I tried to generate a private key and certificate using OpenSSL v3.0.1 on x64 using the command:
"C:\Program Files\OpenSSL\bin\openssl.exe" req -x509 -sha256 -days 7300 -newkey rsa:2048 -keyout ProductPrivate.key -out ProductCertificate.crt
Then I try to package the key and certificate into a single PFX file using the command:
"C:\Program Files\OpenSSL\bin\openssl.exe" pkcs12 -export -out KeyPackage.pfx -inkey ProductPrivate.key -in ProductCertificate.crt -passout pass:superevil -passin pass:secret
Here is the actual screenshot, you can see all steps completes successfully and that you can see the password I set it up with.
I verified that all three files are created:
Next I took the pfx and try to import it into a certificate store of couple of machines, however everywhere I tried, I got the same password incorrect error. I used this same instruction 5 - 6 years ago and everything worked so I don't know what changed? do you happen to know?
The screen below proof that I have the right password for the pfx entered.
I found the answer, this is only issue if I use openssl v. 3.0.1. I test the same steps against openssl 1.1 and the import works.
Related
I'm trying to install an SSL certificate on XAMPP, Windows 10 but no matter what I do I get this error:
22632:error:28069065:lib(40):UI_set_result:result too small:.\crypto\ui\ui_lib.c:830:You must type in 4 to 511 characters
22632:error:0906406D:PEM routines:PEM_def_callback:problems getting password:.\crypto\pem\pem_lib.c:116:
22632:error:0907E06F:PEM routines:DO_PK8PKEY:read key:.\crypto\pem\pem_pk8.c:130:
unable to load Private Key
18224:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:707:Expecting: ANY PRIVATE KEY
server.csr: No such file or directory
Could Not Find c:\xampp\apache\server.csr
The system cannot find the file specified.
The system cannot find the file specified.
-----
Das Zertifikat wurde erstellt.
The certificate was provided.
Press any key to continue . . .
makecert.bat:
#echo off
set OPENSSL_CONF=./conf/openssl.cnf
if not exist .\conf\ssl.crt mkdir .\conf\ssl.crt
if not exist .\conf\ssl.key mkdir .\conf\ssl.key
bin\openssl req -new -out server.csr
bin\openssl rsa -in privkey.pem -out server.key
bin\openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
set OPENSSL_CONF=
del .rnd
del privkey.pem
del server.csr
move /y server.crt .\conf\ssl.crt
move /y server.key .\conf\ssl.key
pause
It looks like server.crt, server.csr, and server.key were created and they sit in the conf/sll... as stated in makecert.bat , I have also tried other passwords with no success.
Setting set OPENSSL_CONF=C:\xampp\apache\conf\openssl.cnf didn't help either, nor did changing openssl.cnf to openssl.cfg (like some people suggest on other related SO questions).
I'm spamming google with this question for hours and no Stack Overflow answers seemed to help either.
EDIT: Adding an image to show that this issue is happening even with a completely new pem file. (the pem file name was changed to privkey77.pem by me for testing purposes, I get the same error obviously).
png
EDIT #2: Even creating a new key with password with openssl genrsa -des3 -out mykey.pem 2048 returns: 27492:error:28069065:lib(40):UI_set_result:result too small:.\crypto\ui\ui_lib.c:830:You must type in 4 to 1023 characters.
So I basically cannot create pem files with passwords for some reason.
Can anyone please help?
I've managed to avoid this error by passing the -nodes arg to the line that triggers the error, as suggested here.
My makecert.bat file, in line 7, looks like this:
bin\openssl req -new -out server.csr -nodes
This parameter disables the authentication completely. I don't know if this had any side effects in the certificate, since I haven't managed to make it work and I don't know why. (Maybe is because of this, or maybe is something else)
During the creation of a SSL certificate this error occurs:
problem creating object tsa_policy1=1.2.3.4.1
13964:error:08064066:object identifier routines:OBJ_create:oid exists:crypto\objects\obj_dat.c:690:
error in req
This is what I've done
set RANDFILE=c:\certificate\.rnd
set OPENSSL_CONF=c:\OpenSSL-Win64\bin\openssl.cfg
C:\openssl-win64\bin\openssl.exe
genrsa -des3 -out server.key 1024
I've entered a passphrase and then:
req -new -key server.key -out server.csr
and then It shows me the error.
Can someone help me?
Figured It out. Don't install OpenSSl version 1.1.0
Try to upgrade OPENSSL Version to 1.0.2o
Follow this guide: https://www.howtoforge.com/tutorial/how-to-install-openssl-from-source-on-linux/
I first followed the instructions on AWS's documentation: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html#generate-key-submit-csr
openssl genrsa -out mykey-private-key-file.pem 2048
openssl ecparam -name prime256v1 -out mykey-private-key-file.pem -genkey
openssl req -sha512 -new -key mykey-private-key-file.pem -out mykey-csr.pem
But when we tried to submit our CSR, then it complained, so then I followed the instructions on rapidssl:
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO13985
openssl genrsa -des3 -out mykey-private-key-file.pem 2048
openssl req -new -key mykey-private-key-file.pem -out mykey-csr.pem
openssl req -new -key mykey-private-key-file.pem -out mykey-csr.pem
We got our approval response with the x.509 Web Server Certificate and Intermediate CA.
When I copy the mykey-private-key-file.pem into the "Private Key" field on the EC2 Management Console, then it complains that:
"Error creating certificate
Unable to parse key; the body is encrypted."
I don't really know what I'm doing. I tried converting the private key like they suggest here: https://www.geekpete.com/blog/converting-ssl-pem-format-aws/ but then it doesn't match. Does this mean I have to go through the process all over again?
Since it took me a while to figure this out as well, I thought I would post my process here (in hopes that it saves someone some time).
This process assumes you already know how to request a certificate from your favorite certificate issuer.
You can just to a find-and-replace on "yourDomain" and then run the commands at a bash prompt. OSX or pretty much any flavor of Linux should do just fine.
# to generate a certificate request
openssl req -new -newkey rsa:2048 -nodes -keyout yourDomain.key -out yourDomain.csr
# Sumbit the CSR. When the CRT file comes back...
# Open the cert in a text editor...
# create a new file
vi yourDomain.crt
# press 'i' to start insert mode
# paste the contents of the CRT file you received
# prese ESC, then 'wq', then enter. This saves the file and exits VIM
# convert the CRT you just wrote to disk into the PEM format expected by ELB
openssl x509 -in yourDomain.crt -out yourDomain.pem -outform PEM
# convert the private key to PEM format expected by ELB
openssl rsa -in yourDomain.key -outform PEM -out yourDomain.pem.key
# display the contents of the private key file and certificate file so you can paste them into the dialog when setting up the listener on the ELB
cat yourDomain.pem.key
cat yourDomain.pem
Actually it was because of the copy and paste from my email. Even though I copied it into a text editor first. Totally lame error message.
But I did have to to run this step from the geekpete link.
openssl rsa -in yourwebsite_private.key -out pem-yourwebsite_private.key
Using Apache 2.2, SSL is configured. I am creating the key and temporary cert in command prompt. When I use
openssl genrsa -des3 -out server.key 1024
I am returned this output :
WARNING: can't open config file:
z:/strawberry_libs/build/2013Q3_/ssl/openssl. cnf error on line -1
of C:\Program Files\Apache Software Foundation\Apache2.2\conf\o
penssl.cnf
and then it creates the key.
So good and fine. The error is bothersome. Then I try to make the cert with
openssl req -new -key server.key -out server.csr
Now it shows an error and wont create it.
C:\temp>openssl req -new -key server.key -out server.csr WARNING:
can't open config file:
z:/strawberry_libs/build/2013Q3/ssl/openssl.cnf Unable to load
config info from z:/strawberry_libs/build/2013Q3/ssl/openssl.cnf
Not exactly sure how to proceed at this point as I can't get past this step for my assignment without the certification. If there is another way, or a way to correct the error that would be great.
I am having some serious problems with regards to being able to create a p12 file to place on my windows server.
I have used two different websites to be able to help me work out what i need to do:
http://www.raywenderlich.com/32960/apple-push-notification-services-in-ios-6-tutorial-part-1
The second website i used was a comment from within the website was the following:
http://arashnorouzi.wordpress.com/2011/06/19/sending-apple-push-notifications-in-asp-net-and-c-–-part-4-apns-sharp-c-wrapper-class/
First of all i create a Certificate signing request.
I then upload this to my app ID which alows me to generate a ape_dev certificate.
I then go to my key chain and navigate to the "keys" i export the .p12 certificate that i just created.
I now have three different files
My p12 file, my development certificate and my certificate signing request.
I then open terminal and i type the following:
$ openssl x509 -in aps_development.cer -inform der -out PushChatCert.pem
This then creates a new pem certificate.
The thing i type is the following
$ openssl pkcs12 -nocerts -out PushChatKey.pem -in PushChatKey.p12
It prompts for the password which i enter, i use the same password as the one when i created the certificates.
After i have done this I'm left with 2 new files both of which are PEM files.
I need to combine both of these PEM files into one p12 file for it to be able to work on my windows server.
I have tried combining it using the following line
openssl pkcs12 -export \
-in aps_developer_identity.pem \
-out aps_developer_identity.p12 \
-inkey APSCertificates.pem
This in fact works and gives me a p12 file.
I then switched back to he raywenderlich website and i typed the following:
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195
-cert PushChatCert.pem -key PushChatKey.pem
It loads but i recieve the following error:
error:num=20:unable to get local issuer certificate
Please does any one know what im doing wrong im so fed up of going round in circles.
When i upload the certificate to the server and put the ad-hoc version off the application on the device im still not receiving any notifications that i am sending
Thanks in advance.
See if this answer helps Creating .pem file for APNS?
In short: openssl pkcs12 -in apns-dev-cert.p12 -out apns-dev-cert.pem -nodes -clcerts
When you first generated your CSR, you did it with a private key. This can be opaque depending on how you did it. What I do is generate the key with openssl and then make the CSR using that key. That key is then the 'in key' when you make the p12.
Here are my steps
The first step is to generate a Certificate Signing Request. This is the same as it would be for any SSL cert. You will need a private key for this.
openssl genrsa -out aps_development.key -passout pass:foobar 2048
Then you can make the CSR using that key you just created
openssl req -new -key aps_development.key -out CertificateSigningRequest.certSigningRequest -subj "/emailAddress=yourAddress#example.com, CN=John Doe, C=US"
From here you will go to developer.apple.com and revoke the current APN cert and make a new one. It will ask for your CSR and when its done it will give you a .cer file.
Convert the .cer file into a DER formatted .pem file (assuming aps_development.cer is the file you got in the download from the Apple developer site).
openssl x509 -in aps_development.cer -inform DER -outform PEM -out aps_development.pem
Convert the .pem to a .p12. You'll note that you are supplying the key file you made at the beginning of step 1. You will need the password you supplied there.
openssl pkcs12 -export -in aps_development.pem -inkey aps_development.key -out aps_development.p12