rsa_$domain.key \
-passin pass:$phrase \
-subj "$subj" \
-out $domain.csr
(3) After that I created a x509 certificate:
openssl x509 \
-req \
-days $days \
-in $domain.csr \
-signkey id_rsa_$domain.key \
-passin pass:$phrase \
-out $domain.crt
(4) Finnaly I have created a key-store in PKCS12 format:
pem=$domain.pem
cat id_rsa_$domain.key > $pem
cat $domain.crt >> $pem
openssl pkcs12 \
-export \
-in $pem \
-passin pass:$phrase \
-password pass:$keystore_pwd \
-name $domain \
-out example.com.pkcs12
rm $pem
At the end of this process I have the following files:
id_rsa_authserver.example.com.key: the private (and public) key
authserver.example.com.crt: the self signed certificate
example.com.pkcs12: the keystore
Inside the .pkcs12 file I only have one key-pair entry under the authserver.example.com alias. I have checked the result with KeyStore Explorer as well and everything looks fine and the 1st Tomcat works properly with that keystore.
Then I repeated the steps (1), (2) and (3) and I generated new files for order.example.com host machine and at the end I have two new files:
id_rsa_order.example.com.key
order.example.com.crt
Now I would like to add to my "root" example.com.pkcs12 keystore this new keypair + certificate under the order.example.com alias in order to I keep all certs that I use for my demo in one keystore. I can do it easily with the KeyStore Explorer tool via the tools > import key pair > openSSL > browse the private key and cert files, but this is not enough good for me. I would like to do the import via command line using OpenSSL.
Unfortunately I have not found the proper openssl command that I can use to ADD my 2nd key+cert to the existing keystore.
What is the command that I can use?
i am trying to deploy my node-RED environment using CA certificate.
i have created the pem files using .p12 file by executing below commands
– openssl pkcs12 -in test.p12 -passin pass:Password -out keyfile.pem -nodes
– openssl pkcs12 -in test.p12 -passin pass:Password -out crtfile.pem -nodes
then i have uncommented the https code from settings.js file of node red
https: {
key: require("fs").readFileSync('keyfile.pem'),
cert: require("fs").readFileSync('crtfile.pem')
}
i have used default http node and made the following configuration to the tls config
when i deploy the node i get the following error
"Error: unable to verify the first certificate"
what am i missing here?
Remove the changes you made to the settings.js. That section is only for if you want to have Node-RED serve the editor via TLS.
Next your openssl commands to export the user'sprivate key and certificate should probably be more like
openssl pkcs12 -in test.p12 -out keyfile.pem -passin pass:Password -nocerts
openssl pkcs12 -in test.p12 -out crtfile.crt -passin pass:Password -nokeys -clcert
You should also export the include CA chain with
openssl pkcs12 -in test.p12 -out ca.crt -passin pass:Password -cacerts -nokeys
You then need to add the ca.crt file to the HTTP node's TLS config.
I have _client-cert.pem and client-key.pem and ca.pem files which I am trying to add to my grails project.
I used following commands :
Convert client keys/certificate files to PKCS#12 before creating a keystore
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem \
-name “mysqlclient” -passout pass:mypassword -out client-keystore.p12
Create a Java Keystore using the client-keystore.p12 file
keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 \
-srcstorepass mypassword -destkeystore keystore -deststoretype JKS -deststorepass mypassword
Then Modified my application.yml file with that path :
enabled: true
key-store: /..../proxreg
key-store-password:kjsfghsfjlhgl
keyStoreType: pkcs12
keyAlias: tomcat
I was wondering if I am missing any step or what am I doing wrong. I am getting access denied error but when I try to connect thro mysql wokbench it works
You can generate a self-signed certificate using the openssl command-line utility.
We can use openssl's req command to create a self-signed certificate:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
Above will prompt you to supply metadata about the certificate, such as Country, Organization, etc. Moreover, it will ask you to provide a PEM pass phrase. Enter a random password and keep it safe; we will need in the next step.
Now you have you self-signed certificate. Unfortunately Grails (and Spring Boot) doesn’t support the PEM format directly. Instead, we need to use the PKCS12 format for our keys. Fortunately, there is another openssl command to make the conversion:
openssl pkcs12 -export -in cert.pem -inkey key.pem -out keystore.p12 -name tomcat -caname root
Update grails-app/conf/application.yml with the following lines:
server:
port: 8443
ssl:
keyStore: /certificates/keystore.p12
keyStorePassword: secret
# keyAlias: tomcat
Above all worked fine with me. for more information please refer this and this
Hope this will help you.
I'm using Mosquitto version 1.4.8 on my test PC and the server. The server is accessible via ha.euroicc.com.
I've generated certificates and keys using the following script:
#! /usr/bin/env bash
# Create the CA Key and Certificate for signing Client Certs
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Create the Server Key, CSR, and Certificate
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
# We're self signing our own server cert here. This is a no-no in production.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
# Create the Client Key and CSR
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
# Sign the client certificate with our CA cert. Unlike signing our own server cert, this is what we want to do.
# Serial should be different from the server one, otherwise curl will return NSS error -8054
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
# Verify Server Certificate
openssl verify -purpose sslserver -CAfile ca.crt server.crt
# Verify Client Certificate
openssl verify -purpose sslclient -CAfile ca.crt client.crt
I've put 'd', 'dd' and 'dddd' everywhere except for common name.
The common name for ca is 'd' and for server/client is 'ha.euroicc.com'.
CN for server/client needs to be this value, or it doesn't work at all!
My current mosquitto config file:
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
persistence_file mosquitto.db
log_dest syslog
log_dest stdout
log_dest topic
log_type error
log_type warning
log_type notice
log_type information
connection_messages true
log_timestamp true
password_file /etc/mosquitto/passwd
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
allow_anonymous false
port 8883
cafile /etc/mosquitto/certs/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
require_certificate true
I use this command to subscribe from test PC:
mosquitto_sub -h ha.euroicc.com -t "topic/test" -u "damjan" -P "damjan" -p 8883 --cafile ca.crt --key client.key --cert client.crt
And get these errors:
On test PC:
Error: A TLS error occurred.
On server:
1532564086: OpenSSL Error: error:14089086:SSL
routines:ssl3_get_client_certificate:certificate verify failed
1532564086: Socket error on client <unknown>, disconnecting.
I've tried without require_certificate set on the server side, and not using client key/cert on the client side and subscription works in this case. This means that username/password parameters are fine.
That means that I either generated certificates and keys with a problem, my mosquitto.conf is bad or I'm using mosquitto_sub with a problem. Maybe something else?
I'm really at loss here and can't figure out what to try next...
Every bit of information helps.
Had a similar issue while upgrading to 2.0 because of the updated TLS/SSL bindings several know weak algorithms are not supported anymore.
In my case the signature of the certificate was sha1WithRSAEncryption where sha1 is the weak part. The same would be for e.g. MD5.
Check your certificate with openssl x509 -text -noout -in your.crt
Resigning the certificate with sha256WithRSAEncryption fixed it for me.
There is no need to create a new key.
You can either create a new CSR from your existing key and information from your certificate:
openssl x509 -x509toreq -in sha1.crt -signkey sha1.key -out sha256-new.csr -sha256
or overwrite the algorithm while signing the existing CSR again:
openssl x509 -req -days 360 -in sha1.csr -CA DummyCA-DonotTrust.pem -CAkey DummyCA-DonotTrust.pem -CAcreateserial -out sha256.crt -sha256
Recent openssl version should use sha256 as default.
Debian has changed the default setting with openssl-1.1.1 see https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1 and set CipherString = DEFAULT#SECLEVEL=2.
To get a list of supported algorithms run: openssl ciphers -s -v 'ALL:#SECLEVEL=2'
Ok, so the problem was that I was generating all of the files on my test PC, and then sending it to the server.
I've tried generating everything on the server, and then copying appropriate files to my test PC, and everything works fine.
I've followed http://rockingdlabs.dunmire.org/exercises-experiments/ssl-client-certs-to-secure-mqtt . With lesser changes like hostname etc.
I had the same issue.
To fix it, while generating server.crt, answer to question 'Common Name' with IP address of the machine where Mqtt broker is going to be run.
I cannot seem to configure Dropwizard to use ssl.
I've created a key
openssl genrsa -des3 -out server.key 1024
and a certificate
openssl req -new -key server.key -days 365 -out server.crt -x509
and imported it into a keystore
keytool -import -file server.crt -keystore keystore.jks
From there, I've placed the keystore.jks file into /src/main/resources, alongside the config.yaml file for dropwizard.
Then I tried configuring ssl for dropwizard according to the manual:
http:
ssl:
keyStore: ./keystore.jks
keyStorePassword: ********
However, when I navigate to the login page, it only works without https: and gives Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error when using https.
Are there other steps that I'm missing?
I posted on the mailing list and Codahale was quick to respond. I hadn't set nonblocking+ssl connectors in my configuration yaml file under the http: section. Putting in
connectorType: nonblocking+ssl
fixed everything. Thanks dropwizard wizard!