using pyOpenSSL I want to create
a key pair for self-signing
a certificate signing request (csr)
a self-signed-certificate
When I use the openSSL command line tool I used the following commands to do that:
a key pair for self-signing
openssl genrsa -out pkey.pem 2048
openssl rsa -in pkey.pem -out public-pkey.pem -outform PEM -pubout
a certificate signing request (csr)
openssl req -new -key pkey.pem -subj "/C=US/O=XXX/CN=XXX" -days 365 -out csrrequest.csr
a self-signed-certificate
openssl x509 -in csrrequest.csr -req -signkey pkey.pem -days 365 -set_serial 0x12345 -sha256 -out selfsignedcert.pem
This works! Server accepts the self-signed certificate and returns a server-signed certificate.
For pyOpenSSL I use the following code:
a key pair for self-signing
psec = crypto.PKey()
psec.generate_key(crypto.TYPE_RSA, 2048)
a certificate signing request (csr)
csrrequest = crypto.X509Req()
csrrequest.get_subject().C = "US"
csrrequest.get_subject().O = "XXX"
csrrequest.get_subject().CN = "XXX"
csrrequest.set_pubkey(psec)
a self-signed-certificate
selfsignedcert = crypto.X509()
selfsignedcert.set_serial_number(12345)
selfsignedcert.gmtime_adj_notBefore(0)
selfsignedcert.gmtime_adj_notAfter(365*24*60*60)
selfsignedcert.set_subject(csrrequest.get_subject())
selfsignedcert.set_issuer(selfsignedcert.get_subject())
selfsignedcert.set_pubkey(csrrequest.get_pubkey())
selfsignedcert.sign(psec, "sha256")
This is not working! Server does not accept the self-signed certificate. The server is not able to sign and return a server-signed certificate.
By using pyOpenSSL, however, I miss the input of openssl x509 -in csrrequest.csr -req for the creation of the self-signed certificate...
Where is my fault? Does anyone know what I am doing wrong??
Thanks!
You need to sign the CSR with the private key (similar to a self-signed certificate, but the CA will replace this signature with its own signature in the final certificate).
Try csrrequest.sign(psec,"sha256")
What is it that is not working ?
I noticed that the times are set wrong
Instead of :
selfsignedcert.gmtime_adj_notBefore(0)
selfsignedcert.gmtime_adj_notAfter(365*24*60*60)
What if you tried
current_ts = int(datetime.datetime.now().timestamp())
selfsignedcert.gmtime_adj_notBefore(current_ts)
selfsignedcert.gmtime_adj_notAfter(current_ts + 365*24*60*60)
Related
Recently i have created self signed ssl certificates with the following commands
STEP 1: Create the server private key
openssl genrsa -out main.key 2048
STEP 2: Create the certificate signing request (CSR)
openssl req -new -key main.key -out main.csr
STEP 3: Sign the certificate using the private key and CSR
openssl x509 -req -days 365 -in tls.csr -signkey main.key -out main.crt
i haven't added ssl certificate info, in to my apache default file in : site-enabled config folder
but after an apache restart it took effect and i am able get https connection, but with a warning.
now i want to remove those self signed certificate. is that possible ?
i tried to revoke those certificates with this command - openssl ca -config /root/tls/openssl.cnf -revoke /certs/server-1.crt
but the above command didnt work .
i am currently very new to ssl certificate generation. any help is appreciated.
Hello I am trying to create root certificate authority for my own MITM proxy. Based on other tutorial I have used following command.
Generate a private key
openssl genrsa -out cert.key 2048
Generate a certificate
openssl req -new -nodes -x509 -key cert.key -days 365 -out cert.crt
Now the problem is when i try to add to keychain it shows Self Signed Root CA. What i have found is other MITM proxy like proxyman generates cert that shows Root Certificate Authority. Here is screenshot which illustrate my point.
I know i can make certificate that shows Root Certificate Authority from Keychain Access > Certificate Assistant > Create a Certificate Authority.
However my goal is to create certificate programmatically so I can generate certificate for other user easily.
Thanks
After several searching i found following command works. I don't know why it works it would be helpful.
openssl req -x509 -new -nodes -key cert.key -subj "/CN=HELLO" -days 3650 -reqexts v3_req -extensions v3_ca -out ca.crt -config /usr/local/etc/openssl/openssl.cnf
It seem adding something related to v3_req fixes the issue.
Be sure to use latest version of openssl. I used homebrew to install openssl
I've a user certificate (certname.pem) and user key (keyname.pem) which I've generated using the command below.
openssl req -newkey rsa:2048 -nodes -keyout keyname.pem -x509 -days 365 -out certname.pem
Also I've generated a CA key (ca.key.pem) and CA root certificate (ca.root.pem) using the command below.
openssl req -x509 -days 557 -newkey rsa:1024 -out ca.root.pem -keyout ca.key.pem
Now I want to sign the user certificate (certname.pem) with the CA key (ca.key.pem) but I am unable to do so using the command below.
openssl ca -create_serial -config openssl.cnf -cert ca.root.pem -keyfile ca.key.pem -in certname.pem -out new-certname.pem
as this command gives error:
Error reading certificate request in certname.pem
139992806578040:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:708:Expecting: CERTIFICATE REQUEST
Where as the contents of my certname.pem are as follows:
-----BEGIN CERTIFICATE-----
MIIDozCCAougAwIBAgIJALv1sRsVLIRgMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV
BAYTAmluMQ0wCwYDVQQIDARhc2RmMQ0wCwYDVQQHDARhc2RmMQwwCgYDVQQKDANs
a2oxDDAKBgNVBAsMA2xrajEMMAoGA1UEAwwDbGtqMREwDwYJKoZIhvcNAQkBFgJs
ajAeFw0xODA3MDcxNDU1MzNaFw0xOTA3MDcxNDU1MzNaMGgxCzAJBgNVBAYTAmlu
MQ0wCwYDVQQIDARhc2RmMQ0wCwYDVQQHDARhc2RmMQwwCgYDVQQKDANsa2oxDDAK
BgNVBAsMA2xrajEMMAoGA1UEAwwDbGtqMREwDwYJKoZIhvcNAQkBFgJsajCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJxh0L94MzQgjTodq4/Eha4HmX4c
PPsb7H5cUzk1b4N9tfGPoINZ68CY+HqTwXtBTtiwIvkvP/nKD5cp9PhpDB/AI4Zx
c83J72iBpMefn1KgWAUMBNnxnYkezK7SY3osotakBXAT+4tJI1BXL/TAV74VKe9a
7rXSEqCTxcj/H0kbW+2WR/N5yDXjJk68k1A4oQ4wSLiejC9ycqHkZluKZjJl8XNh
9QnEsTtZRiX59FbRa64A16Alv7tBSSTxyCFfQqPxSpgiORoU1vRQqWxD7IV5WXl7
fQLaxR07nmJKxYSK7fGRdcXLQBmkWA0V0pA3qreDAznSfElk3GNhtx0Erk0CAwEA
AaNQME4wHQYDVR0OBBYEFGDedvJ2pbkR2wFsu60fjDPocMFsMB8GA1UdIwQYMBaA
FGDedvJ2pbkR2wFsu60fjDPocMFsMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEL
BQADggEBAIIVz6Aiu1VwM71ecL7aNgyEuctAtfkiDfopKANtBA5yzLQZYlALSkjz
SIUD/vRkiT4C8ZOdfoWJkHxpk93uYH6xjDL8vsqthAA34FvDBMoecrOVNzJq5uBt
aJC4klj57uf1mPzW71yycS9IKFFGardqijjlHUyhgJVBs8kZbABT7ZedYA5UYdv+
SUNnzOU2Sm/ktPF5vWp8y4WjgujYnZQqj7pI4ucwYxb8WRW2EeeGpkbA6DuU7Tnv
frliIESdu9/UCQm7A5zxW47MKTBrVDfoRsbrbjFo9PiGCxG/7bglykFHovWVN2ez
uqLIdDOC2lNFBOJLPhf5w9s3fEGl8m8=
-----END CERTIFICATE-----
How to sign this certificate with the ca.key.pem?
Please help.
Reference for generating certificates - https://www.ibm.com/support/knowledgecenter/en/SSWHYP_4.0.0/com.ibm.apimgmt.cmc.doc/task_apionprem_gernerate_self_signed_openSSL.html
Question originally answered by - https://stackoverflow.com/users/99027/john-deters
on https://security.stackexchange.com/questions/189148/sign-a-user-certificate-with-ca-key-openssl
You included -out certname.pem on your original request, which in this case instructed openssl to generate a self-signed root CA certificate named certname.pem. It is a certificate, but probably not the kind you want here.
I assume you instead want to use your newly minted CA to sign your public key and create a server certificate. You'll need to first generate a Certificate Signing Request (CSR) from your new key (the one in keyname.pem):
openssl req -out keyname.csr -key keyname.pem -new -days 365
You can then pass this CSR to request a certificate:
openssl ca -create_serial -config openssl.cnf -cert ca.root.pem -keyfile ca.key.pem -in keyname.csr -out new-certname.pem
Your issue is - CA signs a CSR (certificate signing request) and as a result is a completely new certificate issued by the CA
I have some examples ready for myself https://pastebin.com/m9rzFJ9c
#create certificate signing request
openssl req -new -key ./sslCA/private/myserver.key -out ./sslCA/private/cakey.csr
#sign the signing request
openssl x509 -req -days 365 -in ./sslCA/private/cakey.csr -signkey ./sslCA/private/myserver.key -out
./sslCA/private/cacert.pem
I need to get a certificate from a certificate authority with .crt extension.
I used openssl commands but it generates a self-signed certificate which is not suitable for my use.
$ openssl genrsa -out client.key 4096
$ openssl req -new -x509 -text -key client.key -out client.cert
How can I obtain a certificate form a CA in Ubuntu 16.04? I need .key and .crt files.
These are the steps you would need to do to get a certificate signed by a CA.
Generate a Asymmetric Key Pair.
openssl genrsa -out localhost.key 2048
Generate a PKCS#10 (Certificate Signing Request) from the Key Pair.
openssl req -new -sha256 -key localhost.key -out localhost.csr
Send the above generated request to the CA (different CA's have different ways of receiving your request).
CA replies with a PKCS#7 (Certificate Chain) or just the signed certificate (you will usually get the entire certificate chain, but if you just got only the peer certificate, you can check with them where you can get the CA certificate chain to construct the chain yourself).
You can convert the above received PKCS#7 to PEM format
openssl pkcs7 -in localhost.p7r -inform DER -out localhost.pem
-print_certs
Associate the above PEM certificate chain to the private key you generated in the step 1.
openssl pkcs12 -export -inkey localhost.key -in localhost.pem -name
sslCertificate -out localhost.pfx
You now have a PKCS#12 keystore that you can use to secure your server.
So to answer you question, this is how you could proceed with step 3.
There are many well known Certificate Authorities out there (GeoTrust, Entrust, Verisign, GoDaddy, Comodo, etc, ...). Each CA could be different on their pricing depending on what kind of certificate you are requesting. You can visit their official web page(s) to know more about what they have to offer. Once you have decided which CA to go with, you use their service to request a certificate to be signed (usually online on their site).
Does anyone have a handy script to generate SSL certificates such that it generates the CA certificate and the server certificate. More importantly, create it in a way that I can import the CA certificate into my trusted root list (of my windows system) so that the browser does not flag the site as untrusted.
I used the following script to do it but I am not able to persuade my browser to trust the certificate.
I'd greatly appreciate any help here.
# Generate a private key
openssl genrsa -des3 -out server.key 1024
# Generate a CSR (Certificate Signing Request)
openssl req -new -key server.key -out server.csr
# Remove Passphrase from Key
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
# Generating a Self-Signed Certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Regards,
Kashyap
Your script is only generating one certificate, a self-signed certificate. Usually, the self-signed certificate is called the Root certificate. This can be used as a CA certificate, but often an intermediate CA certificate is created and signed by the Root private key. This intermediate CA certificate is then used to sign Server certificates. So you have this hierarchy:
Root -> CA -> Server
The CA and Root cert can go into the trusted certificate list. Then a browser that trusts that list will also trust any certificate signed by the CA or Root entities.
You don't have to have this hierarchy...you can use the Root certificate as the CA and skip the middle cert. You can also just use 1 self-signed certificate as the Root/Server certificate. See this article (Trusting self-signed certificates).
But assuming you do have this hierarchy, here are some OpenSSL commands to generate the necessary keys and certificates:
# 1. Create Root private key
openssl genrsa -out root.key 2048
# 2. Create self-signed Root certificate
openssl req -new -key root.key -x509 -out root.crt -days 5000 -sha256
# 3. Create CA private key
openssl genrsa -out ca.key 2048
# 4. Create CA CSR
openssl req -new -key ca.key -out ca.csr -days 5000
# 5. Sign and create CA certificate
openssl x509 -req -in ca.csr -CA root.crt -CAkey root.key -out ca.crt -set_serial 2 -days 5000 -sha256
# 6. Create Server private key
openssl genrsa -out server.key 2048
# 7. Create Server CSR
openssl req -new -key server.key -out server.csr -days 5000
# 8. Sign and create Server certificate
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -out server.crt -set_serial 3 -days 5000 -sha256
Change the key bits, # of valid days, serial numbers, and add V3 extensions as you see fit.
Also remember that different browsers have different lists that they trust. Chrome and IE use the Windows default list. Firefox has its own list.
Do you have a trusted CA certificate?
You are generating a self-signed certificate which is always considered as untrusted by browsers.