In all docs, it is mentioned to add .crt and .key to traefik.toml.
In my case, I just have a .p12 file, it is possible to use a .p12 with traefik?
Let me start with differences between formats. Thanks to #sysadmin1138 for great explanation.
PEM - Governed by RFCs, its used preferentially by open-source
software. It can have a variety of extensions (.pem, .key, .cer,
.cert, more)
DER -
The parent format of PEM. It's useful to think of it as a binary
version of the base64-encoded PEM file. Not routinely used very much
outside of Windows.
.pkcs12 .pfx .p12 - Originally defined by RSA in the Public-Key
Cryptography Standards (abbreviated PKCS), the "12" variant was
originally enhanced by Microsoft, and later submitted as RFC 7292.
This is a passworded container format that contains both public and
private certificate pairs. Unlike .pem files, this container is fully
encrypted.
The main info about .p12 - it is fully encrypted and passworded container.
Take a quick look into traefik certificate.go
Package tls use only crypto/tls and crypto/x509.
package tls
import (
"crypto/tls"
"crypto/x509"
...
)
Look at crypto/x509: reading certificates from PKCS12 files github issue:
There was a try to add PKCS12 cert support into crypto/x509 but in the end it was not implemented.
As it was mentioned in comments, right way is to convert .p12.
Here is example hot to achieve it (thank to #mulaz):
openssl pkcs12 -in filename.pfx -nocerts -out filename.key
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out filename.crt
And a source of the same: Tips : Using openssl to extract private key ( .pem file) from .pfx (Personal Information Exchange)
Hope it helps!
Related
I'm having problems understanding the difference between files produced by openssl and how to detect them.
For example I'm trying to generate Self-signed cert with private key and generate JKS file from p12
format. I'm googling like a madman but I still don't know how to generate it correctly to be able to use following commands.
openssl pkcs12 -export -in user.pem -inkey user.key -certfile user.pem -out testkeystore.p12
keytool -importkeystore -srckeystore testkeystore.p12 -srcstoretype pkcs12 -destkeystore wso2carbon.jks -deststoretype JKS
Source: https://www.ibm.com/support/pages/how-generate-jks-keystore-existing-private-key
I found a couple of different commands to generate Self-signed cert and private key but I don't know how to map resulting files to the commands above and whats worse I don't understand what those commands do.
I mean I see what files they generate and understand that certificate and private key used to sign it ( or maybe the other way around :| ) but what is the difference between those commands and is cert.pem === certificate.crt - Those file extensions are driving me crazy.
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
This is yet another situation where I'm having similar issues with the openssl command. At this point I'm even ready to read some RFC ( I hope it won't come to this :) )
Thanks in advance for help
Those file names represent different parts of the key generation and verification process. Please note that the names are just convention, you could just as easily call the files pepperoni.pizza and the content will be the same, so do be conscious of how you use the filenames.
A brief primer on PKI - Keys come in two halves, a public key and a private key. The public key can be distributed publicly and widely, and you can use it to verify, but not replicate, information generated using the private key. The private key must be kept secret.
.key files are generally the private key, used by the server to encrypt and package data for verification by clients.
.pem files are generally the public key, used by the client to verify and decrypt data sent by servers. PEM files could also be encoded private keys, so check the content if you're not sure.
.p12 files have both halves of the key embedded, so that administrators can easily manage halves of keys.
.cert or .crt files are the signed certificates -- basically the "magic" that allows certain sites to be marked as trustworthy by a third party.
.csr is a certificate signing request, a challenge used by a trusted third party to verify the ownership of a keypair without having direct access to the private key (this is what allows end users, who have no direct knowledge of your website, confident that the certificate is valid). In the self-signed scenario you will use the certificate signing request with your own private key to verify your private key (thus self-signed). Depending on your specific application, this might not be needed. (needed for web servers or RPC servers, but not much else).
A JKS keystore is a native file format for Java to store and manage some or all of the components above, and keep a database of related capabilities that are allowed or rejected for each key.
The commands you list look fine to me, and I don't see a question beyond asking what the different files are for. If you need more information, please enrich your question.
.key is the private key. This is accessible the key owner and no one else.
.csr is the certificate request. This is a request for a certificate authority to sign the key. (The key itself is not included.)
.crt is the certificate produced by the certificate authority that verifies the authenticity of the key. (The key itself is not included.) This is given to other parties, e.g. HTTPS client.
.pem is a text-based container using base-64 encoding. It could be any of the above files.
-----BEGIN EXAMPLE-----
...
-----END EXAMPLE-----
.p12 is a PKCS12 file, which is a container format usually used to combine the private key and certificate.
There isn't only one extension. For example you may see certificates with either the .crt or a .pem extension.
Just to add more info: .der, another (binary) encoding (either public or private key, or csr)
I have the following files:
filename.key (RSA PRIVATE KEY)
filename.pem (CERTIFICATE REQUEST)
certificate.cer (CERTIFICATE)
CertificateChain.p7b
I have received these files from the CA including the certificate chain.
I need to generate 'keystore.p12' to configure SSL for spring boot application with the following information.
server:
port: 443
ssl:
key-store: keystore.p12
key-store-password: <your-password>
keyStoreType: PKCS12
keyAlias: <my alias>
Can anyone please help me to generate the 'keystore.p12'?
File extensions do not actually control the format or contents a file, although usually they should provide at least partial description. Similarly basenames (before the extension) should describe what is in the file, but do not always do so correctly. What matters is what is in the files.
.key is usually used for a lone privatekey, but look at it to make sure, and also to determine what format it is in because there are many. You should never get your privatekey from a CA; it should be generated locally, usually on the machine where it will be used and at least by the 'owner' or admin of that machine. There might be a sort-of exception if you are talking about a CA internal to a company, organization, agency, or office -- in that case the person running the CA may be the same person who is responsible for security on all the machines -- or vice versa, depending on your perspective -- and it may make sense for them to generate both the key and the cert.
.pem is used for lots of things in PEM format, and what the contents of that file is (or are) matters more than the fact of it being PEM. Look at the first line -----BEGIN (somewords)----- and see what the word(s) is(are). That should be followed either immediately or after a few header lines by data in base64 (a solid block of letters, digits, and the special characters + / =), then a matching -----END (somewords)----- line. If the END line is followed by a another similar block, or several, look at all of them.
.cer is commonly used for certificates in either 'DER' (binary) or 'PEM' (as above) format. .p7b is similarly used for 'dummy' PKCS7 messages containing certificates -- especially certificates used in a chain -- in either DER or PEM. More significantly, p7b is sometimes used for the whole chain including the end-entity (server) cert, and sometimes the rest of the chain excluding the EE cert, and it matters which. If you have OpenSSL -- or can get it (e.g. by installing a package, or for Windows I recommend the installer from http://www.slproweb.com/products/Win32OpenSSL.html ) or can move your data to a machine that has it -- then do:
# if the p7b file is in PEM format (you can see ----BEGIN PKCS7----- line)
openssl pkcs7 -in file.p7b -print_certs
# if the p7b file is in DER format (looks like garbage in a text editor or display)
openssl pkcs7 -in file.p7b -inform der -print_certs
# for now look only at the subject= and issuer= lines to see
# for each cert in the file who it is for, and if/how they chain
Then:
if the .key file is a privatekey in one of the PEM formats supported by OpenSSL you can use that; else if .key is a privatekey in some other format, or .pem is or includes a privatekey in some format, you'll need to convert and/or extract it: tell us more about what those files look like.
if the .p7b file is in PEM or DER format, put its expanded output (from above) in a file. If this includes the EE cert skip the next step.
if the .p7b file does not include the EE cert, but the .cer file is that cert, if in PEM format just append it to the file containing the .p7b output; if in DER format convert it with openssl x509 -in file.cer -inform der and append that.
if you now have the privatekey in one of the PEM formats supported by OpenSSL, and the cert chain including the EE cert in PEM format, do
openssl pkcs12 -export -in chain.pem -inkey key.pem -out newfile.p12 [-name x]
# the -name option provides the 'alias' used by Java
# if not specified it defaults to the numeral 1 (one)
I've been using a certificate that's stored on the server in a myserver.pfx file.
However, behavior is not the same in all browsers and some complain on account of, I think, a missing 'intermediate' certificate.
I've downloaded the intermediate certificate from Gandi: GandiStandardSSLCA.pem
Now, my question is, how can I add that intermediate certificate into the pfx file?
Although the server is windows, I'm trying to use openssl on a linux machine to manipulate the certificates, just because that's where I have openssl available. I'm assuming this doesn't matter.
One thing I've tried, is to use openssl to export myserver.pfx to myserver.pem, a text file. Then, with a text editor, I've added the text of GandiStandardSSLCA.pem to myserver.pem in hopes of then converting back to pfx format. However, I couldn't get openssl to do that conversion back to pfx.
Is this possible? If so, at the text editing stage, does it matter if the intermediate certificate text goes at the beginning or the end? Also, would I need to manufacture 'Bag Attributes' somehow?
Or, is the whole operation done in one line with openssl?
The .pfx file can be prepared by exporting the intermediate certificate .pem file with the below command example.
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt
Reference:
https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/
I already have purchased SSL certificate and i have received certificate and a .pem file as a private key? from the supplier; now i need to convert this .pem key into .key for bitnami Redmine Apache web server in order to make it work.
How do I go about doing this what what program or commands to do this? I am a newbie in terms of using Openssl etc to do this.
Any advice would be much appreciated!
Thank you.
I assume you want the DER encoded version of your PEM private key.
openssl rsa -outform der -in private.pem -out private.key
openssl rsa -in privkey.pem -out private.key does the job.
openssl x509 -outform der -in your-cert.pem -out your-cert.crt
CA's don't ask for your private keys! They only asks for CSR to issue a certificate for you.
If they have your private key, it's possible that your SSL certificate will be compromised and end up being revoked.
Your .key file is generated during CSR generation and, most probably, it's somewhere on your PC where you generated the CSR.
That's why private key is called "Private" - because nobody can have that file except you.
If you're looking for a file to use in httpd-ssl.conf as a value for SSLCertificateKeyFile, a PEM file should work just fine.
See this SO question/answer for more details on the SSL options in that file.
Why is SSLCertificateKeyFile needed for Apache?
just as a .crt file is in .pem format, a .key file is also stored in .pem format. Assuming that the cert is the only thing in the .crt file (there may be root certs in there), you can just change the name to .pem. The same goes for a .key file. Which means of course that you can rename the .pem file to .key.
Which makes gtrig's answer the correct one. I just thought I'd explain why.
I'm am trying to create a very simple WCF client application which will send SOAP messages to a 3rd party service. All the messages must be digitally signed. It's really a proof of concept before I add the code to a larger application.
I have a .cer file containing the certificate and a .pem file containing the private key. What I have been trying to do is load the certificate using the .cer file then fire off a message. But I get the following error "The private key is not present in the X.509 certificate".
The problem, well one of the problems, is that I really know almost nothing about WCF, digital certificates, private keys and all that guff. I've done some reading, I've Googled till I'm blue in the face and I've not got anywhere.
If I open the .cert file there is a section labelled "BEGIN ENCRYPTED PRIVATE KEY" which suggests that the private key is included in the certificate. So, why am I getting a message saying that it is not present? Also, if the private key does need to be added to the certificate how do I do it?
Here basically what I'm doing. It's not my actual code, but it includes all the relevant stuff:
MyWSClient c = new MyWSClient();
c.ClientCredentials.ClientCertificate.Certificate = new X509Certificate2(#"pathToFile.cer");
c.SomeValidCall();
How are you creating this cert / key pair? You can combine them into a PKCS#12 certificate using openssl:
openssl pkcs12 -export -in yourcert.crt -inkey yourprivkey.key -out newcert.p12
You may need to play with the input format to get it to work with a .pem private key.
My colleague has found a solution. I don't know why but using a .der file rather than a .cer file solves the problem. This is the command he used to generate the .der file using a certificate, private key and root certificate as.pem files:
openssl pkcs12 -export -in cert.pem -inkey private_key.pem -certfile root_cert.cer -out pkcs12.der