i am trying to create a self signed certificate using openssl following the docs https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-ssl.html
i tried to add the generated private and public pem files to my NLB TCP listener as a self signed certificate and it is failing with the below exception.
Error creating listener The imported certificate's configuration is not compatible and will not appear in the list of available certificates for your listeners. Select or upload a different certificate and try again.
I saw that NLB allows RSA 2048 certs. Not sure why the console is showing the error display.
You need to generate a RSA 1024 or 2028 certificate. check the valid certificates that ACM supports. i used the below commands to generate the self signed certificate
openssl genrsa -out private-key.pem 1024
openssl rsa -in private-key.pem -pubout -out public-key.pem
openssl req -new -x509 -key private-key.pem -out cert.pem -days 3600
mention the country, state and domain name. I initially missed the domain name because of which NLB listener wasn't accepting the certificate.
Related
Recently i have created self signed ssl certificates with the following commands
STEP 1: Create the server private key
openssl genrsa -out main.key 2048
STEP 2: Create the certificate signing request (CSR)
openssl req -new -key main.key -out main.csr
STEP 3: Sign the certificate using the private key and CSR
openssl x509 -req -days 365 -in tls.csr -signkey main.key -out main.crt
i haven't added ssl certificate info, in to my apache default file in : site-enabled config folder
but after an apache restart it took effect and i am able get https connection, but with a warning.
now i want to remove those self signed certificate. is that possible ?
i tried to revoke those certificates with this command - openssl ca -config /root/tls/openssl.cnf -revoke /certs/server-1.crt
but the above command didnt work .
i am currently very new to ssl certificate generation. any help is appreciated.
I simulate a CA on a centos7 host(azcn-gs1-nginx2), and use the CA to sign a certificate for a server(azcn-gs1-nginx1).
Below are what I do:
On CA azcn-gs1-nginx1, generate key
cd /etc/pki/CA/private/
openssl genrsa -aes128 -out testCA.key 2048
Generate CA certificate
openssl req -new -x509 -days 1825 -key /etc/pki/CA/private/testCA.key -out /etc/pki/CA/certs/testCA.crt
On the server azcn-gs1-nginx2, generate private key and certificate sign request.
openssl genrsa -out /etc/pki/tls/private/newServer.key 1024
openssl req -new -key /etc/pki/tls/private/newServer.key -out /etc/pki/tls/newServer.csr
Copy newServer.csr to CA host for signing.
scp /etc/pki/tls/newServer.csr root#azcn-gs1-nginx2:~/newServer.csr
On CA host, sign the newServer.csr, and copy back the newServer.crt
to server azcn-gs1-nginx2.
openssl x509 -req -in ./newServer.csr -CA /etc/pki/CA/certs/testCA.crt -CAkey /etc/pki/CA/private/testCA.key -CAcreateserial -out newServer.crt -days 1461
scp newServer.crt root#azcn-gs1-nginx2:/etc/pki/tls/certs/newServer.crt
Server azcn-gs1-nginx2 is a reverse proxy for a webservice. I configure the newServer.key and newServer.crt in Nginx for https.
ssl_certificate /etc/pki/tls/certs/newServer_1.crt;
ssl_certificate_key /etc/pki/tls/private/newServer.key;
I am on another Ubuntu host. I import the CA's certificate testCA.crt into Ubuntu truststore, as below:
cp testCA.crt /usr/local/share/ca-certificates/
update-ca-certificates
The Ubuntu's built-in browser is firefox. I also import testCA.crt
into firefox's truststore. Please see attached pic.
I open firefox browser and visit web server by https. Expected result is it can directly open webpage without security warning.
Unfortunately, it gives warning of "Your connection is not secure.....".
and, looks like the certificate only contains the certificate itself. It doesn't not contain CA's certificate.
Why this happen? How can I get a signed certificate with the CA's certificate in Chain?
Thanks & regards,
Jie
Thanks for your comments.
That's right.
Actually, it is very simple. The 2 .crt files of CA and server can be concatenated into one .crt. Then the certificate chain is a whole.
Right, the pictures of 2 and 3 are other problems.
Thanks,
Jie
From here, I learnt that, we need a public key and user identification:
to create CSR
Goal is to establish SSL/TLS connections between two nodes(client & server).
Based on the above diagram, my understanding is, to give public key as input to create CSR but step 4 uses private key(server-key.pem) to create CSR(server.CSR)
Step 1) Create certificate authority key(private key)
$ openssl genrsa -aes256 -out ca-key.pem 4096
Step 2) Create Certificate authority(root certificate) with the input(ca-key.pem)
$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Step 3) Create a private key for web server
$ openssl genrsa -out server-key.pem 4096
Step 4) Create Certificate signing request(CSR) by entering user identification. This will create public key in-turn.
$ openssl req -subj "/CN=dockerbuild.harebrained-apps.com" -sha256 -new -key server-key.pem -out server.csr
Step 5) Add the configuration
$ echo subjectAltName = IP:40.xx.xx.164,IP:10.0.0.4,IP:127.0.0.1,DNS:dockerbuildsys.westus.cloudapp.azure.com,DNS:dockerbuild.harebrained-apps.com > extfile.cnf
Step 6) Create server certificate
$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Step 7) Create client private key
$ openssl genrsa -out key.pem 4096
Step 8) Create CSR for client by entering user identification
$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr
Step 9) Certificate extension file for client
$ echo extendedKeyUsage = clientAuth > extfile.cnf
Step 10) Create client certificate
$ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Step 11) Removing signing requests
$ rm -v client.csr server.csr
Step 12) Remove write permissions on keys
$ chmod -v 0400 ca-key.pem key.pem server-key.pem
Step 13) Read permissions to certificate for every user
$ chmod -v 0444 ca.pem server-cert.pem cert.pem
Step 14) Uploaded on server side, Certificate authority(ca.pem), server certificate(server-cert.pem) & server key(server-key.pem)
I have very good understanding on symmetric and asymmetric key encryption.
We use asymmetric keys to solve key distribution problem(symmetric key) between two parties
I understand that, every certificate has public key + Identity of owner(that provides certificate)
Questions:
1) Are ca-key.pem, server-key.pem & key.pem symmetric keys?
2) Why to create Certificate authority(ca.pem)? Why do we need a private key(ca-key.pem) to create Certificate authority?
3) Why do we need a private key to create CSR? Because it contradicts with the diagram(above)?
4) Why to create Certificate Signing Request(CSR) before creating a certificate? both client & server
5) Why do we need two certificates(server certificate server-cert.pem & client certificate cert.pem)?
6) Does openssl req -subj "/CN=dockerbuild.harebrained-apps.com" -sha256 -new -key server-key.pem -out server.csr create server.csr that contain a public key + user identification? If yes, how this public key different from the public key provided by certificate(server-cert.pem)?
7) If there are no symmetric keys created in the above process, then how client & server communicate with encryption?
8) How server-key.pem/server-cert.pem/ca.pem(uploaded on server) work with key.pem/cert.pem/ca.pem(on client)?
1) Are ca-key.pem, server-key.pem & key.pem symmetric keys?
These are asymmetric keys. There are no symmetric keys at all involved when creating certificates. Symmetric keys are only involved for the actual encryption in TLS.
2) Why to create Certificate authority(ca.pem)? Why do we need a private key(ca-key.pem) to create Certificate authority? Because it contradicts with the diagram(above)
A CA is a trust anchor. The private key of the CA is used to issue (sign) new certificates. The CA certificate containing the public key is trusted by the party which likes to verify the certificate. See SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate? to get a better idea how CA certificates and leaf certificates and signatures (done using the private key) play together.
It is not actually necessary to have a CA, i.e. one could use a self-signed certificate. But in this case each party who like to verify the connection using the certificate needs to have some previous knowledge of each self-signed certificate it should be able to verify. This does not scale well, i.e. it is easier to explicitly trust a CA and then derive from this trust into the certificates issues by the CA.
3) Why do we need a private key to create CSR? Because it contradicts with the diagram(above)?
The CSR gets signed to prove that you own the private key matching the public key in the CSR (and thus in the future certificate).
4) Why to create Certificate Signing Request(CSR) before creating a certificate? both client & server
Usually the CSR is created by a different party than the CA. In this case the CSR is a signed container which provides information about the certificate the party likes to have issued. It is not technically needed to create a certificate but organizationally.
5) Why do we need two certificates(server certificate server-cert.pem & client certificate cert.pem)?
We don't. Usually only the server certificate is needed to make sure that the client communicates with the correct server. Client certificates are only needed with mutual authentication where the server likes to authenticate the client too using a certificate.
6) Does server.csr contain a public key + user identification? If yes, how this public key different from the public key provided by certificate?
The public key in CSR is the same as in the certificate. There are user specific information in the certificate (the domain) but the CA must verify through other means that these information are actually correct (i.e. user owns the domain) before issuing the certificate.
7) If there are no symmetric keys created in the above process, then how client & server communicate with encryption?
The TLS handshake contains an authentication part (check that the server is the expected one based on the certificate) and a key exchange. The latter generates symmetric keys used for encrypting the application data. See How does SSL/TLS work? for the details.
8) How server-key.pem/server-cert.pem/ca.pem(uploaded on server) work with key.pem/cert.pem/ca.pem(on client)?
The private key of the server certificate is used to sign some challenge inside the TLS handshake in order to prove that the server owns the given certificate. The private key of the client certificate is used in a similar way if mutual authentication is done. The CA certificate is used to verify the certificate (again, see SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate?).
I need to get a certificate from a certificate authority with .crt extension.
I used openssl commands but it generates a self-signed certificate which is not suitable for my use.
$ openssl genrsa -out client.key 4096
$ openssl req -new -x509 -text -key client.key -out client.cert
How can I obtain a certificate form a CA in Ubuntu 16.04? I need .key and .crt files.
These are the steps you would need to do to get a certificate signed by a CA.
Generate a Asymmetric Key Pair.
openssl genrsa -out localhost.key 2048
Generate a PKCS#10 (Certificate Signing Request) from the Key Pair.
openssl req -new -sha256 -key localhost.key -out localhost.csr
Send the above generated request to the CA (different CA's have different ways of receiving your request).
CA replies with a PKCS#7 (Certificate Chain) or just the signed certificate (you will usually get the entire certificate chain, but if you just got only the peer certificate, you can check with them where you can get the CA certificate chain to construct the chain yourself).
You can convert the above received PKCS#7 to PEM format
openssl pkcs7 -in localhost.p7r -inform DER -out localhost.pem
-print_certs
Associate the above PEM certificate chain to the private key you generated in the step 1.
openssl pkcs12 -export -inkey localhost.key -in localhost.pem -name
sslCertificate -out localhost.pfx
You now have a PKCS#12 keystore that you can use to secure your server.
So to answer you question, this is how you could proceed with step 3.
There are many well known Certificate Authorities out there (GeoTrust, Entrust, Verisign, GoDaddy, Comodo, etc, ...). Each CA could be different on their pricing depending on what kind of certificate you are requesting. You can visit their official web page(s) to know more about what they have to offer. Once you have decided which CA to go with, you use their service to request a certificate to be signed (usually online on their site).
I am hosting a nginx webserver in my LAN and I want to authenticate client who are accessing my server with ssl client certificate.I generated a self signed SSL certificate and one client certificate following some documents on google. But I am unable to authenticate client who has certificate. I am getting the following errors
When requested from Firefox:
2017/08/10 18:30:13 [info] 8994#0: *4 client sent no required SSL certificate while reading client request headers, client: 192.168.16.27, server: 192.168.26.43, request: "GET /hls1/master.m3u8 HTTP/1.1", host: "192.168.26.43"
When request using curl:
curl -v -s -k --key client.key --cert client.crt --cacert ca.crt https://192.168.26.43/hls2/master.m3u8
2017/08/10 18:30:33 [info] 8994#0: *5 client SSL certificate verify error: (18:self signed certificate) while reading client request headers, client: 192.168.16.27, server: 192.168.26.43, request: "GET /hls2/master.m3u8 HTTP/1.1", host: "192.168.26.43"
So,my question is can I use self-signed certificate to authenticate client?If so, can anyone provide the steps to achieve this?
I just stumbled over this and discovered a small pitfall which caused the same error you encountered:
error 18 at 0 depth lookup: self signed certificate
There are plenty of guides how to create a self signed client certificate, I used the following (adapted from here):
# Create the CA Key and Certificate for signing Client Certs
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Create the Client Key and CSR
openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
# Sign the client certificate with our CA cert
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
# Convert to .p12 so import in OSX works
openssl pkcs12 -export -clcerts -inkey client.key -in client.crt -out client.p12 -name "MyKey"
However, if you use the same Organization Name (eg, company) for both your ca and your client certificate, you will see above error! (edited: important)
If openssl verify -verbose -CAfile ca.crt client.crt does not complain about a self-signed certificate, you're good to go.
The server has to trust the client certificate. In the case of a self-signed certificate, that means the certificate has to be exported from the client's keystore and imported into the server's truststore.
When the server asks for the client certificate, it also sends a list of trusted signers, and the client is only allowed to send a certificate which is ultimately signed by one of those signers. As the server didn't know about the self-signed client certificate, it didn't include that as a trusted signer, so the client was unable to send its certificate. Hence client sent no required SSL certificate while reading client request headers.