I don't know if this is the correct place to ask it, but I will try.
I am trying to run http.ListenAndServeTLS with ECDSA certificate generated from OpenSSL.
It fail with this error message: tls: failed to parse private key
Go understand elliptic.P256(), in the code it has this comment See FIPS 186-3, section D.2.3.
In this link: http://www.ietf.org/rfc/rfc5480.txt, it says it is also called secp256r1.
As you can see below, OpenSSL undestand this as prime256v1.
$ openssl ecparam -name secp256r1 -text -noout
using curve name prime256v1 instead of secp256r1
ASN1 OID: prime256v1
NIST CURVE: P-256
So what is wrong?
How can I generate ECDSA certificate from OpenSSL and use it on my Go code?
Using generate_cert.go to generate a P256 ECDSA certificate, my code works, but if I try to read the key file with OpenSSL it fail also.
$ openssl ecparam -text -noout -in key.pem
unable to load elliptic curve parameters
140377431725720:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: EC PARAMETERS
I couldn't figured out what is the problem between OpenSSL and Go.
But my main problem is, how to generate ECDSA certificate to use with Go code!
Using CFSSL (https://cfssl.org/) I can generate ECDSA certificate and sign it with my internal CA certificate generated from OpenSSL. The certificate generated from CFSSL works fine with my Go code, so for me it solves my main problem!
I don't know if there is a format problem between OpenSSL and Go, but as CFSSL is written in Go, the certificate generated on it works fine in my code and in browser.
Here is an example of OpenSSL generated ECDSA keys working with Go.
https://play.golang.org/p/MS_FQ8cqqA8.
As clarified in this issue - https://github.com/golang/go/issues/23591, go does not recognize EC keys that are generated with the -param_enc explicit flag in Openssl.
# openssl ecparam -name prime256v1 -genkey -noout -out priv2.pem
# openssl req -new -x509 -key priv2.pem -out EC_server2.pem -days 365
Hope this solves your problem.
Run:
go run `go env GOROOT`/src/crypto/tls/generate_cert.go --host=localhost --ecdsa-curve=P256
This will generate cert.pem and key.pem in the current directory.
Related
thats my first post.
I will set up an Apache with ECDSA.
I generates this keys
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
and generate a self-signed certificate.
openssl ecparam -name secp256k1 -genkey -param_enc explicit -out rootCA.key
openssl req -x509 -new -nodes -key server.key -sha256 -days 1024 -out rootCA.pem
At the ssl.conf I set
SSLCipherSuite ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384
Wireshark shows me that the client supports the cipher and i looked at firefox config
The same cipher but with RSA cert works without problems.
I showed enough Tutorials but i cant find the problem.
www.ssllabs.com/ssltest/ this test fails also with "Assessment failed: Failed to communicate with the secure server"
Have someone ideas what I can do?
You cannot use ECDSA ciphers if you don't present an ECDSA certificate.
openssl ecparam -name secp256k1 -genkey -param_enc explicit -out rootCA.key
Great this should have created an ECDSA private key. Now you need to make it into a certificate (possibly a self-signed certificate).
But in your following commands, you never use rootCA.key to make a certificate. Most probably you have generated an RSA certificate not ECDSA. Try to use -key rootCA.key in your openssl req command.
For school we are currently studying SSL certificates.
For this week's assignment we had to install Fedora Workstation on VirtualBox and do some SSL-stuff.
One of the assignments was the following:
generate a public/private keypair and a CSR with the openssl command.
I generated a public/private keypair using the following command:
openssl genrsa -out Desktop/mykey.key 2048
After I generated the keypair I had to verify it. But how do you verify a key? What is really meant by that? Just get out the public key and check if it matches the private key? This is the first question.
I generated the CSR using the following command:
openssl req -new -key Desktop/mykey.key -out Desktop/myCSR.csr
This is the right way, right?
Checking/verifying the CSR file was done using this command:
openssl req -text -noout -verify -in Desktop/myCSR.csr
I think that's the right way too.
This was the "easy" part, now comes the harder part:
We had to use xca to create a database and a CA Root Certificate. Then we had to import the csr from above question and sign it. I signed it by right clicking on it and choosing sign. Then we had to export both the CA and the signed key and verify it. But what do they mean exactly? My guess is to verify that the certificate is signed by the CA, but I'm having problems with that.
We have to use openssl x509 for that, but it just isn't working.
When I right click the signed key and export it as a PEM file, in that file is the following:
----- BEGIN CERTIFICATE REQUEST -----
MIIC6......
----- BEGIN CERTIFICATE REQUEST -----
while the assigment says: export the signed certificate. But is this even a certificate?
And how do I verify it?
I used many commands, like
openssl x509 -in Desktop/exported.pem -text -noout
But the output I get is always something like this:
I have tried all sorts of commands and read all google pages, but nothing helps.
this is the second question
Hope you all can help, Thanks!
When you verify a certificate, you are checking whether it's CA is recognised, and it matches the CA's fingerprint. It doesn't look like you are providing the CA cert to the openssl command. Try specifying -CA <your CA cert file:
$ openssl x509 --help
...
-CA arg - set the CA certificate, must be PEM format.
I am having some serious problems with regards to being able to create a p12 file to place on my windows server.
I have used two different websites to be able to help me work out what i need to do:
http://www.raywenderlich.com/32960/apple-push-notification-services-in-ios-6-tutorial-part-1
The second website i used was a comment from within the website was the following:
http://arashnorouzi.wordpress.com/2011/06/19/sending-apple-push-notifications-in-asp-net-and-c-–-part-4-apns-sharp-c-wrapper-class/
First of all i create a Certificate signing request.
I then upload this to my app ID which alows me to generate a ape_dev certificate.
I then go to my key chain and navigate to the "keys" i export the .p12 certificate that i just created.
I now have three different files
My p12 file, my development certificate and my certificate signing request.
I then open terminal and i type the following:
$ openssl x509 -in aps_development.cer -inform der -out PushChatCert.pem
This then creates a new pem certificate.
The thing i type is the following
$ openssl pkcs12 -nocerts -out PushChatKey.pem -in PushChatKey.p12
It prompts for the password which i enter, i use the same password as the one when i created the certificates.
After i have done this I'm left with 2 new files both of which are PEM files.
I need to combine both of these PEM files into one p12 file for it to be able to work on my windows server.
I have tried combining it using the following line
openssl pkcs12 -export \
-in aps_developer_identity.pem \
-out aps_developer_identity.p12 \
-inkey APSCertificates.pem
This in fact works and gives me a p12 file.
I then switched back to he raywenderlich website and i typed the following:
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195
-cert PushChatCert.pem -key PushChatKey.pem
It loads but i recieve the following error:
error:num=20:unable to get local issuer certificate
Please does any one know what im doing wrong im so fed up of going round in circles.
When i upload the certificate to the server and put the ad-hoc version off the application on the device im still not receiving any notifications that i am sending
Thanks in advance.
See if this answer helps Creating .pem file for APNS?
In short: openssl pkcs12 -in apns-dev-cert.p12 -out apns-dev-cert.pem -nodes -clcerts
When you first generated your CSR, you did it with a private key. This can be opaque depending on how you did it. What I do is generate the key with openssl and then make the CSR using that key. That key is then the 'in key' when you make the p12.
Here are my steps
The first step is to generate a Certificate Signing Request. This is the same as it would be for any SSL cert. You will need a private key for this.
openssl genrsa -out aps_development.key -passout pass:foobar 2048
Then you can make the CSR using that key you just created
openssl req -new -key aps_development.key -out CertificateSigningRequest.certSigningRequest -subj "/emailAddress=yourAddress#example.com, CN=John Doe, C=US"
From here you will go to developer.apple.com and revoke the current APN cert and make a new one. It will ask for your CSR and when its done it will give you a .cer file.
Convert the .cer file into a DER formatted .pem file (assuming aps_development.cer is the file you got in the download from the Apple developer site).
openssl x509 -in aps_development.cer -inform DER -outform PEM -out aps_development.pem
Convert the .pem to a .p12. You'll note that you are supplying the key file you made at the beginning of step 1. You will need the password you supplied there.
openssl pkcs12 -export -in aps_development.pem -inkey aps_development.key -out aps_development.p12
I have a SSL certificate. I want to check if the certificate is intact or corrupted. Are there any tool to check this?
Problem is we are unable to get this certificate working in Websphere 8.0 and I was thinking if this cert file could be corrupted.
Yes, you can check a certificate with openssl (available for windows and *nix).
openssl x509 -in certificate.crt -text -noout
Reference
Update
To be more precise, you can compare the modulus and public exponent of the key and certificate respectively to guarantee that certificate matches the key and that the certificate has not been corrupted.
openssl rsa -noout -modulus -in server.key.pem | openssl sha1;\
openssl x509 -noout -modulus -in server.crt | openssl sha1
Valid output would look like
7298b69426656f7a8ab3ef9686bc0a79588850e7
7298b69426656f7a8ab3ef9686bc0a79588850e7
After hand modifying the cert the output would be.
7298b69426656f7a8ab3ef9686bc0a79588850e7
bd439a18d2d3689470e209dbd45b85a41db7230c
The command
openssl x509 -in certificate.crt -text -noout
is used for verifying certificate chains but not checking for corruption. A hand modified certificate could return valid looking output but a problem with the RSA Public Key: (4096 bit) Modulus (4096 bit): part would only be detectable with the above check.
Another Reference
i am trying to do push notification in my app and following this link
http://www.raywenderlich.com/3443/apple-push-notification-services-tutorial-part-12
my system has been successfully connected with telnet but when i enter the query for connecting ssl certificate and private key then found a error
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert apns-dev-cert.pem -key apns-dev-key.pem
unable to load client certificate private key file
1301:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-44/src/crypto/pem/pem_lib.c:648:Expecting: ANY PRIVATE KEY
any one can tell me what type of error and what's the solution of it?
Thanks in advance
The following command is good enough to verify the key/cert:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert push_development.pem
The key part is to select both certificate and private key when exporting the .p12 from Keychain Access (you will be asked for 3 passwords, one for the .p12, one for the cert, one for the private key).
To convert .p12 to .pem, follow the instruction from Apple:
openssl pkcs12 -in CertificateName.p12 -out CertificateName.pem -nodes
At first i was facing this problem too.
We have two files
1) one is aps_development.cer from apple
2) Another 1 is from the keychain access with the common name that we just created.
After that, both convert it to .pem files.
For example, cert.pem and key.pem.
After that combine this two files using below command
cat cert.pem key.pem > ck.pem
At first I openssl using below command.
openssl s_client -connect gateway.sandbox.push.apple.com:2195
-cert cert.pem -key key.pem
Which returns me the error you mentioned.
After that I try using
openssl s_client -connect gateway.sandbox.push.apple.com:2195
-cert cert.pem -key ck.pem
Then its working already. Hope this helps.
I was facing the same issue while I was generating a PEM file for Enterprise Distribution, but i figured out later that I generated a p12 file against the iPhone Distribution Certificate key though i should had generated the p12 against Apple Production iOS Push Servies key. Hope this may resolve the issue if any one had used the Distribution key.
Hello Please follow below commands.
step1
openssl pkcs12 -clcerts -nokeys -out developer_key.pem -in developer_key.p12
Note: just drag the file path on terminal...
step2
openssl pkcs12 -nocerts -out apns_key.pem -in apns_key.p12
step3
openssl pkcs12 -in developer_key.p12 -out developer_key.pem -nodes -clcerts
step4
openssl pkcs12 -in apns_key.p12 -out apns_key.pem -nodes -clcerts
step 5
cat apns_key.pem developer_ket.pem >developer.pem
DO the same step For Distribution certificates
After creating developer.pem and distribution.pem
Please verify both file in to below commands.
Step6
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert developer.pem -debug -showcerts -CAfile "Entrust.net.Certification Authority (2048).pem
A Notice is Pass Phrase must longer than 3 characters.
I have just fixed with pass Phrase is 1234 :D