How to generate public certificate, private key from root certificate? - ssl

I have the root certificate pem file from a Linux server. The application that needs to connect to that server is telling me it needs a publicCert pem file and a privateKey pem file to communicate with the server.
Do I generate these from the root certificate? My thought is that I would feed openssl the path to the root cert and then it would dump out the publicCert/privateKey I want.
I've created the certs on the server as described here. Now I need to install on the downstream device as described here.
The input of client connection I need to use requires these parameters:
connString: 'HostName=foo'
protocol: MQTT
publicKeyCertificateString: certificateString or path to certificate
privateKeyString: keyString or path to key
new DeviceClient(connString, protocol, publicKeyCertificateString, privateKeyString);
Cert format: pem
Authentication Format: x509

You would only need the Root CA certificate to be available in the trust store of the downstream device. What you seem to be looking to do is mutual authentication. Azure IoT Edge doesn't currently support downstream devices to connect using client certificates (mutual authentication). (Edge device only supports symmetric key authentication but doesn't support x509 certificate authentication). For publishing messages using MQTT, you would need to generate a SAS token for the downstream device and then use it to communicate with iot hub (edge device would act as a transparent gateway).
Related : c# Azure IOT Edge Auto-provision with Device Provisioning Service(DPS) with x509 certificate sample needed

Related

How to connect to MQTT broker using CA public certificate in java?

Background:
I have a CA root certificate (.crt) file with me and when I try to use the same certificate in MQTT.fx desktop installation tool I am able to connect to the broker successfully.
Problem:
Whereas, when I try to use the same certificate and try to connect using Java with Micronaut framework I am asked for private key, password, etc.
What did I try:
I tried converting the .crt to pem and establish connection using micronaut by using these parameters certificate-authority, certificate, private-key (Passed the same value for all)
tried to create the client certificate using the CA certificate using openssl
Expected solution:
Establishing a Connecting with MQTT broker using java either with or without Micronaut framework.
Note: All I have is the .crt certificate provided by the client.

Establish SSL/TLS Connection using Certificate present in Thales Luna HSM

I am trying to setup a Netty Server with HTTPS enabled. In order to establish the SSL/TLS connections, I need to fetch the certificiate from Safenet Luna Network HSM and pass that Cert to Netty's SSL Context.
I have generated a keypair in the Luna HSM and then generate a self sign certificate using the generated keypair. So now my self sign cert is present inside the HSM and I need to use that cert to establish TLS connections by initializing the SSL Context. According to the usgae of HSM we should not extract our cert and private key details outside of the HSM box.
Then how can i establish a TLS connection by using the certificate present inside Luna Network HSM.
I have tried to fetch the certiciate from HSM box by using the alias name of the certificate and later use that to initialize the SSL context but no luck.
My expectation is to establish TLS connections by using the generated certificate directly from HSM to initilaize SSL Context without extartcting any information oustide of the HSM box.
Thanks
So HSM works on 2way handshake to establish mutual trust, So HSM over HTTPS needs the following configuration:
From the client side: The client will have a self-signed certificate of the HSM host stored inside its own trust store.
On top of the client will have its own key pair of let's say RSA 2048 stored in keystore
From the HSM side: HSM will have a self-signed certificate received from the client (public key of rsa keypair) inside its trust store.
in a similar way its own key-store pair to communicate to client
End result:
Each party has trust between them (as they have their certificates loaded inside truststore) and a key pair to share messages in an encrypted format.
Article to get you started: https://dzone.com/articles/implementing-one-way-and-two-way-ssl-mutual-authen

Certbot SSL keys file names

I am setting up SSL for an IOT device that uses MQTT protocol acting as a client and connecting to a broker server. The server is using Certbot for SSL keys and registration. I configure the IOT device using AT commands and in the AT command I need the cacert, clientcert, and clientkey shown in the picture below. But I am wondering what are the names of these files on my server which is Ubuntu 20?
My best guess is one of the files below:
root#broker1:/etc/letsencrypt/keys# ls
0000_key-certbot.pem 0001_key-certbot.pem 0002_key-certbot.pem 0003_key-certbot.pem
or
root#broker1:/etc/letsencrypt/live/mydnsaddress# ls
README cert.pem chain.pem fullchain.pem privkey.pem
Unless you are using SSL Client authentication the only files you need on the client will be /etc/letsencrypt/live/<hostanme>/fullchain.pem
If you are using SSL Client authentication then you will need a certificate and private key specific to that client and that will not be issued by LetsEncrypt but by a private CA.

TLS connection to cloud mqtt for owntracks

I want to establish a secure connection using TLS to m12.cloudmqtt.com (MQTT Cloud - cloudmqtt.com) for my owntracks MQTT client (Android device).
According to documentation at OWNTRACKS (http://owntracks.org/booklet/features/tls/ ) one has to provide CA CERT and the CLIENT CERT.
CA CERT I can understand according to documentation at cloudmqtt.com (www.cloudmqtt.com/docs-faq.html#TLS_SSL) is a trusted public CA. (That I can obtain from any cert store)
But for CLIENT CERT, how do I obtain this? Do I need to obtain a certificate ( for my android MQTT Client) from the above CA. Or is any other way possible to encrypt the session ?
Client certificates are only needed if the broker supports certificate based client authentication. The connection will still be encrypted and you can verify the broker is who they claim to be.
The cloudmqtt doc does not mention certificate based client authentication. So the implication is that they do not support client authentication.
You should be able to set Owntracks up with a username and password and TLS without a client certificate

How does web browser understand which x509 certificate it should send to server?

I'm trying to create web application with client certificates, generated programmatically. My main problem is following: I've added generated .p12 keystore to my web browser, but it doesn't send certificate to the server.
How does browser understand which x509 certificate it should use? And is it possible to debug SSL in Chrome of Firefox?
SSL/TLS server sends Certificate Request message (see RFC 4346 for TLS 1.1 or others). In this message there is only certificate type and acceptable certificate authorities names, so server doesn't tell anything about particular certificate.
The possible reason is that your certificate of invalid type (i.e. DSA instead of RSA but key exchange algorithm depends on client RSA certificate), or server requests certificate of different certificate authority.