JMeter through an external proxy keystore configuration - ssl

I am about to test a web application with JMeter. I have already recorded and parametrized scripts and these seem to be working fine.
The problem is that one of the requirements is to redirect the traffic through mitmproxy.
I already found a solution on how to redirect the traffic to the desired proxy:
How to set proxy for JMeter from behind another proxy?
To manually go through the scenario I am setting manual proxy configuration in my Firefox browser, then navigate to mitm.it and if proxy is enabled I get the client side certificate to download. Once trusted, all traffic goes through this proxy instance.
The problem is that the certificate downloaded from here has a .crt extension and this is the only form of authentication - no signatures, no passwords and so on.
I am just wondering how to make this proxy trust JMeter requests?
Will adding this certificate to an existing keystore do? If so, I could not find an unambiguous tutorial on how to extend a keystore with the certificate having no password and the key.
Any suggestions?
PS. I tried following http://www.middlewareguru.com/mw/?p=478 - but it states: "The key store must have at the least one x509 certificate and private key" -> the problem is that I have only a certificate, no private keys, and it works perfectly for Firefox, but I have no idea how the keystore will behave in such a scenario (my proxy is down as of now, but I would like to be ready with the approach before it's up and running again).

1. You need to convert your .crt file into a .p12 file which JMeter can "understand", using e.g. OpenSSL:
openssl pkcs12 -export -in certificate.crt -inkey inkey.key -out certificate.p12
2. Once done, you can add the following line to the system.properties file (located in the "bin" folder of your JMeter installation):
javax.net.ssl.keyStore=/path/to/certificate.p12
3. Restart JMeter to pick the change up.
You can also use SSL Manager instead of steps 2 and 3, but using system properties is way more convenient.
References:
The Most Common OpenSSL Commands
How to Set Your JMeter Load Test to Use Client Side Certificates

Related

How to bind SSL Certs to a locally hosted website on Windows 10 IIS

I have a working local website which I enabled via IIS Manager on Windows 10 Home. Now I want to serve my website via HTTPS instead of HTTP. I have created and added self-signed SSL cert using OpenSSL and MMC (following this blog). However, when I tried to add the HTTPS binding to my website using the IIS Manager, there is NO cert displayed for me to add for the binding. See screen shot. Can someone suggest what I might be missing? How do I bind the key/cert to my local website under Windows 10?
It looks like you forgot to import .pfx file to your IIS server certificate.
Please go to IIS manager->server side->server certificates.
Then click import.. button to upload your certificate.
After uploading the certificate, you should be able to select your certificate in IIS binding.
OK, so it turns out the self-signed cert in the procedure is in the .cer/.pem format, whereas Windows IIS expects a .pfx. The confusing part is the fact that the tutorial also demonstrates using Windows MMC and IIS, and that MMC "accepts" the .cer when I did the certificate import.
Bottom line: I need to package my .key and .cer files into a .pfx file using the following command before importing the cert into my Personal store:
openssl pkcs12 -export -out my.pfx -inkey my.key -in my.crt
During cert import using MMC, I did need to change the file extension using the dropdown list. Now this cert would show up when I add the website binding via IIS Manager.

Enable SSL on SOLR with existing cert

I'm trying to enable SSL on SOLR with a SAN cert - I ran keytool.exe to generate the .jks file from the cert file. That process went fine. I copied the .jks file over to the /etc directory, and then I enabled SSL in the solr.in.cmd file. Then when I try to access the site, it tells me: "The client and server don't support a common SSL protocol version or cipher suite." Is the issue with the cert, or with the way I generated the .jks file? Any help with this would be appreciated.
MORE INFO:
I learned that .cer files only contain the public key, and the private key is on the machine that generated the CSR. However, in this case, the machine that the cert is installed on is probably not the machine that the CSR was generated in. So, given this situation, how do I generate the keystore file to be used in SOLR?

How to install ssl certificate received from SSLForFree.com on IIS

I received an SSL certificate from sslforfree.com. It is a .zip file consisting of 3 files:
certificate.crt
private.key
ca_bundle.crt
How should I install this certificate on IIS 8.0? (What am I supposed to do with these 3 files?)
First, you need to make a .pfx file to make things easy. You need to install OpenSSL and run the following in a command prompt with the path set to the location of the downloaded certificate files:
openssl pkcs12 -export -out "certificate_combined.pfx" -inkey "private.key" -in "certificate.crt" -certfile ca_bundle.crt
Second, import the certificate to IIS:
Note: You created the password when you created .pfx file with openssl in command prompt.
Third, bind https to the website and choose the imported certificate in "Add Site Binding" window:
Note: You need to do this once for every domain name. For example if you have "www.abc.com" and also "abc.com" as your domain names you must do the https binding two times and each time write the corresponding domain name in "Add Site Binding" window and make sure that "Require Server Name Indication" is checked. Also you need to add another extra https binding without checking "Require Server Name Indication" and without writing any Host name to remove the "No default SSL site has been created" warning in IIS.
Congratulations. You are done. Now your website can be accessed securely with https without any warning or error.

OpenSSL what to do after creating the CA certificate

I've created a self-signed CA with DSA using OpenSSL and created a .der file using x509 of OpenSSL.
I can create user certificate requests, verify them and create user certificates. I can create signatures and verify them also.
But what to do with the .der file? I can do all the above things with .cert or .pem files. The .der is supposed to be shown beside the browser address bar. How to install that?
I'm using PHP and Apache.
I think you should read that:
DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them
I got it. I need to install the .der in my server using the config files of apache-openssl.
I've tried that with xampp. Initially it worked for the 1st time. I installed the cert files in the browsers and got the public shown for the page from the address bar.
Later, when I restarted Apache, the whole xampp crashed and I was unable to start Apache. I needed to re-install xampp and then I was able to start Apache again.

No private key in SSL Certificate for IIS 6.0

We use IIS 6.0 (Win2003 SP2) at work and needed to renew our SSL certificate.
I created a certificate request by using openssl. Therefor I'd created a 2048 bit key with openssl first. I did not use that certreq.txt request file, since that produced format errors at the website of our used CA.
That request has been accepted meanwhile and I got a .pem file from our organization's CA. So far so good. I was even able to import the certificate. But unfortunately the private key is missing now. I think Windows (or IIS) just doesn't know where to look for it. The private key of course lives in a *.key file that I used for creating the request.
But how may I integrate the key into the certificate or make Windows/IIS use it?
You should be able to build a PKCS#12 file using OpenSSL using:
openssl pkcs12 -export -in cert.pem -inkey file.key -out cert.p12
Then, using the .p12 file, import both the cert and its private key at the same time.
More info on openssl https://www.openssl.org/docs/apps/pkcs12.html
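Added example (not part of the original posts): several questions on this page come down to a certificate that has lost its private key. The script below compares the public key in a certificate with the one derived from a key file before running the `openssl pkcs12 -export` step from the answer above, then checks whether a bundle really holds a key; the function names, file names, host names and password are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: file names, host names and the password are made up.

# Public key (PEM) embedded in a certificate.
cert_pub() { openssl x509 -in "$1" -noout -pubkey; }

# Public key (PEM) derived from a private key file.
key_pub() { openssl pkey -in "$1" -pubout; }

# Bundle CERT and KEY into a PKCS#12 file only if they belong together.
# Returns 2 if either input is unreadable, 1 if the key does not match.
make_p12() {  # usage: make_p12 CERT KEY OUT PASSWORD
  c=$(cert_pub "$1") && k=$(key_pub "$2") || return 2
  [ "$c" = "$k" ] || { echo "key does not match $1" >&2; return 1; }
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# True if the PKCS#12 file really contains a private key.
p12_has_key() {  # usage: p12_has_key FILE PASSWORD
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
    grep -q 'PRIVATE KEY'
}

# Two throwaway self-signed pairs in a temp directory (constructed input).
demo_dir=$(mktemp -d)
for n in a b; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$n.example.test" \
    -keyout "$demo_dir/$n.key" -out "$demo_dir/$n.crt" 2>/dev/null
done

# Matching pair: the bundle is written and holds the key.
make_p12 "$demo_dir/a.crt" "$demo_dir/a.key" "$demo_dir/a.p12" changeit &&
  p12_has_key "$demo_dir/a.p12" changeit && echo "a.p12: certificate + key"

# Key from another pair: refused, no file is written.
make_p12 "$demo_dir/a.crt" "$demo_dir/b.key" "$demo_dir/bad.p12" changeit ||
  echo "a.crt + b.key: refused"

# Certificate alone (the .crt-only case): a bundle can be built, but it
# carries no private key, so it cannot act as a server or client identity.
openssl pkcs12 -export -nokeys -in "$demo_dir/a.crt" \
  -out "$demo_dir/certonly.p12" -passout pass:changeit
p12_has_key "$demo_dir/certonly.p12" changeit || echo "certonly.p12: no key"
```

Passing the password with `pass:` exposes it in the process list; for real keys, `-passout file:` or `-passout env:` avoids that.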
Since you're running Windows Server, take advantage of DigiCert's free utility (http://www.digicert.com/util).
You can create the CSR from OpenSSL if you plan to import it back to OpenSSL and were using Apache.
Otherwise you'll make the CSR request from IIS or running DigiCert Utility and clicking 'Create CSR' option. Once you have the new CSR, submit it to your CA in order to have them issue a new cert that will match the proper private key in IIS.
Once you receive the new cert file, use the 'Import' function on the utility to load the cert file on your local MMC.
Final step is binding the SSL cert to the site's port 443 connection in the IIS console.
If you happen to need the private key, you can use the 'Export' function to create a .key file or a PFX file which includes both your domain certificate and the private key.
Some firewall devices require a PKCS#12 file over the PFX. If so, rename the file extension from .pfx to .p12.