I need to make client approve a server CA certificate which is not known to it.
I have generated cert.pem using the following command
openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365
And then using the following command I came to know that requests points to <full-path>/cacert.pem.
python -mrequests.certs
So I copied the generated cert.pem to the same path and passed it to verify. I tried the following to do so. I don't want to use verify=False.
requests.get("https://<ip>:<port>/route1", verify='<full-path>/cert.pem')
Still I see that the client is throwing the following error.
SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
How do I make the client approve the server certificate? Am I missing anything? Any help would be appreciated.
Server side code
context = ('cert.pem', 'key.pem')
# app is a Flask object
app.run(host="<ip>", port=port, debug=True, ssl_context=context)
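As an added example (not code from the question above), here is the pair of checks a TLS client performs before it accepts cert.pem: the certificate must verify against the file handed to verify=, and its subjectAltName must match the host or IP literal in the URL. The script below generates such a certificate non-interactively and runs both checks with the openssl CLI, which it assumes is installed (1.1.0 or newer, for the -verify_ip and -verify_hostname options of openssl verify); the 127.0.0.1 address, the file names and the make_selfsigned/check_server_cert function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not the question's own code. Assumes the openssl CLI
# (1.1.0 or newer) is on PATH. Addresses and paths used below are constructed.
set -eu

# make_selfsigned OUTDIR ADDRESS
# Writes OUTDIR/key.pem and OUTDIR/cert.pem with no interactive prompts.
# ADDRESS is the IP literal or DNS name clients will put in the URL; it goes
# into the subjectAltName, which is what hostname verification matches on.
make_selfsigned() {
    outdir=$1
    address=$2
    mkdir -p "$outdir"
    # Anything other than digits and dots is treated as a DNS name.
    case $address in
        *[!0-9.]*) san="DNS:$address" ;;
        *)         san="IP:$address" ;;
    esac
    cat > "$outdir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $address
[ext]
subjectAltName = $san
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$outdir/openssl.cnf" \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem" 2>/dev/null
}

# check_server_cert CERTFILE ADDRESS
# Exit 0 only when CERTFILE verifies with itself as the sole trust anchor
# (what verify='<path>/cert.pem' gives the client) AND its SAN matches
# ADDRESS. Either failure alone is enough for a client to reject the server.
check_server_cert() {
    case $2 in
        *[!0-9.]*) nameopt=-verify_hostname ;;
        *)         nameopt=-verify_ip ;;
    esac
    openssl verify -CAfile "$1" "$nameopt" "$2" "$1" >/dev/null 2>&1
}

# Demo with constructed values: a certificate for 127.0.0.1 in a temp dir.
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" 127.0.0.1
check_server_cert "$demo_dir/cert.pem" 127.0.0.1 && echo "cert.pem verifies for 127.0.0.1"
check_server_cert "$demo_dir/cert.pem" 10.0.0.1 || echo "cert.pem does not match 10.0.0.1 (expected)"
```

If the Flask server is started with this cert.pem and key.pem, a call such as requests.get('https://127.0.0.1:<port>/route1', verify='<path>/cert.pem') passes verification: the file the client trusts is the very certificate the server presents, and the SAN matches the host part of the URL. A certificate with no SAN for the address fails the second check even when the first succeeds, so it is worth running both rather than reading only the error string.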
Related
I used openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365 to generate a cert.pem and key.pem, and it executed correctly. Now what I want to know is how I can add the OpenSSL-generated certificate to the trusted certificates so that I don't get greeted with the "Your connection isn't private" page before loading my Flask HTTPS site. Any help is appreciated.
EDIT: OS - Windows. I am trying to add the OpenSSL generated certificate to Trusted Root Certification Authorities inside the Microsoft Management console (MMC)
Depending on the browser you need to run certutil with a specific db location:
chromium-based (most) -d sql:$HOME/.pki/nssdb
firefox -d %userprofile%\Application Data\Mozilla\Firefox\Profiles\%randomalphanum%.default\cert8.db
Sometimes I test an SSL website on my local machine. I was tired of using a self-signed certificate and adding it to my Keychain on Mac (browser or other OS). Moreover, Chrome always complains about them, and this approach was a bit different from the one used in production.
I found this article very useful: you create your own CA root certificate once, add it once to your keychain, and then use the CA private key to sign thousands of SSL test certificates for your local websites.
https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
The tutorial works great but I would like to automate it. For the CA root certificate it was easy; I simply used the -subj option like this:
openssl req -x509 -new -nodes -key /certs/myCA.key -sha256 -days 1825 -subj "/C=$CA_COUNTRY/ST=$CA_STATE/L=$CA_CITY/O=$CA_ORGANIZATION/CN=$CA_COMMON_NAME" -out /certs/myCA2.pem
where the environment variables (CA_COUNTRY, CA_STATE, CA_CITY, CA_ORGANIZATION, CA_COMMON_NAME) are read from an external file.
However, when I tried to replicate the same thing for the website certificate I wasn't able to get the same result. The command is this:
openssl x509 -req -in dev.deliciousbrains.com.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out dev.deliciousbrains.com.crt -days 825 -sha256 -extfile dev.deliciousbrains.com.ext
It seems that the -subj option doesn't work. Is there a way to pass the info above to this command and avoid interactive questions?
The command you show openssl x509 -req -CA/-CAkey ... does not ask any questions except the key password if there is one (which if you followed the instructions at the linked page there is). It is the preceding command to create the CSR openssl req -new that prompts for the subject name, and for that (like the command for creating the CA cert which is also req but with -x509 -- note -x509 is not the same as x509) you can use -subj. The statement on that page that "your answers don’t matter" isn't quite correct; it is true that when you use SubjectAlternativeName in the leaf cert, as that page advises/directs, the value of Subject is ignored for (at least) HTTPS server identification, but it must (still) be different from the name used for the CA to allow certificate validation to work. Standards allow the Subject name in a leaf cert to be empty when SAN is used (and empty is always different from nonempty and a nonempty name is required in the CA cert) but OpenSSL doesn't handle that case.
I have to deploy a backend that wants to handle HTTPS on its own.
The README of that backend provides the following command to generate a self-signed cert:
openssl req -x509 -nodes -newkey rsa:2048 -keyout tls.key -out tls.crt -days 3650
That gives me a tls.key and tls.crt file. However, the NGINX guide at https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/ requires some more stuff which I don't have.
It would be awesome if someone could tell me how to generate all the certificate files I need so that NGINX can talk to the backend via SSL.
The outside-facing SSL connection is covered by Let's Encrypt.
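The following is an added example (not from any post above or from the linked tutorial) that carries the answer about -subj through without a single prompt, and at the same time produces the three files the NGINX upstream question asks for: the backend's key, the backend's certificate, and the CA certificate NGINX is told to trust. -subj is given to both openssl req invocations (the -x509 CA step and the -new CSR step); openssl x509 -req only signs what the CSR already contains and takes the subjectAltName from -extfile. It assumes the openssl CLI (1.1.0 or newer) is on PATH; the CA subject, the host name dev.example.test and the make_ca/issue_server_cert/verify_server_cert function names are constructed.

```shell
#!/bin/sh
# Added example, not the tutorial's or any poster's code. Assumes the openssl
# CLI (1.1.0 or newer). Subject fields, host names and paths are constructed.
set -eu

CA_SUBJ="/C=US/ST=Test/L=Test/O=Local Dev/CN=Local Dev CA"   # constructed sample subject

# make_ca DIR
# Writes DIR/myCA.key and DIR/myCA.pem. The key is left unencrypted so the
# later signing step never asks for a passphrase; -subj removes the prompts.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl genrsa -out "$dir/myCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/myCA.key" -sha256 -days 1825 \
        -subj "$CA_SUBJ" -out "$dir/myCA.pem"
}

# issue_server_cert DIR HOSTNAME
# Writes DIR/HOSTNAME.key, .csr and .crt. The leaf subject is only CN=HOSTNAME,
# so it differs from the CA subject; the SAN, which clients actually match,
# comes from the -extfile handed to `openssl x509 -req`.
issue_server_cert() {
    dir=$1
    host=$2
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    # -subj belongs here, on `req -new`: this is the step that would prompt.
    openssl req -new -key "$dir/$host.key" -subj "/CN=$host" -out "$dir/$host.csr"
    cat > "$dir/$host.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF
    # `x509 -req` asks nothing; it signs the CSR with the CA key.
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/myCA.pem" -CAkey "$dir/myCA.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/$host.ext" \
        -out "$dir/$host.crt" 2>/dev/null
}

# verify_server_cert DIR HOSTNAME EXPECTED_NAME
# Exit 0 when HOSTNAME.crt chains to myCA.pem and its SAN matches EXPECTED_NAME:
# the check a client holding only myCA.pem as trust anchor performs.
verify_server_cert() {
    openssl verify -CAfile "$1/myCA.pem" -verify_hostname "$3" "$1/$2.crt" >/dev/null 2>&1
}

# Demo with constructed values in a temporary directory.
demo=$(mktemp -d)
make_ca "$demo"
issue_server_cert "$demo" dev.example.test
verify_server_cert "$demo" dev.example.test dev.example.test && echo "dev.example.test.crt: OK"
verify_server_cert "$demo" dev.example.test other.example.test || echo "name mismatch rejected (expected)"
```

myCA.pem is the only file a client (a browser, or NGINX with proxy_ssl_verify on and proxy_ssl_trusted_certificate pointing at it) needs in order to accept every certificate this CA issues; <host>.crt and <host>.key go to the backend. Because the CA key is stored unencrypted for automation, keep it out of the deployed tree: anything signed with it is trusted wherever myCA.pem has been installed.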
I've got an issue with my local SSL certificate in that the site isn't downloading the CSS and JS files because of the error net::ERR_CERT_AUTHORITY_INVALID. I found that it was originally using an SHA-1 certificate and that could be the problem. In order to fix this I ran this command:
sudo openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
When I look at the certificate details on Chrome (v48) under "Certificate Signature Algorithm" it says "PKCS #1 SHA-256 with RSA Encryption"
I'm still getting the same issue. It doesn't appear to be a caching issue, as I've appended a timestamp to the URL so that it's not cached.
I'm not sure what else I need to do to resolve this. Can anyone shed any light on this?
I have installed on my server IceCast with SSL. The program works perfectly but the SSL certificate is recognized as non-secure in the browser. I generated the certificate with the following code:
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout icecast2.pem -out icecast2.pem
Page capture: http://i.imgur.com/V5V3zM4.png
Does anyone know how I can fix it?
PS: I'm running Apache2 Server and Debian.
Many Thanks.
You've got a self-signed certificate that is not contained in any trust chain. Hence, it is marked as insecure by your browser.
There is hardly any way to fix this with your existing certificate. You can try through the Let's Encrypt initiative.