how to remove or revoke openssl self signed certificates - ssl

Recently I created self-signed SSL certificates with the following commands:
STEP 1: Create the server private key
openssl genrsa -out main.key 2048
STEP 2: Create the certificate signing request (CSR)
openssl req -new -key main.key -out main.csr
STEP 3: Sign the certificate using the private key and CSR
openssl x509 -req -days 365 -in main.csr -signkey main.key -out main.crt
I haven't added the SSL certificate info to my Apache default file in the sites-enabled config folder,
but after an Apache restart it took effect and I am able to get an HTTPS connection, but with a warning.
Now I want to remove those self-signed certificates. Is that possible?
I tried to revoke those certificates with this command: openssl ca -config /root/tls/openssl.cnf -revoke /certs/server-1.crt
But the above command didn't work.
I am currently very new to SSL certificate generation. Any help is appreciated.
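A check worth running before reaching for openssl ca, added here as an example (it is not part of the question or of any answer): a self-signed certificate names itself as issuer, so there is no CA database (the index.txt that openssl ca -revoke updates) and no CRL for it; getting rid of it means removing the Apache directives that point at it and deleting the files. The script assumes the openssl CLI is installed and writes its own minimal request config; the Apache config directory is a parameter that defaults to the Debian layout, and the certificate names are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is on PATH.
set -eu

# Minimal request config so the example does not depend on the system openssl.cnf.
write_minimal_cnf() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$1"
}

# Return 0 if the certificate is self-signed (issuer equals subject and the
# certificate verifies against itself), 1 otherwise. A self-signed certificate has
# no issuing CA, so `openssl ca -revoke` has no CA database to record it in.
is_self_signed() {
    cert="$1"
    subj=$(openssl x509 -in "$cert" -noout -subject)
    iss=$(openssl x509 -in "$cert" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] || return 1
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1
}

# Print Apache config lines that point at the given file name, so the
# SSLCertificateFile / SSLCertificateKeyFile directives can be removed before the
# files are deleted. The default config directory is an assumption (Debian layout).
apache_refs() {
    name="$1"
    confdir="${2:-/etc/apache2/sites-enabled}"
    grep -rn "SSLCertificate[A-Za-z]*File.*$name" "$confdir" 2>/dev/null || true
}

demo() {
    dir=$(mktemp -d)
    write_minimal_cnf "$dir/req.cnf"
    # Same shape as the question's certificate: self-signed, key and cert only (constructed).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=example.test" \
        -config "$dir/req.cnf" -keyout "$dir/main.key" -out "$dir/main.crt" 2>/dev/null
    # Constructed stand-in for a sites-enabled vhost file that references the cert.
    printf 'SSLCertificateFile %s/main.crt\n' "$dir" > "$dir/default-ssl.conf"
    if is_self_signed "$dir/main.crt"; then
        echo "main.crt is self-signed: nothing to revoke; remove these directives, then delete the files:"
        apache_refs main.crt "$dir"
    fi
    rm -rf "$dir"
}
demo
```

Run it as a plain sh script; it prints the directive line it found in the constructed vhost file. On a real host, point apache_refs at the actual sites-enabled directory, remove the reported directives (or the whole HTTPS vhost), delete the key and certificate, and restart Apache.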

Related

Why does NOT my certificate chain contain the CA root certificate?

I simulate a CA on a CentOS 7 host (azcn-gs1-nginx2), and use the CA to sign a certificate for a server (azcn-gs1-nginx1).
Below is what I do:
On CA azcn-gs1-nginx1, generate the key:
cd /etc/pki/CA/private/
openssl genrsa -aes128 -out testCA.key 2048
Generate the CA certificate:
openssl req -new -x509 -days 1825 -key /etc/pki/CA/private/testCA.key -out /etc/pki/CA/certs/testCA.crt
On the server azcn-gs1-nginx2, generate the private key and certificate signing request:
openssl genrsa -out /etc/pki/tls/private/newServer.key 1024
openssl req -new -key /etc/pki/tls/private/newServer.key -out /etc/pki/tls/newServer.csr
Copy newServer.csr to the CA host for signing:
scp /etc/pki/tls/newServer.csr root#azcn-gs1-nginx2:~/newServer.csr
On the CA host, sign newServer.csr, and copy newServer.crt back to server azcn-gs1-nginx2:
openssl x509 -req -in ./newServer.csr -CA /etc/pki/CA/certs/testCA.crt -CAkey /etc/pki/CA/private/testCA.key -CAcreateserial -out newServer.crt -days 1461
scp newServer.crt root#azcn-gs1-nginx2:/etc/pki/tls/certs/newServer.crt
Server azcn-gs1-nginx2 is a reverse proxy for a webservice. I configure the newServer.key and newServer.crt in Nginx for https.
ssl_certificate /etc/pki/tls/certs/newServer_1.crt;
ssl_certificate_key /etc/pki/tls/private/newServer.key;
I am on another Ubuntu host. I import the CA's certificate testCA.crt into the Ubuntu truststore, as below:
cp testCA.crt /usr/local/share/ca-certificates/
update-ca-certificates
The Ubuntu host's built-in browser is Firefox. I also import testCA.crt into Firefox's truststore. Please see the attached picture.
I open Firefox and visit the web server over HTTPS. The expected result is that it opens the webpage directly without a security warning.
Unfortunately, it gives the warning "Your connection is not secure.....".
And it looks like the certificate only contains the certificate itself. It doesn't contain the CA's certificate.
Why does this happen? How can I get a signed certificate with the CA's certificate in the chain?
Thanks & regards,
Jie
Thanks for your comments.
That's right.
Actually, it is very simple. The two .crt files of the CA and the server can be concatenated into one .crt. Then the certificate chain is whole.
Right, pictures 2 and 3 are other problems.
Thanks,
Jie

How to create root certificate authority using CLI? [OSX]

Hello, I am trying to create a root certificate authority for my own MITM proxy. Based on another tutorial I have used the following commands.
Generate a private key:
openssl genrsa -out cert.key 2048
Generate a certificate:
openssl req -new -nodes -x509 -key cert.key -days 365 -out cert.crt
Now the problem is that when I try to add it to the keychain it shows "Self Signed Root CA". What I have found is that other MITM proxies like Proxyman generate a cert that shows "Root Certificate Authority". Here is a screenshot which illustrates my point.
I know I can make a certificate that shows Root Certificate Authority from Keychain Access > Certificate Assistant > Create a Certificate Authority.
However, my goal is to create the certificate programmatically so I can generate certificates for other users easily.
Thanks
After some searching I found that the following command works. I don't know why it works; it would be helpful to know.
openssl req -x509 -new -nodes -key cert.key -subj "/CN=HELLO" -days 3650 -reqexts v3_req -extensions v3_ca -out ca.crt -config /usr/local/etc/openssl/openssl.cnf
It seems adding something related to v3_req fixes the issue.
Be sure to use the latest version of OpenSSL. I used Homebrew to install OpenSSL.

How to verify openssl certificate on raspberry pi?

I am creating a test network using Raspberry Pis. My computer will be the CA and my Pi Zero W the client. I have created a self-signed CA certificate on my computer, a certificate request on the Pi, and signed the request with the CA keys on my computer.
When I verify the certificate on the Pi, I get an error. There is no error on my computer with the same command and the same files.
Error on the Raspberry Pi:
$ openssl verify -verbose -CAfile ca.pem pi.pem
error 18 at 0 depth lookup: self signed certificate
error cert.pem: verification failed
# ca.pem is the ca self-signed cert. pi.pem is the cert signed by ca private key
Using the SAME files on my computer:
$ openssl verify -verbose -CAfile ca.pem pi.pem
error cert.pem: verification failed
error 18 at 0 depth lookup: self signed certificate
OK
# ca.pem is the ca self-signed cert. pi.pem is the cert signed by ca private key
What I have tried so far:
reinstalled OpenSSL on the Pi
replaced the openssl.cnf file on the Pi with the one from my computer
changed the time on the Raspberry Pi
switched roles: Pi as CA and computer as client. This led to verification working on the computer but not on the Pi (as before)
Raspbian version is stretch, not sun
tried self-signed certificate verification. Verify works on the computer and on the Pi.
The process for creating the certificates:
# Server: https://support.symantec.com/en_US/article.TECH242030.html
openssl req -new -sha256 -out cert.csr
openssl x509 -req -days 365 -in cert.csr -signkey privkey.pem -sha256 -out cert.crt
openssl x509 -in cert.crt -out ca.pem -outform PEM
# Client:
openssl req -new -sha256 -out pi.csr
openssl x509 -req -days 365 -in pi.csr -signkey privkey.pem -sha256 -out pi.crt # <--- privkey.pem is the privkey of CA
openssl x509 -in pi.crt -out pi.pem -outform PEM
You need some kind of configuration file for your CA certificate; otherwise it will use basicConstraints=CA:FALSE, which means that it creates a self-signed leaf certificate rather than a CA certificate. In other words, your certificate is trusted, but not for signing other certificates.
See e.g. here for how to create a chain:
https://gist.github.com/Soarez/9688998
Note that you also need to use e.g. -CA and -CAkey, so please do not use your own commands with just a config file.
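The three posts above (the missing chain, the v3_ca extensions that turn "Self Signed Root CA" into a root authority, and the CA:FALSE verify failure) come down to the same two steps: the CA certificate must carry basicConstraints=CA:TRUE, and the server certificate must be signed with -CA/-CAkey and served together with the CA certificate. The script below is an added example, not code from any of the posts; it assumes the openssl CLI is installed, writes its own minimal config instead of relying on the system openssl.cnf, and uses made-up names (example.test, Example Test Root CA).

```shell
#!/bin/sh
# Added example, not from any of the posts above. Assumes the openssl CLI is on PATH.
# All names (example.test, Example Test Root CA) are made up for the demonstration.
set -eu

# Minimal openssl config. v3_ca marks a certificate as a CA (basicConstraints=CA:TRUE,
# keyCertSign); v3_server marks it as a TLS leaf with a SAN. A "CA" created without
# the v3_ca section is just a self-signed leaf, and clients reject what it signs.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed root CA carrying the v3_ca extensions ($1 = working directory).
make_ca() {
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$1/ca.key" -days 3650 -sha256 \
        -subj "/CN=Example Test Root CA" \
        -config "$1/openssl.cnf" -extensions v3_ca -out "$1/ca.crt"
}

# Server key, CSR, certificate signed by the CA (-CA/-CAkey, not -signkey), and the
# chain file the web server must present: leaf first, then the CA certificate.
make_leaf() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -key "$1/server.key" -sha256 -subj "/CN=example.test" \
        -config "$1/openssl.cnf" -out "$1/server.csr"
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -sha256 \
        -extfile "$1/openssl.cnf" -extensions v3_server -out "$1/server.crt" 2>/dev/null
    cat "$1/server.crt" "$1/ca.crt" > "$1/fullchain.crt"
}

# Return 0 if the certificate carries basicConstraints CA:TRUE.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Number of PEM certificates in a file; a chain file holds more than one.
chain_length() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Return 0 if the leaf ($2) validates up to the trust anchor ($1), as a client checks it.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d)
    write_config "$dir/openssl.cnf"
    make_ca "$dir"
    make_leaf "$dir"
    cert_is_ca "$dir/ca.crt"     && echo "ca.crt is a CA certificate"
    cert_is_ca "$dir/server.crt" || echo "server.crt is a leaf certificate"
    verify_chain "$dir/ca.crt" "$dir/server.crt" && echo "server.crt verifies against ca.crt"
    echo "fullchain.crt holds $(chain_length "$dir/fullchain.crt") certificates"
    rm -rf "$dir"
}
demo
```

For nginx, ssl_certificate points at fullchain.crt (and ssl_certificate_key at server.key); Apache 2.4.8 and later accept the same concatenated file in SSLCertificateFile. Clients only need ca.crt in their trust store. The v3_ca section here is the same kind of section that the macOS answer pulled in with -extensions v3_ca from Homebrew's openssl.cnf.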

Create CSR and self-signed-certificate with pyOpenSSL

Using pyOpenSSL I want to create:
a key pair for self-signing
a certificate signing request (csr)
a self-signed-certificate
When I use the OpenSSL command line tool, I use the following commands to do that:
a key pair for self-signing
openssl genrsa -out pkey.pem 2048
openssl rsa -in pkey.pem -out public-pkey.pem -outform PEM -pubout
a certificate signing request (csr)
openssl req -new -key pkey.pem -subj "/C=US/O=XXX/CN=XXX" -days 365 -out csrrequest.csr
a self-signed-certificate
openssl x509 -in csrrequest.csr -req -signkey pkey.pem -days 365 -set_serial 0x12345 -sha256 -out selfsignedcert.pem
This works! The server accepts the self-signed certificate and returns a server-signed certificate.
For pyOpenSSL I use the following code:
a key pair for self-signing
from OpenSSL import crypto

psec = crypto.PKey()
psec.generate_key(crypto.TYPE_RSA, 2048)
a certificate signing request (csr)
csrrequest = crypto.X509Req()
csrrequest.get_subject().C = "US"
csrrequest.get_subject().O = "XXX"
csrrequest.get_subject().CN = "XXX"
csrrequest.set_pubkey(psec)
a self-signed-certificate
selfsignedcert = crypto.X509()
selfsignedcert.set_serial_number(12345)
selfsignedcert.gmtime_adj_notBefore(0)
selfsignedcert.gmtime_adj_notAfter(365*24*60*60)
selfsignedcert.set_subject(csrrequest.get_subject())
selfsignedcert.set_issuer(selfsignedcert.get_subject())
selfsignedcert.set_pubkey(csrrequest.get_pubkey())
selfsignedcert.sign(psec, "sha256")
This is not working! The server does not accept the self-signed certificate. The server is not able to sign and return a server-signed certificate.
By using pyOpenSSL, however, I miss the input of openssl x509 -in csrrequest.csr -req for the creation of the self-signed certificate...
Where is my fault? Does anyone know what I am doing wrong?
Thanks!
You need to sign the CSR with the private key (similar to a self-signed certificate, but the CA will replace this signature with its own signature in the final certificate).
Try csrrequest.sign(psec, "sha256")
What is it that is not working?
I noticed that the times are set wrong.
Instead of:
selfsignedcert.gmtime_adj_notBefore(0)
selfsignedcert.gmtime_adj_notAfter(365*24*60*60)
What if you tried:
import datetime
current_ts = int(datetime.datetime.now().timestamp())
selfsignedcert.gmtime_adj_notBefore(current_ts)
selfsignedcert.gmtime_adj_notAfter(current_ts + 365*24*60*60)

Trouble getting https to work with self signed certificate on aws elastic load balancer

I am having an issue configuring HTTPS on my AWS Elastic Load Balancer using a self-signed certificate. After I'm done with the setup, making a connection to the HTTPS endpoint does not work. The HTTP connection is still fine.
Here's what I did.
Generate the self-signed certificate using this command:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
Verified the key and certificate are working by using these commands:
openssl rsa -in privateKey.key -check
openssl x509 -in certificate.crt -text -noout
Convert the key and the cert into a .pem encoded format to comply with the AWS certificate requirement:
openssl rsa -in privateKey.key -text > private.pem
openssl x509 -inform PEM -in certificate.crt > public.pem
Upload the certificate to my Elastic Load Balancer using the AWS Management Console
(http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/US_UpdatingLoadBalancerSSL.html). For the private key and public cert values, I used the private.pem and public.pem that were generated in step 3.
Go into the ELB Listener configuration, add an HTTPS listener and use the certificate that I just uploaded. Here's the configuration for the Listener:
Any thoughts on what might be wrong in my configuration? Thanks!!!
Does the Security Group of the Load Balancer include an inbound HTTPS 443 port for source 0.0.0.0/0? I just spent a few hours until I finally found this solution.