How to generate cert with -extfile option by bcprov.jar - ssl-certificate

I need to write Java code that generates an X.509 certificate with bcprov.jar.
My openssl.cnf is as below:
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:TRUE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
basicConstraints = CA:true
I found that JcaX509v3CertificateBuilder with its addExtension function should work, but I don't know how to specify the desired section.
For example, I want to set basicConstraints in the [v3_req] section to true and in [v3_ca] to false; how can I specify the section?
The addExtension function only accepts the basicConstraints parameter and has no parameter that accepts the section.

Related

Self-Signed SSL certificate for local IP

The development certificate created by the command dotnet dev-certs https --trust works. I want to create a self-signed certificate for a local IP in my LAN.
I've created a self-signed certificate by command:
New-SelfSignedCertificate -NotBefore (Get-Date) -NotAfter (Get-Date).AddYears(2) -Subject "192.168.1.100" -KeyAlgorithm "RSA" -KeyLength 2048 -HashAlgorithm "SHA256" -CertStoreLocation "Cert:\LocalMachine\My" -KeyUsage KeyEncipherment -FriendlyName "HTTPS development certificate" -TextExtension @("2.5.29.19={critical}{text}","2.5.29.37={critical}{text}1.3.6.1.5.5.7.3.1","2.5.29.17={critical}{text}DNS=192.168.1.100")
Then I copied the certificate into the trusted folder of the certificate store:
After this I edited appsettings.Development.json:
"Kestrel": {
  "Endpoints": {
    "localhostHttp": {
      "Url": "http://192.168.1.100:5000"
    },
    "localhostHttps": {
      "Url": "https://192.168.1.100:5001",
      "Certificate": {
        "Subject": "192.168.1.100",
        "Store": "Root",
        "Location": "CurrentUser",
        "AllowInvalid": true
      }
    }
  }
}
But no result:
Is it possible to create a certificate like this?

localhost self-signed certificate across LAN in XAMPP

I have localhost with SSL working fine on my local PC, but SSL doesn't work across the LAN. Because I'm using a self-signed certificate I have to install the certificate on every PC on which I'll open the site, but it only works on the PC on which the website is hosted, not on the other PCs on the LAN.
I don't want to host my website online because I'm in development mode.
My Local PC:
host file:
127.0.0.1 gofashion_chat.test
httpd-xampp.conf
<VirtualHost *:80>
DocumentRoot "C:/xampp/htdocs/gofashion"
ServerName gofashion_chat.test
ServerAlias *.gofashion_chat.test
</VirtualHost>
<VirtualHost *:443>
DocumentRoot "C:/xampp/htdocs/gofashion"
ServerName gofashion_chat.test
ServerAlias *.gofashion_chat.test
SSLEngine on
SSLCertificateFile "C:/xampp/htdocs/gofashion/cert/gofashion_chat.test/server.crt"
SSLCertificateKeyFile "C:/xampp/htdocs/gofashion/cert/gofashion_chat.test/server.key"
</VirtualHost>
Certificate in browser:
PC on LAN:
host file:
192.168.10.7 gofashion_chat.test
Certificate in browser on LAN PC:
I have installed server.crt on both PCs.
How do I solve ssl issue across LAN?
Edit:
This is the .bat file I used to generate the certificate:
@echo off
set /p domain="Enter Domain without TLD (E.g 'facebook', 'google'): "
set /p com_tld="Enter Domain TLD (E.g 'com', 'test'): "
SET HOSTNAME=%domain%
SET DOT=%com_tld%
SET COUNTRY=US
SET STATE=KS
SET CITY=Olathe
SET ORGANIZATION=IT
SET ORGANIZATION_UNIT=IT Department
SET FULL_DOMAIN=%HOSTNAME%.%DOT%
SET EMAIL=webmaster@%FULL_DOMAIN%
SET OPENSSL_CONF=C:\xampp\apache\conf\openssl.cnf
if not exist .\%HOSTNAME%.%DOT% mkdir .\%FULL_DOMAIN%
(
echo [req]
echo default_bits = 2048
echo prompt = no
echo default_md = sha256
echo req_extensions = v3_req
echo x509_extensions = x509_ext
echo distinguished_name = dn
echo:
echo [dn]
echo C = %COUNTRY%
echo ST = %STATE%
echo L = %CITY%
echo O = %ORGANIZATION%
echo OU = %ORGANIZATION_UNIT%
echo emailAddress = %EMAIL%
echo CN = %FULL_DOMAIN%
echo:
echo [v3_req]
echo subjectAltName = @alt_names
echo subjectKeyIdentifier = hash
echo authorityKeyIdentifier = keyid:always, issuer:always
echo basicConstraints = critical, CA:TRUE, pathlen:1
echo keyUsage = critical, cRLSign, digitalSignature, keyCertSign
echo nsComment = "OpenSSL Generated Certificate"
echo:
echo [x509_ext]
echo subjectAltName = @alt_names
echo subjectKeyIdentifier = hash
echo authorityKeyIdentifier = keyid:always, issuer:always
echo basicConstraints = critical, CA:TRUE, pathlen:1
echo keyUsage = critical, cRLSign, digitalSignature, keyCertSign
echo nsComment = "OpenSSL Generated Certificate"
echo:
echo [alt_names]
echo DNS.1 = *.%FULL_DOMAIN%
echo DNS.2 = %FULL_DOMAIN%
)>%FULL_DOMAIN%\%HOSTNAME%.cnf
C:\xampp\apache\bin\openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout %FULL_DOMAIN%\server.key -days 356 -out %FULL_DOMAIN%\server.crt -config %FULL_DOMAIN%\%HOSTNAME%.cnf
echo.
echo -----
echo The certificate was provided.
echo.
pause
This is another one I used to generate the certificate:
@echo off
set /p domain="Enter Domain without TLD (E.g 'facebook', 'google'): "
set /p com_tld="Enter Domain TLD (E.g 'com', 'test'): "
SET HOSTNAME=%domain%
SET DOT=%com_tld%
SET COUNTRY=US
SET STATE=KS
SET CITY=Olathe
SET ORGANIZATION=IT
SET ORGANIZATION_UNIT=IT Department
SET FULL_DOMAIN=%HOSTNAME%.%DOT%
SET EMAIL=webmaster@%FULL_DOMAIN%
SET OPENSSL_CONF=C:\xampp\apache\conf\openssl.cnf
if not exist .\%HOSTNAME%.%DOT% mkdir .\%FULL_DOMAIN%
(
echo [ req ]
echo default_bits = 2048
echo default_keyfile = server-key.pem
echo distinguished_name = subject
echo req_extensions = req_ext
echo x509_extensions = x509_ext
echo string_mask = utf8only
echo:
echo [ subject ]
echo countryName = Country Name ^(2 letter code^)
echo countryName_default = %COUNTRY%
echo stateOrProvinceName = State or Province Name ^(full name^)
echo stateOrProvinceName_default = %STATE%
echo localityName = Locality Name ^(eg, city^)
echo localityName_default = %CITY%
echo organizationName = Organization Name ^(eg, company^)
echo organizationName_default = %ORGANIZATION%
echo commonName = Common Name ^(e.g. server FQDN or YOUR name^)
echo commonName_default = %HOSTNAME%.%DOT%
echo emailAddress = Email Address
echo emailAddress_default = %EMAIL%
echo:
echo [ x509_ext ]
echo subjectKeyIdentifier = hash
echo authorityKeyIdentifier = keyid,issuer
echo basicConstraints = CA:FALSE
echo keyUsage = digitalSignature, keyEncipherment
echo subjectAltName = @alternate_names
echo nsComment = "OpenSSL Generated Certificate"
echo:
echo [ req_ext ]
echo subjectKeyIdentifier = hash
echo basicConstraints = CA:FALSE
echo keyUsage = digitalSignature, keyEncipherment
echo subjectAltName = @alternate_names
echo nsComment = "OpenSSL Generated Certificate"
echo:
echo [ alternate_names ]
echo:
echo DNS.1 = *.%HOSTNAME%.%DOT%
echo DNS.2 = %HOSTNAME%.%DOT%
)>%FULL_DOMAIN%\%HOSTNAME%.cnf
C:\xampp\apache\bin\openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout %FULL_DOMAIN%\server.key -days 356 -out %FULL_DOMAIN%\server.crt -config %FULL_DOMAIN%\%HOSTNAME%.cnf
echo.
echo -----
echo The certificate was provided.
echo.
pause
This might be late but it is worth a try ^_^
Instead of naming your localhost gofashion_chat.test, just use computername.domain. This will save you time editing the hosts file of each computer you want to access your website from.
Create a folder inside apache. Folder name: crt
Create a file named cert-template.conf and save it in the crt folder. Below is the content of cert-template.conf.
[ req ]
default_bits = 2048
default_keyfile = server-key.pem
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only
[ subject ]
countryName = Country Name (2 letter code)
countryName_default = TE
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = TEST
localityName = Locality Name (eg, city)
localityName_default = TEST
organizationName = Organization Name (eg, company)
organizationName_default = TEST
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = computername.domain
emailAddress = Email Address
emailAddress_default = test@example.com
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
[ alternate_names ]
DNS.1 = computername.domain
Also create this file, make-cert.bat, and save it in the crt folder. Below is the content of make-cert.bat.
@echo off
set /p domain="Domain Name: "
set OPENSSL_CONF=../conf/openssl.cnf
REM
REM Read the "cert-template.conf" file and replace all {{DOMAIN}} placeholders by the entered domain.
REM Write the result into a new file called "cert.conf".
REM
REM @see https://stackoverflow.com/questions/5273937/how-to-replace-substrings-in-windows-batch-file#20227248
REM
setlocal enabledelayedexpansion
set INTEXTFILE=cert-template.conf
set OUTTEXTFILE=cert.conf
set SEARCHTEXT={{DOMAIN}}
set REPLACETEXT=%domain%
if exist %OUTTEXTFILE% del /F %OUTTEXTFILE%
for /f "tokens=1,* delims=¶" %%A in ( '"findstr /n ^^ %INTEXTFILE%"') do (
SET string=%%A
for /f "delims=: tokens=1,*" %%a in ("!string!") do set "string=%%b"
if "!string!" == "" (
echo.>>%OUTTEXTFILE%
) else (
SET modified=!string:%SEARCHTEXT%=%REPLACETEXT%!
echo !modified! >> %OUTTEXTFILE%
)
)
REM
REM Create the target directory.
REM
if not exist .\%domain% mkdir .\%domain%
REM
REM Create the certificate and key files.
REM
..\bin\openssl req -config %OUTTEXTFILE% -new -sha256 -newkey rsa:2048 -nodes -keyout %domain%\server.key -x509 -days 365 -out %domain%\server.crt
REM
REM Delete the written file "cert.conf" as this file would only be used to create the certificate.
REM
if exist %OUTTEXTFILE% del /F %OUTTEXTFILE%
echo.
echo -----
echo The certificate was provided.
echo.
pause
Run make-cert.bat; a command prompt will open and ask you for a domain name. Your domain name is your computername.domain. After that, there are questions you need to answer, and the most important one is the Common Name. Common Name = computername.domain.
Install the certificate you created located at crt/computername.domain/server.crt. Install Certificate>Local Machine> Place all certificates in the following store> Browse> Trusted Root Certification Authorities> Next > Finish.
Insert this script at the bottom of httpd-xampp.conf:
<VirtualHost computername.domain:8080>
DocumentRoot "C:/xampp/htdocs"
</VirtualHost>
<VirtualHost computername.domain:4433>
DocumentRoot "C:/xampp/htdocs"
SSLEngine on
SSLCertificateFile "crt/computername.domain/server.crt"
SSLCertificateKeyFile "crt/computername.domain/server.key"
</VirtualHost>
Restart XAMPP and try to access your localhost using https://computername.domain:4433.
That's all. I hope you get all of the steps.
Your screenshot shows that the used certificate is allowed for the purposes
All issuance policies
All application policies
But you want to use it as a web server certificate, so the certificate requires the following purpose:
Ensures the identity of a remote computer
I assume it works on your computer because the web browser recognizes that the server is running on a local network interface, hence it is not a "remote computer", and therefore it works without this purpose being allowed in the certificate.
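The three certificate questions above (mapping openssl.cnf sections onto a builder API such as bcprov's, a certificate for a LAN IP made with New-SelfSignedCertificate, and a self-signed XAMPP certificate that browsers on other LAN machines accept) come down to the same thing: which extensions end up in the issued certificate. The following Go program is an added example and not code from any of the posts; it uses only the standard-library crypto/x509 package instead of bcprov, PowerShell or openssl, since the X.509 structure it produces is the same. The Profile type and the two profiles CAProfile and ServerProfile are hypothetical stand-ins for cnf sections such as [v3_ca] and [x509_ext]: a builder API has no section parameter, you simply choose which bundle of extensions to copy into the template. The names gofashion_chat.test and 192.168.1.100 are taken from the questions; the issuer name "Dev Root CA" and the P-256 keys are my own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Profile stands in for one named extension section of openssl.cnf ([v3_ca],
// [x509_ext], ...). A builder API has no sections: the caller picks a profile
// and copies it into the template, as "-extensions <section>" does on the CLI.
type Profile struct {
	IsCA        bool
	KeyUsage    x509.KeyUsage
	ExtKeyUsage []x509.ExtKeyUsage
	DNSNames    []string
	IPAddresses []net.IP
}

// Hypothetical profiles. ServerProfile carries the names a browser matches
// against the URL (subjectAltName; a literal IP must be an iPAddress entry,
// not a dNSName) and the serverAuth extendedKeyUsage a web server needs.
var (
	CAProfile = Profile{
		IsCA:     true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature,
	}
	ServerProfile = Profile{
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    []string{"gofashion_chat.test", "*.gofashion_chat.test"},
		IPAddresses: []net.IP{net.ParseIP("192.168.1.100")},
	}
)

// NewTemplate builds a certificate template for cn from the chosen profile.
func NewTemplate(cn string, p Profile) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		panic(err) // crypto/rand failing is not recoverable
	}
	return &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, // always emit basicConstraints, CA:TRUE or CA:FALSE
		IsCA:                  p.IsCA,
		KeyUsage:              p.KeyUsage,
		ExtKeyUsage:           p.ExtKeyUsage,
		DNSNames:              p.DNSNames,
		IPAddresses:           p.IPAddresses,
	}
}

// Issue generates a P-256 key and a certificate for cn under profile p, signed
// by parent/parentKey (self-signed when parent is nil), and parses it back.
func Issue(cn string, p Profile, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := NewTemplate(cn, p)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain issues a self-signed CA from CAProfile and a server certificate
// from ServerProfile signed by that CA.
func BuildChain() (ca, server *x509.Certificate, err error) {
	ca, caKey, err := Issue("Dev Root CA", CAProfile, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	server, _, err = Issue("gofashion_chat.test", ServerProfile, ca, caKey)
	return ca, server, err
}

// VerifyFor is the check a TLS client that trusts ca performs for a connection
// to name (DNS name or literal IP): chain, serverAuth purpose and a SAN match.
func VerifyFor(ca, server *x509.Certificate, name string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   name,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}
```

VerifyFor does what a browser that has imported the CA does: build the chain, require the serverAuth purpose and match the host in the URL against the subjectAltName. With the profiles above, VerifyFor(ca, srv, "gofashion_chat.test") and VerifyFor(ca, srv, "192.168.1.100") return nil, while "192.168.1.101" or any name absent from the SAN returns a hostname error. That is the usual reason a self-signed certificate that is trusted on the second machine still fails there: the name typed into the browser (the LAN IP or hostname) is not in the SAN, or the IP was written as a DNS entry, which RFC 6125 clients never match against an IP.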

Configuring SSL in JHipster

I am currently trying to implement SSL in my current JHipster application.
So far I have generated a certificate using keytool -genkey -alias iroApp -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 3650.
In application-dev.yml i changed the server options from:
server:
port: 8080
to:
server:
port: 8443
ssl:
key-store: keystore.p12
key-store-password: myPassword
keyStoreType: PKCS12
keyAlias: myApplicationName
In proxy.conf.json:
From
{
  "*": {
    "target": "http://localhost:8080",
    "secure": false,
    "loglevel": "debug"
  }
}
To
{
  "*": {
    "target": "http://localhost:8443",
    "secure": true,
    "loglevel": "debug"
  }
}
In webpack.dev.js I have changed the target ports (from 8080 to 8443) and secure from false to true.
When I open the page I get "This site can’t be reached. localhost unexpectedly closed the connection. ERR_CONNECTION_CLOSED".
Is there something i forgot to do?
Thank you
Your key-alias needs to be all lowercase. It fails silently if you have a capital letter in the alias. You also are missing an indentation in your config, and you shouldn't mix snake-case and camelCase config variables.
Your final config should look like:
server:
  port: 8443
  ssl:
    key-store: keystore.p12
    key-store-password: myPassword
    key-store-type: PKCS12
    key-alias: myapplicationname
This was reported and fixed recently in the generator code (issue link)

Create a cert with multiple subject alt names with Ansible

I'm using a block like the one below:
- name: Ensure that the existing certificate has a certain domain in its subjectAltName
  openssl_certificate:
    path: /etc/ssl/crt/example.com.crt
    provider: selfsigned
    subject_alt_name:
      - www.example.com
      - test.example.com
To generate a self-signed cert with Ansible, I'd like to use the IPs in my inventory file as subject_alt_names, something like:
- name: Generate cert
  openssl_certificate:
    path: ssl/mongo-test.crt
    privatekey_path: ssl/mongo-test.pem
    csr_path: ssl/mongo-test.csr
    provider: selfsigned
    subject_alt_name:
      - IP:{{hostvars[item].ansible_host}}
So that I end up with:
- name: Generate cert
  openssl_certificate:
    path: ssl/mongo-test.crt
    privatekey_path: ssl/mongo-test.pem
    csr_path: ssl/mongo-test.csr
    provider: selfsigned
    subject_alt_name:
      - IP:10.136.31.37
      - IP:10.136.29.52
      - IP:10.136.30.53
How do I get all my inventory ips to come under the subject_alt_name list?
I've tried using with_items, but that creates a new cert per IP address and each iteration overwrites the last.
I know that I am not answering your question directly, but I had the same problem and chose another approach, hoping it could apply to you too.
I created an openssl.conf file that is templated with Jinja:
[ req ]
prompt = no
distinguished_name = req_distinguished_name
{% if letsencrypt_sans_domains[item] is defined and letsencrypt_sans_domains[item] | length > 0 %}
req_extensions = req_ext
{% endif %}
string_mask = utf8only
default_md = sha256
[ req_distinguished_name ]
O=Organization
L=Boston
ST=Massachusetts
C=US
CN={{ item }}
{% if letsencrypt_sans_domains[item] is defined and letsencrypt_sans_domains[item] | length > 0 %}
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = {{ item }}
{# loop.index is 1-based and DNS.1 is the CN, so number the SANs from 2;
   a {% set %} counter inside a for loop would reset on every iteration #}
{% for domain in letsencrypt_sans_domains[item] %}
DNS.{{ loop.index + 1 }} = {{ domain }}
{% endfor %}
{% endif %}
Then I deploy the file using the template module and call:
- name: "Generate CSR"
  command: "openssl req -config openssl_req_{{ item }}.conf -nodes -new -newkey rsa:4096 -out {{ item }}.csr -keyout {{ item }}.key"
  with_items: "{{ letsencrypt_domains | default([]) }}"
The variables letsencrypt_sans_domains and letsencrypt_domains point to:
letsencrypt_domains:
  - "a.b.com"
letsencrypt_sans_domains:
  "a.b.com": ["b.b.com", "c.b.com", "d.b.com"]
Of course, if Let's Encrypt is your use case, you'll need to answer the challenge for all SAN domains.
This can be done via:
- name: Generate an OpenSSL CSR with subjectAltName extension with dynamic list
  openssl_csr:
    path: /etc/ssl/csr/www.ansible.com.csr
    privatekey_path: /etc/ssl/private/ansible.com.pem
    subject_alt_name: "{{ item.value | map('regex_replace', '^', 'IP:') | list }}"
  with_dict:
    ips:
      - 10.10.0.11
      - 10.10.0.12
      - 10.10.0.13

What username does the kubernetes kubelet use when contacting the kubernetes API?

So I've been trying to implement ABAC authorization in the Kubernetes API, with the following arguments in my kube-api manifest file:
- --authorization-mode=ABAC
- --authorization-policy-file=/etc/kubernetes/auth/abac-rules.json
And the following content in the abac-rules.json file:
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"*", "nonResourcePath": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"admin", "namespace": "*", "resource": "*", "apiGroup": "*" }}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "apiGroup": "*", "namespace": "*", "resource": "*", "readonly": false}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "apiGroup": "*", "namespace": "*", "resource": "*", "readonly": false }}
However, the kubelets can't seem to connect to the API servers. I read that the username is taken from the CN field of the -subject in the certificate used to authenticate the connection, see here. In this case that's the FQDN of the host; I've tried that too with no luck.
Any ideas what i'm doing wrong?
Cheers in advance
Edit:
I'm using Kubernetes version 1.2.2, both kubectl and hyperkube docker image.
Figured out the answer; documenting it here for anyone else having the same issue with ABAC.
The kubelet user is defined in the worker configuration, which in my case is a YAML file stored at /etc/kubernetes/worker-kubeconfig.yaml, the content of which is shown below:
apiVersion: v1
kind: Config
clusters:
  - name: default
    cluster:
      server: https://10.96.17.34:8443
      certificate-authority: /etc/kubernetes/ssl/ca.pem
users:
  - name: kubelet
    user:
      client-certificate: /etc/kubernetes/ssl/worker.pem
      client-key: /etc/kubernetes/ssl/worker-key.pem
contexts:
  - context:
      cluster: default
      user: kubelet
    name: kubelet-context
current-context: kubelet-context
So the user it's connecting with is kubelet.
In my case I had created my certificates with CN=${MINION_FQDN}, and since this did not match "kubelet" the ABAC policies weren't met. I regenerated my certificates with the following arguments and now the nodes authenticate successfully :)
# Create worker key
openssl genrsa -out $OUT/${WORKER_HOSTNAME}/worker-key.pem 2048
#Creating Worker CSR...
WORKER_FQDN=${WORKER_FQDN} WORKER_IP=${WORKER_IP} openssl req -new -key $OUT/${WORKER_HOSTNAME}/worker-key.pem -out $OUT/${WORKER_HOSTNAME}/worker.csr -subj "/CN=kubelet" -config $SSL_CONFIG
# Creating Worker Cert
WORKER_FQDN=${WORKER_FQDN} WORKER_IP=${WORKER_IP} openssl x509 -req -in $OUT/${WORKER_HOSTNAME}/worker.csr -CA $CA/ca.pem -CAkey $CA/ca-key.pem -CAcreateserial -out $OUT/${WORKER_HOSTNAME}/worker.pem -days 365 -extensions v3_req -extfile $SSL_CONFIG
The important part of which is this:
-subj "/CN=kubelet"
Hope this helps someone else.
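To see exactly why the CN mattered, here is an added Go example that is not the apiserver's code: a reimplementation, reduced to user matching (group matching omitted), of the v1beta1 ABAC matching order, which checks the subject first, then the verb, then exactly one of the resource or non-resource attribute sets. It loads the four policy lines from the question, embedded verbatim, and evaluates sample requests; the user name worker1.example.com and the request attributes are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Policy is one line of an abac.authorization.kubernetes.io/v1beta1 policy
// file, which holds one JSON object per line rather than a JSON array.
type Policy struct {
	APIVersion string     `json:"apiVersion"`
	Kind       string     `json:"kind"`
	Spec       PolicySpec `json:"spec"`
}

type PolicySpec struct {
	User            string `json:"user"`
	Readonly        bool   `json:"readonly"`
	APIGroup        string `json:"apiGroup"`
	Namespace       string `json:"namespace"`
	Resource        string `json:"resource"`
	NonResourcePath string `json:"nonResourcePath"`
}

// Request is what the matcher looks at. With client-certificate
// authentication User is the certificate's CN. Resource requests set
// Resource (plus Namespace/APIGroup); non-resource ones like /healthz set Path.
type Request struct {
	User, Verb, APIGroup, Namespace, Resource, Path string
}

// PolicyFile embeds the four rules from the question so the example runs offline.
const PolicyFile = `
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"*", "nonResourcePath": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"admin", "namespace": "*", "resource": "*", "apiGroup": "*" }}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "apiGroup": "*", "namespace": "*", "resource": "*", "readonly": false}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "apiGroup": "*", "namespace": "*", "resource": "*", "readonly": false }}
`

// LoadPolicies parses the line-delimited policy file, skipping blank lines.
func LoadPolicies(text string) ([]Policy, error) {
	var out []Policy
	for n, line := range strings.Split(text, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		var p Policy
		if err := json.Unmarshal([]byte(line), &p); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		out = append(out, p)
	}
	return out, nil
}

func isReadOnly(verb string) bool {
	return verb == "get" || verb == "list" || verb == "watch"
}

// matches follows the v1beta1 order: subject, verb, then exactly one of the
// resource or non-resource attribute sets. Group matching is left out.
func matches(p PolicySpec, r Request) bool {
	// "*" matches every user; an empty user field matches nobody.
	if p.User == "" || (p.User != "*" && p.User != r.User) {
		return false
	}
	// Every policy allows read-only verbs; a write needs readonly=false.
	if !isReadOnly(r.Verb) && p.Readonly {
		return false
	}
	if r.Resource != "" {
		// A policy written for non-resource paths has empty namespace/resource/
		// apiGroup fields, so it can never match a resource request.
		return (p.Namespace == "*" || p.Namespace == r.Namespace) &&
			(p.Resource == "*" || p.Resource == r.Resource) &&
			(p.APIGroup == "*" || p.APIGroup == r.APIGroup)
	}
	if r.Path == "" {
		return false // neither kind of request
	}
	return p.NonResourcePath == "*" || p.NonResourcePath == r.Path ||
		(strings.HasSuffix(p.NonResourcePath, "*") &&
			strings.HasPrefix(r.Path, strings.TrimSuffix(p.NonResourcePath, "*")))
}

// Authorize allows the request if any policy line matches; ABAC has no deny rules.
func Authorize(policies []Policy, r Request) bool {
	for _, p := range policies {
		if matches(p.Spec, r) {
			return true
		}
	}
	return false
}
```

Authorize(policies, Request{User: "kubelet", Verb: "update", Namespace: "default", Resource: "pods"}) is true, because the fourth line names that user and is not read-only. The same request with User "worker1.example.com", which is what the apiserver sees when the node's certificate has CN=worker1.example.com, matches nothing: the wildcard-user line only covers non-resource paths, and the other three lines require a literal user name. The same file also shows a side effect worth knowing about: the first line grants every authenticated user read access to every non-resource path.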