how to get the public key from let's encrypt files - ssl

I have generated an SSL certificate using Let's Encrypt. There are fullchain.pem and privkey.pem files under my website's nginx folder. How do I get the public key from these files? The public key I want may look like:
----- BEGIN CERTIFICATE----
xxxxxx
----- BEGIN CERTIFICATE----
I am using this command to generate the public key on CentOS:
openssl rsa -in privkey.pem -pubout > key.pub
but the output file looks like:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4KmZTSFF9BgWWILjaM87
NRsRb3Ptwaw5pne9UR1Ol8/PP9p6/37NRBVF+ruggPDFRY8G7nBQI5
ht7eNQQnJp7azHxzv+Wn70ujzLBJJuIZZJE3sEKcekNgWX9dH7hjiqwncmu8
yMXUHMnf0KQ559Sziucay4O4Ct2Ped6UMFx3Ysx8LnU0nRMS+GzYoAJdWcJk893d
5fZ9KkwaZBlkCaHulasQEyArUYDxB+w5PMOE1+bzjlxjjrtVl9lwsIiG4kG0/I6E
eXk1x/OU0DSEppqyhp9sR06HSM1ONB51RF8XUUwe1RRUIlTpeLfSZikpZgnSAbOw
pQIDAQAB
-----END PUBLIC KEY-----
I did not want this format. What should I do to get the correct public key? I want it formatted like this:
----- BEGIN CERTIFICATE----
xxxxxx
----- BEGIN CERTIFICATE----

Related

Does ingress TLS secret need a SSL private key for __INGRESS_SECRET__?

I'm trying to
kubectl create secret tls foo-secret --key /tls.key --cert /tls.crt
From keys and certs I've used, made from LetsEncrypt. This process makes sense with self-signed certificates, but the files made by LetsEncrypt look like this:
cert.pem
chain.pem
fullchain.pem
privkey.pem
I can convert those pem files; I don't know if --key wants a public key or a private key, and the only option here is privkey.pem. I assume cert is cert.
I can convert private.pem with:
openssl rsa -outform der -in privkey.pem -out private.key
And cert.pem with:
openssl x509 -outform der -in cert.pem -out cert.crt
Is this the right process? Since I'll be using this secret for ingress oauth in place of __INGRESS_SECRET__, is this ingress supposed to have a private key? This ingress is acting as a TLS terminator for other things.
You are correct, you will need to provide your private key for the tls.key portion. However it's a good practice to automate the letsencrypt certificate generation process, using cert-manager. Check out this tutorial. Doing so will automatically create the tls secret resource for you on the cluster.
Your tls.key file is the private key and begins and ends like the following:
-----BEGIN RSA PRIVATE KEY-----
... [your private key]
-----END RSA PRIVATE KEY-----
And your tls.crt is going to be the concatenation of cert.pem and fullchain.pem, and it will look like the following:
-----BEGIN CERTIFICATE-----
...
[your cert content]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
[your fullchain cert content]
-----END CERTIFICATE-----

How to get RSA key from -----BEGIN CERTIFICATE----- from .crt and .pem file?

I have a .crt and a .pem file with
-----BEGIN CERTIFICATE-----
MIIFSDCCBDCg........................................
-----END CERTIFICATE-----
and I want the RSA key from this file.
Does anyone have any idea how we can do that?
I have used the commands below one by one:
openssl rsa -in XXX.crt -out input1.der -outform DER
openssl rsa -in input1.der -inform DER -out key.pem -outform PEM
But it gives an error:
unable to load Private Key
140331982231200:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY
and I have also used a different command, but it gives the above error.
-----BEGIN CERTIFICATE-----
MIIFSDCCBDCg........................................
-----END CERTIFICATE-----
This is a certificate in pem format, which is a wrapper over a public key. A certificate is supposed to be public and can be distributed, but a private key (as the name suggests) is supposed to be kept secret. So a certificate can never contain a private key.
You mentioned you have a .pem file too. What is its content? Does it start with -----BEGIN RSA PRIVATE KEY-----? If yes, it would be your private key.
The command you are trying:
openssl rsa
It expects a private key in input, but you are supplying it a certificate. Hence the error.
You can't get a private key from a certificate, because the private key isn't in the certificate, and you can't get it from a PEM file unless the PEM file contains it, which ain't necessarily so.
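The point made in the answers above (a certificate carries only the public key, and the private key is a separate file) can be checked with openssl before a pair is handed to nginx or to kubectl create secret tls; the BEGIN CERTIFICATE block asked for in the first question is the first block of fullchain.pem. This is an added example, not part of the original posts; it assumes openssl is installed, uses constructed throwaway keys, and the helper names has_private_key and cert_matches_key are hypothetical.

```shell
#!/bin/sh
# Added example. All keys and certificates here are throwaway, constructed data.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# True only if the file holds a usable private key (a certificate never does).
has_private_key() {
    openssl pkey -in "$1" -noout 2>/dev/null
}

# True only if the public key embedded in certificate $1 equals the public key
# derived from private key $2. Returns 2 if either file cannot be parsed.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$c" = "$k" ]
}

# Constructed stand-ins for Let's Encrypt's privkey.pem, cert.pem and chain.pem.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=site.example" \
    -keyout "$work/privkey.pem" -out "$work/cert.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed CA" \
    -keyout "$work/other.key" -out "$work/chain.pem" 2>/dev/null
cat "$work/cert.pem" "$work/chain.pem" > "$work/fullchain.pem"

# openssl x509 reads only the first block, which is the site certificate.
openssl x509 -in "$work/fullchain.pem" -out "$work/leaf.pem"
head -n 1 "$work/leaf.pem"

has_private_key "$work/leaf.pem" || echo "leaf.pem: certificate only, no private key"
cert_matches_key "$work/leaf.pem" "$work/privkey.pem" && echo "privkey.pem matches leaf.pem"
cert_matches_key "$work/leaf.pem" "$work/other.key" || echo "other.key does not match leaf.pem"
```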

SSL/TLS Configuration on server

I am working on CentOS 7. I have three blocks of text:
CSR:
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Public key:
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
Private key:
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
Also, I have an archive with:
mydomain.crt
mydomain.ca-bundle
and
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
As I understand it, I need to convert the CSR, Private Key and Public Key to the right format files?
Then, add:
CSR and Private Key to /etc/nginx.conf
And set it via .conf by names?
But could anyone help me convert the CSR, Private Key and Public Key to the right formats?
Thank you!
You can discard the CSR or keep it for your reference. A CSR (Certificate Signing Request) is a document asking for a certificate, you already have the certificate, so the request is now only of historical interest.
You should put the private key text, including that header and footer, but no blank lines, into a file, let's call that privkey.pem. The private key is very important, your web server software needs to be able to read it in order to function, but nobody else should ever see this file and you should not keep copies of it where they may be stolen.
You also need the mydomain.crt file, and the mydomain.ca-bundle, you should concatenate them together, you can do this (carefully) with a text editor and save the result as fullchain.pem, or if you're comfortable on a Unix command line you can write
cat mydomain.crt mydomain.ca-bundle > fullchain.pem
In your nginx.conf you should find or create a server block, and set parameters as follows, but with the correct full path names.
ssl_certificate /full/path/to/fullchain.pem;
ssl_certificate_key /full/path/to/privkey.pem;
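Two things in the answer above are easy to get wrong when done by hand: the order of the concatenation (nginx expects the server certificate first) and the permissions on privkey.pem. The following is an added example, not part of the original answer, that checks both; it assumes openssl is installed, uses a constructed throwaway CA in place of mydomain.ca-bundle, and the helper names chain_in_order and owner_only are hypothetical.

```shell
#!/bin/sh
# Added example. The CA, key and certificates are throwaway, constructed data.
set -eu
umask 077                      # files created below, the key included, are owner-only
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

# True if bundle $1 holds at least two certificates and each one is issued by
# the certificate after it, which puts the server certificate first.
chain_in_order() {
    parts=$(mktemp -d) || return 2
    awk -v d="$parts" '/^-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/%03d", d, ++n) }
                       f != "" { print > f }' "$1"
    want= ; n=0 ; bad=0
    for c in "$parts"/*; do
        [ -f "$c" ] || break
        [ -z "$want" ] || [ "$(openssl x509 -in "$c" -noout -subject_hash)" = "$want" ] || bad=1
        want=$(openssl x509 -in "$c" -noout -issuer_hash)
        n=$((n + 1))
    done
    rm -rf "$parts"
    [ "$n" -ge 2 ] && [ "$bad" -eq 0 ]
}

# True if neither group nor others hold any permission bit on file $1.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed CA standing in for mydomain.ca-bundle, and a certificate it signs.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed CA" \
    -keyout ca.key -out mydomain.ca-bundle 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mydomain.example" \
    -keyout privkey.pem -out mydomain.csr 2>/dev/null
openssl x509 -req -in mydomain.csr -days 1 -set_serial 1 \
    -CA mydomain.ca-bundle -CAkey ca.key -out mydomain.crt 2>/dev/null

cat mydomain.crt mydomain.ca-bundle > fullchain.pem   # order given in the answer
cat mydomain.ca-bundle mydomain.crt > reversed.pem    # same files, wrong order

chain_in_order fullchain.pem && echo "fullchain.pem: server certificate first"
chain_in_order reversed.pem || echo "reversed.pem: CA first, fix the order"
owner_only privkey.pem && echo "privkey.pem: readable by owner only"
```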

one PEM file with private key and certificate into JKS

I have a JKS keystore in client application and I have been given one PEM file containing both private key and certificate to use for SOAP signature. PEM file looks like this:
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
First question is how to import correctly this PEM to JKS?
Second question: the given private key isn't password protected; is it possible to add a password to it before importing it to the JKS keystore?
Thanks!
If you prefer a GUI solution I would take Portecle. This simple key store management tool allows to create a JKS and then import cert and private key.
I am not sure if you can import cert and key from the same combined PEM file as you have it, but maybe the command "Import Key pair" of Portecle works with such a file.
If not you can simply split the PEM file directly after the -----END RSA PRIVATE KEY----- line into two PEM files and import them separately.
After importing, when you save the JKS Portecle will ask you for a password.
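The split described in the answer above, done on the command line and followed by packing both parts into a password-protected PKCS#12 file that keytool can import. This is an added example, not part of the original answer; it assumes openssl is installed, uses a constructed key, certificate and password, and the helper names split_pem and p12_opens are hypothetical.

```shell
#!/bin/sh
# Added example. The key, certificate and password are throwaway, constructed data.
set -eu
umask 077                      # the split-out key file is created owner-only
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

# Write the private-key block of combined PEM $1 to $2 and its certificate
# block(s) to $3, whatever the key label (RSA PRIVATE KEY or PRIVATE KEY).
split_pem() {
    awk -v key="$2" -v crt="$3" '
        /^-----BEGIN .*PRIVATE KEY-----/ { out = key }
        /^-----BEGIN CERTIFICATE-----/   { out = crt }
        out != ""                        { print > out }
        /^-----END /                     { out = "" }' "$1"
}

# True if PKCS#12 file $1 opens with the password held in environment variable $2.
p12_opens() {
    openssl pkcs12 -in "$1" -noout -passin "env:$2" 2>/dev/null
}

# Constructed combined file in the layout shown in the question.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=soap-signer" \
    -keyout key0.pem -out cert0.pem 2>/dev/null
cat key0.pem cert0.pem > combined.pem

split_pem combined.pem signer.key signer.crt

# Bundle both parts under a password; it is read from the environment so it
# does not show up in the process list.
P12_PASS='constructed-password'; export P12_PASS
openssl pkcs12 -export -inkey signer.key -in signer.crt -name soap-signer \
    -out signer.p12 -passout env:P12_PASS
p12_opens signer.p12 P12_PASS && echo "signer.p12 opens with the chosen password"

# keytool (JDK) can then import it, prompting for the passwords:
#   keytool -importkeystore -srckeystore signer.p12 -srcstoretype PKCS12 \
#           -destkeystore client.jks
```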

How to generate PKCS8 key with PEM encode using AES-128-ECB Alg in OpenSSL

I want to know how to generate the below key [AES-128-ECB] using the openssl cmd.
-----BEGIN PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-ECB,379AB79E55059F9A
gaakm48Y8qYA997fJREN4JtfVkfTdnVzaZK2
......................................
gaakm48Y834748453273tfVkfTdnVzaZK2 ....
-----END PRIVATE KEY-----
From our internal code, using the below, we have created the above key; now I have to generate the same format key using the openssl cmd:
generated RSA key, then converted to PKCS8, then did PEM_encode using the AES-128-ECB alg
Can the OpenSSL cmd tool only use the DES-EDE3-CBC alg to generate the keys?
It is not clear how you are generating your key. Considering you are running openssl genrsa, you can try:
openssl genrsa -aes128