mTLS in OpenShift + Istio (client certificate) - ssl

There is an application (Java) deployed in OpenShift. The istio-ingress-gateway is also configured. My task is to call my service using the https protocol with mTLS. At the moment, I have the following settings in the ingress-gateway in the tls block:
caCertificates: somePath/ca.pem
mode: MUTUAL
privateKey: somePath/tls.key
serverCertificate: somePath/tls.crt
I want to call my service through Google Chrome / Postman / curl. As I understand it, for this I need to generate a client certificate based on the certificates specified in OpenShift and put it in the calling client.
My question is how can I generate a client certificate from this and how can I put it on the caller?

It works for a browser: openssl pkcs12 -export -out cert.pfx -inkey tls.key -in tls.crt -certfile ca.pem. Don't forget to import cert.pfx into Windows.
For curl: curl https://mTLSHost -k --key ./tls.key --cert ./tls.crt

Related

Mutating Webhook does not invoke endpoint because certificate signed by unknown authority

I am developing a mutating webhook with kind and as I understand, the API end-point should be https. The certificate and key of the API server should be signed with the CA of the cluster itself so as to get around issue of self-signed certificates. And, for that, the following are the recommended steps:
Create key - openssl genrsa -out app.key 2048
Create CSR - openssl req -new -key app.key -subj "/CN=${CSR_NAME}" -out app.csr -config csr.conf
Create CSR object in kubernetes - kubectl create -f csr.yaml
Approve CSR - kubectl certificate approve csr_name
Extract PEM - kubectl get csr app.csr -o jsonpath='{.status.certificate}' | openssl base64 -d -A -out app.pem
Notes
1. The csr.conf has details to set-up the CSR successfully.
2. The csr.yaml is written for the kubernetes kind CertificateSigningRequest.
3. The csr_name is defined in CertificateSigningRequest.
4. The spec.request in csr.yaml is set to the output of cat app.csr | base64 | tr -d '\n'.
5. The app.pem and app.key are used to set-up the https end-point.
The end-point is definitely reachable but errors out as:
Internal error occurred: failed calling webhook "com.me.webhooks.demo": Post https://webhook.sidecars.svc:443/mutate?timeout=10s: x509: certificate signed by unknown authority
How do I get around the certificate signed by unknown authority issue?
References:
1. Writing a very basic kubernetes mutating admission webhook
2. Diving into Kubernetes MutatingAdmissionWebhook
It doesn't need to be signed with the cluster's CA root. It just needs to match the CA bundle in the webhook configuration.
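The two threads above share one mechanism: a peer's certificate is accepted only if it chains to the CA the verifier was handed (ca.pem in the gateway's tls block, or caBundle in the webhook configuration). The script below is an added example, not code from either post, from Istio or from Kubernetes. It mints a throwaway root CA, issues a dedicated client certificate (rather than reusing the server's tls.crt) and packages it as a .pfx for browser import, then issues a serving certificate for the webhook and shows it verifying against the CA that signed it and failing against an unrelated CA, which is the "certificate signed by unknown authority" case. All subjects, file names and the export password are constructed for the demo; in a real deployment you need the private key of the CA that produced ca.pem (or of the CA placed in caBundle), which is assumed to be in your hands here.

```shell
#!/bin/sh
# Added example (not from the original posts): a demo CA, a client cert for
# mTLS through the gateway, and a webhook serving cert checked against the
# right and the wrong CA.  All names and paths are constructed for this demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# 1. Root CA.  Stands in for the CA behind somePath/ca.pem; its key stays
#    with the CA operator and is only used to sign.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Demo Root CA" -keyout ca.key -out ca.pem 2>/dev/null

# sign_cert <name> <subject> <extendedKeyUsage>
# Generates a fresh key and CSR for <name> and has the demo CA sign it.
sign_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\nbasicConstraints=CA:FALSE\n' "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 90 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# 2. A client certificate, which is what mode: MUTUAL on the gateway demands.
sign_cert client "/CN=alice/O=demo-clients" clientAuth

# 3. Bundle key + cert + CA for a browser or Postman import.  The export
#    password protects the private key inside the .pfx; "changeit" is a
#    demo value only.
openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt \
  -certfile ca.pem -passout pass:changeit

# 4. A serving certificate for the webhook endpoint from the second thread.
sign_cert webhook "/CN=webhook.sidecars.svc" serverAuth

# A second, unrelated CA plays the role of a CA bundle that did not sign it.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Unrelated Cluster CA" -keyout other.key -out other.pem 2>/dev/null

# verify_against_ca <ca file> <cert>: exit 0 iff <cert> chains to <ca file>.
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

if verify_against_ca ca.pem webhook.crt; then
  echo "webhook.crt verifies against ca.pem (the CA caBundle must carry)"
fi
if ! verify_against_ca other.pem webhook.crt; then
  echo "webhook.crt fails against other.pem: certificate signed by unknown authority"
fi
echo "client bundle for import: $WORK/client.pfx"
```

With a bundle built this way, curl can present client.crt and client.key and verify the gateway with --cacert ca.pem instead of disabling verification with -k; for the webhook, the fix is to base64-encode the CA that signed webhook.crt (ca.pem here) into caBundle, not to re-sign the certificate with the cluster root.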

activemq, secure websockets, CA, security and same-origin restrictions - How do I install a CA certificate?

Has anyone managed to install a CA certificate into an activemq instance? I've been doing google searches and reading the activemq documentation but I haven't found anything on how to use a pre-existing CA certificate in activemq.
I assume I install it into the activemq keystore. Is that correct? I'll be using it with websockets and mqtt on the client end.
Also, just in case my assumptions are incorrect, here's why I think I need to use my current CA certificate.
1) I have a web application and our users require communication with the server to be secure. All http traffic is secure.
2) All modern web browsers have a same-origin policy for websockets. They also seem to have a no-mixed-content policy. And so because my http traffic is secure I also have to use secure websockets. (I also have to run the activemq server at the same url)
I'd rather not tunnel the websocket traffic over http because then I have to worry about the apache configuration in addition to the activemq configuration - just another place for things to potentially go wrong.
Also, I don't transfer any sensitive information over the websocket so I could potentially leave it unsecured, but first, my users probably wouldn't understand that, but also it looks like browsers have a no-mixed-content policy.
Has anyone gone through what I'm going through? Any tips?
I eventually got this working, but ultimately I decided to tunnel my websockets communication through apache using the ws_tunnel module.
But to answer my question above, basically what you have to do is create a new java keystore based on your webserver keys, and then replace the activemq java keystore with this new keystore. I was never able to successfully import the keys into the existing keystore.
For example, on my ubuntu server, my keys are:
SSLCertificateFile /etc/apache2/ssl/star_astracorp_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/star_astracorp_com.key
SSLCertificateChainFile /etc/apache2/ssl/astracorp.com.intermediate.sha1.chcrt
I then export the key as pkcs12:
openssl pkcs12 -export -in /etc/apache2/ssl/star_astracorp_com.crt -inkey /etc/apache2/ssl/star_astracorp_com.key -out server.p12 -name emsu1 -CAfile ca.crt -caname root
I then import the pkcs12 into a new java keystore:
keytool -importkeystore -deststorepass password -destkeypass password -destkeystore server.keystore -srckeystore /etc/apache2/ssl/server.p12 -srcstoretype PKCS12 -srcstorepass password -alias emsu1
Then, in my activemq directory I move the old broker.ks out of the way, rename server.keystore to broker.ks and restart activemq.
One of my servers had .pem files for its keys. The process was still similar; however, I had to go into OS X's keystore utility to get the password of the key.
openssl pkcs12 -export -in /etc/certificates/ems-dev.local.EDA65671FF2C9CE7DAA56E9AD8E4E5F3F2675C79.cert.pem -inkey /etc/certificates/ems-dev.local.EDA65671FF2C9CE7DAA56E9AD8E4E5F3F2675C79.key.pem -out server.p12 -name emsdev -CAfile ca.crt -caname root
You will then be asked for the key; copy and paste it from the key utility.
Then, the process to create a new keystore is the same:
keytool -importkeystore -deststorepass password -destkeypass password -destkeystore server.keystore -srckeystore /etc/certificates/server.p12 -srcstoretype PKCS12 -srcstorepass password -alias emsdev

How do I configure a Dropwizard application with intermediate certificate?

The Dropwizard example project has a single certificate without intermediate certificate and the HTTPS configuration doesn't mention anything regarding intermediate certs. Is it possible to configure Dropwizard to deliver intermediate certificates?
You should be able to add the intermediate certificate to the key store that you use for your certificate. To do that, when you add the private key you should be able to add a chain of the signed public key with the intermediate certificate. The intermediate certificates should not be added by themselves. The intermediate certificate should then also be sent to the client.
Dropwizard uses Jetty 9. From the Jetty 9 documentation:
If you have a chain of certificates, because your CA is an intermediary, build the PKCS12 file as follows:
$ cat example.crt intermediate.crt [intermediate2.crt] ... rootCA.crt > cert-chain.txt
$ openssl pkcs12 -export -inkey example.key -in cert-chain.txt -out example.pkcs12
The order of certificates must be from server to rootCA, as per RFC2246 section 7.4.2.
I would not include the root CA in the chain because it should be already known to the client.
OpenSSL will ask for an export password. Enter something and remember it for the configuration. The documentation includes further steps to convert the PKCS12 keystore to a JKS one, but that’s not required (PKCS12 works fine on Java 8u261).
Then configure the connector in your Dropwizard configuration file with the filename and password you used:
server:
  applicationConnectors:
    - type: h2c
      port: 80
    - type: h2
      jceProvider: Conscrypt
      port: 443
      keyStorePath: example.pkcs12
      keyStorePassword: foo
You can verify your configuration using OpenSSL:
openssl s_client -connect localhost:443
The section Certificate chain should show entries for your server certificate and the intermediate CAs.

How to setup Dart to use a CA SSL certificate?

I recently deployed a Dart server application that serves HTTP requests. I wanted to add support for HTTPS so I have been trying to add SSL to the Dart server application.
This answer gives a clear explanation of how to add a self-signed SSL certificate to Dart. However, I want to add an SSL certificate I bought from an SSL provider.
The SSL provider e-mailed me 4 files:
Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - COMODORSAAddTrustCA.crt
Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - my_domain.crt
I have been trying to figure out how certutil works and how to add these certificates to the certificate database, but I just can't figure it all out.
Anyone with experience enabling a CA SSL certificate in Dart?
SOLVED: Thanks to suggestion in the comments, I solved the issue. This is the gist of my complete setup: https://gist.github.com/stevenroose/e6abde14258971eae982
First of all, you probably have three files generated with openssl for your private key, server certificate and CA certificate. To convert all those into a PKCS12 file, you can use openssl:
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile CAcert.crt
Then, you can adapt the certutil commands as shown to load your PKCS12 instead of generating new certificates:
certutil -N -d sql:certdb
certutil -A -n mycertnick -i server.crt -t "TCu,Cu,Tuw" -d sql:certdb
certutil -A -n myCA -i CAcert.crt -t "TCu,Cu,Tuw" -d sql:certdb
pk12util -i server.p12 -d sql:certdb
It seems to work with the sample code in the referenced question.
Unfortunately the SSL management in Dart is known to be very lacking.
I reported this many times, with no serious answer from the Dart team.
Star this issue if you want something done about it:
https://code.google.com/p/dart/issues/detail?id=20967

Client SSL authentication causing 403.7 error from IIS

I'm trying to connect to a web service (not under my control) configured to authenticate users via SSL client certs. I have a valid certificate in PKCS12 format containing the client certificate and associated private key. The certificate is issued by a CA accepted by the web service provider.
Installing the certificate and trying to access the restricted area in various browsers gives the following results:
IE6 - Works fine and I can retrieve the WSDL
IE7 - Prompts for the certificate but then fails with a 403.7 from the server
Firefox3 - Set to ask, but no prompt and fails with a 403.7
Safari 4 - Certificate is installed in the Keychain, but no prompt and a 403.7
Also, trying to access the web service programmatically (Java) fails with the same 403.7 error code.
Strange that this works in IE6 but in no other browser, what am I missing? Do I need to include the full CA certificate chain in the PKCS12 file?
Any help would be greatly appreciated.
This really works! If you're confused by the -inkey and -in options, they are the private key and certificate from the p12 file. You can convert the p12 file to pem format with:
openssl pkcs12 -in file.p12 -clcerts -out file.pem
and use the above command with "-in file.pem" only.
Also, you can import the root CA cert into your trusted certs store, here is the description how to do that: http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl, and then you don't have to manually copy the certificates. After installing the cert use the command above without the "-CAfile chain.pem".
Ok, got this working. The answer is yes, I did need to include all intermediary CA certs in the PKCS12 file. I concatenated all the intermediary CA certs plus the Root CA cert in the file "chain.pem" then executed the following command:
openssl pkcs12 -export -chain -CAfile chain.pem -in cert.pem -inkey key.pem -out cert.p12
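The Dropwizard/Jetty, ActiveMQ and IIS threads above all come down to the same step: the PKCS12 file handed to the server must carry the intermediate CA certificate(s) alongside the leaf, in leaf-to-root order, or clients that only trust the root will see an incomplete chain. The script below is an added example, not code from any of the posts or from Jetty, ActiveMQ or OpenSSL's documentation. It builds a root CA, an intermediate CA and a server certificate signed by the intermediate, writes the chain file in the order the Jetty text specifies (root omitted, since clients already trust it), exports key plus chain to PKCS12 the way the Jetty and IIS answers do, and then counts the certificates in the result and verifies the leaf with and without the intermediate. Subjects, file names and the export password are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original posts): root -> intermediate -> leaf,
# chain file in server-to-root order, PKCS12 export with the intermediate,
# and two checks on the result.  All names and the password are demo values.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Root CA.  Left out of the bundle below: the client is expected to have it.
openssl req -x509 -newkey rsa:2048 -nodes -days 730 -subj "/CN=Demo Root" \
  -keyout root.key -out root.crt 2>/dev/null

# Intermediate CA: a CSR signed by the root with CA:TRUE so it may issue.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
  -keyout intermediate.key -out intermediate.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key \
  -CAcreateserial -days 365 -extfile int.ext -out intermediate.crt 2>/dev/null

# Server (leaf) certificate signed by the intermediate, not by the root.
openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
  -keyout example.key -out example.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:example.test\n' > leaf.ext
openssl x509 -req -in example.csr -CA intermediate.crt -CAkey intermediate.key \
  -CAcreateserial -days 90 -extfile leaf.ext -out example.crt 2>/dev/null

# Chain file: server certificate first, then the intermediate(s).
cat example.crt intermediate.crt > cert-chain.txt

# Export key + chain.  openssl pkcs12 uses the certificate matching the key
# as the main entry and stores the rest as extra certificates, so the
# intermediate travels with the keystore and is sent to clients.
openssl pkcs12 -export -inkey example.key -in cert-chain.txt \
  -out example.pkcs12 -name example -passout pass:changeit

# count_certs <p12> <password>: number of certificates stored in the file.
count_certs() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# leaf_chains_to_root: the leaf validates when the intermediate is supplied,
# which is what a correctly configured server makes its clients see.
leaf_chains_to_root() {
  openssl verify -CAfile root.crt -untrusted intermediate.crt example.crt \
    >/dev/null 2>&1
}

# leaf_alone_verifies: the same leaf without the intermediate does not
# validate; a server that ships only the leaf produces exactly this failure.
leaf_alone_verifies() {
  openssl verify -CAfile root.crt example.crt >/dev/null 2>&1
}

echo "certificates in example.pkcs12: $(count_certs example.pkcs12 changeit)"
```

The resulting example.pkcs12 is what Dropwizard's keyStorePath would point at, and it is the same shape of file the ActiveMQ answer imports into a Java keystore with keytool -importkeystore; on a running server, openssl s_client -connect host:443 should then list both the leaf and the intermediate under Certificate chain.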