How to get a certificate from a CA? - ssl

I need to get a certificate from a certificate authority with .crt extension.
I used openssl commands but it generates a self-signed certificate which is not suitable for my use.
$ openssl genrsa -out client.key 4096
$ openssl req -new -x509 -text -key client.key -out client.cert
How can I obtain a certificate from a CA in Ubuntu 16.04? I need .key and .crt files.

These are the steps you would need to do to get a certificate signed by a CA.
Generate an asymmetric key pair.
openssl genrsa -out localhost.key 2048
Generate a PKCS#10 (Certificate Signing Request) from the Key Pair.
openssl req -new -sha256 -key localhost.key -out localhost.csr
Send the above generated request to the CA (different CAs have different ways of receiving your request).
CA replies with a PKCS#7 (Certificate Chain) or just the signed certificate (you will usually get the entire certificate chain, but if you just got only the peer certificate, you can check with them where you can get the CA certificate chain to construct the chain yourself).
You can convert the above received PKCS#7 to PEM format
openssl pkcs7 -in localhost.p7r -inform DER -print_certs -out localhost.pem
Associate the above PEM certificate chain to the private key you generated in the step 1.
openssl pkcs12 -export -inkey localhost.key -in localhost.pem -name sslCertificate -out localhost.pfx
You now have a PKCS#12 keystore that you can use to secure your server.
So to answer your question, this is how you could proceed with step 3.
There are many well known Certificate Authorities out there (GeoTrust, Entrust, Verisign, GoDaddy, Comodo, etc.). Each CA differs in its pricing depending on what kind of certificate you are requesting. You can visit their official web page(s) to know more about what they have to offer. Once you have decided which CA to go with, you use their service to request a certificate to be signed (usually online on their site).
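The six steps above run end to end, as an added example that is not code from the answer: a throw-away self-signed root created inside the script stands in for the commercial CA, so the whole thing runs offline; with a real CA, step 3 is their upload form and step 4 is the file they send back. The SAN, keyUsage and extendedKeyUsage extensions, the verify checks at the end, the file names and the PKCS#12 password are assumptions added here, not something the answer specifies.

```sh
#!/bin/sh
# Added example, not from the answer above: the six steps run end to end.
# A throw-away self-signed root (make_ca) stands in for the commercial CA;
# with a real CA you would send localhost.csr through their web form instead.
# File names, subject names and the PKCS#12 password are assumptions.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Local OpenSSL config so the run does not depend on the system openssl.cnf.
cat > ssl.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

# Stand-in for the CA (constructed for this demo only).
make_ca() {
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 3650 -key ca.key -out ca.crt \
        -config ssl.cnf -extensions ca_ext -subj "/CN=Demo Root CA"
}

# Steps 1-2: key pair and PKCS#10 request. The CSR is self-signed with the
# new key (proof of possession); -verify checks that signature before upload.
make_request() {
    openssl genrsa -out localhost.key 2048 2>/dev/null
    openssl req -new -sha256 -key localhost.key -out localhost.csr \
        -config ssl.cnf -subj "/CN=localhost"
    openssl req -in localhost.csr -noout -verify >/dev/null 2>&1
}

# Steps 3-4: the CA signs the request (adding the server extensions; a real CA
# sets these itself) and returns leaf plus issuer as a DER-encoded PKCS#7.
ca_sign_and_reply() {
    openssl x509 -req -sha256 -days 397 -in localhost.csr \
        -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile ssl.cnf -extensions server_ext -out localhost.crt 2>/dev/null
    cat localhost.crt ca.crt > reply_chain.pem
    openssl crl2pkcs7 -nocrl -certfile reply_chain.pem -outform DER -out localhost.p7r
}

# Steps 5-6: PKCS#7 -> PEM chain, then key + chain -> PKCS#12 keystore.
build_keystore() {
    openssl pkcs7 -in localhost.p7r -inform DER -print_certs -out localhost.pem
    openssl pkcs12 -export -inkey localhost.key -in localhost.pem \
        -name sslCertificate -passout pass:changeit -out localhost.pfx
}

# Pre-deployment checks: the leaf chains to the root and is valid for a TLS
# server named "localhost"; the keystore holds the private key and both
# certificates. Prints "ok" when every check passes.
check_result() {
    openssl verify -CAfile ca.crt -purpose sslserver -verify_hostname localhost \
        localhost.crt >/dev/null || return 1
    certs=$(openssl pkcs12 -in localhost.pfx -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true)
    [ "$certs" -eq 2 ] || return 1
    openssl pkcs12 -in localhost.pfx -passin pass:changeit -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY' || return 1
    echo ok
}

run_demo() {
    make_ca && make_request && ca_sign_and_reply && build_keystore && check_result
}

run_demo
```

Run it as a script; it prints ok when the chain verifies and the keystore contains the key and both certificates. The PEM passed to pkcs12 -export has the leaf first and its issuer after it, which is also the order nginx and Apache expect in a chain file.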

Related

Why does my certificate chain NOT contain the CA root certificate?

I simulate a CA on a CentOS 7 host (azcn-gs1-nginx2), and use the CA to sign a certificate for a server (azcn-gs1-nginx1).
Below is what I do:
On the CA host azcn-gs1-nginx1, generate the key:
cd /etc/pki/CA/private/
openssl genrsa -aes128 -out testCA.key 2048
Generate CA certificate
openssl req -new -x509 -days 1825 -key /etc/pki/CA/private/testCA.key -out /etc/pki/CA/certs/testCA.crt
On the server azcn-gs1-nginx2, generate private key and certificate sign request.
openssl genrsa -out /etc/pki/tls/private/newServer.key 1024
openssl req -new -key /etc/pki/tls/private/newServer.key -out /etc/pki/tls/newServer.csr
Copy newServer.csr to CA host for signing.
scp /etc/pki/tls/newServer.csr root@azcn-gs1-nginx2:~/newServer.csr
On the CA host, sign newServer.csr and copy newServer.crt back to the server azcn-gs1-nginx2.
openssl x509 -req -in ./newServer.csr -CA /etc/pki/CA/certs/testCA.crt -CAkey /etc/pki/CA/private/testCA.key -CAcreateserial -out newServer.crt -days 1461
scp newServer.crt root@azcn-gs1-nginx2:/etc/pki/tls/certs/newServer.crt
Server azcn-gs1-nginx2 is a reverse proxy for a webservice. I configure the newServer.key and newServer.crt in Nginx for https.
ssl_certificate /etc/pki/tls/certs/newServer_1.crt;
ssl_certificate_key /etc/pki/tls/private/newServer.key;
I am on another Ubuntu host. I import the CA's certificate testCA.crt into Ubuntu truststore, as below:
cp testCA.crt /usr/local/share/ca-certificates/
update-ca-certificates
Ubuntu's built-in browser is Firefox. I also import testCA.crt into Firefox's truststore. Please see the attached picture.
I open Firefox and visit the web server over https. The expected result is that it opens the web page directly, without a security warning.
Unfortunately, it gives the warning "Your connection is not secure....."
and it looks like the certificate only contains the certificate itself. It does not contain the CA's certificate.
Why does this happen? How can I get a signed certificate with the CA's certificate in the chain?
Thanks & regards,
Jie
Thanks for your comments.
That's right.
Actually, it is very simple. The two .crt files (CA and server) can be concatenated into one .crt file; then the certificate chain is complete.
Right, the pictures of 2 and 3 are other problems.
Thanks,
Jie

Private Key doesn't Match Certificate

I'm having some weird issues with generating CSRs and certificates from them which I don't fully understand.
Here's what I've done:
Generate private key and CSR (done on Ubuntu on WSL if that's of any significance)
openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr
Uploaded that to CA and got back a certificate beginning with -----BEGIN CERTIFICATE----- which would indicate a PEM-encoded certificate, right?
Tried combining all of this into a PFX for ease of use
openssl pkcs12 -export -out CERTIFICATE.pfx -inkey PRIVATEKEY.key -in CERTIFICATE.cer
It then asks for the private key password and then throws the error "No certificate matches private key".
Some people suggested reencoding the certificate from DER to PEM, but that just throws an error indicating the certificate is already X509
sudo openssl x509 -inform DER -outform PEM -in CERTIFICATE.cer -out CERTIFICATE.pem
unable to load certificate
140390322082240:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:
140390322082240:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=X509
The following command generates quite sensible output, so the certificate seems to be alright to some extent
openssl x509 -in CERTIFICATE.cer -text -noout
The CA is Telia if this is of any use to anybody. I have had some issues in the past with them, for example Digicert's Certificate Utility doesn't recognize their certificates as valid for some reason (but that might of course be caused by me using the wrong file extension or something).
This issue was due to the renewal process in the Telia user interface, it allows you to upload a new CSR during renewal, but it actually ignores that and uses the old CSR without telling you.
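Two checks that would have pinpointed this before the export, as an added example not taken from the post: detect whether the file is PEM or DER before choosing -inform, and compare the public key inside the certificate with the one derived from the private key. The self-signed certificate for PRIVATEKEY.key stands in for the CA-issued one and OTHERKEY.key for a fresh key the CA ignored; both are constructed in the script, and the names and the password are assumptions.

```sh
#!/bin/sh
# Added example (not from the post above): the two checks that explain
# "No certificate matches private key" before the PKCS#12 export is attempted.
# The self-signed certificate for PRIVATEKEY.key stands in for the CA-issued
# one; OTHERKEY.key stands in for the new key the CA silently ignored.
# All files are constructed here; names and the password are assumptions.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > min.cnf

openssl genrsa -out PRIVATEKEY.key 2048 2>/dev/null
openssl genrsa -out OTHERKEY.key 2048 2>/dev/null
openssl req -x509 -new -days 30 -key PRIVATEKEY.key -config min.cnf \
    -subj "/CN=example.test" -out CERTIFICATE.cer 2>/dev/null
openssl x509 -in CERTIFICATE.cer -outform DER -out CERTIFICATE.der

# Prints pem or der: a PEM certificate is text starting with the BEGIN marker;
# feeding such a file to "x509 -inform DER" is what produces the asn1
# "wrong tag" error seen above.
cert_encoding() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo pem; else echo der; fi
}

# Prints the certificate's SubjectPublicKeyInfo as PEM, whatever the encoding.
cert_pubkey() {
    openssl x509 -in "$1" -inform "$(cert_encoding "$1" | tr a-z A-Z)" -noout -pubkey
}

# Returns 0 when the private key's public half is byte-for-byte the key in the
# certificate. Works for RSA and EC alike, unlike comparing "-modulus" output.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(cert_pubkey "$2")" ]
}

# Builds the PFX only once the pair is known to be consistent, so a mismatch
# is reported with its likely cause instead of the terse export-time error.
export_pfx() {   # export_pfx KEY CERT_PEM OUT
    if ! key_matches_cert "$1" "$2"; then
        echo "refusing: $1 does not belong to $2 (did the CA reuse an old CSR?)" >&2
        return 1
    fi
    openssl pkcs12 -export -inkey "$1" -in "$2" -passout pass:changeit -out "$3"
}

export_pfx PRIVATEKEY.key CERTIFICATE.cer CERTIFICATE.pfx
```

A mismatch reported by key_matches_cert means the certificate was issued for a different CSR than the one you think you uploaded; re-issue against the current CSR rather than converting file formats. The export step itself still needs a PEM certificate, as pkcs12 -export reads only PEM.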

Create CSR and self-signed-certificate with pyOpenSSL

Using pyOpenSSL I want to create
a key pair for self-signing
a certificate signing request (csr)
a self-signed-certificate
When I use the OpenSSL command line tool, I use the following commands to do that:
a key pair for self-signing
openssl genrsa -out pkey.pem 2048
openssl rsa -in pkey.pem -out public-pkey.pem -outform PEM -pubout
a certificate signing request (csr)
openssl req -new -key pkey.pem -subj "/C=US/O=XXX/CN=XXX" -days 365 -out csrrequest.csr
a self-signed-certificate
openssl x509 -in csrrequest.csr -req -signkey pkey.pem -days 365 -set_serial 0x12345 -sha256 -out selfsignedcert.pem
This works! Server accepts the self-signed certificate and returns a server-signed certificate.
For pyOpenSSL I use the following code:
a key pair for self-signing
from OpenSSL import crypto

psec = crypto.PKey()
psec.generate_key(crypto.TYPE_RSA, 2048)
a certificate signing request (csr)
csrrequest = crypto.X509Req()
csrrequest.get_subject().C = "US"
csrrequest.get_subject().O = "XXX"
csrrequest.get_subject().CN = "XXX"
csrrequest.set_pubkey(psec)
a self-signed-certificate
selfsignedcert = crypto.X509()
selfsignedcert.set_serial_number(12345)
selfsignedcert.gmtime_adj_notBefore(0)            # valid from now
selfsignedcert.gmtime_adj_notAfter(365*24*60*60)  # for one year
selfsignedcert.set_subject(csrrequest.get_subject())
selfsignedcert.set_issuer(selfsignedcert.get_subject())  # issuer == subject: self-signed
selfsignedcert.set_pubkey(csrrequest.get_pubkey())
selfsignedcert.sign(psec, "sha256")
This is not working! Server does not accept the self-signed certificate. The server is not able to sign and return a server-signed certificate.
By using pyOpenSSL, however, I miss the input of openssl x509 -in csrrequest.csr -req for the creation of the self-signed certificate...
Where is my fault? Does anyone know what I am doing wrong?
Thanks!
You need to sign the CSR with the private key (similar to a self-signed certificate, but the CA will replace this signature with its own signature in the final certificate).
Try csrrequest.sign(psec,"sha256")
What is it that is not working?
I noticed that the times are set wrong
Instead of :
selfsignedcert.gmtime_adj_notBefore(0)
selfsignedcert.gmtime_adj_notAfter(365*24*60*60)
What if you tried
import datetime

current_ts = int(datetime.datetime.now().timestamp())
selfsignedcert.gmtime_adj_notBefore(current_ts)
selfsignedcert.gmtime_adj_notAfter(current_ts + 365*24*60*60)

Error ssl_error_unknown_ca_alert Peer does not recognize and trust the CA that issued your certificate

I have a problem. I get the error in the headline. I have a signed certificate from a recognized company. Now I want to create a second certificate.
I created the key with
openssl genrsa -des3 -out example.abc.key
then the CSR-File with
openssl req -new -key example.abc.key -out example.abc.csr
and removed the passphrase with
openssl rsa -in example.abc.key -out example.abc.key
Now I created the certificate, signed by the other certificate I got from the recognized company, with
openssl x509 -req -in example.abc.csr -CA signed.certificate.crt -CAkey signed.certificate.key -out example.abc.crt
Finally, I create the PKCS12 file
openssl pkcs12 -export -in example.abc.crt -inkey example.abc.key -name "Example Client" -out example.abc.p12
When I call the website, the web server asks the client to identify itself and I can select the imported certificate. The error in the headline appears, and I don't know how to solve it. I'm frustrated, because I googled but didn't find anything that helps.
If I understand you correctly, you got a signed certificate and you want to use it to sign another certificate. Since I'm pretty sure that you just got a normal certificate, you might be able to sign another certificate, but this new certificate will not be accepted by anybody. Only CA certificates can be used to successfully sign other certificates.
If this restriction were not there, then anybody could get a certificate for their own site (example.com) and then use it to sign a certificate for some other site like paypal.com. It would indeed be very bad if this worked.

What's the physical differences between server and client certificate?

I know their logical differences and their intended uses. What I want to know is how the two certificates differ in the procedure of generation and in their actual contents.
Suppose you generate some self-signed certificate with the following procedure:
generating a private CA certificate, assume that you've got "ca.crt".
generating a private key as openssl genpkey -algorithm RSA -out key.pem -outform PEM.
generating a CSR as openssl req -new -key key.pem -keyform PEM -out req.pem -outform PEM.
signing to the CSR as openssl ca -in req.pem -out cert.pem -cert ca.crt -keyfile key.pem -keyform PEM.
I searched the web a lot but I couldn't find out whether the procedure above and the contents of the generated certificate differ when I generate a server certificate versus a client certificate.
Your answers are greatly appreciated. Thank you.
There is no difference in the format. Both are X.509 certificates with the use-for-SSL bit set.
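An added example (not from either of the two posts above) covering both points: a certificate's role is decided by the extensions it carries, not by its format, and only a certificate with basicConstraints CA:TRUE can issue certificates that relying parties accept. The script builds a demo root, a server certificate and a client certificate from three extension sections, classifies each from the extensions actually present, then issues a client certificate first from the root and then from the server certificate and asks openssl verify which one a peer trusting the root would accept. The extension contents, the names, and the use of openssl x509 -req in place of openssl ca are assumptions made here.

```sh
#!/bin/sh
# Added example, not from the posts above. Everything is constructed in a
# temp dir; names, extension contents and the choice of x509 -req over
# "openssl ca" are assumptions for illustration.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# The three roles differ only in these sections; the X.509 container is the same.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.com
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# Self-signed demo root (stands in for the "recognized company").
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 30 \
    -config ext.cnf -extensions ca_ext -subj "/CN=Demo CA" 2>/dev/null

# issue NAME SECTION ISSUER: new key + CSR for NAME, signed by ISSUER with SECTION.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -config ext.cnf -subj "/CN=$1" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
        -days 30 -extfile ext.cnf -extensions "$2" -out "$1.crt" 2>/dev/null
}
issue example.com server_ext ca   # a web-site certificate, as a commercial CA issues
issue alice client_ext ca         # a client certificate

# Prints ca / server / client / other, read from the extensions in the file.
cert_role() {
    ext=$(openssl x509 -in "$1" -noout -ext basicConstraints,keyUsage,extendedKeyUsage 2>/dev/null)
    case "$ext" in
        *CA:TRUE*)                          echo ca ;;
        *"TLS Web Server Authentication"*)  echo server ;;
        *"TLS Web Client Authentication"*)  echo client ;;
        *)                                  echo other ;;
    esac
}

# Prints accepted or rejected: ISSUER signs a client certificate; would a peer
# that trusts the demo root accept it? The issuer is supplied as the untrusted
# intermediate, so the only question is whether it is allowed to issue.
issued_by_is_accepted() {   # $1 = issuer basename (ca or example.com)
    issue probe client_ext "$1"
    if openssl verify -CAfile ca.crt -untrusted "$1.crt" probe.crt >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

echo "example.com.crt is a $(cert_role example.com.crt) certificate"
echo "signed by the root: $(issued_by_is_accepted ca)"
echo "signed by example.com: $(issued_by_is_accepted example.com)"
```

The second verify fails with "invalid CA certificate" (or "key usage does not include certificate signing"), which is exactly the failure a browser reports as an unknown CA: the signature is fine, but the signer is not permitted to issue. With `openssl ca` the same extension sections go in the `x509_extensions` setting of the CA config instead of `-extfile`.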