I have _client-cert.pem and client-key.pem and ca.pem files which I am trying to add to my grails project.
I used following commands :
Convert client keys/certificate files to PKCS#12 before creating a keystore
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem \
-name “mysqlclient” -passout pass:mypassword -out client-keystore.p12
Create a Java Keystore using the client-keystore.p12 file
keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 \
-srcstorepass mypassword -destkeystore keystore -deststoretype JKS -deststorepass mypassword
Then Modified my application.yml file with that path :
enabled: true
key-store: /..../proxreg
key-store-password:kjsfghsfjlhgl
keyStoreType: pkcs12
keyAlias: tomcat
I was wondering if I am missing any step or what am I doing wrong. I am getting access denied error but when I try to connect thro mysql wokbench it works
You can generate a self-signed certificate using the openssl command-line utility.
We can use openssl's req command to create a self-signed certificate:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
Above will prompt you to supply metadata about the certificate, such as Country, Organization, etc. Moreover, it will ask you to provide a PEM pass phrase. Enter a random password and keep it safe; we will need in the next step.
Now you have you self-signed certificate. Unfortunately Grails (and Spring Boot) doesn’t support the PEM format directly. Instead, we need to use the PKCS12 format for our keys. Fortunately, there is another openssl command to make the conversion:
openssl pkcs12 -export -in cert.pem -inkey key.pem -out keystore.p12 -name tomcat -caname root
Update grails-app/conf/application.yml with the following lines:
server:
port: 8443
ssl:
keyStore: /certificates/keystore.p12
keyStorePassword: secret
# keyAlias: tomcat
Above all worked fine with me. for more information please refer this and this
Hope this will help you.
Related
I have create .pem file from .cert file using the below line in openssl.exe :
OpenSSL> x509 -inform der -in C:\Certificate\Binary_Certificate_245568.cer -out C:\Certificate\Binary_Cert.pem
It worked without any issues.
Then when I try to generate the pfx file from .cert and .pem file using the following statement I get error:
OpenSSL> pkcs12 -inkey C:\Certificate\Binary_Cert.pem -in C:\Certificate\Binary_Certificate_245568.cer -export -out C:\Certificate\SGS_VS_CERT.pfx
unable to load private key
34359836736:error:08064066:object identifier routines:OBJ_create:oid exists:crypto/objects/obj_dat.c:698:
34359836736:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:
error in pkcs12
Can anyone please advise what I am doing wrong as I need to generate .pfx file. Thanks
You can follow steps given below in order to create .pfx certificate by combining the external CA issued server(.cer), intermediate(.cer) and root(.cer) certificates into one file (.pfx) on redhat linux server using openssl tool :
A) To run below command for generating the CSR in linux using openssl tool -
[user#machine]$ openssl req -new -nodes -newkeys rsa:2048 -keyout myapp.mydomain.com.key -out myapp.mydomain.com.csr -sha256
Note : -nodes means 'NOT TO USE DES ALOGORITHM' and create multiple backup of this key file, which will be used again during certificate renewal.
B) To generate .pfx ( certificate chain sequence to be SERVER-CER --> INTERMEDIATE-CERT --> ROOT-CERT ) in linux using openssl.
SERVER-CERT myapp.mydomain.com.cer
INTERMEDIATE-CERT myintermediatecert.com.cer
ROOT-CERT myrootcert.cer
KEY FILE myapp.mydomain.com.key
STEP 1 - To combine all certificates in one pem certificate(myapp.mydomain.pem) using command 'cat' in redhat.
[user#machine]$ cat myapp.mydomain.com.cer myintermediatecert.com.cer myrootcert.cer > myapp.mydomain.com.pem (output pem cert)
STEP 2 - To convert PEM to PFX by importing the private key with password configured.
[user#machine]$ openssl pkcs12 -export -out myapp.mydomain.com.pfx -inkey myapp.mydomain.com.key -in myapp.mydomain.com.pem
Note : you will get an option to set the password to output .pfx file.
STEP 3 : To verify .pfx file using openssl by entering the password.
[user#machine]$ openssl pkcs12 -in myapp.mydomain.com.pfx -info
i am trying to deploy my node-RED environment using CA certificate.
i have created the pem files using .p12 file by executing below commands
– openssl pkcs12 -in test.p12 -passin pass:Password -out keyfile.pem -nodes
– openssl pkcs12 -in test.p12 -passin pass:Password -out crtfile.pem -nodes
then i have uncommented the https code from settings.js file of node red
https: {
key: require("fs").readFileSync('keyfile.pem'),
cert: require("fs").readFileSync('crtfile.pem')
}
i have used default http node and made the following configuration to the tls config
when i deploy the node i get the following error
"Error: unable to verify the first certificate"
what am i missing here?
Remove the changes you made to the settings.js. That section is only for if you want to have Node-RED serve the editor via TLS.
Next your openssl commands to export the user'sprivate key and certificate should probably be more like
openssl pkcs12 -in test.p12 -out keyfile.pem -passin pass:Password -nocerts
openssl pkcs12 -in test.p12 -out crtfile.crt -passin pass:Password -nokeys -clcert
You should also export the include CA chain with
openssl pkcs12 -in test.p12 -out ca.crt -passin pass:Password -cacerts -nokeys
You then need to add the ca.crt file to the HTTP node's TLS config.
I have a basic nginx home server setup which i use Client certificates to allow outside access. I have followed this guide to get everything setup which works as expected:
https://gist.github.com/rkaramandi/20a04a41536f3d7e6d2f26b0b9605ab6
in summary:
openssl genrsa -aes256 -out ca.privkey 4096
openssl req -new -x509 -days 365 -key ca.privkey -out ca.crt
openssl genrsa -aes256 -out bobs-ipad.privkey 4096
openssl req -new -out bobs-ipad.csr -key bobs-ipad.privkey
openssl x509 -req -days 365 -in bobs-ipad.csr -CA ca.crt -CAkey ca.privkey -set_serial 100 -out bobs-ipad.crt
openssl pkcs12 -export -clcerts -in bobs-ipad.crt -inkey bobs-ipad.privkey -out bobs-ipad.p12
Also openssl pkcs12 -in bobs-ipad.p12 -out bobs-ipad.pem -nodes to generate a pem file as well.
And in nginx config:
ssl_client_certificate <path>/ca.crt;
# ssl_crl <path>/ca.crl;
ssl_verify_client optional;
...
location / {
if ($ssl_client_verify != SUCCESS) {
return 403;
}
I am able to access the server from outside and only signed certificates on the client machine allow access.
However if one of the signed certificates were to be compromised i'd have to re-generate the CA and re-distribute the new signed client certificates. I understand that a CRL file can be used to revoke certificates using ssl_crl <path to crl>; in the nginx config but i am not sure to generate this using the guide i followed.
A command like this can be used openssl ca -gencrl -keyfile ca.privkey -cert ca.crt -out ca.crl
But this relies on a configuration file with an index of the certificates i believe?
Is there anyway of using a command like the above to input a (or list of) pem or p12 client certificate(s) -in bobs-ipad.pem that i want to revoke?
If not perhaps i need to start again and have a config with index file to then -revoke the certificates and re-generate the crl file.
Thanks in advance,
Richard
It doesn't seem like this is possible. I have found some other guides to get this working with a configuration file (and generating a new CA): https://arcweb.co/securing-websites-nginx-and-client-side-certificate-authentication-linux/
https://www.djouxtech.net/posts/nginx-client-certificate-authentication/
This is a little bit of an unusual situation. I have a CentOS 7 server running tomcat 7 and I need to install a new SSL cert for it. I don't have control over the domain so the cert generated for me was given to me by the parent company and it's for a start cert (*.domain.com). Even though I sent them a csr, they ignored it and made a new one for me. The package they sent has a csr file, key, two formats of the cert (crt and p7s), and an intermediary pem.
I'm trying to create a new keystore using these files and am having difficulty doing it. I found this site https://makandracards.com/jan0sch/24553-import-private-key-and-certificate-into-java-keystore and have tried:
openssl pkcs12 -export -in my.crt -inkey my.key -chain -CAfile my-ca-file.crt -name "my-domain.com" -out my.p12
I changed the CAfile to use the pem file supplied, but I get "unable to load certificates"
Anyone have any ideas?
EDIT:
I used this to make the p12 and then import it in the keystore but I don't know how to include the intermediate cert.
openssl pkcs12 -export -in my.crt -inkey myh.key -certfile my.crt -name "tomcat" -out keystore.p12
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore -deststoretype JKS
EDIT2:
I'm trying this command to get a pfx file and then
EDIT3:
My intermediate cert had a bunch of spaces preceding the "-----BEGIN CERTIFICATE-----" which was causing an error.
Looks like all I had to do was this:
openssl pkcs12 -export -in my.crt -inkey myh.key -certfile intermediary.pem -name "tomcat" -out keystore.p12
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore -deststoretype JKS
Didn't even need to put in the intermediate cert.
We are try to set up the shield SSL in local machine.
Elasticsearch version : 2.2.1
Kibana version : 4.4.1
Shield version : Latest version
We generated self signed crt, key, pem file as below:
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
openssl req -out CSR.csr -key privateKey.key -new
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
openssl x509 -in certificate.crt -out certificate.pem
keytool -importcert -keystore node01.jks -file certificate.pem -alias my_ca
keytool -certreq -alias node01 -keystore node01.jks -file CSR.csr -keyalg rsa -ext san=dns:XXX.com,ip:XXXX.xxxx.xxx
keytool -importcert -keystore node01.jks -file Certificate-signed.crt -alias node01
openssl x509 -in Certificate-signed.crt -out node01-signed-noheaders.crt
and added in shield configuration.
Shield configuration:
shield.http.ssl: true
shield.transport.ssl: true
shield.ssl.keystore.key_password: XXXXX
shield.ssl.keystore.password: XXXX
shield.ssl.keystore.path: /es/config/shield/node01.jks
network.host: XX.XX.XX.XX
Kibana configuration:
elasticsearch.url: "https://XXXXX:9200"
elasticsearch.username: "username"
elasticsearch.password: "password"
elasticsearch.ssl.cert: /XXX/XXX/XXX/elasticsearchtls.crt
elasticsearch.ssl.key: /XXX/XXX/XXX/elasticsearchtls.key
elasticsearch.ssl.ca: /XXX/XXX/XXX/elasticsearch.pem
elasticsearch.ssl.verify: true
So when run the kibana the below error is displayed in elasticsearch log:
log [12:24:25.512] [error][elasticsearch] Request error, retrying -- self signed certificate
log [12:24:25.622] [warning][elasticsearch] Unable to revive connection: https://XXXX:9200/
log [12:24:25.624] [warning][elasticsearch] No living connections
log [12:24:25.627] [error][status][plugin:elasticsearch] Status changed from yellow to red - Unable to connect to Elasticsearch at https://XXXXXX:9200.
After that when I change the elasticsearch.ssl.verify: false Kibana is working fine, but showing some error in elasticsearch log:
ElasticsearchSecurityException[missing authentication token for REST request [/_mget?timeout=0&ignore_unavailable=true&preference=1461307913497]]
In elastic client also the same issue is coming. When we use rejectUnauthorized: true then client is not connecting to elasticsearch.
My questions are:
is the self signed certificate working in Elasticsearch, Kibana or not?
do we have to buy a commercial CA certificate?
are we missing anything?
You are using unnecessary steps when generating and importing the key. Also the certificate you are generating is not signed by the CA and hence it will never be trusted
Unless you have a large deployment I would just use a selfsigned certificate, rather than a certificate signed by a selfsigned CA.
1) Generate a selfsigned certificate with SAN extensions as indicated here How can I generate a self-signed certificate with SubjectAltName using OpenSSL?
2) Merge the key and certificate in a PKCS12 container and import it to the a java keystore as explained here importing an existing x509 certificate and private key in Java keystore to use in ssl