I'm trying to convert a JKS cert to PKCS8 for Logstash v5.1.
I found an example here: https://stackoverflow.com/a/656559
keytool -importkeystore -srckeystore foo.jks -destkeystore foo.p12 \
  -srcstoretype jks -deststoretype pkcs12
openssl pkcs12 -in foo.p12 -out foo.pem
openssl pkcs12 -in foo.p12 -nocerts -out key.pem
openssl pkcs8 -in key.pem -topk8 -out p8key.pem
But it produces the following error when attempting to run logstash:
ERROR logstash.inputs.beats - Looks like you either have an invalid key or your private key was not in PKCS8 format.
{:exception=>java.lang.IllegalArgumentException: File does not contain valid private key: /ELK/logstash/SSL/p8key.pem}
I also tried to convert to PKCS8 with the -nocrypt flag, and received this error:
ERROR org.logstash.beats.BeatsHandler - Exception: not an SSL/TLS record
The cause of this error:
ERROR logstash.inputs.beats - Looks like you either have an invalid key or your private key was not in PKCS8 format.
{:exception=>java.lang.IllegalArgumentException: File does not contain valid private key: /ELK/logstash/SSL/p8key.pem}
is because ssl_key_passphrase => "password" was not set in the logstash input.
And this error:
ERROR org.logstash.beats.BeatsHandler - Exception: not an SSL/TLS record
is because non-SSL/TLS traffic was attempting to go through the SSL/TLS port. In this case, the culprit was filebeat.
https://www.elastic.co/guide/en/x-pack/current/security-troubleshooting.html
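The two outcomes described in this answer (a key with a passphrase that needs ssl_key_passphrase, and a -nocrypt key that does not) can be reproduced and checked locally before pointing Logstash at the file. The shell script below is an added example, not code from the question, the answer or Logstash. It starts from a freshly generated RSA key rather than a JKS export (the keytool step is unchanged from the question), and the file names and the passphrase "password" are invented for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post or from Logstash: convert an RSA key to
# PKCS#8 with and without a passphrase and show how to tell the two apart by their PEM label.
# File names and the passphrase are invented for the demo.
set -eu

# Print the label of the first PEM block in a file: "RSA PRIVATE KEY" (PKCS#1),
# "PRIVATE KEY" (unencrypted PKCS#8) or "ENCRYPTED PRIVATE KEY" (PKCS#8 with a passphrase).
pem_label() {   # $1 = file
    LC_ALL=C sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Unencrypted PKCS#8, what "-nocrypt" produces; Logstash then needs no ssl_key_passphrase.
to_pkcs8_plain() {   # $1 = input key, $2 = output file
    openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"
}

# Encrypted PKCS#8 using PBES2 with AES-256-CBC; Logstash must be given the same passphrase
# in ssl_key_passphrase or it reports "File does not contain valid private key".
to_pkcs8_encrypted() {   # $1 = input key, $2 = output file, $3 = passphrase
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$1" -out "$2" -passout "pass:$3"
}

# Return 0 if openssl can load the key with the given passphrase (empty string = none), else 1.
# A cheap local check to run before restarting the service.
key_loads() {   # $1 = key file, $2 = passphrase or ""
    openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Demo in a scratch directory.
demo=$(mktemp -d)
openssl genrsa -out "$demo/key.pem" 2048 2>/dev/null
to_pkcs8_plain "$demo/key.pem" "$demo/p8key-plain.pem"
to_pkcs8_encrypted "$demo/key.pem" "$demo/p8key-enc.pem" "password"
printf 'plain:     %s\n' "$(pem_label "$demo/p8key-plain.pem")"
printf 'encrypted: %s\n' "$(pem_label "$demo/p8key-enc.pem")"
key_loads "$demo/p8key-enc.pem" "wrong" || echo 'encrypted key rejected without the right passphrase'
rm -rf "$demo"
```

If pem_label reports ENCRYPTED PRIVATE KEY, set ssl_key_passphrase in the beats input; if it reports PRIVATE KEY, leave it unset. Either way the beats input still expects TLS on that port, so Filebeat must be configured with ssl enabled or you get the "not an SSL/TLS record" error above.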
I have created a .pem file from a .cer file using the line below in openssl.exe:
OpenSSL> x509 -inform der -in C:\Certificate\Binary_Certificate_245568.cer -out C:\Certificate\Binary_Cert.pem
It worked without any issues.
Then when I try to generate the .pfx file from the .cer and .pem files using the following statement, I get an error:
OpenSSL> pkcs12 -inkey C:\Certificate\Binary_Cert.pem -in C:\Certificate\Binary_Certificate_245568.cer -export -out C:\Certificate\SGS_VS_CERT.pfx
unable to load private key
34359836736:error:08064066:object identifier routines:OBJ_create:oid exists:crypto/objects/obj_dat.c:698:
34359836736:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:
error in pkcs12
Can anyone please advise what I am doing wrong, as I need to generate a .pfx file? Thanks
You can follow the steps given below to create a .pfx certificate by combining the external CA-issued server (.cer), intermediate (.cer) and root (.cer) certificates into one file (.pfx) on a Red Hat Linux server using the openssl tool:
A) Run the command below to generate the CSR on Linux using the openssl tool:
[user#machine]$ openssl req -new -nodes -newkey rsa:2048 -keyout myapp.mydomain.com.key -out myapp.mydomain.com.csr -sha256
Note: -nodes means 'NOT TO USE DES ALGORITHM'; create multiple backups of this key file, which will be used again during certificate renewal.
B) To generate the .pfx (certificate chain order: SERVER-CERT --> INTERMEDIATE-CERT --> ROOT-CERT) on Linux using openssl.
SERVER-CERT myapp.mydomain.com.cer
INTERMEDIATE-CERT myintermediatecert.com.cer
ROOT-CERT myrootcert.cer
KEY FILE myapp.mydomain.com.key
STEP 1 - Combine all certificates into one PEM file (myapp.mydomain.com.pem) using the 'cat' command.
[user#machine]$ cat myapp.mydomain.com.cer myintermediatecert.com.cer myrootcert.cer > myapp.mydomain.com.pem   # output PEM cert
STEP 2 - Convert PEM to PFX, importing the private key and setting a password.
[user#machine]$ openssl pkcs12 -export -out myapp.mydomain.com.pfx -inkey myapp.mydomain.com.key -in myapp.mydomain.com.pem
Note: you will be prompted to set the password for the output .pfx file.
STEP 3 - Verify the .pfx file using openssl by entering the password.
[user#machine]$ openssl pkcs12 -in myapp.mydomain.com.pfx -info
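The procedure in this answer, run end to end, as an added example that is not part of the answer: because no external CA is available offline, the script first mints a throwaway root and intermediate and signs the server CSR with them (this part stands in for what the CA would send back), then performs steps 1 to 3 with the same file names the answer uses. The subjects (Demo-Root, Demo-Intermediate, myapp.mydomain.com), the export password "changeit" and the ca.ext extension file are all invented here. It also checks two things the answer leaves to the eye: that the .pfx really carries three certificates, and that the chain validates up to the root, which requires the intermediate to carry basicConstraints CA:TRUE.

```shell
#!/bin/sh
# Added example, not from the answer above: a throwaway root -> intermediate -> server chain
# plays the part of the external CA, then the .pfx is built and checked the way the answer
# describes.  Subjects, file names and the export password are invented for the demo.
set -eu

# Sign a CSR.  $5 is an optional extension file; the intermediate needs basicConstraints
# CA:TRUE in it or "openssl verify" will refuse to treat it as an issuer.
sign() {   # $1 = csr, $2 = issuer cert, $3 = issuer key, $4 = output cert, $5 = extfile or ""
    if [ -n "$5" ]; then
        openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 1 -sha256 \
            -extfile "$5" -out "$4" 2>/dev/null
    else
        openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 1 -sha256 \
            -out "$4" 2>/dev/null
    fi
}

# Create the keys, CSRs and the three certificates in directory $1.  The server key/CSR line
# is step A of the answer; -nodes writes the key unencrypted, so protect that file.
make_chain() {   # $1 = working directory
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -new -nodes -newkey rsa:2048 -sha256 -subj /CN=Demo-Root \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 -sha256 \
        -extfile "$d/ca.ext" -out "$d/myrootcert.cer" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -sha256 -subj /CN=Demo-Intermediate \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    sign "$d/int.csr" "$d/myrootcert.cer" "$d/root.key" "$d/myintermediatecert.com.cer" "$d/ca.ext"
    openssl req -new -nodes -newkey rsa:2048 -sha256 -subj /CN=myapp.mydomain.com \
        -keyout "$d/myapp.mydomain.com.key" -out "$d/myapp.mydomain.com.csr" 2>/dev/null
    sign "$d/myapp.mydomain.com.csr" "$d/myintermediatecert.com.cer" "$d/int.key" \
        "$d/myapp.mydomain.com.cer" ""
}

# Steps 1 and 2 of the answer: server -> intermediate -> root into one PEM, then export.
# The -keypbe/-certpbe/-macalg options replace the RC2-40/3DES/SHA-1 defaults that OpenSSL
# releases before 3.0 still use for PKCS#12.
build_pfx() {   # $1 = working directory, $2 = export password
    d=$1
    cat "$d/myapp.mydomain.com.cer" "$d/myintermediatecert.com.cer" "$d/myrootcert.cer" \
        > "$d/myapp.mydomain.com.pem"
    openssl pkcs12 -export -out "$d/myapp.mydomain.com.pfx" \
        -inkey "$d/myapp.mydomain.com.key" -in "$d/myapp.mydomain.com.pem" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 -passout "pass:$2"
}

# Step 3 of the answer made checkable: how many certificates does the .pfx carry?
# A wrong password makes openssl fail, so the count comes back as 0.
count_pfx_certs() {   # $1 = pfx, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true
}

# Confirm the chain that went into the .pfx actually validates up to the root.
chain_ok() {   # $1 = working directory
    openssl verify -CAfile "$1/myrootcert.cer" -untrusted "$1/myintermediatecert.com.cer" \
        "$1/myapp.mydomain.com.cer" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_chain "$demo"
build_pfx "$demo" changeit
printf 'certificates in pfx: %s\n' "$(count_pfx_certs "$demo/myapp.mydomain.com.pfx" changeit)"
chain_ok "$demo" && echo 'chain verifies up to the root'
rm -rf "$demo"
```

With a real CA, replace make_chain with the three .cer files the CA returns and keep build_pfx and the two checks as they are; chain_ok is the quickest way to spot a missing or wrong intermediate before the .pfx is deployed.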
I'm having some weird issues with generating CSRs and certificates from them which I don't fully understand.
Here's what I've done:
Generate private key and CSR (done on Ubuntu on WSL if that's of any significance)
openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr
Uploaded that to CA and got back a certificate beginning with -----BEGIN CERTIFICATE----- which would indicate a PEM-encoded certificate, right?
Tried combining all of this into a PFX for ease of use
openssl pkcs12 -export -out CERTIFICATE.pfx -inkey PRIVATEKEY.key -in CERTIFICATE.cer
It then asks for the private key and then throws the error No certificate matches private key
Some people suggested re-encoding the certificate from DER to PEM, but that just throws an error indicating the certificate is already X509
sudo openssl x509 -inform DER -outform PEM -in CERTIFICATE.cer -out CERTIFICATE.pem
unable to load certificate
140390322082240:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:
140390322082240:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=X509
The following command generates quite sensible output, so the certificate seems to be alright to some extent
openssl x509 -in CERTIFICATE.cer -text -noout
The CA is Telia if this is of any use to anybody. I have had some issues in the past with them, for example Digicert's Certificate Utility doesn't recognize their certificates as valid for some reason (but that might of course be caused by me using the wrong file extension or something).
This issue was due to the renewal process in the Telia user interface: it allows you to upload a new CSR during renewal, but it actually ignores that and uses the old CSR without telling you.
I have 2 files, CSR.csr and newkey.key; both seem to be in PEM format, as follows:
-----BEGIN CERTIFICATE REQUEST-----
MIID....
-----END CERTIFICATE REQUEST-----
-----BEGIN RSA PRIVATE KEY-----
MI...
-----END RSA PRIVATE KEY-----
When I try to read the CSR.csr file, I get the following error:
$ openssl x509 -in CSR.csr -text -noout
unable to load certificate
140518720210760:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE
I read that we get this error when the input file is in DER format, so I tried the following -
$ openssl x509 -inform DER -in CSR.csr -text -noout
but now I get the error -
unable to load certificate
140519053051720:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1320:
140519053051720:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:382:Type=X509
And it seems this error occurs when the input file is already in PEM format and one tries to read it in DER format.
Really confused how to go about it as I'm new to SSL. Please help!
In my case I was trying to read my cer file and was receiving the error stated above
openssl x509 -in CSR.csr -text -noout
unable to load certificate
140518720210760:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE
I had to convert it to a crt file using openssl.
openssl x509 -inform DER -in <certname>.cer -out <certname>.crt
openssl x509 -in <certname>.crt -text
Here's the doc I used. I was able to read it using openssl after that.
The problem is not PEM vs. DER but that you are using a certificate request in a place where a certificate is expected. This is clearly shown by the PEM header -----BEGIN CERTIFICATE REQUEST-----.
To show the content of a certificate request, use:
openssl req -in CSR.csr -text
To show the content of a certificate, use:
openssl x509 -in CERT.crt -text
This error also happens with certificates that are not a "certificate request" emitted to be signed by a CA (a non-CSR certificate) but which are regular X.509 certificates from a Windows PKI in ".cer" format.
In this case, following "Norbert"'s answer is the right way to solve the problem: converting the certificate to ".crt".
After that, the file can be dumped using:
openssl x509 -in YOURCERT.crt -noout -text
or
openssl x509 -in YOURCERT.crt -text
I have successfully generated a .p12 file but I got a message which is as follows:
C:\OpenSSL-Win32\bin>openssl pkcs12 -export -inkey mykey.key -in exported.pem -out myfile.p12
Loading 'screen' into random state - done
No certificate matches private key
Could anyone tell me what is this error all about?
Also, the size of the file myfile.p12 is 0KB and when I tried to open it, I got the following message in a small window with an OK button:
Invalid Public Key Security Object File
This file is invalid for use as the following: Personal Information Exchange
Please clarify.
Thanks
OpenSSL says no certificate matches private key when the certificate is DER-encoded. Just change it to PEM encoding before creating the PKCS#12.
Create key pair:
openssl genrsa -out aps_development.key 2048
Create CSR:
openssl req -new -sha256 -key aps_development.key -out aps_development.csr
Upload the CSR to the developer portal to get the certificate aps_development.cer
Convert the certificate:
openssl x509 -inform DER -outform PEM -in aps_development.cer -out aps_development.pem
Build the PKCS#12:
openssl pkcs12 -inkey aps_development.key -in aps_development.pem -export -out aps_development.p12
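Three answers in this thread turn on the same question: is the file a certificate or a certificate request, and is it PEM or DER? The "wrong tag ... Type=X509" error comes from feeding PEM to -inform DER, "Expecting: TRUSTED CERTIFICATE" from feeding a CSR to openssl x509, and "No certificate matches private key" from handing a DER .cer to pkcs12. The script below is an added example, not code from any of the posts; it classifies a file by its PEM label before picking the openssl subcommand and converts DER to PEM only when the file really is DER. The subject demo.example and the file names are invented.

```shell
#!/bin/sh
# Added example, not code from any answer in this thread: classify a file as a PEM certificate,
# a PEM certificate request or DER before choosing between "openssl x509" and "openssl req",
# and convert DER to PEM when that is what is needed.  Subjects and file names are invented.
set -eu

# Print the label of the first PEM block ("CERTIFICATE", "CERTIFICATE REQUEST", ...) or "DER"
# when the file has no PEM header at all.
pem_kind() {   # $1 = file
    label=$(LC_ALL=C sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1)
    if [ -n "$label" ]; then printf '%s\n' "$label"; else printf 'DER\n'; fi
}

# Re-encode a DER certificate or request as PEM.  Running this on a file that is already PEM
# is what produces the "wrong tag ... Type=X509" error quoted in the question.
der_to_pem() {   # $1 = DER input, $2 = CERTIFICATE or "CERTIFICATE REQUEST", $3 = PEM output
    case $2 in
        CERTIFICATE)           openssl x509 -inform DER -in "$1" -out "$3" ;;
        "CERTIFICATE REQUEST") openssl req  -inform DER -in "$1" -out "$3" ;;
        *) echo "unsupported kind: $2" >&2; return 1 ;;
    esac
}

# Print the subject of a certificate or request whatever its encoding.  "openssl x509" on a
# request is the mistake behind "Expecting: TRUSTED CERTIFICATE" in the question.
subject_of() {   # $1 = file
    case $(pem_kind "$1") in
        CERTIFICATE)           openssl x509 -in "$1" -noout -subject ;;
        "CERTIFICATE REQUEST") openssl req  -in "$1" -noout -subject ;;
        DER)
            # no header to go on: try it as a DER certificate, then as a DER request
            openssl x509 -inform DER -in "$1" -noout -subject 2>/dev/null \
                || openssl req -inform DER -in "$1" -noout -subject ;;
        *) echo "not a certificate or request: $1" >&2; return 1 ;;
    esac
}

# Demo: a PEM certificate, a PEM request and a DER copy of the certificate, then classify each.
demo=$(mktemp -d)
openssl req -x509 -nodes -newkey rsa:2048 -subj /CN=demo.example -days 1 \
    -keyout "$demo/key.pem" -out "$demo/CERTIFICATE.cer" 2>/dev/null
openssl req -new -key "$demo/key.pem" -subj /CN=demo.example -out "$demo/CSR.csr" 2>/dev/null
openssl x509 -in "$demo/CERTIFICATE.cer" -outform DER -out "$demo/CERTIFICATE.der"
for f in CERTIFICATE.cer CSR.csr CERTIFICATE.der; do
    printf '%-16s %-20s %s\n' "$f" "$(pem_kind "$demo/$f")" "$(subject_of "$demo/$f")"
done
rm -rf "$demo"
```

The file extension (.cer, .crt, .csr) carries no information openssl uses; pem_kind looks at the content, which is what decides between x509 and req, and between PEM and -inform DER.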
I also had exactly the same issue. The two commands below worked like a charm.
cat domain.crt intermediate.crt ca.crt > bundle.crt
openssl pkcs12 -export -out cert.pfx -inkey key -in bundle.crt
In my case, I'd actually specified the wrong certificate -- i.e. the certificate was for one system, and the private key for another. So the error message was spot-on!
Use these commands to compare the RSA Public-Key component of your CSR to that of the private key.
Key: openssl pkey -text_pub -in file.key -noout
CSR: openssl req -in file.csr -noout -text
These must match for 'openssl pkcs12' to create the export file.
Is there a way to convert from a .key file to a .pfx file?
thank you.
EDIT: I only have the .key file but my hosting provider says that I could convert it to .pfx with just that file.
To check if your .key file has everything you need:
#check if file contains a valid certificate:
openssl x509 -text -in file.key
It should print out certificate details. If it prints an error including the text "unable to load certificate", then your file is not sufficient.
#check if file contains a valid key:
openssl rsa -text -in file.key
openssl dsa -text -in file.key
One of the above commands should print out valid key details. The other will give an error with the text "expecting an rsa key" or "expecting a dsa key".
If the error text says "bad decrypt", you have provided an invalid passphrase, or the file is damaged.
If the error text says "Expecting: ANY PRIVATE KEY", then your file is not sufficient.
If you got a key, and one certificate which matches the key (and optionally some other certificates), then you have enough to convert the file to a pfx. Then, as ISW said, it's just a matter of
#convert file containing key and certificate(s) to PKCS#12 pfx file.
openssl pkcs12 -export -out file.pfx -in file.key
and you're done.
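The checks in this answer (does the file hold a key, does it hold a certificate) and the public-key comparison from the "No certificate matches private key" answer above fit together into one script, added here as an example that is not code from either answer. It inventories the PEM blocks in a file, compares a SHA-256 fingerprint of the SubjectPublicKeyInfo taken from the key, the CSR and the certificate (which covers EC keys as well as RSA, unlike comparing the modulus), and only then runs the pkcs12 export. The file names, the subject demo.example, the password "changeit" and the KEY_PASS environment variable are all invented for the demo.

```shell
#!/bin/sh
# Added example, not the answer's own code: inventory a PEM file that is supposed to hold a
# private key plus its certificate, prove the two belong together, and only then export the
# .pfx.  The "No certificate matches private key" error earlier in this thread is what the
# match check catches up front.  File names, subjects and the password are invented; KEY_PASS
# is an environment variable this script introduces for an encrypted key (empty = none).
set -eu

# List the labels of every PEM block in the file, one per line.
pem_blocks() {   # $1 = file
    LC_ALL=C sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# SHA-256 over the DER SubjectPublicKeyInfo of a key, CSR or certificate.  Equal digests mean
# the same public key; unlike comparing the RSA modulus this also works for EC keys.
spki_fingerprint() {   # $1 = file, $2 = key | csr | cert
    pub=$(case $2 in
        key)  openssl pkey -in "$1" -passin "pass:${KEY_PASS:-}" -pubout ;;
        csr)  openssl req  -in "$1" -pubkey -noout ;;
        cert) openssl x509 -in "$1" -pubkey -noout ;;
    esac 2>/dev/null)
    [ -n "$pub" ] || { echo "no $2 public key found in $1" >&2; return 1; }
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/^.*= //'
}

# 0 if the file holds exactly one private key and a first certificate whose public key matches
# it, else a reason on stderr and 1.  Like "openssl x509", this looks only at the first
# certificate in the file, so keep the server certificate ahead of any chain certificates.
bundle_ok() {   # $1 = file
    keys=$(pem_blocks "$1" | grep -c 'PRIVATE KEY' || true)
    certs=$(pem_blocks "$1" | grep -c '^CERTIFICATE$' || true)
    [ "$keys" -eq 1 ] || { echo "expected 1 private key, found $keys" >&2; return 1; }
    [ "$certs" -ge 1 ] || { echo "no certificate in $1" >&2; return 1; }
    k=$(spki_fingerprint "$1" key) || return 1
    c=$(spki_fingerprint "$1" cert) || return 1
    [ "$k" = "$c" ] || { echo "certificate does not match private key" >&2; return 1; }
}

# Export only after the bundle checks out; -in supplies both key and certificate(s).
export_pfx() {   # $1 = bundle file, $2 = output .pfx, $3 = export password
    bundle_ok "$1"
    openssl pkcs12 -export -in "$1" -passin "pass:${KEY_PASS:-}" -out "$2" -passout "pass:$3"
}

# Demo with a self-signed certificate standing in for one issued by a CA.
demo=$(mktemp -d)
openssl req -x509 -nodes -newkey rsa:2048 -subj /CN=demo.example -days 1 \
    -keyout "$demo/key.pem" -out "$demo/cert.pem" 2>/dev/null
cat "$demo/key.pem" "$demo/cert.pem" > "$demo/file.key"
pem_blocks "$demo/file.key"
export_pfx "$demo/file.key" "$demo/file.pfx" changeit && echo 'file.pfx written'
rm -rf "$demo"
```

If bundle_ok reports a mismatch, the certificate was issued for a different key (a renewal that reused an old CSR, as in the Telia case above, produces exactly this); compare spki_fingerprint of the CSR you submitted with that of the certificate you received to confirm it.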
You could try this
https://www.sslshopper.com/ssl-converter.html
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
According to the OpenSSL Command-Line HOWTO it should work using
# export mycert.key as PKCS#12 file mycert.pfx
openssl pkcs12 -export -out mycert.pfx -in mycert.key -name "My Certificate"
You can convert your .key file to .pvk using the tool http://www.chilkatsoft.com/p/p_347.asp and then use the instructions on GoDaddy to combine both .spc and .pvk into a .pfx. Just make sure you use a password when generating the .pvk file.