I am trying to manually decrypt a TLS live stream for experimentation. In order to do so, I have to use the private key and certificate on my client. I use FFplay to stream the video. Since the traffic is encrypted, FFplay has to use a private key and a certificate to decrypt the traffic. I assume that there exists a default path to the private key and the certificate. I've been searching for a while but in vain. Any suggestions please?
FFmpeg doesn't store the keyfile or the cert in files. They're saved in a structure as in here. In order to save them, we can modify the source code and compile as indicated here
Related
How do you transfer a Godaddy SSL certificate to the Google Cloud Platform?
I am trying to setup an HTTPS load balancer on Google Cloud. I have an SSL certificate from Godaddy, but I'm not sure how to input it into Google Cloud. Google has a form to enter a public key, a certificate chain, and a private key all in .pem format (see screenshot below). Godaddy provides me with three files: (1) a file called #####.crt, (2) a file called gd_bundle-g2-g1.crt, and (3) an RSA private key.
I've seen other SO questions on converting .crt to .pem, but I'm not sure what to do with the .pem files when I have them or which of these three files go into which box in the GCE console below.
This happened to me, good to know I'm not alone!
Plain and simple answer: Godaddy will give you a certificate file and a bundle file. They all come already on PEM format (as long as it says BEGIN CERTIFICATE you know it's PEM).
Copy and paste the contents of the #####.crt file on the "Public key certificate" field, it should display the correct information on the right side of the field.
Copy and paste the contents of the certificate bundle on the "Certificate chain". This file usually has 3 certificates on it.
Finally, copy and paste the contents of your private key on the last field.
Double check that your certificate is working correctly on both desktop and mobile. If it works on desktop but not mobile try again, it means you made a mistake filling the "Certificate chain" field.
Hope this helps!
AFAIK you don't need to convert the file to PEM; quite sure it is already a PEM file. To be sure, do file gd_bundle-g2-g1.crt or file #####.crt; the output should be something like PEM certificate. You copy your private key into the "Private Key", then you take the .crt file and copy it to the "Public key Certificate"; once you do this, some information will appear on the right side of these boxes. In my case, I copied the same .crt file into the "Certificate Chain".
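As an added illustration (not code from either answer), this Python sketch sorts a file into one of the three console fields named above by looking at its PEM block types and count. The one-certificate versus several-certificates split is a heuristic, `field_for` and `sample_pem` are names chosen here, and the sample PEM bodies are constructed placeholders, not real certificates or keys.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*\n(.*?)\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, encrypted, der_ok) for every PEM block found in text."""
    found = []
    for label, body in PEM_BLOCK.findall(text):
        # Legacy OpenSSL keys flag encryption in RFC 1421 headers inside the block.
        encrypted = "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body
        payload = re.split(r"\r?\n\r?\n", body, maxsplit=1)[-1] if ":" in body else body
        try:
            raw = base64.b64decode("".join(payload.split()), validate=True)
            # Certificates and unencrypted keys are DER SEQUENCEs (first byte 0x30).
            der_ok = encrypted or raw[:1] == b"\x30"
        except ValueError:
            der_ok = False
        found.append((label, encrypted, der_ok))
    return found

def field_for(text):
    """Suggest the console field for one file's contents (heuristic)."""
    blocks = pem_blocks(text)
    if not blocks:
        return "not PEM: convert (e.g. from DER) before pasting"
    if not all(ok for _, _, ok in blocks):
        return "damaged PEM: body is not base64 DER"
    labels = [label for label, _, _ in blocks]
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    certs = [l for l in labels if l == "CERTIFICATE"]
    if keys and certs:
        return "mixed: split the private key out before pasting anywhere public"
    if keys:
        locked = any(enc for _, enc, _ in blocks)
        return "Private key" + (" (passphrase-protected)" if locked else "")
    if len(certs) == len(labels):
        return "Public key certificate" if len(certs) == 1 else "Certificate chain"
    return "unsupported: " + ", ".join(labels)

FAKE_DER = b"\x30\x03\x02\x01\x00"  # constructed placeholder, not a real certificate

def sample_pem(label, der=FAKE_DER):
    """Build constructed sample input for the checks above."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"
```
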
I have an issue after I installed the SSL Certificate in WorldClient, MDaemon 12.
I followed the link in installing the SSL, SSL installation was fine. Then, I followed the link to use the SSL in WorldClient. I use 888 for TCP port and 443 for https port.
When I call the webmail (http://mail.mydomain.com.sg:888) in browser, it opens properly. But, if https://mail.mydomain.com.sg:888, Secure Connection Failed error message is shown.
Any Ideas, please? Thanks.
I have solved this problem.
If you read all the instructions from the link you gave in your post carefully until the end, you'll get the answer.
Note: MDaemon will only display certificates that have private keys
using the Personal Information Exchange format (PKCS #12). If your
imported certificate does not appear in the list then you may need to
import a *.PEM file, which contains both a certificate key and private
key. Importing this file using the same process outlined above will
convert it to the PKCS #12 format.
You should generate a PKCS#12 file from the (certificate) .csr and private key (.key) you have. If you are on Windows, install OpenSSL on your PC first. After successfully generating the PKCS#12 file, follow the instructions again to install the SSL certificate on MDaemon.
If you succeed, you'll see the certificate appear in the MDaemon.
Remember to restart your server or webserver to apply the changes.
Regards
I've created a subdomain for my parse app and I need to protect the connection while logging and during my session.
Assume that I don't have any public domain name and I will still use just the url of (mysubdomain.parseapp.com), then is all I need to buy a certificate and get the two files for:
SSL Public Certificate
SSL Private Key
and just upload it to parse through the settings page ? or will I need to do something else ?
Just need a confirmation that my understanding is correct.
Kind Regards,
Robear
The private key would come from the server. A Certificate Authority is only going to give you a domain cert. For example "mysubdomain_parseapp.com_crt" and yes you'll need to upload the domain cert, private key (which is generated during the CSR request), plus the CA's intermediate cert (the CA should advise which one and where to download it).
In order for a CA to issue a cert, you need to own the root domain or have permission from the owner. In your case you would need to prove that you're the owner or have permission to purchase an SSL cert with "parseapp.com".
We are migrating from Thales 8000 to Thales Payshield 9000. We generated an RSA Key Pair in 8000 (with EI - Generate a Public/Private Key Pair command). We stored the public key on the host and loaded the private key to the HSM's tamper-protected memory (with EK - Load a Private Key command).
The problem is we didn't keep the private key and we don't want to create a new key pair because we have to start a new certification process with the vendor if we do this. Is there a solution like storing this key on a smartcard and moving to the new version like LMK.
I read the Thales console - command reference and programmers manual but wasn't able to find a solution.
The private key that is returned from a Thales HSM keypair generation command (this is command EI on the Payshield 9000 that I have access to) is encrypted under LMK keypair 34-35. You will never see this in the clear i.e unencrypted form.
The only way you could extract this from the HSM would be if you knew that LMK keypair; you could then use this to decrypt it. This is often possible in a test environment where a set of known test LMK keypairs are sometimes used.
In a production environment, however, doing this would obviously compromise the security of the entire HSM and any system dependent upon it.
In your situation, you really have little option but to generate a new keypair and then store the encrypted private key bytes.
The problem, however, with only ever having the private key encrypted under this LMK key pair is that you need to use the HSM to sign a CSR, instead of an established tool like openssl.
I did this by using the EI command (generate an RSA keypair) to generate a keypair, storing the raw encrypted private key bytes returned in a file, constructing an unsigned CSR structure, sending that to the HSM with the private key bytes under command EW (Generate a signature), and then appending the signature to my CSR structure.
If you did not save the output (key block) of the EI command, then the chances of getting that key out of there are practically non-existent. Sorry!
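The CSR assembly described in this answer, as an added Python example that is not the answerer's code: it builds the unsigned CertificationRequestInfo, hands exactly those bytes to a signer, and appends the returned signature. The HSM transport and command encoding are not shown; `external_sign` is a hypothetical stand-in that returns a placeholder, and the modulus and common name are constructed, so the sample CSR is structurally complete but will not verify.

```python
import base64

def der(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def der_int(value):
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

OID_CN = bytes.fromhex("0603550403")                              # 2.5.4.3 commonName
ALG_RSA = bytes.fromhex("300d06092a864886f70d0101010500")         # rsaEncryption, NULL
ALG_SHA256_RSA = bytes.fromhex("300d06092a864886f70d01010b0500")  # sha256WithRSAEncryption

def spki(n, e):
    """SubjectPublicKeyInfo wrapping an RSAPublicKey (modulus, exponent)."""
    return der(0x30, ALG_RSA + der(0x03, b"\x00" + der(0x30, der_int(n) + der_int(e))))

def request_info(common_name, spki_der):
    """CertificationRequestInfo: exactly the bytes the signer has to sign."""
    name = der(0x30, der(0x31, der(0x30, OID_CN + der(0x0C, common_name.encode()))))
    return der(0x30, der_int(0) + name + spki_der + der(0xA0, b""))  # [0] = no attributes

def assemble_csr(info, signature):
    """Append signatureAlgorithm and the signature BIT STRING, then PEM-wrap."""
    csr = der(0x30, info + ALG_SHA256_RSA + der(0x03, b"\x00" + signature))
    b64 = base64.b64encode(csr).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"

def external_sign(tbs):
    """Hypothetical stand-in for the HSM round trip. A real signer must return an
    RSA PKCS#1 v1.5 SHA-256 signature over tbs to match ALG_SHA256_RSA."""
    return b"\xAA" * 256  # constructed placeholder, will not verify

# Constructed 2048-bit modulus for layout only, not a real RSA key.
SAMPLE_N, SAMPLE_E = (1 << 2047) | 1, 65537

def build_sample_csr():
    """Return (bytes that were signed, PEM CSR) for the constructed sample."""
    info = request_info("hsm.example.test", spki(SAMPLE_N, SAMPLE_E))
    return info, assemble_csr(info, external_sign(info))
```

With a real signature in place of the placeholder, the result can be checked with a standard CSR verifier before it is sent to the CA.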
Yes, on two conditions only you can Export an RSA Private Key from payshield 9000 HSM to another payshield 9000 HSM:
1st condition: by purchasing a certain license, which is HSM9-LIC016, and using the host command L8, which is used to export an RSA Private Key under ZMK. Please refer to the
"1270A548-037 Card & Mobile Issuance LIC011,016" manual to see detailed steps of host command L8.
2nd condition: You should have recorded the Private Key in a secure manner when you first generated it with the EI host command; it is generated encrypted under the old LMK, so you can document it securely for future usage, like the critical situation you face now.
The Host command L8 function supports the export of an RSA Private Key from encryption under the LMK to encryption under a Zone Master Key.
The following security settings must be configured by console command CS to allow use of this command:
1- 'Enable import / export of RSA Private Keys?' MUST be set to 'YES' (defaults to NO).
2- 'Key export and import in trusted format only?' MUST be set to 'NO' (defaults to YES)
On the other HSM2:
Import an RSA Private Key using the Host command L6
Although, I can send you the steps in deep details if you want.
Refer to manual:
1270A548-037 Card & Mobile Issuance LIC011,016,018,023 v3.4 Release:October 2018
I am trying to upload the SSL certificates for my OpenShift gear's alias. I used the instructions here: http://cloudhostingsource.com/setup-ssl-certificate-openshift/
I am stuck however at the uploading part - I have already generated the CSR, activated the certificate. Every time I try to upload the files it takes me back to the same page without so much as a notification.
Comodo SSL sent me 4 files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
myApp.crt
How do I upload these? There are three fields to upload for Openshift... Which do I load into SSL Certificate? Certificate chain? I have my private key and I know the keypass.
Thanks
Just wanted to post an update for this for users who run into this issue in the future... I'm not sure if it was because I had added a public SSH key via the RHC setup but nothing I did (no permutations of copy paste chaining, switching files around) would work via the file uploader.
In the end, before deciding to call Red Hat and QQ, I used the command line console to add the SSL files...
Here is the command I used:
rhc alias update-cert php www.myapp.com --certificate myApp.crt --private-key myApp.key --passphrase mypass
This link includes more info: https://access.redhat.com/documentation/en-US/OpenShift_Online/2.0/html/User_Guide/Using_Custom_SSL_Certificates1.html
TLDR: You don't need to combine any of the Comodo files, just use your file #4, your privatekey, and your passphrase (if you have one)
That's right!
First combine public with bundle:
cat dom_com.crt dom_com.ca-bundle > dom_com.ALL.bundle
and upload both:
rhc alias update-cert app dom_com \
--certificate dom_com.ALL.bundle \
--private-key dom_com.key
And then you will obtain an A at https://www.ssllabs.com/ssltest/
You need to combine 1,2, and 3 into one chain certificate (in the correct order) and upload them in the chain certificate field, the key goes in the key field, and the myApp.crt goes in the certificate field.
I had a similar problem, and after some back and forth emails with the Certificate issuer, what helped me was to combine my site certificate with the Certificate chain into one file, and uploading it into the "SSL Certificate" field in OpenShift. I left the "SSL Certificate Chain" field blank, but of course I uploaded my public key in the "Certificate Private Key" field.