Can you please advise if key password and keystore password using ikeyman tool are they same or different because ikeyman tool ask only keystore password?Help please..
thanks
Ikeyman uses 1 passphrase to encrypt the keystore (container) and its contents. There is no ability to protect the individual private keys with a separate passphrase. Contrast with openssl pkcs12 handling -- the entire keystore can have one password, and each RSA key inside can have a separate passphrase.
Related
I am attempting to set the KeySpec flag on an existing certificate for use in a SQL server encryption role. Current KeySpec is 0, and I need it to be a 1.
The way to do this is by first exporting the cert, its private key, and key usages into a .pfx file (with a password, regardless of what it claims). Then, utilizing certutil, run certutil -importpfx AT_KEYEXCHANGE.
This "works" in that it prompts for the password (which is typed in correctly), but it fails with this error message:
CertUtil: -importPFX command FAILED: 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)
CertUtil: The requested operation is not supported.
Unfortunately, there's not much online that I could find - just this one post apparently:
https://anotherexchangeblog.wordpress.com/tag/importpfx-command-failed-0x80090029/
That one appears to indicate that it's a problem with permissions on a directory located at C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. Specifically, that "SYSTEM" had permissions on it, which he removed and got certutil working. However, my copy of that directory does not have SYSTEM with permissions - it looks to be the same as his picture.
Not a whole lot more to go on, and this certutil import method appears to be the only way to set KeySpec to 1. What can I do from here to allow me to import that key with the correct KeySpec flag?
I encountered this issue after generating my private key with Template = (No Template) CNG Key
To convert from CNG key back to Legacy Key you can use OpenSSL (https://www.google.com/search?q=Download+windows+OpenSSL) to re-encode the certificate
Export your current certificate to a passwordless pem
openssl pkcs12 -in mycert.pfx -out tmpmycert.pem -nodes
Convert the pem file to a new pfx file with password:
openssl pkcs12 -export -out mycert2.pfx -in tmpmycert.pem
You can avoid the problem by generating your CSR using Template = (No Template) Legacy Key
Good Luck!
I work at Microsoft. My customer got this today and we couldn't fix it. We ended up making a new CSR.
This is the main article that explains how key specs work and CNG versus a legacy Cryptographic Service Provider.
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/ad-fs-and-keyspec-property
What you can do is go to your MMC snap in for certificates. Right click on the personal store -> All tasks -> Advanced Operations -> Create custom request.
Proceed without an enrollment policy -> select Legacy template, -> PKCS #10 -> Next -> DETAILS -> Properties
Put a friendly name -> Add a common name -> Add a DNS names for any SANs you need-> on Extended Key Usuage select Server and Client Authentication -> on the Private Key Tab -> select Microsoft Strong Cryptographic Provider -> for Key Options you want 2048 -> Make the private key exportable -> Key Type tab -> select Exchange
This will generate a (CSR) Certificate Signing Request and then have your Certificate of Authority full fill it.
It is possible to make certutil import use the legacy Strong Cryptographic Provider by specifying the -csp argument.
certutil -csp "Microsoft Strong Cryptographic Provider" -importpfx -f -enterprise my mycert.pfx AT_KEYEXCHANGE
I used windows and linux machine to create java keystore (JKS) by java keytool. When i run the keytool command mention below:
keytool -genkey -alias TESTSSL -dname "cn=Test.com, ou=testlab, o=myorg, c=UK" -keyalg "RSA" -keysize 2048 -keystore TESTSSL.private.jks -validity 10 -storepass XXXXXXX
It prompt to enter keystore password and key password.
The query is that, I want to know where both passwords are stored and in which form. Is it stored in keystore file or somewhere else in OS(If this is the case, know the exact location).
Any information related to this highly appreciated.
Note you are actually creating the default format of keystore, assuming this file doesn't exist at the time you run keytool; through Java 8 the default is JKS, but from 9 up it is PKCS12. (Naming the file something.jks does not control the format, any more than naming it something.lollipop would make it a child's sweet.)
If you specify -storepass whatever on the commandline as you stated, it should not prompt for keystore password -- at least not on that operation; if you run keytool again to (re)use the same file, that will prompt unless you again specify it on that commandline. Similarly if you specify -keypass whatever on the commandline, when needed depending on the operation, it should not prompt for key password.
For JKS JCEKS and PKCS12, the password(s) are not stored at all. Doing so would be grossly insecure. Instead, the password(s) plus 'salt' (a randomized value) are processed by a one-way 'key derivation' algorithm to create the key(s) used to encrypt at least the privatekey entries in the keystore, and to authenticate (MAC) the entire keystore. PKCS12 as implemented in Java (weakly) encrypts the certificates as well as the privatekeys; JKS and JCEKS do not. PKCS12 as implemented in Java may not support a private-key password differing from the store password.
If you can't or don't supply the correct password(s) when using the keystore file it may fail depending on exactly what operation(s) you try to do, so it is your job to remember them, and if necessary transfer or distribute them. If you need to do this on a scale difficult to manage manually, there are password-management tools -- which can handle passwords for all things, not just Java keystores -- of many kinds and from lots of sources.
For non-file-based keystores, like PKCS11 on some systems or the OS-provided store on Windows, how the password is implemented and used -- if at all -- depends on the particulars of that keystore, although storing the password would usually be poor or bad practice.
The key password and keystore password are stored in the keystore itself. It's self-contained. That way the keystore is portable and can be sent to others who can open it (provided they know the key[store] password).
Normally a cacert is used as a truststore which means a base where we put certificates of other servers so that we will authenticate them (we trust connection from these servers only if they use the same certificate as in truststore).
Whereas, a keystore is normally used for storing keys (they are used when we behave as a servers).
But the problem is that I find in the internet commands for adding certificates too in keystore and that there's no basic functionality in keytool for adding a private key in keystore.
So, I start wondering if I did misunderstand the purpose of a keystore and it's role. Can anyone tell me if I'm wrong?
Technically a KeyStore and a TrustStore are of same type. They just serve different purposes based on what they contain.
A KeyStore is simply a database or repository or a collection of Certificates or Secret Keys or key pairs. When a KeyStore contains only certificates, you call it a TrustStore.
When you also have Private Keys associated with their corresponding Certificate chain (Key Pair or asymmetric keys), it is called a KeyStore.
There are different types of KeyStores the JCE provider supports:
JKS (Java Key Store) --> When you have only certifcates, it is a TrustStore. When you also have Private Keys associated with the certificate chain, it is a KeyStore.
JCEKS (Java Enhanced Key Store) --> These can store what JKS can store and additionally Secret Key (Symmetric Key) too. You cannot store secret keys in JKS type KeyStore's.
PKCS12 --> This is like a KeyStore but a different type called PKCS12. These can store Private Keys along with their certificate chains. But the standard is to have 1 Entry only, i.e, 1 Private Key and its associated certificate chain.
Their purposes can are broad, but generally used for these purposes:
JKS - Securing your web server.
JCEKS - Store your encryption keys (symmetric), can also be used to secure web server.
PKCS12 - When a web server is setup for Two-Way SSL, it requires the clients to authenticate to the server. In these cases, the client would generate a KeyPair, and generate a CSR (PKCS10) from it and have it signed by a Certificate Authority (CA). The client is then given a certificate chain, which the client associates it with his PrivateKey in a PKCS12 KeyStore. It can then be used to make the SSL connection.
i have got a certificate in .cer extension from our company's Windows PKI server (infrastructure).
Now i want to manually sign an exe file with this certificate. But Microsoft signtool only allows pfx file to sign the exe file i guess.
So, i wanted to convert the .cer file into .pfx file using openssl tool and the command i issued was
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt
But my question is how do i get the privateKey.key file or how do i have to generate it ?
Is my procedure to sign an exe file correct ?
Update
Did some reading on the whole Windows server PKI infra and CertTool.
I have the .cer file with private key.
But not able to locate it somehow.
But was able to sign my exe with this certificate using DigiCertUtil.exe
cheers,
Saurav
signtool can sign with a privatekey and certificate from the Windows certificate "store" (shown as an entry for a certificate WITH a private key) or from a PFX/P12 file (which contains a privatekey and certificate(s)). The common theme is that you use the privatekey as well as the certificate to sign, or decrypt; a certificate alone contains only the publickey and is not sufficient. The whole point of public-key cryptography is that only the privatekey "owner", or someone given a copy, can sign or decrypt; the publickey can be distributed publicly and used to verify or encrypt, but no one else can use the publickey to obtain the privatekey so the privatekey remains private. If you could 'generate' the privatekey from the certificate, so could an adversary and it would provide no security.
If you received the certificate newly generated (by a corporate PKI) in response to your request, you must already have the privatekey, because the request you sent (called a Certificate Signing Request or CSR) was itself signed using the privatekey. You need to specify what method you used to generate the request, and that will determine where your privatekey is and how to use it.
If you received a certificate generated in response to someone else's request, or initiated by the CA on its own, they have the privatekey and you need to obtain it from them.
Note that for the signature on an .exe to be of any value, your certificate must be specifically flagged as a code-signing certificate, and issued by a CA that is trusted (on your client machines) to issue such certificates. Make sure the request you or someone submitted specified this.
I have a public key in a file called key.pub, and the contents look like:
ssh-rsa AAAAB...<snip>...t+f klahnakoski
I would like to to use it to encrypt a file with gpg. What is the sequence of shell commands required?
I imagine the sequence looks something like:
convert key to gpg-friendly format
invent some credentials to sign key with
invent a user to facilitate adding key to keyring
perform the encryption
Thank you!
RSA keys can only be used to encrypt a proportion of their key length. e.g. a 2048 bit RSA key can only be used to encrypt about 245 bytes.
See:
https://security.stackexchange.com/questions/33434/rsa-maximum-bytes-to-encrypt-comparison-to-aes-in-terms-of-security
So to encrypt / decrypt large amounts of data (files) you would use a symmetric key which was encrypted using a public key, not the public key itself.
Also, you wouldn't add a symmetric key to a public SSH key, because the the symmetric key is a secret, and the public SSH key isn't a secret. The symmetric key should be added to the private SSH key.
It goes something like the following:
To convert the file format, install the monkeysphere tool set (Ubuntu)
sudo apt-get install monkeysphere
Use the pem2openpgp tool to convert the private key to gpg format. Pipe to gpg for import.
pem2openpgp userid-ssh#example.com < id_rsa | gpg --import
# Check it's there
gpg --list-secret-keys
Edit the trust level you have in the key.
gpg --edit-key userid-ssh#example.com
gpg> trust
Add the trust level you need (ultimate for example)
The key imported is only suitable for creating certificates, not for signing or encryption.
Encryption
The key is an RSA key and can't be used to encrypt / decrypt large amounts of data. If you want to do that you have to add a symmetric encryption subkey. When you encrypt, GPG will use this subkey rather than the original SSH key.
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 6
Now you can encrypt and decrypt using the identity based on the SSH key.
gpg -vv -r userid-ssh#example.com -e -a unencrypted_file.txt
So how useful is this?
Well, it makes more sense to use GPG to generate and manage your SSH keys as authentication subkeys rather than trying to do it the other way round. In fact it can be integrated into SSH instead of ssh-agent.
Probably ssh-vault could give you some ideas, it follows the same principle of PGP and using the public ssh keys to encrypt the password only.