Self signed certificate process - cryptography

How does a certificate self signed process work? From requesting a self signed certificate, who does it go to and who performs the signing? (End-to-end process)

You do all the self-signed certificate things yourself.
Here is a PowerShell script that I have used in the past. Of course update the values to something that makes sense to you.
$myName = "Your Name"
$myEmail = "your#emaildomain.tld"
$certPassword = "password1234"
$cert = New-SelfSignedCertificate -Type Custom -certstorelocation cert:\localmachine\my -Container test* -Subject "CN=$myName" -TextExtension #("2.5.29.37={text}1.3.6.1.5.5.7.3.2","2.5.29.17={text}upn=$myEmail") -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -NotAfter (Get-Date).AddMonths(6)
$pwd = ConvertTo-SecureString -String "$certPassword" -Force -AsPlainText
$path = "cert:\localMachine\my\" + $cert.thumbprint
Export-PfxCertificate -cert $path -FilePath c:\temp\pdf\pdf.pfx -Password $pwd
I have used the self-signed certificate generated by that script to sign PDF files. To see an example and context of how I have used this script, you can check out this blog post: https://www.leadtools.com/blog/document-imaging/pdf/csharp-java-code-digitally-sign-pdf-files-certificate/

You can easily create self-signed certificates by yourself. The best option would be PowerShell. With a single PowerShell cmdlet, you can do magic.
$Certificate=New-SelfSignedCertificate –Subject testing.com -CertStoreLocation Cert:\CurrentUser\My
Then you can export the created certificate to store it in your local machine for further use.
Export-Certificate -Cert $Certificate -FilePath "C:\$certname.cer"
You can create certificates with multiple properties and for various purposes. For more example, you can refer this blog: https://blog.admindroid.com/how-to-create-self-signed-certificate-using-powershell/

Related

Create React App: HTTPS and self signed certificate

I'm trying to run a react app created with create-react-app template in HTTPS mode:
set SSL_CRT_FILE=.cert/server.pfx&&set HTTPS=true&&npm start
I created this certificate using Power Shell. Although there are lot's of explanations how to run react app with certificate created using OpenSSL, it's not an option for me as I'm not allowed to install OpenSSL on my machine.
Cert creation:
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "localhost" -FriendlyName "MyCert" -NotAfter (Get-Date).AddYears(10)
$pwd = ConvertTo-SecureString -String `my_password' -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath C:\my_react_app\.cert\server.pfx -Password $pwd
Then I imported this certificate to Personal certificates and copied it to Trusted Root Certification Authorities. But when I open the project in browser I'm getting NET::ERR_CERT_AUTHORITY_INVALID
What I'm doing wrong?
p.s.
Exporting as a .cer file also doesn't work:
Export-Certificate -Cert $cert -FilePath C:\my_react_app\.cert\server.cer
The following commands in PowerShell (run as admin) will create a root certificate and its associated trusted certificate:
1. We create a new root trusted cert:
$rootCert = New-SelfSignedCertificate -Subject 'CN=TestRootCA,O=TestRootCA,OU=TestRootCA' -KeyExportPolicy Exportable -KeyUsage CertSign,CRLSign,DigitalSignature -KeyLength 2048 -KeyUsageProperty All -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256' -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'
2. We create the cert from the root trusted cert chain:
New-SelfSignedCertificate -DnsName "localhost" -FriendlyName "MyCert" -CertStoreLocation "cert:\LocalMachine\My" -Signer $rootCert -TextExtension #("2.5.29.37={text}1.3.6.1.5.5.7.3.1") -Provider "Microsoft Strong Cryptographic Provider" -HashAlgorithm "SHA256" -NotAfter (Get-Date).AddYears(10)
3. We copy the thumbprint returned by the last command
4. (If neccesary) We remove the last association ip/port/cert:
netsh http delete sslcert ipport=0.0.0.0:3002
5. We associate the new certificate with any ip and your port, 3002 for example (the appid value does not matter, is any valid guid):
netsh http add sslcert ipport=0.0.0.0:3002 appid='{214124cd-d05b-4309-9af9-9caa44b2b74a}' certhash=here_the_copied_thumbprint
6. Now, you must drag and drop the TestRootCA from the Personal/Certificates folder to Trusted Root Certification Authorities/Certificates.
These commands also resolve the error ERR_CERT_WEAK_SIGNATURE_ALGORITHM returned later by Google Chrome because the certificate is created with SHA256 instead of SHA1

creating valid test SSL certificates for IIS

I want to test SSL connections in an development environment with IIS. For this i need to crate a self-signed root certificate that gets installed in the machine store, and also another certificate that gets signed with the root certificate to install in IIS.
Doing it with makecert is deprecated now, so I am wondering how to do it with Powershell and the New-SelfSignedCertificate command.
Bonus points if you get the key usage settings right :-)
Note: using the self-signed certificated directly in IIS does not work, since the browser and WCF considers them invalid.
for reference, here is how to do it with makecert:
# create the self signed root certificate
makecert -n "CN=root.lan" -r -sv root.pvk root.cer
# create the certificate for IIS that gets signed with the root certificate
makecert -sk "Local Certificate" -iv root.pvk -n "CN=localhost" -ic root.cer -sr localmachine -ss my -sky exchange -pe
# convert to other formats
cert2spc localhost.cer localhost.spc
pvk2pfx -pvk localhost.pvk -spc localhost.spc -pfx localhost.pfx
The new version of New-SelfSignedCertificate, which included on Windows 10, is described here. One can use New-SelfSignedCertificate -? and get-help New-SelfSignedCertificate -examples to get some additional information.
The documentation and the examples could seems still not clear enough for creating two certificates:
one self-signed certificate, which will be used as CA certificate from your example
the second SSL certificate, which signed with the first certificate.
The implementation could be the following (I wrote below the option in multiple lines only to make the text more readable):
New-SelfSignedCertificate -HashAlgorithm sha384 -KeyAlgorithm RSA -KeyLength 4096
-Subject "CN=My Test (PowerShell) Root Authority,O=OK soft GmbH,C=DE"
-KeyUsage DigitalSignature,CertSign -NotAfter (get-date).AddYears(10)
-CertStoreLocation "Cert:\CurrentUser\My" -Type Custom
the output will look like
Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\My
Thumbprint Subject
---------- -------
B7DE93CB88E99B01D166A986F7BF2D82A0E541FF CN=My Test (PowerShell) Root Authority, O=OK soft GmbH, C=DE
The value B7DE93CB88E99B01D166A986F7BF2D82A0E541FF is important for usage the certificate for signing. If you forget the value you can find it by CN name
dir cert:\CurrentUser\My | where Subject -Like "CN=My Test (PowerShell)*"
or by usage certutil.exe -user -store My to display certificates on My store of the current user.
To create SSL certificate and to sign it with respect of previously created certificate one can do for example the following
New-SelfSignedCertificate -Type Custom -Subject "CN=ok01.no-ip.org"
-HashAlgorithm sha256 -KeyAlgorithm RSA -KeyLength 2048
-KeyUsage KeyEncipherment,DigitalSignature
-CertStoreLocation "cert:\LocalMachine\My"
-Signer cert:\CurrentUser\My\B7DE93CB88E99B01D166A986F7BF2D82A0E541FF
-TextExtension #("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2","2.5.29.17={text}DNS=ok01.no-ip.org&DNS=ok01.fritz.box")
It seems to me that the final certificate will have all properties required. It's clear that the values from many from above parameters contains examples only any you have to modify there based on your requirements. I don't describe here some other common steps like importing root certificate in Trusted Root, exporting the certificates and so on. The steps are not the psrt of your main question.

How to enable WinRM HTTPS transport?

I know the server need a self-signed CA. But how can I generate a CA, and where can I put it to make server's PowerShell 2.0 work? And what is CN matching?
The following is what happens when I run the command winrm quickconfig -transport:https:
WinRM already is set up to receive requests on this machine.
WSManFault
Message
ProviderFault
WSManFault
Message
Error number: -2144108267 0x80338115
Cannot create a WinRM listener on HTTPS because this machine does not
have an appropriate certificate. To be used for SSL, a certificate
must have a CN matching the hostname, be appropriate for
Server Authentication, and not be expired, revoked, or self-signed.
Unless you want to go to the trouble of setting up a full-fledged single-tier or two-tier PKI infrastructure (which would be a topic for ServerFault rather than StackOverflow) you could make do with makecert.exe to create a self-signed CA certificate and host certificates signed with it.
Create the CA certificate like this:
& makecert.exe -pe -r `
-n "CN=TestCA" `
-ss my `
-sr LocalMachine `
-a sha256 `
-sky signature `
"TestCA.cer"
Then create certificate for the host:
$cn = if ($env:USERDNSDOMAIN) {
"$env:COMPUTERNAME.$env:USERDNSDOMAIN"
} else {
$env:COMPUTERNAME
}
& makecert.exe -pe `
-n "CN=$cn" `
-ss my `
-sr LocalMachine `
-a sha256 `
-sky exchange `
-eku 1.3.6.1.5.5.7.3.1 `
-in "TestCA" `
-is my `
-ir LocalMachine `
-sp "Microsoft RSA SChannel Cryptographic Provider" `
-sy 12 `
"$cn.cer"
The CN (Common Name) is the subject of your certificate and for host certificates must match the computer's FQDN.
If you want to create host certificates for other hosts than your local computer you need to set $cn to the name/FQDN of the other computer. To get the certificate and private key to the destination computer export both from your certificate store (<serial> is the serial number of the certificate):
& certutil.exe -exportPFX -f -privatekey -p "password" "<serial>" computer.pfx
Copy computer.pfx to the computer for which you generated the certificate and import it like this:
& certutil.exe -importPFX -f -privatekey C:\path\to\computer.pfx
You'll be prompted for the password you specified when exporting the certificate.
On all machines that should use certificates signed by your TestCA you need to import TestCA.cer under Trusted Root Certification Authorities for the computer account.
& certutil.exe -f -addstore ca C:\path\to\TestCA.cer
Note that makecert.exe isn't available as a separate download anymore, but you can get it from the Windows SDK (download the ISO image and run the SDK Tools installer from the subfolder \setup\WinSDKTools).
Note also that using a makeshift CA like that is strongly discouraged for any kind of production environment.
I know its bad to just share a link, but I'm on a mobile and its better than nothing and uses all/mostly PS commands.
https://4sysops.com/archives/powershell-remoting-over-https-with-a-self-signed-ssl-certificate/

How to setup Dart to use a CA SSL certificate?

I recently deployed a Dart server application that serves HTTP requests. I wanted to add support for HTTPS so I have been trying to add SSL to the Dart server application.
This answer gives a clear explanation of how to add a self-signing SSL certificate to Dart. However, I want to add an SSL certificate I bought from an SSL provider.
The SSL provider e-mailed my 4 files:
Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - COMODORSAAddTrustCA.crt
Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - my_domain.crt
I have been trying to figure out how certutil works and how to add these certificates to the certificate database, but I just can't figure it all out.
Anyone with experience enabling a CA SSL certificate in Dart?
SOLVED: Thanks to suggestion in the comments, I solved the issue. This is the gist of my complete setup: https://gist.github.com/stevenroose/e6abde14258971eae982
First of all, you probably have three files generated with openssl for your private key, server certificate and CA certificate. To convert all those into a PKCS12 file, you can use openssl:
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile CAcert.crt
Then, you can adapt the certutil commands as shown to load you PKCS12 instead of generating new certificates:
certutil -N -d sql:certdb
certutil -A -n mycertnick -i server.crt -t "TCu,Cu,Tuw" -d sql:certdb
certutil -A -n myCA -i CAcert.crt -t "TCu,Cu,Tuw" -d sql:certdb
pk12util -i server.p12 -d sql:certdb
It seems to work with the sample code in the referenced question.
Unfortunately the SSL management in Dart is known to be very lacking.
I reported this many times, with no serious answer from the Dart team.
Star this issue if you want something done about it:
https://code.google.com/p/dart/issues/detail?id=20967

Certificate marked as not exportable

I am trying to make a development certificate chain for myself for some testing for WCF. I'm following the insructions on msdn here: How to: Create Temporary Certificates for Use During Development
Unfortunately the instructions don't work. The private key is not exportable. I have even re-tried it with the "-pe" option to makecert.exe and it still doesn't work. I've tried it while running as an administrator and it doesn't work. In mmc itself when using "export" the first screen where it asks about private keys has the "yes/no" option greyed out, and a message below it that says: "The associated private key is marked as not exportable. Only the certificate can be exported."
Any advice? An updated procedure from MSDN maybe, or another one entirely? All I'm looking for is a cert to use with WCF for some basic testing. This is on Windows 8 Pro, though I doubt that matters.
See this SO answer. I used it for a WCF project a few months ago.
Create Certificate Authority
Create a self-signed certificate (-r), with an exportable private key (-pe), using SHA1 (-r), for signing (-sky signature).
The private key is written to a file (-sv).
makecert -r -pe -n "CN=My Root Authority" -ss CA -sr CurrentUser ^
-a sha1 -sky signature -cy authority -sv CA.pvk CA.cer
(^= allow batch command-line to wrap line)
Create Server Certificate
Create a server certificate, with an exportable private key (-pe), using SHA1 (-a) for key exchange (-sky exchange).
It can be used as an SSL server certificate (-eku 1.3.6.1.5.5.7.3.1).
The issuing certificate is in a file (-ic), as is the key (-iv).
Use a particular crypto provider (-sp, -sy).
makecert -pe -n "CN=fqdn.of.server" -a sha1 -sky Exchange ^
-eku 1.3.6.1.5.5.7.3.1 -ic CA.cer -iv CA.pvk ^
-sp "Microsoft RSA SChannel Cryptographic Provider" ^
-sy 12 -sv server.pvk server.cer
pvk2pfx -pvk server.pvk -spc server.cer -pfx server.pfx
You then use the .PFX file in your server app (or install it in IIS). Note that, by default, pvk2pfx doesn't apply a password to the output PFX file. You need to use the -po switch for that.
To make all of your client machines trust it, install CA.cer in their certificate stores (in the Trusted Root Authorities store). If you're on a domain, you can use Windows Group Policy to do this globally. If not, you can use the certmgr.msc MMC snapin, or the certutil command-line utility:
certutil -user -addstore Root CA.cer
You could always use openssl to create a self-signed certificate, you'd then just import the certificate into the windows certificate store. It's pretty easy to do from the command line:
openssl genrsa -des3 -out privkey.pem 2048
openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
The first line generates the private key and the second line the actual self-signed certificate. There's a Win32 installer available.
For me, it is still to find why option -pe is not working.
Answer given in Make exportable private key with makecert and http://www.digitallycreated.net/Blog/38/using-makecert-to-create-certificates-for-development may help you.
It suggests that to output the private and then generate PFX file using certificate and private key and then import this PFX file.
Try the SSL Diagnostics tool.
You should be able to create your development certificate for IIS without headache:
http://www.softpedia.com/get/Internet/Servers/Server-Tools/SSL-Diagnostics.shtml
And yes, the tool lets you do some diagnostics too.