How to generate a self-signed certificate that does not trigger warnings in browsers? - ssl

I am generating a simple self-signed certificate via a simple PowerShell script leveraging openssl, and then using the .pfx certificate in a simple ASP.NET Core 2.0 application to enable HTTPS:
function New-SelfSignedCertificate([string] $BaseName = 'localhost', $CommonName = 'localhost', [UInt16] $DayCount, [string] $Pass = 'somepassword')
{
    # Fresh 2048-bit RSA key plus a self-signed certificate; the key file is protected with $Pass
    & openssl req -new -x509 -newkey rsa:2048 -keyout "$BaseName.key" -out "$BaseName.cer" -days "$DayCount" -subj "/CN=$CommonName" -passout "pass:$Pass"
    # Bundle key and certificate into the PKCS#12 (.pfx) file that ASP.NET Core loads
    & openssl pkcs12 -export -password "pass:$Pass" -passin "pass:$Pass" -out "$BaseName.pfx" -inkey "$BaseName.key" -in "$BaseName.cer"
    Remove-Item -Path "$BaseName.key"
    Remove-Item -Path "$BaseName.cer"
    # openssl's RNG seed file; not every openssl build writes it, so don't fail if it is absent
    Remove-Item -Path '.rnd' -ErrorAction SilentlyContinue
}
The problem with my certificate is that it triggers a lot of warnings in every browser: Chrome, Opera, Firefox (e.g. SEC_ERROR_UNKNOWN_ISSUER), IE11 (e.g. DLG_FLAGS_INVALID_CA) and Edge (DLG_FLAGS_INVALID_CA and DLG_FLAGS_SEC_CERT_CN_INVALID). Is there anything I can do at generation time to avoid those warnings (i.e. besides manually adding the certificate to the Trusted Root category)?
It seems the issuer cannot be identified; I mean, how can the certificate be judged in such a way that the browser would say, without user intervention: "ok, you can go to the Trusted Root Certificate Authorities"? (i.e. I am looking for convenience during the development stage).

Is there anything I can do at generation time to avoid those warnings? (i.e. besides manually adding the certificate to the Trusted Root category)
Either you don't understand the concept behind trusting a certificate or I don't understand your problem. The main idea behind certificate validation is that the browser will detect if some hacker is diverting or intercepting your connection in order to impersonate some trusted site or to sniff sensitive (encrypted) data in a man-in-the-middle attack.
If anybody could automatically add a CA or a certificate as trusted to the browser, i.e. without any notice to the user, then anybody could create a certificate for an arbitrary web site (like paypal.com, google.com, ...) and use it in such an attack without the browser being able to detect the attack.
I mean, how can the certificate be judged in such a way that the browser would say, without user intervention: "ok, you can go to the Trusted Root Certificate Authorities"?
This cannot be set in any way by the certificate itself. Only the user, an administrator or the developer of the system/browser can decide whether a new CA should be considered trusted.

OpenSSL self signed certificate entirely blocked

I created a self-signed certificate; now my problem is that Firefox, Safari and even IE will not allow me to visit my own page at all. I can't even click on ignore or similar. It just blocks me from visiting mypage.io.
MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT certificate is not valid for 81.33.34.123 (fake ip)
My openssl certificate key and crt creation was like this:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.crt
It prompts me to enter some more details, and I think the problem is where it asks me about "Common Name (e.g. server FQDN or YOUR name)". I answered with www.mypage.io.
It's an unfinished project so I will not buy a certificate yet.
The trust is missing!
Please get a real certificate. You do not even have to buy one: https://letsencrypt.org/ provides them for free.
If you (for whatever reason) stick with your certificate:
IE: Import it to the trusted root certificate authority store (certlm.msc).
Mozilla: Look here
Alternatively, please find information on how to generate your own trust chain with OpenSSL here: How to make browser trust localhost SSL certificate?

What is the purpose of template in Microsoft CA?

I'm using a Microsoft Certification Authority to sign some certificates for a corporate network. Using the certreq utility everything works fine, but I couldn't find the purpose of the template anywhere.
In my case, I need to create some certificate requests on a Linux server (using OpenSSL) and then sign them using the Microsoft CA on another server (Windows Server 2012). The process is basically described below:
Create the .csr file and key in a Linux server (openssl req -newkey rsa:1024 -keyout myKey.key -out myCsr.csr -subj /CN=mydomain.com/O=Organization/C=US/ST=ST/L=City);
Send the csr file to Windows Server where the CA is installed;
Call certreq utility to create the certificate itself (certreq -submit -attrib "CertificateTemplate:MyWebServerTemplate" -config DOMAINCA\CA1 myCsr.csr myCert.cer);
When needed, send the cert back to Linux and convert the .cer to a .crt with the command openssl x509 -outform DER -in myCert.cer -out myCert.crt. This is needed when certreq is used with the -binary option.
As far as I know, choosing the template is mandatory, but nothing changes no matter which one I choose. I tried selecting many templates, but apparently nothing changes.
Update:
After some tests, I noticed that some templates actually change some of the original info from the CSR, but my question still stands: what is the purpose of the template, since the info is all in the CSR, and why is it mandatory? How can I force the MS CA to use the CSR info?
I'm new to this certificate administration thing. Have I misunderstood something in the process?

Enabling SSL for an MQ queue manager on the HP Nonstop

I have an existing MQ MQI connection (Server-Connection) between an HP Nonstop and a Windows server. I am working on configuring the queue manager for SSL on the Nonstop.
I have followed a couple of sources available on the net closely but am still confused about a few things.
For the Stash.sth file, I have not gotten the following command to work:
openssl pkcs12 -export -in cert.pem -inkey server_key.pem -out personal_cert.p12 -passin pass:certkey -password pass:certkey -chain -CAfile trust.pem
I get an "Error unable to get local issuer certificate chain."
The SSLUpdate.pdf document that is delivered with MQ mentions creating the Stash.sth file using:
amqrsslc -s cert (cert being the trusted certificate store), and this DOES work for me.
However, it also says "The amqrsslc command will prompt for the private key pass phrase used when creating the certificate/key pair and will write a masked copy of that pass phrase to the Stash.sth file"
If I should have specified the same pass phrase earlier, where should I have done that?
When I created the private key? Should I have specified a -passin or -passout parameter? All I used was openssl genrsa -out privatekey.pem 2048 -sha256
Or, when I generated the certificate request? There is a prompt to enter an optional password.
Or neither? Is the pass phrase used when creating the Stash.sth file completely arbitrary?
Thanks for any help!
The error usually means the list of trusted certificates is not complete.
I think you need to make sure your certificate chain is complete.
Here is the relevant text from the technote:
If the certificate request is signed by an intermediate certificate, the certificate chain for the signed personal certificate will need to be added to the trust.pem file. You need to add the root certificate and the intermediate to the trust.pem file. Review the create_trust_file.sh script for the syntax.
I also think this presentation document may be helpful to you.
http://www-01.ibm.com/support/docview.wss?uid=swg27023472&aid=1
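The chain point above, and the two earlier questions (a browser rejects a certificate whose issuer it does not trust, or whose name does not match the host), can be reproduced end to end. The following is an added example and not code from any of the posts: it builds a root, an intermediate and a server certificate with openssl, and all subjects, file names and the pass:constructed password are made up for the demo; it assumes openssl 1.1.1 or later on PATH.

```shell
# Added example (not from any post above): build root -> intermediate -> server
# with openssl, then show that the server cert is trusted only when the verifier
# trusts the private root, and that "pkcs12 -export -chain" fails until trust.pem
# holds root AND intermediate. Assumes openssl 1.1.1+; all names are constructed.
set -eu
# issue DIR NAME SUBJECT EXTENSIONS [ISSUER]: key + cert in DIR/NAME.{key,crt},
# self-signed when ISSUER is omitted, else signed by DIR/ISSUER.{key,crt}.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  printf '%s\n' "$4" > "$1/$2.ext"
  if [ -n "${5:-}" ]; then
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$5.crt" -CAkey "$1/$5.key" \
      -CAcreateserial -days 30 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" \
      -days 30 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
  fi
}
CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
# Browsers match the URL host against subjectAltName, not CN: list DNS and IP.
LEAF_EXT='basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:localhost,IP:127.0.0.1'
build_chain() {   # DIR: root (self-signed) -> inter -> server
  issue "$1" root "/CN=Constructed Root CA" "$CA_EXT"
  issue "$1" inter "/CN=Constructed Issuing CA" "$CA_EXT" root
  issue "$1" server "/CN=localhost" "$LEAF_EXT" inter
}
# verify_server DIR HOST [ROOTFILE]: 0 iff server.crt chains to a trusted root and
# is valid for HOST. No ROOTFILE = system store only = the browser before import.
verify_server() {
  openssl verify ${3:+-CAfile "$3"} -untrusted "$1/inter.crt" \
    -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}
# export_p12 DIR TRUSTFILE: MQ-style export; -chain rebuilds the issuer chain from TRUSTFILE.
export_p12() {
  openssl pkcs12 -export -chain -CAfile "$2" -in "$1/server.crt" -inkey "$1/server.key" \
    -passout pass:constructed -out "$1/server.p12" 2>/dev/null
}
WORK=$(mktemp -d); build_chain "$WORK"
cat "$WORK/root.crt" "$WORK/inter.crt" > "$WORK/trust.pem"
verify_server "$WORK" localhost || echo "system store only: rejected"
verify_server "$WORK" localhost "$WORK/root.crt" && echo "private root trusted: OK"
verify_server "$WORK" example.com "$WORK/root.crt" || echo "wrong host: rejected"
export_p12 "$WORK" "$WORK/root.crt" || echo "pkcs12 -chain, root only: fails"
export_p12 "$WORK" "$WORK/trust.pem" && echo "pkcs12 -chain, root+inter: OK"
```

The root-only export reproduces the "unable to get local issuer certificate" error from the question; adding the intermediate to the trust file is what makes -chain succeed.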

Not able to download and install IBM installer application using an iPad (iOS 7.1)

I deployed the IBM App Center on IBM Worklight Server 6.1 and enabled SSL by generating an SSL certificate using Liberty Core's common utility, and updated server.xml accordingly.
When I access the link https://< serverIP >:< sslPort >/appcenterconsole/inst.html
it shows an SSL error: the SSL certificate does not match the server URL. This is my first problem.
On Chrome it shows an option to proceed anyway; after that I am able to access the page with the IBM App Center installer application using my username and password.
But when I click on the link of the application to download and install the app, it shows the message Cannot connect to < serverIP >. This is my second problem.
You generated a self-signed certificate. Per the documentation, IBM Application Center does not support self-signed certificates. You need to purchase an official SSL certificate from a certificate authority. This limitation actually comes from iOS.
There is a complex workaround, but I recommend this only for testing. The workaround is not really suitable for production:
Generate a special self-signed certificate with CA flag set to true. This makes the certificate also a certificate authority. Note: Most instructions on the web are only valid for self-signed certificates with CA flag set to false. If you use openssl, use the options -reqexts v3_req -extensions v3_ca
Import this SSL certificate into your device. See here and in its subsections for details. This should also work for 6.1 even though the documentation link is for 6.2
Install this certificate for your webserver and proceed as usual.
You don't need to purchase anything; you just need to create a CA certificate with an Apple Mac, install it on the device and you will be allowed to download the apps, easy peasy.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt -reqexts v3_req -extensions v3_ca
put your domain in the name field when required.
then
cat certificate.crt privateKey.key > server.pem
then
openssl pkcs12 -export -in certificate.crt -inkey server.pem -out server.p12 -passout pass:passServerP12 -passin pass:passServer
Then to try it out:
openssl s_client -connect hostname:port
Hope I could help ;D

Internal CA Signed Cert without CSR (Certificate Sign Request)

We need to provide secure SSL on our intranet website. Could anyone please help me with the queries below:
Is it possible to get an internal CA-signed cert without a CSR?
If the above is yes, how do I generate an internal CA-signed cert without a CSR?
What am I trying to achieve?
We don't have a production IIS setup, and production IIS will only be set up during the change window. During this change window no resource is available to generate a CA-signed cert for a given CSR. Hence, we are trying to create CA-signed certs beforehand without having to set up the prod IIS.
The Certificate Signing Request (CSR) is a tool for including a third party in the certificate creation process without divulging your private key. It's essentially a packet of encoded information (including the public key) which can be sent to the third party for signing. The third party receives the CSR, signs it with their intermediate or root certificate, and sends the certificate back to you. Your new and shiny certificate file now forms a keypair with your private key file. Even better, the third party never had access to your private key through the entire process.
Now to answer your question: yes, it is possible. There is no requirement that a third party be involved. It's more a question of how to accomplish this with the cryptographic library of your choice. Check out my post here for a way to get OpenSSL running on Windows without admin privileges.
Create a new key and certificate
openssl req -newkey rsa:2048 -nodes -keyout [filepath to key] -x509 -out [filepath to cert]
Create a certificate from an existing key
openssl req -key [filepath to key] -x509 -out [filepath to cert]
You should be able to use OpenSSL to create a CSR independently of IIS (see its req command).