I am able to configure security with the openssl certificates. But with the Godaddy certificates, I could not configure the secure mosquitto.
I got 3 files from Godaddy SSL,
2324145e73d34dad.crt
2324145e73d34dad.pem
gd_bundle-g2-g1.crt
As per the Godaddy site, the 1st one is Root certificate i.e ca.crt
3rd one is the intermediate / chain certificate.
But I want the server.crt and server.key to configure.
How can we configure the ssl with those files? Can we generate the server.key and server.crt with them?
You should already have the private key, you needed to use it to generate the CSR you sent to Godaddy to get the certificate signed.
2324145e73d34dad.pem sounds like it's your server certificate (which is what mosquitto wants)
From the man page:
certfile file path
Path to the PEM encoded server certificate. This option and keyfile must be present to enable certificate based TLS encryption.
The issue is with the private key encoding.
When we download the private key from GoDaddy, it is in UTF-8-BOM encoding, we need to change the Encoding to UTF-8.
Related
I don't know much about ssl certificates but I need to do ssl termination in haproxy. The team in charge of the certificate gave me a zip file which i assume is an entrust bundle when i check the crt files in it. So it seems like haproxy will only accept pem file(correct me if im wrong) and the bundle i have contains 5 files: ca.crt <domain>.key intermediate.crt root.crt and ServerCertificate.crt Can anyone help me on how I can convert these to a pem file that haproxy will accept?
You will need to concate everything in one file.
cat ServerCertificate.crt intermediate.crt root.crt ca.crt <domain>.key > <domain>_haproxy.pem
After wards can you configure HAProxy to handle TLS/SSL as described in the doc How to get SSL with HAProxy getting rid of stunnel, stud, nginx or pound
On my Github enterprise when I install the SSL certificate with the key its displaying an error message:
"Github ssl cert The certificate is not signed by a trusted
certificate authority (CA) or the certificate chain is missing
intermediate CA signing certificates."
I was given from our certification authority team 4 certificates.
SSL certificate : github.pem
A set of 3 CA certificates : root, subca and subca2
On my Github enterprise management console, it needs 2 entries
A x509 SSL certificate
Unencrypted key
I have tried github.pem key alone and with different combination by concatenating CA certificates, but its failing always with the same error.
Is there a pattern to concatenate the certificate?
Any clue how i can resolve this?
Thanks in advance.
Please abide the following steps to add 3 certificates to your .pem file:
Open your domain certificate pem file in Notepad ++.
Add intermediate (DigiCertCA2.pem) certificate under Domain certificate.
Add root certificate (TrustedRoot.pem) to your domain certificate.
Save the .pem file that have the following 3 certificates (domain , intermediate, root).
Upload the modified certificate.pem file and the private key.
click on Save Settings.
I had the same issue.
When trying to load the PEM and Key files to GitHub Enterprise I got the same message. The cert was created using the exact same methods as I have done before, but was failing.
Github ssl cert The certificate is not signed by a trusted certificate authority (CA) or the certificate chain is missing intermediate CA signing certificates.
Steps I took:
Created a cert for the server (webserver with Private Key)
Exported from my users personal store (PFX including all certs in the path and export all extended properties)
C:\OpenSSL-Win64\bin> openssl.exe pkcs12 -in git_key_included.pfx -nocerts -out priv-key.pem -nodes
C:\OpenSSL-Win64\bin> openssl.exe pkcs12 -in git_key_included.pfx -nokeys -out cert.pem
C:\OpenSSL-Win64\bin> openssl rsa -in priv-key.pem -out server.key
I eventually figured it out by opening the PEM using Notepad++. The openssl commands work fine on the old exported cert, but swap around the ordering of the certs on the new exported cert. The broken cert had:
Primary SSL certificate
Root certificate
Intermediate certificate
Instead of the correct ordering of:
Primary SSL certificate
Intermediate certificate
Root certificate
So I swapped them around and it worked.
I have a backend server with SSL only as defaut public interface. This server listens on 443 with cert, key and ca files on, ssl verify client is set to true.
On client side, I have client cert, key and a ca file made of 2 CA files catted together (intermediate CA, root CA) in a single ca.pem file. When I do curl request on my backend server, it works fine. I also tested the server / client cert and key with gnutls-serv and openssl s_server to ensure all was valid.
But when I create a keystore on Apigee (client cert and key file [pem format]) and a trustore (ca.pem file), there is an error:
- target.name fsbca-test
- Properties
- Expression ("fsbca-test" equals target.name)
- ExpressionResult true
- Tree TARGET_fsbca-test
- error The Service is temporarily unavailable
- error.cause General SSLEngine problem
- error.cause.cause General SSLEngine problem
- error.class com.apigee.messaging.adaptors.http.HttpAdaptorException
- state TARGET_REQ_FLOW
- type ErrorPoint
If I put SSL verify client to false on my backend, then the request is correctly diverted by Apigee and I get the response.
If I put IgnoreValidationErrors to true in the target endpoints property, then the request is diverted to my backend server but I can see an error in the server's log: "client sent no required SSL certificate while reading c...".
Any ideas about what could be wrong in what I am doing?
Additional track: could it be an issue on Apigee side with the CA file made of 2 certs (it may ignore trailing certificates found in a .pem). If wanted to test pkcs12 and jks but I failed to upload them to Apigee (the API doc page only describes .pem, JAR and cert action). I wrote a small Java client with pkcs12 keystore and jks trustore and it worked fine from my local workstation.
Thank you in advance for any piece of information that could help me.
Regards
Fr
You should upload your certificates separately (one per cert), and you need the entire trust chain of certificates to be stored in your truststore.
Here is the page about SSL to your backend.
EDIT:
Here is a method I know works:
1) Separate certs into separate PEM files. Do not put more than once cert in a file.
2) Validate each cert using openssl:
openssl x509 -noout -text -in <cert file name>
Validate that no certs are expired, and that the Subject and Issuer fields create a chain of all the certs, with identical names.
The server's certificate, the root certificate, and all certificates in between need to be in the truststore.
We use IIS 6.0 (Win2003 SP2) at work and needed to renew our SSL certificate.
I created a certificate request by using openssl. Therefor I'd created a 2048 bit key with openssl first. I did not use that certreq.txt request file, since that produced format errors at the website of our used CA.
That request has been accepted meanwhile and I got a .pem file from our organization's CA. So far so good. I even was able to import the certificate. But unfortunately the private key is missing now. I think, windows (or IIS) just doesn't know, where to look for it. The private key of course lives in a *.key file, that I used for creating the request.
But how may I integrate the key into the certificate or make Windows/IIS using it?
You should be able to build a PKCS#12 file using OpenSSL using:
openssl pkcs12 -export -in cert.pem -inkey file.key -out cert.p12
Then, using the .p12 file, import both the cert and its private key at the same time.
More info on openssl https://www.openssl.org/docs/apps/pkcs12.html
Since your running Windows Server take advantage of DigiCert's free utility (http://www.digicert.com/util).
You can create the CSR from OpenSSL if you plan to import it back to OpenSSL and were using Apache.
Otherwise you'll make the CSR request from IIS or running DigiCert Utility and clicking 'Create CSR' option. Once you have the new CSR, submit it to your CA in order to have them issue a new cert that will match the proper private key in IIS.
Once you receive the new cert file, use the 'Import' function on the utility to load the cert file on your local MMC.
Final step is binding the SSL cert to the site's port 443 connection in the IIS console.
If you happen to need the private key, you can use the 'Export' function to create a .key file or a PFX file which includes both your domain certificate and the private key.
Some firewall devices require a PKCS#12 file over the PFX. If so, rename file extension from .pfx to .p12
I have requested a class 1 certificate from StartSSL and installed it in Weblogic 10.0.1 (see screenshots).
The browsers (Chrome & IE9 on Windows 7, IE8 on XPSP3) still give a certificate error (see screenshots).
I think the StartSSL root certificate is available in several browsers (see here). Please advise.
StartSSL Class 1 certificates are signed by a intermediate CA, which is signed by the StartCom Root CA. For your browser to trust this certificate, it needs to know the trust chain up to the Root CA it already knows.
Your server needs to send the complete trust chain to the browser (minus the Root CA), so your browser can verify that your certificate is trusted.
See the StartSSL FAQ for more info.
Found the problem. I've imported the StartSSL certificate incorrectly in our keystore. Also, I've specified "weblogic" as alias in the Weblogic console which is not the certificate but the public/private key pair. I'm using Portecle to edit the keystore.
When I've noticed that I was probably using the wrong alias I've changed it to the alias of the certificate. This resulted in a Weblogic error:
Inconsistent security configuration, weblogic.management.configuration.ConfigurationException: No identity key/certificate entry was found under alias startssl-hostname in keystore keystore_StartSSL on server servername
In the end I've followed these steps to pack the certificate and private key in one PKCS#12 keystore. I've then imported that keystore into our java keystore using Portecle:
Export the "weblogic" public/private key using Portecle as a PKCS#12 keystore.
Extract the private key from this keystore using openssl:
openssl pkcs12 -in weblogic.p12 -nocerts -out privatekey.pem
Package the certificate and private key as a PKCS#12 keystore (cert.p12) using openssl:
openssl pkcs12 -export -in cert.cer -inkey privatekey.pem -out cert.p12 -name cert -CAfile ca.pem -caname root
Import cert.p12 file into our java keystore using Portecle using "cert" as alias.
Changed the Weblogic configuration to use the "cert" alias with the correct passphrase.
And it worked!
PS: I've added the JCE unlimited strength policy along the way since Portecle complained about this at one point.
Generally the trust store and keystore would be separate, but it will not cause the error above.
If your browser does not trust the CA then you will receive the above error. You need to add the root CA to your browser. You can check the certs that your browser supports.
Eg for IE -> Tools -> Internet Options -> Content -> Certificates -> Trusted Root CA
Assuming you need to import this into one or two browsers, its not a big deal. But if you need to do this across the enterprise (meaning 100 or 1000 of browsers), you will need help from your desktop support team !