How to create a client-side SSL certificate? - ssl-certificate

Sorry, I am pretty much a noob with digital certificates.
Basically there is a website which, every time I reach it as https://ip/, throws me an error saying: Certificate Error: Sorry but you need to provide a client certificate to continue. While doing my research I found this article: https://medium.com/#sevcsik/authentication-using-https-client-certificates-3c9d270e8326
Since I don't have access to the website's CA, I assume I only have the option of bob to make the site respond to me as a trusted user.
So I did below:
$ openssl req -newkey rsa:4096 -keyout bob_key.pem -out bob_csr.pem -nodes -days 365 -subj "/CN=Alice"
$ openssl x509 -req -in bob_csr.pem -signkey bob_key.pem -out bob_cert.pem -days 365
$ openssl pkcs12 -export -in bob_cert.pem -inkey bob_key.pem -out bob.p12
Enter Export Password: 1234
$ curl --insecure --cert bob.p12 --cert-type p12 https://IP/
I also tried: curl --insecure --cert bob.p12:1234 --cert-type p12 https://IP/
But I am still getting the error from the site asking me to provide a client certificate to continue.
Any help? I am in a kali-linux env.

Related

how to add an openssl created certificate to trusted certificates

I used openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365 to generate a cert.pem and key.pem and it executed correctly. Now what I want to know is how I can add the openssl-generated certificate to the trusted certificates so that I don't get greeted with the "Your connection isn't private" page before loading my Flask https site. Any help is appreciated.
EDIT: OS - Windows. I am trying to add the OpenSSL generated certificate to Trusted Root Certification Authorities inside the Microsoft Management console (MMC)
Depending on the browser, you need to run certutil with a specific DB location:
chromium-based (most) -d sql:$HOME/.pki/nssdb
firefox -d %userprofile%\Application Data\Mozilla\Firefox\Profiles\%randomalphanum%.default\cert8.db

How to verify the client certificate during the tls handshake

I made a TLS server with the commands below, which will request that the connecting client provide a client certificate. I also simulated a client with the openssl command line which provides a client certificate. But it seems that the server didn't check whether the client certificate is exactly the one we want. Do you know how to make the server do the check?
For the server:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -key key.pem -cert cert.pem -accept 44330 -Verify 0
For the client:
openssl req -x509 -newkey rsa:2048 -keyout clientkey.pem -out clientcert.pem -days 365 -nodes
openssl s_client -connect 127.0.0.1:44330 -cert clientcert.pem -key clientkey.pem
... check if the client certificate is what exactly we want or not
You do not specify what you want from the client certificate; that's why it cannot check it. If you want the client certificate to be signed by a specific CA, use the -CAfile option as documented:
-CAfile infile
A file containing trusted certificates to use during client authentication and to use when attempting to build the server certificate chain. The list is also used in the list of acceptable client CAs passed to the client when a certificate is requested.
Thus, if you want to make sure that the client certificate is the self-signed certificate you issued (or some other certificate signed by this), use:
openssl s_server -key key.pem -cert cert.pem -accept 44330 -Verify 0 \
-CAfile clientcert.pem

How to create root certificate authority using CLI? [OSX]

Hello, I am trying to create a root certificate authority for my own MITM proxy. Based on another tutorial I have used the following commands.
Generate a private key
openssl genrsa -out cert.key 2048
Generate a certificate
openssl req -new -nodes -x509 -key cert.key -days 365 -out cert.crt
Now the problem is that when I try to add it to Keychain it shows Self Signed Root CA. What I have found is that other MITM proxies like Proxyman generate a cert that shows Root Certificate Authority. Here is a screenshot which illustrates my point.
I know I can make a certificate that shows Root Certificate Authority from Keychain Access > Certificate Assistant > Create a Certificate Authority.
However, my goal is to create the certificate programmatically so I can generate certificates for other users easily.
Thanks
After several searches I found that the following command works. I don't know why it works; an explanation would be helpful.
openssl req -x509 -new -nodes -key cert.key -subj "/CN=HELLO" -days 3650 -reqexts v3_req -extensions v3_ca -out ca.crt -config /usr/local/etc/openssl/openssl.cnf
It seems adding something related to v3_req fixes the issue.
Be sure to use the latest version of openssl. I used Homebrew to install openssl.

Client certificates after CA renewal

I have a root CA that was used to generate both server and client certificates in a currently working system.
It will soon reach its expiration date, and I have been trying to renew it without changing any server or client certificate, but I have failed so far.
To renew the CA, I have used:
openssl req -new -key ca.key -out newcsr.csr
openssl x509 -req -days 3650 -in newcsr.csr -signkey ca.key -out newca.pem
Then I replaced my old CA certificate with newca.pem.
I expected that to be enough for it to work, but unfortunately it does not.
When trying to send a request with cURL using my old client certificates (which have not expired), I get this error message:
curl --cert clientcrt.pem --key clientkey.pem https://myserver/
(35) Peer does not recognize and trust the CA that issued your certificate
(the same request with the old CA does work, since it is not yet expired)
What are the steps that I missed?
Or do you have any clue of causes of error that I may look for?
If it can be useful to anyone, I finally resolved this problem by setting the serial of my new CA to the same value as the serial of the old CA:
openssl req -new -x509 -days 3650 -key ca.key -set_serial <oldserial> -out newca.pem
With that, my client certificates are successfully validated by my CA.
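The script below is an added demonstration (not code from any of the posts above) that ties several of these threads together: it builds a root CA with the v3_ca-style extensions the OSX question needed, issues a client certificate from it and checks it the way s_server -CAfile does (so a self-signed certificate no CA issued, as in the first question, is rejected), and then renews the CA with the same key, subject and serial, showing why the serial had to be kept and what breaks when it is not. It assumes openssl is on PATH and a temp directory is writable; all file names and the "Demo Root CA" subject are made up for the demo.

```shell
#!/bin/sh
# Added demo, not code from any post above. Needs openssl on PATH; works in a scratch dir.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Minimal config. ca_ext is what "-extensions v3_ca" adds (CA:TRUE is what makes Keychain
# show a root CA). client_ext pins the issuer's name AND serial into the leaf's AKI.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid:always, issuer:always
EOF

# make_ca OUT SERIAL: self-signed CA cert from the same ca.key; the serial is a parameter
# so the renewal below can keep it (or deliberately change it).
make_ca() {
  openssl req -x509 -new -nodes -key ca.key -subj "/CN=Demo Root CA" -days 3650 \
    -set_serial "$2" -config ext.cnf -extensions ca_ext -out "$1"
}
# verify_against CA LEAF: status 0 only if LEAF chains to CA (the check s_server -CAfile does)
verify_against() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

openssl genrsa -out ca.key 2048 2>/dev/null
make_ca ca.crt 1000
# Client cert issued by the CA; -nodes leaves the key unencrypted so curl --key can read it
openssl req -new -nodes -newkey rsa:2048 -keyout client.key -subj "/CN=bob" \
  -config ext.cnf -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 \
  -extfile ext.cnf -extensions client_ext -out client.crt 2>/dev/null
# A self-signed "client" cert no CA issued (like bob_cert.pem in the first question)
openssl req -x509 -new -nodes -newkey rsa:2048 -keyout self.key -subj "/CN=bob" \
  -days 365 -config ext.cnf -out self.crt 2>/dev/null
# CA renewal: same key, subject and serial keeps old leaves valid; a new serial does not
make_ca ca-renewed.crt 1000
make_ca ca-newserial.crt 2000

for pair in "ca.crt client.crt" "ca.crt self.crt" "ca-renewed.crt client.crt" \
            "ca-newserial.crt client.crt"; do
  if verify_against $pair; then echo "accepted: $pair"; else echo "rejected: $pair"; fi
done
```

Run it and compare the four lines: only the two CA certificates carrying serial 1000 accept client.crt, because the leaf's authorityKeyIdentifier names the issuer's serial and OpenSSL refuses to treat a certificate with a different serial as the issuer.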

error reading X.509 key or certificate file: Error in parsing when sending certificate in Curl Request

I used openssl to generate a self-signed certificate using the following command
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
I am sending this cert.pem with the curl command
curl --header 'Accept: application/json' --header 'Authorization: Bearer 043473b9-5cf4-3dcc-b7a6-32813f6e4df2' 'https://localhost:8243/pizzashack/1.0.0/menu' --cert cert.pem --key key.pem -k -v
But this fails with the error: error reading X.509 key or certificate file: Error in parsing when sending certificate in Curl Request
How can I overcome this issue?
Here's a solution to this. This occurs when curl is unable to decrypt my key.pem file, which is encrypted by default. We can use the -nodes directive when generating the certificate to avoid encrypting the key.
The certificate generated from the following request worked correctly.
openssl req -newkey rsa:2048 -x509 -keyout pii_key.pem -out piisp.pem -days 3650 -nodes