IBM Cloud custom domain: Not able to upload SSL certs - ssl

I have tried a self-signed certificate, a certificate chain, etc., but uploading SSL certificates to IBM Cloud just doesn't work! All I get is "Internal Server Error", and I don't know what to make of it. Anyone who has got it working recently, please reply back here.
I created the certificate as follows:
winpty openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout testjeetcom.key -days 365 -out testjeetcom.pem
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Kansas
Locality Name (eg, city) []:Overland Park
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Personal
Organizational Unit Name (eg, section) []:Pers
Common Name (e.g. server FQDN or YOUR name) []:test.jeet.com
Email Address []:jeet@dummy.com
All I get is the error below.

The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address?

I have generated a self-signed certificate using OpenSSL with the following command on my Ubuntu-based PC:
openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -pubkey -days 365 -subj "/C=NZ/ST=LH/O=SoN, Inc./CN=10.16.1.96" -reqexts Canada -config <(cat /etc/ssl/openssl.cnf <(printf "[Wellington]\nsubjectAltName=DNS:10.16.1.96,DNS:10.16.1.96"))
Next, I copied the private key and cert.pem to the Raspberry Pi (10.16.1.96), which is running a web server and using these keys.
Also, I added cert.pem to my Chrome browser: under Manage Certificates/Authorities, I imported this certificate.
However, my browser complains about this:
Subject Alternative Name missing
The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.
Certificate error
There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).
How can I get rid of this error?
At the end of your command, you're providing subject alternative names like this: subjectAltName=DNS:10.16.1.96,DNS:10.16.1.96".
The problem is that you're using SANs of type dNSName (DNS: in the OpenSSL configuration), but you're using IP addresses, so you need SANs of type iPAddress in this case (see this answer for more details about the specifications).
Changing your command to use subjectAltName=IP:10.16.1.96,IP:10.16.1.96" should fix it.

SSL/TLS with Websockets Server - go lang

I am using collider (https://github.com/webrtc/apprtc/tree/master/src/collider, a WebSocket server in Go) and I am trying to add SSL/TLS support, for which I generated self-signed certificates:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:testwebsite.com
Organizational Unit Name (eg, section) []:Engineering
Common Name (e.g. server FQDN or YOUR name) []:www.testwebsite.com
Email Address []:testwebsite@gmail.com
When I run the collider, I see this error:
2017/06/05 21:25:50 Error Run: crypto/tls: failed to parse private key
When I generate using (based on http://www.kaihag.com/https-and-go/):
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
I get this error:
2017/06/05 22:11:31 http: TLS handshake error from <some-ip>:1082: remote error: unknown certificate
How to fix this?
Note: collider uses golang.org/x/net/websocket
I ended up obtaining the certs from: https://certbot.eff.org/#ubuntuxenial-other
certbot certonly --standalone -d example.com -d www.example.com
I had to use fullchain.pem instead of cert.pem for this collider to work:
https://github.com/webrtc/apprtc/issues/442

Generate client certificate with principal name with OpenSSL

I need to generate a client authentication certificate with "NT Principal Name" and "RFC 822 Name" under Subject Alternative Name, similar to this certificate, as shown in macOS Keychain Access (the obscured field values are AD UPNs such as test@domain.com):
I've tried using OpenSSL to generate the client authentication certificate with this command:
openssl req -x509 -config cert_config -extensions 'my server exts' -nodes -days 365 -newkey rsa:4096 -keyout client.key -out client.crt
and this cert_config file:
[ req ]
prompt = no
distinguished_name = my dn
[ my dn ]
commonName = Test
countryName = US
localityName = Anywhere
organizationName = Test
organizationalUnitName = Dev
stateOrProvinceName = CO
emailAddress = info@test.com
name = Test Cert
surname = Cert
givenName = Test
initials = TC
[ my server exts ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2,1.3.6.1.4.1.311.20.2.2
subjectAltName = otherName:1.3.18.0.2.4.318;UTF8:test@example.com
But I'm unable to correctly format the subject alternative name to match the example in the image above. I could not find a definition for "NT Principal Name" or "RFC 822 Name" under Subject Alternative Name in the OpenSSL documentation. When I look at the certificate produced by the command above in Keychain Access I see:
How do I specify the "NT Principal Name" and "RFC 822 Name" fields under Subject Alternative Name in my client authentication certificate?
I also suffered with this question for a long time...
I was generating a certificate for the EFS Recovery Agent, and this Subject Alternative Name field is there.
Here, of course, many interesting things are written, but unfortunately there is no explicit example: https://learn.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps
By downloading the great utility XCA (https://www.hohnstaedt.de/xca/) and by looking at the contents of the certificates generated by cipher.exe /r: for the EFS Recovery Agent, I produced the required string for OpenSSL:
openssl req -x509 -nodes -newkey rsa:4096 -keyout efs.key -out efs.cer -days 36500 -subj '/OU=EFS File Encryption Certificate/L=EFS/CN=efs' -addext 'extendedKeyUsage=1.3.6.1.4.1.311.10.3.4.1' -addext 'basicConstraints=CA:FALSE' -addext 'subjectAltName=otherName:msUPN;UTF8:sb@sb.local'
Here you will understand how to insert the "Principal Name" into the "Subject Alternative Name" ;)
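Added example (Python, not code from any of the posts above) that serves both the Subject Alternative Name question earlier on this page and this NT Principal Name question: it DER-encodes the SAN entries the OpenSSL config keywords DNS:, IP:, email: and otherName:msUPN produce, and runs a browser-style name check to show why DNS:10.16.1.96 is rejected for https://10.16.1.96/ while IP:10.16.1.96 is accepted. Tag values and the msUPN OID are RFC 5280 / Microsoft constants; the function names and the sample names are constructed for this example.

```python
import ipaddress

# RFC 5280 GeneralName tags: otherName [0] (constructed), rfc822Name [1], dNSName [2], iPAddress [7]
TAG_OTHER, TAG_EMAIL, TAG_DNS, TAG_IP = 0xA0, 0x81, 0x82, 0x87
MS_UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft UPN; OpenSSL's alias for it is msUPN

def _tlv(tag, body):  # DER tag-length-value, short or long length form
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _oid(dotted):  # DER OBJECT IDENTIFIER: first two arcs merged, base-128 arcs
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray()
    for arc in [parts[0] * 40 + parts[1]] + parts[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_san(entries):
    """DER subjectAltName value for [(kind, value), ...]; kind is 'DNS', 'IP', 'email' or 'UPN'."""
    out = b""
    for kind, value in entries:
        if kind in ("DNS", "email"):  # IA5String text: DNS:10.16.1.96 stores the text "10.16.1.96"
            out += _tlv(TAG_DNS if kind == "DNS" else TAG_EMAIL, value.encode("ascii"))
        elif kind == "IP":  # raw 4 or 16 address octets, which is what IP:10.16.1.96 produces
            out += _tlv(TAG_IP, ipaddress.ip_address(value).packed)
        elif kind == "UPN":  # otherName { type-id msUPN, value [0] EXPLICIT UTF8String }
            utf8 = _tlv(0x0C, value.encode("utf-8"))
            out += _tlv(TAG_OTHER, _oid(MS_UPN_OID) + _tlv(0xA0, utf8))
        else:
            raise ValueError("unsupported SAN kind: " + kind)
    return _tlv(0x30, out)  # SEQUENCE OF GeneralName

def host_matches(entries, host):
    """Browser-style check: an IP literal matches only iPAddress SANs, a hostname only dNSName SANs."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a DNS name, not an IP literal
    return any((ip is not None and kind == "IP" and ipaddress.ip_address(value) == ip)
               or (ip is None and kind == "DNS" and value.lower() == host.lower())
               for kind, value in entries)
```

Dumping a real certificate with `openssl x509 -in cert.pem -noout -ext subjectAltName` shows the same distinction: a dNSName entry prints as `DNS:10.16.1.96`, an iPAddress entry as `IP Address:10.16.1.96`.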

openSSL sign https_client certificate with CA

I need to:
create a CA certificate
create an https_client certificate
sign the https_client certificate with the CA
using the command line on Linux (openSUSE). I create the CA certificate:
# openssl genrsa -out rootCA.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................................+++
....................+++
e is 65537 (0x10001)
# openssl req -x509 -new -nodes -key rootCA.key -days 3650 -out rootCA.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AA
State or Province Name (full name) [Some-State]:A
Locality Name (eg, city) []:A
Organization Name (eg, company) [Internet Widgits Pty Ltd]:A
Organizational Unit Name (eg, section) []:A
Common Name (e.g. server FQDN or YOUR name) []:A
Email Address []:A
#
Works fine. Then I create the https_client certificate:
# openssl genrsa -out client1.key 2048
Generating RSA private key, 2048 bit long modulus
............................+++
.............................................+++
e is 65537 (0x10001)
#
# openssl req -x509 -new -nodes -key client1.key -days 3650 -out client1.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BB
State or Province Name (full name) [Some-State]:B
Locality Name (eg, city) []:B
Organization Name (eg, company) [Internet Widgits Pty Ltd]:B
Organizational Unit Name (eg, section) []:B
Common Name (e.g. server FQDN or YOUR name) []:B
Email Address []:B
#
Works fine. Now, when I try to sign the https_client certificate with the CA, I get this error:
# openssl ca -in client1.pem -out client11.pem
Using configuration from /etc/ssl/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
139667082016400:error:02001002:system library:fopen:No such file or directory:bss_file.c:404:fopen('./demoCA/private/cakey.pem','re')
139667082016400:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:406:
unable to load CA private key
#
I already tried:
using absolute paths ("Error opening CA private key" on Windows)
but no success for me. I read somewhere that specific entered attributes need to be the same as those entered on CA creation, but at least when creating certificates on Windows using the XCA tool this is not correct. I can enter completely different stuff; as long as I sign it with the CA, I can use it. Can someone help me?
Update:
I only use .key and .pem because this works for me on Windows using the XCA tool... I'm actually reading the OpenSSL Cookbook (https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html) to see if I did anything specifically wrong. First thought: do I have to use a .csr to sign a certificate, or can I do this using any other format too?
You are using the 'openssl ca' tool, which uses the following configuration file by default: /etc/ssl/openssl.cnf. In other words, you were not trying to sign with your CA certificate but using default values from that config file. You were also passing the -x509 parameter to the client certificate signing request, which led to an invalid CSR.
Please, find below the working generation and signing commands.
Generate CA key and cert:
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -key rootCA.key -days 3650 -out rootCA.pem \
-subj '/C=AA/ST=AA/L=AA/O=AA Ltd/OU=AA/CN=AA/emailAddress=aa@aa.com'
Generate client key and csr:
openssl genrsa -out client1.key 2048
openssl req -new -key client1.key -out client1.csr \
-subj '/C=BB/ST=BB/L=BB/O=BB Ltd/OU=BB/CN=BB/emailAddress=bb@bb.com'
Generate client cert signed with CA cert:
openssl x509 -req -days 365 -CA rootCA.pem -CAkey rootCA.key \
-CAcreateserial -CAserial serial -in client1.csr -out client1.pem
Of course, you can configure your config file to point at the right CA files and use the 'openssl ca' tool after that.
You can verify your certificate like this:
openssl verify -verbose -CAfile rootCA.pem client1.pem
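Added example (Python, not code from any post on this page) covering two posts: the collider post above, whose two errors came from a passphrase-protected key.pem (Go's crypto/tls does not decrypt PEM keys, hence "failed to parse private key") and from serving cert.pem where fullchain.pem was needed, and this post, where client1.pem produced with -x509 is a certificate rather than the certificate request that openssl ca expects. The functions are a constructed preflight check for PEM files; the sample PEM bodies are placeholder text, not real key material.

```python
import re

# One PEM block: label, optional "Key: value" headers, base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def inspect_pem(text):
    """Count what a PEM file holds and flag an encrypted private key.
    PKCS#8 marks encryption in the label ("ENCRYPTED PRIVATE KEY"); legacy
    "RSA PRIVATE KEY" blocks mark it with a Proc-Type header inside the block."""
    report = {"certificates": 0, "requests": 0, "keys": 0, "key_encrypted": False}
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            report["certificates"] += 1
        elif label == "CERTIFICATE REQUEST":
            report["requests"] += 1
        elif label.endswith("PRIVATE KEY"):
            report["keys"] += 1
            if label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body:
                report["key_encrypted"] = True
    return report

def problems(key_pem, cert_pem):
    """Findings for a key/cert pair before a server is started (empty list = nothing found)."""
    key, cert = inspect_pem(key_pem), inspect_pem(cert_pem)
    found = []
    if key["keys"] == 0:
        found.append("no private key block in key file")
    elif key["key_encrypted"]:
        found.append("private key is passphrase-protected; regenerate with -nodes or decrypt it")
    if cert["certificates"] == 0:
        found.append("no certificate in cert file" + (" (it holds a CSR)" if cert["requests"] else ""))
    elif cert["certificates"] == 1:
        found.append("cert file holds a single certificate: fine if self-signed, but a CA-issued leaf needs fullchain.pem")
    return found

# Constructed sample inputs (bodies are placeholders, not real key material)
ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""
PLAIN_KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
LEAF_ONLY = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
FULLCHAIN = LEAF_ONLY * 2  # leaf followed by its intermediate
```

For this post's case, inspect_pem on the client1.pem made with -x509 reports one certificate and zero requests, which is why openssl ca rejects it as input.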

Apache, Create SSL Certificate for an IP address

I am actually trying to create a test SSL certificate for my web server.
I started with this tutorial.
But when I try to create a certificate with the following command:
openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024 -nodes -keyout server.key -out server.crt -subj '/O=Company/OU=Department/CN=www.10.9.11.99/lebenmittel_test'
The following error appears:
Generating a 1024 bit RSA private key
..............++++++
.................................++++++
writing new private key to 'server.key'
-----
end of string encountered while processing type of subject name element #3
problems making Certificate Request
I think the problem is that I am trying to create a certificate for an IP address... :/
I tried the same command with www.example.com and it worked.
Is there a way to create a certificate for an IP address?
Your problem is that 'lebenmittel_test' is not a valid attribute syntax. Additionally, 'CN=www.10.9.11.99' is definitely dodgy for a CN.
Why not just assign a valid name for the CN, and then tweak your /etc/hosts file to point to the IP address using that name?