What is the certutil syntax to add in a modifier like "ExtendedProperties" - modifier

I am trying to find out where to put the modifier "ExtendedProperties" in the certutil -p "abcd" -exportPFX.... What would the syntax look like?

You can check the certutil help for -exportPFX
C:\WINDOWS\system32>certutil -exportPFX -?
Usage:
CertUtil [Options] -exportPFX [CertificateStoreName] CertId PFXFile [Modifiers]
Export certificate and private key
CertificateStoreName -- Certificate store name. See -store.
CertId -- Certificate or CRL match token. See -store.
PFXFile -- exported PFX data output file
Modifiers -- Comma separated list of one or more of the following:
NoChain -- Do not export the certificate chain
NoRoot -- Do not export the root certificate
ExtendedProperties -- Include extended properties
NoEncryptCert -- Do not encrypt the certificates
EncryptCert -- Encrypt the certificates
ExportParameters -- Export Parameters
CryptoAlgorithm=AlgorithmString -- Cryptographic Algorithm
AlgorithmString Examples:
TripleDES-Sha1
Aes256-Sha256
Defaults to personal machine store.
Modifiers:
NoChain -- End Entity certificate only
NoRoot -- Exclude root certificate
CryptoAlgorithm= -- Cryptographic algorithm used to create a PFX file
ExtendedProperties
NoEncryptCert
EncryptCert
ExportParameters
Options:
-f -- Force overwrite
-Enterprise -- (-ent) Use local machine Enterprise registry certificate store
-user -- Use HKEY_CURRENT_USER keys or certificate store
-GroupPolicy -- (-gp) Use Group Policy certificate store
-Unicode -- Write redirected output in Unicode
-gmt -- Display times as GMT
-seconds -- Display times with seconds and milliseconds
-split -- Split embedded ASN.1 elements, and save to files
-v -- Verbose operation
-privatekey -- Display password and private key data
-pin PIN -- Smart Card PIN
-p Password -- Password
-ProtectTo SAMNameAndSIDList -- Comma separated SAM Name/SID List
-t Timeout -- URL fetch timeout in milliseconds
-sid WELL_KNOWN_SID_TYPE -- Numeric SID
22 -- Local System
23 -- Local Service
24 -- Network Service
CertUtil -? -- Display a verb list (command list)
CertUtil -exportPFX -? -- Display help text for the "exportPFX" verb
CertUtil -v -? -- Display all help text for all verbs

Related

Problem running an encrypted singularity container

I've created an encrypted singularity container using the PEM file encryption method (paragraph 3.3 of the documentation). But when I try to run it I get an error message :
FATAL: Invalid encryption private key: asn1: structure error: tags don't match (16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue: tag: stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey #2
Any hint on what goes wrong ?
Thank you,
Michal
I can think of two issues that could cause the error message: (1) the keypair should be generated with -m pem option to have the pem format and (2) the keypair should not have password protection I dont think it is supported by singularity at this point in time.
The issue lies in an OpenSSH update (version 7.8). Thats why some people have this problem and some don't.
To cite the release notes: write OpenSSH format private keys by default instead of using OpenSSL's PEM format
So the correct command to generate the keys should be ssh-keygen -t rsa -b 4096 -m pem -N "" -f ./rsa
By adding the -m pem you get the key in the correct format.
More here: https://github.com/hpcng/singularity/issues/6007

Is possible to configure OpenLDAP Crypt passwords without using a salt?

From the docs I got this config that works but use a salt,
password-hash {CRYPT}
password-crypt-salt-format "$6$%.16s"
and I need to store passwords in the LDAP directory that have been generated without salt encryption.
You had better to use another password storage scheme that does not do salting like {SHA} or {MD5} instead of {CRYPT} :
password-hash {SHA}
If using {CRYPT} is a requirement :
You can still provide a static salt (! bad, unsecure, nearly as if no salt !), just comply with the given format:
password-crypt-salt-format "$6$%.16s"
$6$ is the crypt identifier for the SHA512 schema, and we provide a 16-chars long salt :
~$ mkpasswd -m sha-512 --salt 'verybadseasoning' secret1
$6$verybadseasoning$Q2kceqwB2uYT2tU./QF.qRCIWjMQdObEAZ71Ni5Ko1zJOnxUwpu3oMeyjtgiR3hSVHIT20Ay9V1.pXaNhkHYk/
~$ mkpasswd -m sha-512 --salt 'verybadseasoning' secret2
$6$verybadseasoning$SHof1u2BCPJhYoVOk.LkWax7n5g28rzMkNCRAC5NmlT29GSeWLAlv2AoSkOS4rYfMUXsmTcyIxKDUU8aL7TlP0
Note that mkpasswd won't allow using an empty salt :
~$ mkpasswd -m sha-512 --salt '' secret
Wrong salt length: 0 bytes when 8 <= n <= 16 expected.
Or you can try to make crypt ignore the given/generated salt string whatever it is (by taking zero character from it) :
password-crypt-salt-format "$6$%.0s"
It tells crypt() to use a SHA512 algorithm, the %s being substituted with a string of zero characters of salt (%.0s). I can't tell if slapd makes the %s conversion mandatory or not, but setting just "$6$" without any substitution for salting may do the trick as it means the same (no salt), i.e :
~$ php -r 'print(crypt("secret", "$6$"));'
$6$$2M9DchxW4txWyTYoZrH9D3VvAAQxBpEezYsLY6Cao.jwzEXpyL9xwip9hiUZX7GqTqe/E/z6iKvZqXUuqniQH.
See slapd.conf(5)
Note that a lack of salt exposes your system to dictionary attacks.
You can simply import user entries with existing userPassword values without salt. The password verification will work provided the hash scheme is one supported by your local OpenLDAP installation.
The config directives password-hash and password-crypt-salt-format when setting new passwords.

How to install Zimbra certification?

I have this error when I want install a commercial SSL in Zimbra
Your certificate was not installed due to the error : system failure:
exception executing command: zmcertmgr verifycrtkey comm
/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_comm.key
/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt with
{RemoteManager: mail.mydomain.com->zimbra#mail.mydomain.com:22}
Use below script for SSL install in Zimbra.
#!/bin/bash -x
# SSL certificate installation in Zimbra
# with SSL certificate provided by Let's Encrypt (letsencrypt.org)
# Author: Subhash (serverkaka.com)
# Check if running as root
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
read -p 'letsencrypt_email [xx#xx.xx]: ' letsencrypt_email
read -p 'mail_server_url [xx.xx.xx]: ' mail_server_url
# Check All variable have a value
if [ -z $mail_server_url ] || [ -z $letsencrypt_email ]
then
echo run script again please insert all value. do not miss any value
else
# Installation start
# Stop the jetty or nginx service at Zimbra level
su - zimbra -c 'zmproxyctl stop'
su - zimbra -c 'zmmailboxdctl stop'
# Install git and letsencrypt
cd /opt/
apt-get install git
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
# Get SSL certificate
./letsencrypt-auto certonly --standalone --non-interactive --agree-tos --email $letsencrypt_email -d $mail_server_url --hsts
cd /etc/letsencrypt/live/$mail_server_url
cat <<EOF >>chain.pem
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
EOF
# Verify commercial certificate
mkdir /opt/zimbra/ssl/letsencrypt
cp /etc/letsencrypt/live/$mail_server_url/* /opt/zimbra/ssl/letsencrypt/
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
ls -la /opt/zimbra/ssl/letsencrypt/
su - zimbra -c 'cd /opt/zimbra/ssl/letsencrypt/ && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem'
# Deploy the new Let's Encrypt SSL certificate
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
sudo chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
su - zimbra -c 'cd /opt/zimbra/ssl/letsencrypt/ && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem'
# Restart Zimbra
su - zimbra -c 'zmcontrol restart'
# setting auto https redirect
cd /opt && touch https-redirect.sh && chown zimbra:zimbra https-redirect.sh && chmod +x https-redirect.sh
cat <<EOF >>/opt/https-redirect.sh
zmprov ms $mail_server_url zimbraReverseProxyMailMode redirect
EOF
su - zimbra -c '/opt/https-redirect.sh'
rm /opt/https-redirect.sh
fi
For more reference check this link: https://github.com/SubhashPatel/Install-Zimbra-mail-server-ubuntu/blob/master/configure-ssl-zimbra.sh
You should try using CLI to install SSL certificate for Zimbra. Also you need to verify that you have the same certificate which you have downloaded from the certificate authority.
For commercial.crt you need to copy one certificate downloaded from the authority. For commercial_ca.crt, there must be one CA bundle file, you will have from certificate authority.
Private key, you need to verify during generating your CSR and also verify with the hosting. After that restart the Zimbra by command
zmcontrol restart
finally i found the solution.
you shouldn't fill the subject alternative name when you want create csr!
thats all.
Every other year I spend hours on renewing the ssl certificates on zimbra with the help of hopeless outdated tutorials. A tedious process that I don't do often enough to remember how I did it. I learned the hard way that it is easier to use the admin console, than using CLI and messing around with concatinating the different certificates.
Hereby the steps that I take:
Please note that this is a walkthrough, dedicated to the
GoGetSSL Sectigo PositiveSSL Wildcard certificate, and may not work for other SSL providers.
Zimbra version: 8.8.15
We use the wildcard certificate on several servers, but we generate the CSR always(!) on the zimbra server. So go to admin console > Configure > Certificates, click the domain in the list and then in top right corner, choose install certificate. Choose the generate CSR option (second of the 3 options). Make sure that in the common name field you use the wildcard symbol: e.g.
*.example.com
Also check the checkbox that it concerns a wildcard common name
Fill out the rest of the info according to your situation. At the bottom, there's option to add other names; remove all of them (if any). Go to next page and download the CSR, finish the wizard.
on the GoGetSSL page create the new/renew the SSL certificate with the by Zimbra generated CSR. Finish up the entire process, including the validation. All the way up to that the certificate is issued and files can be downloaded. Choose to download the 'All files' zip file. extract on your local system.
browse to: https://www.gogetssl.com/wiki/intermediate-certificates/sectigo-intermediate-root-certificates/
On this page download the file: DV RSA Files > RSA DV Bundle with SHA-1 (TXT file)
go back to admin console > Configure > Certificates, click the domain in the list and then in top right corner, choose install certificate. This time you choose the 3rd option: install commercial signed certificate. First screen of the wizard shows the info you entered earlier for the CSR. The info may show up empty. For me this didn't give me any problems, so I left it. On the next screen: You have to upload 3 certificate files by default, but we need to upload 4, so we need to do Add Intermediate CA for the fourth file.
Choose files as follows:
Certificate: server certificate from the zip file: e.g. _example.com.crt
Root CA: RSA DV Bundle with SHA-1 (TXT file), from the link above
Intermediate CA: USERTrust_RSA_Certification_Authority.crt from zip file
(Added) Intermediate CA: AAA_Certificate_Services.crt
NOTE: I can't remember which Intermediate CA I chose first, so if any problems, try switching the last 2 mentioned files around.
Finish the wizard and test by sending and receiving email.
Then I take the certificates and update other servers with these certificates. (e.g. nginx, apache2, etc). Note: you may need to get the commercial.key file for use on other servers. On linux this file is located in: /opt/zimbra/ssl/zimbra/commercial/
If permission denied, you may use root account or do: sudo su - zimbra
I hope this helps for people struggling with the same certificate and zimbra

Curl and dialog popups

Is it possible to interact/bypass a dialog popup when running a curl command?
My example involves running a curl command within a jenkins build that is using a p.12 certificate for authentication.
curl -v -k -E dev_key.p12:password https://jira.dev.organisation.co.uk:443/rest/api/2/issue/MYSTATS-2213
So if I do this within my regular terminal I will get a popup first time round asking stating example wants to access key in your keychain with allow/always allow buttons after which I can make my curl requests uninterrupted. But for some reason when running the same command in a Jenkins pipeline I just get the error (which is the outcome if you press cancel on the popup)
SSL can't load the certificate and it's private key
Is there a way around this?
UPDATE
So I have found there is a --cacert option to pass through which I guess verifies the dev_key but when I export my ca certificate its a .crt file. is the right format?
For SSL (https), curl option -E expects a certificate in PEM format (not PKCS#12). From man page:
-E, --cert <certificate[:password]>
[...]
The certificate must be in PKCS#12 format if using Secure Transport, or
PEM format if using any other engine.
[...]

SSH fingerprint verification for Amazon AWS EC2 server with ECDSA?

When I create a new Amazon EC2 server, I connect to it using ssh as usual.
I see the typical warning:
$ ssh myserver
The authenticity of host 'ec2-12-34-567-890.compute-1.amazonaws.com (12.34.567.890)' can't be established.
ECDSA key fingerprint is 31:66:15:d2:19:41:2b:09:8a:8f:9f:bd:de:c6:ff:07.
Are you sure you want to continue connecting (yes/no)?
How do I verify the fingerprint before I sign in?
Ideally an answer is based on something besides the original creation console log -- because the log may get flushed out after a system restart, or during a large system installation script that generates a lot of output, or the connection is to an older system with keys that weren't tracked at creation time.
Amazon EC2 console now has a web-based terminal (which presumably guarantees secure connection). Go to Actions > Connect > EC2 Instance Connect > Connect on Instances page. In the terminal, use ssh-keygen command to display a fingerprint of any number of host keys algorithms. The following example shows SHA-256 and MD5 fingerprints of Ed25519 hostkey:
sudo ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key
sudo ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key -E md5
The previous answer, before the web-based terminal was introduced:
As #joelparkerhenderson's answer covers, you can collect host key fingerprint from server's initial start log, when host keys are generated (by the cloud-init script):
If you fail to collect the keys this way, you can get them by connecting to your target instance from another trusted instance within private Amazon network, thus keeping yourself safe from man-in-the-middle attacks.
When on the trusted instance (the one you know fingerprints for) terminal, you can use following commands to collect fingerprints (172.33.31.199 is the private IP):
$ ssh-keyscan 172.33.31.199 > ec2key
$ ssh-keygen -l -f ec2key
256 SHA256:oZHeiMEPLKetRgd3M5Itgwaqr2zJJH93EvSdx5UoHbQ <ip> (ED25519)
2048 SHA256:8zg105EUFFrPFpVzdfTGsgXnxuSpTiQd85k0uNapUio <ip> (RSA)
256 SHA256:L7UXLw0djE5B9W7ZhvrkYVSTZyi1MEQ2dBaRtpkkUGY <ip> (ECDSA)
If you do not have another instance, whose fingerprints you know, create new temporary instance, just for the purpose of collecting the keys. First find keys for the new temporary instance, using it's initial start log. Connect to the temporary instance from public network. Then collect keys of the target instance by connecting to it from the temporary instance, over private Amazon network. After that you can discard the temporary instance.
I have prepared Guide for connecting to EC2 instance safely using WinSCP.
Here are two solutions that worked for me during the creation of the EC2 system.
Solution 1: Use the Amazon EC2 dashboard
Go to https://console.aws.amazon.com
Tap "EC2" link.
Tap "Instances" in the left column
Tap the instance name you want
Tap the select button "Actions" and choose "Get System Log" (a.k.a. "Console Output")
In the console output, you should see the keys being generated
Solution 2: Use the AWS EC2 command line
You can use the aws command or ec2-get-console-output command. Both are available for download from Amazon.
To use your EC2 private key pem file, certificate pem file, region, and instance:
ec2-get-console-output \
--private-key pk-ABCDEF1234567890.pem \
--cert cert-ABCDEF1234567890.pem \
--region us-east-1c \
i-e706689a
The output shows the ssh host key fingerprints like this:
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 1024 e0:79:1e:ba:2e:3c:71:87:2c:f5:62:2b:0d:1b:6d:7b root#ip-10-243-118-182 (DSA)
ec2: 256 31:66:15:d2:19:41:2b:09:8a:8f:9f:bd:de:c6:ff:07 root#ip-10-243-118-182 (ECDSA)
ec2: 2048 ce:ec:3b:d3:34:3f:f3:45:76:81:9e:76:7a:d9:f5:e8 root#ip-10-243-118-182 (RSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
The aws tool works similarly.
Note: these solutions only work during creation time, or when you can get the console logs. For a broader solution that works any time, see Martin's answer.