I know little bit about certificates but not in details. I am asked to install .CER certificate in an android app, I saw currently app uses three files(see below). I am confused how just one CER file will used for authentication/identification if currently system is using multiple files.
I tried to look online but did not find good explanation of how these files work together for authentication/identification. I am sure I need same set of new files and only CER file will not be suffice, its just I don't know the relation between these files and how these files used by system.
If you can point me to some good online resource that would be great help.
cacert.file=ca.cert.pem
cert.file=client.cert.pem
key.file=client.key.pem
Related
I'm working on creating a local image registry for an OKD installation by following along with this Medium article which assumes the creation of
the self-sign CA, server certificate with both the short and fully
qualified hostname of this VM
It calls for
the CA cert, server cert, server key saved as myca.pem,
registry.pem, registry-key.pem
I'm pretty new to certs so I was following the guidance of this article and using cfssl (as recommended by the former article) for generating those. I've gotten through generating and signing the "Intermediate CA". I'm a little unclear on where and how to generate the specific certs the former article requires. I'd really appreciate some clarifications or guidance, if possible, on the following issues.
I believe the ca.pem generated in the first "CA Authority" process in the
latter article is the equivalent of the myca.pem file mentioned in
the former article, but with a different name. Is this the case?
I am unclear where exactly the registry.pem and registry-key.pem
files are generated. Are these just certificates generated using the
"server" profile and assigned the name "registry"? Are they a
completely separate profile I should be adding to the
cfssl.json file? Are they neither?
In whichever case, are there any additional usages I need in the
cfssl.json file or additional config files I need to create in order for it to be suitable for an image registry? Do I
still need to create the additional "host certificate config file" mentioned in
the latter article?
I have tried absorbing as much information about ssl certificates as I could but so far I am unfortunately not finding anything that clears up the specific questions I have. I am sure this is probably simpler than I realize, so any help clarifying what's needed here would be profoundly appreciated. Thanks very much.
I was able to figure this all out. Here are the answers to my three questions:
This was the correct assumption.
These are generated using the "server" profile and given whichever name I choose.
I had to create the additional host certificate config file and point the CN in that file to my local fully qualified domain name. This config file was then used as an argument for generating the certificates.
First let me state that I am a Linux noob. I am learning as I go here. Here is my situation. I have an Ubuntu 16lts server, with apache. The software we just installed comes with "samples" These samples are stored in the same directory structure as the program. The instructions have you add an alias and a directory to the apache2 config file. Like so
Alias /pccis_sample /usr/share/prizm/Samples/php
This actually worked :)
However now we want to make sure this site is SSL. I did manage to use openssl to import to Ubuntu the certificates we wanted to use. (i am open to using self signed though at this point its non prod so i dont care)
In trying to find out the right way to tell Apache i want to use SSL for this directory and which cert i want to use. Things went wonky on me. I did manage to get it to use ssl but with browser warning as one would epexct with a self signed cert. I had thought that i could just install the cert on our devs machines and that would go away. But no dice. Now in trying to fix all that i just done broke it. SOOOO What I am looking for is not neccessarily and spoon fed answer but rather any good tools, scripts, articles tips tricks gotchas that i can use to get this sucker done.
Thanks
You need to import your certificate(s) into the browsers trusted store. For each browser on each machine you test with. "What a pain!" you probably think. You are right.
Make it less painful - go through it once. Create your own Certificate Authority, and add that to your browsers trusted certificates/issuers listing. This way, you modify each one once, but then any certificate created by your CA certificate's key will be considered valid by those clients.
https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
Note that when configuring Apache or other services, they will still need an issued/signed certificate that corresponds correctly to the hostname that is being used to address them.
Words of warning - consider these to be big, red, bold, and blinking.
DO NOT take the lazy way and do a wildcard, etc. DO keep your key and passphrase under strict control. Remember - your clients will implicitly trust any certificate signed by this key, so it is possible for someone to use the key and create certificates for other domains and effectively MITM the clients.
I and another guy are developing an add-in project for PowerPoint using C# and VSTO. Our project is being kept in a repository and every time when one of us gets a newest version from the repository, updated by another one, he gets a compiler problem with signing. Up to now, we solved this compiler problem by generating a test certificate on the corresponding machine every time after updating from repository.
My question is: Is it possible to avoid somehow this every-time generating of a test certificate after taking the solution, compilable on other machine, from the repository in order to have it compilable on both machines?
We tried everything:
We used the same .pfx file for both of our PC's (i.e. we sent this file to the repository).
We tried to uncheck the checkbox "Sign the ClickOnce Manifest" in the Properties window of the Solution and to remove the .pfx file at all.
We tried to use our own .pfx files with putting them into the ignore list.
But there was no result!
We have a similar scenario and we are doing the following:
'Sign the ClickOnce manifest' is signed with a locally generated .pfx key that is checked into the repository.
The assembly is signed with a strong name key.
On the build server the manifest is re-signed using the company's digital certificate for deployment using the instructions provided in this article - http://blogs.msdn.com/b/vsto/archive/2009/04/29/signing-and-re-signing-manifests-in-clickonce.aspx
Let me answer my own question. The solution is probably found. The steps are the following:
One developer should generate a new .pfx file defining the password. As a result, he can already develop the add-in correctly, on his machine; but other developer still can not, on their machines.
Using the same tab of the project's "Properties" window, this developer has to select the same .pfx file with the "Select from File..." button, giving the password.
The .pfx file should be sent to the repository (i.e. one shouldn't include it into the ignore list). As a result, other developers will not be required to generate anytime other .pfx files anymore.
We are ready!
The "magic" is that knowing the password by all developers is crucial. When the .pfx file is added to the project as it is described in the item 2, it means that all developers know the password.
I've spent the better part of this afternoon trying to figure out how to implement SSL/TLS support directly in the Play Framework 2.1 web server without having to use a front end proxy, to no avail. I have all of my certificates signed by a CA and I'm told Play 2.1 supports SSL, but am lost on the configuration options to use in application.conf to set this up. There doesn't appear to be a clear answer out there in the documentation.
Couple questions:
Do I HAVE to convert my .crt and .key files to a .jks file (Java keystore) or can I use them as-is?
If I have to import to the Java keystore, can someone provide some insight into how this is done? I have seen a lot of conflicting documentation on this.
What are the configuration options in the Play Framework 2.1.x application.conf to set this up?
As I stated before, I could not find any clear answers after a couple hours of Googling, so I figured I better ask here. Also, I want to reiterate - I DO NOT want to use a front-end web server like Apache for specific reasons, so I am looking ONLY to set up SSL/TLS support directly in Play.
EDIT:
I have found this thread: http://grokbase.com/t/gg/play-framework/1326s1ttny/2-1-ssl but I can't get any of it to work still. Not sure if I'm created the JKS file correctly by combining all of my bundled CRT files AND the private key into a single file then importing and I'm not sure what I should use for the "path to keystore".
Could anybody explain to me the process of uploading to and downloading form and ftp server with the iPhone SDK. If you could just point me in the right direction (e.g. documentation etc.). How difficult is a task like this?
Thanks in advance.
You can use this. It support all the basic ftp operations:
Download file
Upload file
Delete file
Delete directory
Create directory
List directory contents
[DISCLAIMER] I am the developer of the library, I needed a ftp library too in the past and came over this answer. However, I decided to write one myself because s7ftprequest didn't support at that point several operations that I needed.(like download or list directory)
Try this Simple FTP Download
The Apple documentation will provide far more info in general than I could. Have a look at:
http://developer.apple.com/iphone/library/documentation/Networking/Conceptual/CFNetwork/CFFTPTasks/CFFTPTasks.html#//apple_ref/doc/uid/TP30001132-CH9-SW1
which details the FTP information you need. If you prefer a PDF with all the networking info in it, have a look at:
http://developer.apple.com/iphone/library/documentation/Networking/Conceptual/CFNetwork/CFNetwork.pdf
In this, you'll be particularly interested in Chapter 5. Both detail working with FTP sites, including uploading, downloading, retrieving directory listings, etc.
s7ftprequest only for uploading files to FTP.
The below is sample code from apple
http://developer.apple.com/library/ios/#samplecode/SimpleFTPSample/Introduction/Intro.html
Limitations:
FTPS (that is, FTP over TLS)
deleting items
renaming items
other less common FTP commands
custom FTP commands
I ended up using GoldRacoon. It turns out that in iOS/objc land, there's BlackRaccoon as the original FTP client lib, then WhiteRaccoon was forked from that, and then GoldRacoon was forked from WhiteRaccoon (I think)
pod search GoldRaccoon
... will show you.
I ended up making a few changes (in my own fork) so that you can pass in a successBlock & failBlock into any request, so that block-y callers (like my classes) don't have extra work to manage the delegate callbacks. Github link (my fork): https://github.com/xaphod/GoldRaccoon