Following the Wakanda SSL Documentation, I've set up a self-signed certificate to test before I engage a certificate authority. However, Firefox lets me know that my webserver is using a SHA-1 certificate (below), which is undesirable- I want at least SHA-256.
Is there a way to control this; do I have any options here?
Wakanda doesn't actually provide a certificate.
Wakanda uses the certificate you provide.
All you need to do is get a new certificate.
You can take your existing CSR to a certificate authority and purchase a signed certificate, and it will be SHA256. You can even use https://www.startssl.com and get a signed SHA256 certificate for free.
If you want to go self signed then just make sure to use the -sha256 parameter like this:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:1024 -keyout key.pem -out cert.pem
Related
I am trying to generate self signed certificate. I notice that there are 2 ways of doing it.
The first way
generate a CA Cert
On the server
generate server private key
use server private key to generate a cert generation request
use cert gen request and CA Cert to generate server cert
The other way does not involve the CA Cert
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
Just this line will generate both server cert and server private key.
May I know what is the different between this 2 ways of generate the server cert and key?
Sometimes I test an SSL website on my local machine. I was tired to use a self-signed certificate and add them to my KeyChain on Mac (Browser or other OS). Moreover, Chrome always complains about them. Moreover, this approach was a bit different from the one used in production.
I found this article very useful where you create once your own CA root certificate, add it once to your keychain and then you use the CA private key to sign thousands of SSL test certificate for my local websites.
https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
The tutorial works great but I would like to automate it. For the CA root certificate it was easy, I simply used the option -subj like this:
openssl req -x509 -new -nodes -key /certs/myCA.key -sha256 -days 1825 -subj "/C=$CA_COUNTRY/ST=$CA_STATE/L=$CA_CITY/O=$CA_ORGANIZATION/CN=$CA_COMMON_NAME" -out /certs/myCA2.pem
where the environment variable (CA_COUNTRY, CA_STATE, CA_CITY, CA_ORGANIZATION, CA_COMMON_NAME) are read from an external file.
However, when I tried to replicate the same thing for the website certificate I wasn't able to get the same result. The command is this:
openssl x509 -req -in dev.deliciousbrains.com.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out dev.deliciousbrains.com.crt -days 825 -sha256 -extfile dev.deliciousbrains.com.ext
It seems that the -subj option doesn't work. Is there a way to pass the info above to this command and avoid interactive questions?
The command you show openssl x509 -req -CA/-CAkey ... does not ask any questions except the key password if there is one (which if you followed the instructions at the linked page there is). It is the preceding command to create the CSR openssl req -new that prompts for the subject name, and for that (like the command for creating the CA cert which is also req but with -x509 -- note -x509 is not the same as x509) you can use -subj. The statement on that page that "your answers don’t matter" isn't quite correct; it is true that when you use SubjectAlternativeName in the leaf cert, as that page advises/directs, the value of Subject is ignored for (at least) HTTPS server identification, but it must (still) be different from the name used for the CA to allow certificate validation to work. Standards allow the Subject name in a leaf cert to be empty when SAN is used (and empty is always different from nonempty and a nonempty name is required in the CA cert) but OpenSSL doesn't handle that case.
Hello I am trying to create root certificate authority for my own MITM proxy. Based on other tutorial I have used following command.
Generate a private key
openssl genrsa -out cert.key 2048
Generate a certificate
openssl req -new -nodes -x509 -key cert.key -days 365 -out cert.crt
Now the problem is when i try to add to keychain it shows Self Signed Root CA. What i have found is other MITM proxy like proxyman generates cert that shows Root Certificate Authority. Here is screenshot which illustrate my point.
I know i can make certificate that shows Root Certificate Authority from Keychain Access > Certificate Assistant > Create a Certificate Authority.
However my goal is to create certificate programmatically so I can generate certificate for other user easily.
Thanks
After several searching i found following command works. I don't know why it works it would be helpful.
openssl req -x509 -new -nodes -key cert.key -subj "/CN=HELLO" -days 3650 -reqexts v3_req -extensions v3_ca -out ca.crt -config /usr/local/etc/openssl/openssl.cnf
It seem adding something related to v3_req fixes the issue.
Be sure to use latest version of openssl. I used homebrew to install openssl
I create self-signed certificate now my problem is Firefox,Safari and even IE will not allow me at all to visit my own page. I can't even click on ignore or similar. It will just block me from visiting mypage.io.
MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT certificate is not valid for 81.33.34.123 (fake ip)
My openssl certificate key and crt creation was like this:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.crt
It prompts me to enter some more detail, and I think the problem is where it asks me about "Common Name (e.g. server FQDN or YOUR name)". I answered with www.mypage.io .
It's an unfinished project so I will not buy a certificate yet.
The trust is missing!
Please get a real certificate. You do net even have to buy on: https://letsencrypt.org/ provides them for free.
If you (for whatever reason) stick with your certificate:
IE: Import it to the trusted root certificate authority store (certlm.msc).
Mozilla: Look here
Alternatively please find information on how to generate your own trust chain with open SSL here: How to make browser trust localhost SSL certificate?
Google is trying to phase out use of SSL certificates using SHA1 hashing algorithm. As result I want to create a SHA2 compliant self signed certificate. I understand the SHA is a hashing algorithm, whilst RSA is an encryption algorithm. I found the following command for producing the key and certificate pair:
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
Will this produce a certificate using SHA-2 hashing algorithm?
After deploying the certificate, Chrome reports the following:
The hash algorithm used by the certificate issuer to sign a certificate request is unrelated to the certificate request itself. That means the CA might use SHA-2 for the 2048 bit key, but it might also use SHA-1. It might even re-sign the same certificate which was once signed with SHA-1 now with SHA-2.
Currently most (all?) public CA use SHA-2 because SHA-1 is phased out for security reasons.
In your case you use the openssl req command to create not only a certificate request but also sign it, i.e. create a self-signed certificate. Modern versions of openssl will use SHA-2 to sign this new certificate by default, older versions SHA-1. To enforce SHA-2 as the signature algorithm use the -sha256 argument.
I believe I have solved the issue. The command I have been using uses openssl's default hashing algorithm which is SHA-1. To create a SHA-2 hashed certificate one must specify an SHA-2 option. In this case I chose to use SHA-256. Following is the updated command:
openssl req -newkey rsa:2048 -sha256 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem