When I try to generate a key from a pfx certificate file, it creates an empty file
openssl pkcs12 -in test.pfx -nocerts -out test.key -nodes
I executed the command on git bash, Windows server 2019. The command seems to run without stoping because I can't type.
Thanks
Related
I needed to create a jave keystore and so I downloaded the latest version of openssl but kept getting:
keytool error: java.io.IOException: keystore password was incorrect
As well as windows telling me I had the wrong password if I tried to import the .p12. After hours of trying to get things to work I finally downloaded v1.1.1 and POW things just worked!
Problem solved! but why - why does OpenSSL v3.0.0 not work like v1.1.1?
C:\openssl3> openssl pkcs12 -export -name tomcat -in cert.cer -inkey key -out ks300.p12
C:\openssl3> openssl pkcs12 -info -in ks300.p12
Enter Import Password:
<works fine>
...
</works fine>
C:\openssl3> keytool -list -v -keystore ks300.p12
Enter keystore password:
keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
...
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
... 6 more
then:
C:\openssl1.1.1> openssl pkcs12 -export -name tomcat -in cert.cer -inkey key -out ks111.p12
C:\openssl1.1.1> openssl pkcs12 -info -in ks111.p12
<works fine />
C:\openssl1.1.1> keytool -list -v -keystore ks111.p12
Enter keystore password:
<works fine />
C:\openssl1.1.1> C:\openssl3\openssl pkcs12 -info -in ks111.p12
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Error outputting keys and certificates
5C200000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:346:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
C:\openssl1.1.1>openssl pkcs12 -info -in ks300.p12
<works fine>
Now that last one surprised me as I was collecting the output for this post, but yes the openssl1.1.1 read the openssl3 .p12 file fine but not the other way (openssl3 cannot read the openssl1.1.1 .p12). The keytool and windows kept complaining about the password for the openssl3 .p12 -- but COULD read the v1.1.1 one.
Is there some downward compatibility option I missed.
I seem to be the only person on the internet to run into this issue which usually means that I did something wrong.
some other data points:
C:\> Java --version
openjdk 11.0.2 2019-01-15
OpenJDK Runtime Environment 18.9 (build 11.0.2+9)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.2+9, mixed mode)
C:\openssl3>openssl version
OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
C:\openssl1.1.1>openssl version
OpenSSL 1.1.1l 24 Aug 2021
I am trying to generate self signed certificates using openSSL as part of internal feature testing. The intention is to have new certs (short lived) generated for every round of testing.
For the build procedure I have added custom targets to my CMakeLists.txt like so:
add_custom_target(ca_rsa
COMMAND mkdir -p ${INSTALL_LOCATION}/security_context/ca/cert
COMMAND mkdir -p ${INSTALL_LOCATION}/security_context/ca/private
COMMAND ${OPENSSL} req -nodes -x509 -days 30 -text -sha256 -newkey
rsa:2048 -keyout ${INSTALL_LOCATION}/security_context/ca/private/rsa_key.pem
-out ${INSTALL_LOCATION}/security_context/ca/cert/rsa_cert.pem
-config ./openssl_rsa.cnf)
ca_rsa is added as a dependency for the target executable for the project.
When I run the build I get the following error :
/bin/sh: req not found
recipe for target ca_rsa failed
I tried running the command by itself and it works fine.
Edit:
${OPENSSL} is set as follows:
set(OPENSSL ${OPENSSL_INSTALL_LOCATION}/bin/openssl)
I have to install a certificates on my server, but they only gave me a .cer file. I search on some forums, but I don't find anything to install it, just for .crt files...
How could I install it ?
Thanks a lot
You must first convert the cer file into a crt file.
openssl x509 -inform DER -in <fullfilepath>/certificate.cer -out certificate.crt
Then to install do the following:
sudo mkdir /usr/local/share/ca-certificates/my-custom-ca
sudo cp certificate.crt /usr/local/share/ca-certificates/my-custom-ca
sudo update-ca-certificates
You can find the full installation procedure here.
.cer certificate is a Microsoft specific format. You can try to convert from .cer into .crt before installation following such a guide in the answer provided here: convert_cer_to_crt
I have LEMP and I'm trying to install PureFTPd and Quota. When I enter the following command:
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 \
-keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
I have error:
WARNING: can't open config file: /usr/lib/ssl/openssl.cnf
Unable to load config info from /usr/lib/ssl/openssl.cnf
I have this file:
find / -name openssl.cnf
/usr/lib/ssl/openssl.cnf
/etc/ssh/ssl/openssl.cnf
How can I fix this issue?
Ubuntu places openssl.cnf for the OpenSSL here
/usr/lib/ssl/openssl.cnf
/usr/lib/ssl/openssl.cnf will be used when you issue:
openssl s_client -connect example.com:443 -tls1 -example.com localhost
The documentation says The signature is a PKCS #7 detached signature of the manifest file but how does one do that with openssl?
For Passbook I found these commands:
openssl pkcs12 -passin pass:test -in ./Certificates.p12 -clcerts -nokeys -out ./certificate.pem
openssl pkcs12 -passin pass:test -in ./Certificates.p12 -nocerts -out ./key.pem
openssl smime -passin pass:test -binary -sign -signer ./certificate.pem -inkey ./key.pem -in ./pushPackage.raw/manifest.json -out ./pushPackage.raw/signature xs-outform DER
Also tried with the WWDR certificate:
openssl smime -passin pass:test -binary -sign -certfile ~/Downloads/AppleWWDRCA.cer -signer ./certificate.pem -inkey ./key.pem -in ./pushPackage.raw/manifest.json -out ./pushPackage.raw/signature xs-outform DER
And zip it with:
zip -r ../example.zip . -x '*.DS_Store'
But I still get "Signature verification of push package failed".
I've also encounter such problem. After trying, I figured out the different openssl version will result in different size of signature for the same manifest file.
Originally, I was using openssl 1.0.2, 1.0.3 but with no luck, but after I downgrade my openssl version to 0.9.8zf 19 Mar 2015 then everything works fine, and my safari can recognize the push package (my safari version is 8.0.7 (10600.7.12), MAC OS: 10.10.4(14E46))
my openssl command is:
openssl smime -sign -in manifest.json -out signature -signer push.pem -certfile AppleWWDRCA.pem -binary -inkey push.key -outform der