I'm using boost::asio to establish encrypted connection between client and server applications. I generated a private key file and self signed certificate in the following way:
openssl genrsa -out private_key.pem 2048
openssl req -new -key private_key.pem -out public_key.pem
The generated certificate is:
-----BEGIN CERTIFICATE REQUEST-----
MIICxjCCAa4CAQAwgYAxCzAJBgNVBAYTAkJHMQ4wDAYDVQQIDAVTb2ZpYTEOMAwG
A1UEBwwFU29maWExDDAKBgNVBAoMA0VHVDEMMAoGA1UECwwDU0JTMRMwEQYDVQQD
DApJdmFuIEJvYmV2MSAwHgYJKoZIhvcNAQkBFhFib2JlZmZAZWd0LWJnLmNvbTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM2OyY0BvtnmtxbPw7tblSc+
2TOopefy1/voELFT+6SCfmmXhIkL7HXcbFekc0z3VtCaSpq64Tk7NMGPtm2XiVt7
Yzftw5pItsgyVwGuCk5sAMZ5qtDVjwTJv6m9TEV4hBA91ypYsXgcYBz4CIIw9Zm9
uSJVznEsnraQE8xFE87D6Z78BLSFej83A7YsGqxPRIbNCtismtj1GeLFegnX/u5l
PeyPa6A4bgXKgtWFoOEfdCQhWxZwxER0la16JAbMPuKmM+ZM0JJOPBhwdDmXEpv4
tvZ+LXgVo8v71jKK1eMTjvQA2e3bBqZFtpPi0gvYTENQE1yXoRE479wPDHqrum8C
AwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAypIZnsX/C63kdeRoQeMOVJa5CObWr
ALxtQIHdaR83SzY6K1Gg3SybHMnQ3wVUr71/tcuCYri6hJAzFKNYo676EdOxH8X4
IJSNQIHUPBRRvcaB2us+wmAEsHhFytzlBdsYNo1UM+QXgDArV/BeHt9R1GYaN9kz
C8ZSf5IYd/8vjDHRzpoeJ5+n4zMONOtCgXZU2WMEa7n9xbumfTnnZmaYGb3y3VVg
FHtEAFsM1K80zKDW7Nech1vLXnJVi/SS5ABl+jqLOdVVqM+WKaowJY6y+U786by4
q55Eoas7JZQIN+g6LeKywWj59CpYpeMczsp/WygKey6JkQ3qi1FiLaUB
-----END CERTIFICATE REQUEST-----
In my program code, I have the following initialization of SSL context structure:
...
, m_sslContext(ssl::context::sslv23)
...
m_sslContext.set_verify_mode(ssl::verify_peer | ssl::verify_fail_if_no_peer_cert);
m_sslContext.use_rsa_private_key_file("private_key.pem", ssl::context::pem);
m_sslContext.use_certificate_file("public_key.pem", ssl::context::pem);
...
But use_ceritificate_file method throws exception with message:
use_certificate_file: no start line
Why does the function fail and what is the correct way to establish a secure connection with boost::asio wrapper around OpenSSL?
As discussed in the comments, a public-key isn't a certificate. Your public_key.pem however isn't a public-key either. It's a certificate-request which you'd normally send to a certificate-authority to sign it for you. Since you want to sign it yourself, you can check out How to create a self-signed certificate with openssl? to see how to sign your request.
Related
i am trying to create a self signed certificate using openssl following the docs https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-ssl.html
i tried to add the generated private and public pem files to my NLB TCP listener as a self signed certificate and it is failing with the below exception.
Error creating listener The imported certificate's configuration is not compatible and will not appear in the list of available certificates for your listeners. Select or upload a different certificate and try again.
I saw that NLB allows RSA 2048 certs. Not sure why the console is showing the error display.
You need to generate a RSA 1024 or 2028 certificate. check the valid certificates that ACM supports. i used the below commands to generate the self signed certificate
openssl genrsa -out private-key.pem 1024
openssl rsa -in private-key.pem -pubout -out public-key.pem
openssl req -new -x509 -key private-key.pem -out cert.pem -days 3600
mention the country, state and domain name. I initially missed the domain name because of which NLB listener wasn't accepting the certificate.
I'm facing with a problem with mutual ssl authentication.
I have generated a csr and a private key, I gave the csr to the our customer CA that signed it and gave me back the certificate/public key with the a chain inside.
When I try to communicate with the server that require mutual SSL , using that certificate chain and my private key I have an error because the private key does not match the certificate. I'm using postman to do the call and I'm using openssl to verify the modulus :
openssl x509 -noout -modulus -in certificate.pem
openssl rsa -noout -modulus -in privateKey.key
openssl req -noout -modulus -in csr.csr
The last two match but the first one no. If I extract the single certificate from the chain the modulus will match but the resulting certificate, without chain, is not a trusted certificate but a self-signed one.
What I'm loosing, what I'm doing wrong? I'm sure there is something missing.
THanks to all.
For school we are currently studying SSL certificates.
For this week's assignment we had to install Fedora Workstation on VirtualBox and do some SSL-stuff.
One of the assignments was the following:
generate a public/private keypair and a CSR with the openssl command.
I generated a public/private keypair using the following command:
openssl genrsa -out Desktop/mykey.key 2048
After I generated the keypair I had to verify it. But how do you verify a key? What is really meant by that? Just get out the public key and check if it matches the private key? This is the first question.
I generated the CSR using the following command:
openssl req -new -key Desktop/mykey.key -out Desktop/myCSR.csr
This is the right way, right?
Checking/verifying the CSR file was done using this command:
openssl req -text -noout -verify -in Desktop/myCSR.csr
I think that's the right way too.
This was the "easy" part, now comes the harder part:
We had to use xca to create a database and a CA Root Certificate. Then we had to import the csr from above question and sign it. I signed it by right clicking on it and choosing sign. Then we had to export both the CA and the signed key and verify it. But what do they mean exactly? My guess is to verify that the certificate is signed by the CA, but I'm having problems with that.
We have to use openssl x509 for that, but it just isn't working.
When I right click the signed key and export it as a PEM file, in that file is the following:
----- BEGIN CERTIFICATE REQUEST -----
MIIC6......
----- BEGIN CERTIFICATE REQUEST -----
while the assigment says: export the signed certificate. But is this even a certificate?
And how do I verify it?
I used many commands, like
openssl x509 -in Desktop/exported.pem -text -noout
But the output I get is always something like this:
I have tried all sorts of commands and read all google pages, but nothing helps.
this is the second question
Hope you all can help, Thanks!
When you verify a certificate, you are checking whether it's CA is recognised, and it matches the CA's fingerprint. It doesn't look like you are providing the CA cert to the openssl command. Try specifying -CA <your CA cert file:
$ openssl x509 --help
...
-CA arg - set the CA certificate, must be PEM format.
I have been struggling for the last three hours trying to create an .pfx file using OpenSSL. I have been following this document and have been following the instructions under the Get a certificate using OpenSSL header.
I am at the step here: openssl pkcs12 -export -out myserver.pfx -inkey myserver.key -in myserver.crt and am using the OpenSSL.exe console.
I get the error: unable to load certificates
I have also tried this: x509 -text -in myserver.key and received the error: 0906D06D06C:PEM_read_bio:no start line:.\crypto\pem\pem_lib.b.c:703:Expecting: TRUSTED CERTIFICATE I also get that error if I try myserver.crt.
I seem to get it no matter what I do.
Can someone please help?
I get the error: unable to load certificates
myserver.crt needs to be in PEM format. Does it have ----- BEGIN CERTIFICATE ----- and ----- END CERTIFICATE -----?
myserver.crt should actually be a chain of certificates (and not just the one server certificate). The chain should include all intermediate certificates needed by the client to verify the chain.
You send all the intermediate certificates to solve the "which directory" problem. The "which directory" is a well know problem in PKI. Essentially, the client does not know where to go to fetch the missing intermediate cert. To avoid the problem, you send all intermediates.
I often use Startcom because they offer free Class 1 certificates. When I get the signed server certificate from them (for example, www-example-com.crt), I add their Class 1 Server Intermediate to it. I get their Class 1 Server Intermediate from their website at Startcom CA certs. The one I use is sub.class1.server.ca.pem.
With the www-example-com.crt, my server certificate looks like:
$ cat www-example-com.crt
-----BEGIN CERTIFICATE-----
< My Server Certificate >
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
< Startcom Intermediate >
-----END CERTIFICATE-----
For completeness, the private key (for example, www-example-com.key) is also in PEM format. It uses -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----.
With my server certificate in PEM format (and with the required intermediates) and private key, I then issue the following (which looks like the same command you are using):
openssl pkcs12 -export -in www-example-com.crt -inkey www-example-com.key -out www-example-com.p12
When clients connect, they use the Startcom CA. So, to test the connection (after loading into IIS):
openssl s_client -connect www.example.com:443 -CAfile startcom-ca.pem
The command should complete with "Verify OK":
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 37E5AF0EE1745AB2...
Session-ID-ctx:
Master-Key: 7B9F8A79D3CC3A41...
Key-Arg : None
Start Time: 1243051912
Timeout : 300 (sec)
Verify return code: 0 (ok)
I have also tried this: x509 -text -in myserver.key and received the error...
x509 is for certificates. If you want to dump a key, use OpenSSL's pkey command. See the docs on OpenSSL's pkey(1) command.
keytool -importcert -alias yourdns -keystore /usr/lib/jvm/java-11-openjdk-11.0.15.0.9-2.el7_9.x86_64/lib/security/cacerts -file pathcertificate/.crc
password default = changeit
I'm setting up a mysql server and am trying to have a mysql client connect to it over SSL. I'm going to be using a self signed certificate for the same. Reading the MySQL documentation on setting up SSL I see that I have to specify the path to the following files :-
the SSL root CA
the SSL certificate
the SSL private key
In this particular case, should I be setting both the root CA and the certificate to my self signed certificate?
Example of how to create properly a Self-Signed SSL Certificate.
Su to root and create a directory that only the root account has access to.
su -
mkdir certificates
chmod 700 certificates
cd certificates
Use openssl to generate a server key
openssl genrsa -des3 -out server.key 4096
Openssl will request a pass phrase. Type in a sentence that is long and complex but that you can remember (you'll have to type it at least twice). Try to make it at least 40 characters long, with punctuation and capital and lowercase letters. The more different characters you use the better.
Then create the certificate signing request with the server key you created in step 2.
openssl req -new -key server.key -out server.csr
Sign your certificate using SSL.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
You can set your certificate for any number of days, but I recommend 365 so that you remember to update it once a year.
Once you're done, you'll have the following files:
server.crt: The self-signed server certificate
server.csr: Server certificate signing request
server.key: The private server key, does not require a password when starting Apache
Place those files where they are required for your Web server, and turn on HTTPS. (If you don't know how, contact your server administrator.)