We Keep Coding

Question about how to get openssl to work with Apache

So I need to create a self signed certificate for a web page I am making with Apache. I have looked up and followed different sets of instructions but I am missing something. I am a student and have never used ssl or apache. Apache is installed, the localhost page is up and showing the content of the html docs I've edited. OpenSSL is installed. So it's probably me missing something. I keep getting messages like this
C:\Program Files\OpenSSL-Win64\bin>openssl genrsa -des3 -out server.key 1024 genrsa: Can't
open "server.key" for writing, Permission denied
C:\Program Files\OpenSSL-Win64\bin>openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout
mysitename.key -out mysitename.crt
Generating a RSA private key
..........................+++++
...................................+++++
writing new private key to 'mysitename.key'
req: Can't open "mysitename.key" for writing, Permission denied
any suggestions?

You are missing private key creation.
1 Private key creation
openssl genrsa -out server.key 2048
result
$ cat server.key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAr2E2AUJ+TbptdBVMxYHmUzRpOflP69SX03NyuKh75XIO4tp6
...
Fhe+gzT7QD7Dg9SdP45eQWy5jtDYu4HIcy/ha0sikBi9+8pSs6qo
-----END RSA PRIVATE KEY-----
2 Certification Signing Request creation with #1's private key
openssl req -new -key server.key -out server.csr
common needs localhost other options are default or your.
Common Name (e.g. server FQDN or YOUR name) []:localhost
result
$ cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
...
sDS9gxYfks/7zxvtBzOWR3ZZzjlenpyqqu4aYZyb
-----END CERTIFICATE REQUEST-----
3 Certification creation
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
result
$ cat server.crt
-----BEGIN CERTIFICATE-----
MIIDOTCCAiECFB0jWF04/GTmwfh8Ph1Zqeulb0IuMA0GCSqGSIb3DQEBCwUAMFkx
...
nrp0uU09oePMMMEn5g==
-----END CERTIFICATE-----
4 local server code by python (file name is server.py)
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl
class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(200)
self.end_headers()
self.wfile.write(b'Hello, world!')
httpd = HTTPServer(('localhost', 4443), SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket (httpd.socket,
keyfile="./server.key",
certfile='./server.crt', server_side=True)
httpd.serve_forever()
5 local server test
python server.py

Private Key doesn't Match Certificate

I'm having some weird issues with generating CSRs and certificates from them which I don't fully understand.
Here's what I've done:
Generate private key and CSR (done on Ubuntu on WSL if that's of any significance)
openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr
Uploaded that to CA and got back a certificate beginning with -----BEGIN CERTIFICATE----- which would indicate a PEM-encoded certificate, right?
Tried combining all of this into a PFX for ease of use
openssl pkcs12 -export -out CERTIFICATE.pfx -inkey PRIVATEKEY.key -in CERTIFICATE.cer
It then asks for the private key and then throws the error No certificate matches private key
Some people suggested reencoding the certificate from DER to PEM, but that just throws an error indicating the certificate is already X509
sudo openssl x509 -inform DER -outform PEM -in CERTIFICATE.cer -out CERTIFICATE.pem
unable to load certificate
140390322082240:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:
140390322082240:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=X509
The following command generates quite sensible output, so the certificate seems to be alright to some extent
openssl x509 -in CERTIFICATE.cer -text -noout
The CA is Telia if this is of any use to anybody. I have had some issues in the past with them, for example Digicert's Certificate Utility doesn't recognize their certificates as valid for some reason (but that might of course be cause by me using the wrong file extension or something).

This issue was due to the renewal process in the Telia user interface, it allows you to upload a new CSR during renewal, but it actually ignores that and uses the old CSR without telling you.

Does ingress TLS secret need a SSL private key for __INGRESS_SECRET__?

I'm trying to
kubectl create secret tls foo-secret --key /tls.key --cert /tls.crt
From keys and certs I've used made from LetsEncrypt. This processes makes sense with self-signed certificates, but the files made by LetsEncrypt look like this:
cert.pem
chain.pem
fullchain.pem
privkey.pem
I can convert those pem files, I don't know if --key want's a public key or a private key, and the only option here is privkey.pem. I assume cert is cert.
I can convert private.pem with:
openssl rsa -outform der -in privkey.pem -out private.key
And cert.pem with:
openssl x509 -outform der -in cert.pem -out cert.crt
Is this the right process? Since I'll be using this secret for ingress oauth in place of __INGRESS_SECRET__, is this ingress suppose to have a private key? This ingress is acting as a TLS terminator for other things.

You are correct, you will need to provide your private key for the tls.key portion. However it's a good practice to automate the letsencrypt certificate generate process, using cert-manager. Check out this tutorial. Dong so will automatically create the tls secret resource for you on the cluster.
Your tls.key file is the private key and begins and ends like the following:
-----BEGIN RSA PRIVATE KEY-----
... [your private key]
-----END RSA PRIVATE KEY-----
And your tls.crt is going to be the concatenation of cert.pem and fullchain.pem, and it will look like the following:
-----BEGIN CERTIFICATE-----
...
[your cert content]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
[your fullchain cert content]
-----END CERTIFICATE-----

ssl : Unable to load certificate

I have 2 files - CSR.csr and newkey.key, both seem to be in PEM format as follows -
-----BEGIN CERTIFICATE REQUEST-----
MIID....
-----END CERTIFICATE REQUEST-----
-----BEGIN RSA PRIVATE KEY-----
MI...
-----END RSA PRIVATE KEY-----
When I'm trying to read the CSR.csr file, I get the following error :
$ openssl x509 -in CSR.csr -text -noout
unable to load certificate
140518720210760:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE
I read that we get this error when the input file is in DER format, so I tried the following -
$ openssl x509 -inform DER -in CSR.csr -text -noout
but now I get the error -
unable to load certificate
140519053051720:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1320:
140519053051720:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:382:Type=X509
And it seems this error occurs when the input file is already in PEM format and one tries to read it in DER format.
Really confused how to go about it as I'm new to SSL. Please help!

In my case I was trying to read my cer file and was receiving the error stated above
openssl x509 -in CSR.csr -text -noout
unable to load certificate
140518720210760:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE
I had to convert it to a crt file using openssl.
openssl x509 -inform DER -in <certname>.cer -out <certname>.crt
openssl x509 -in <certname>.crt -text
Here's the doc i used. I was able to read it using openssl after that

The problem is not PEM vs. DER but that you are using a certificate request in a place where a certificate is expected. This is clearly shown by the PEM header -----BEGIN CERTIFICATE REQUEST-----.
To show the content of a certificate request use
openssl req -in CSR.csr -text
To show the content of a certificate use
openssl x509 -in CERT.crt -text

This ERROR also happens on certificates that are not "certificate request" emmited to be signed by a CA (non-CSR certificate) but which are x509 regular certificates from Windows PKI in ".cer" format
In this case, following "Norbert" answer is the good way to solve the problem, converting the certificate in ".crt'
After the file is able to be dumped using:
openssl x509 -in YOURCERT.crt -noout -text
or
openssl x509 -in YOURCERT.crt -text

How can I convert a PFX certificate file for use with Apache on a linux server?

How can I convert a PFX certificate file for use with Apache on a linux server?
I created the PFX from Windows Certificate Services. The PFX contains the entire certificate chain. (Which is just a root and the main cert, no intermediate.)
Lead me, wise ones.

With OpenSSL you can convert pfx to Apache compatible format with next commands:
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in domain.pfx -nocerts -nodes -out domain.key
First command extracts public key to domain.cer.
Second command extracts private key to domain.key.
Update your Apache configuration file with:
<VirtualHost 192.168.0.1:443>
...
SSLEngine on
SSLCertificateFile /path/to/domain.cer
SSLCertificateKeyFile /path/to/domain.key
...
</VirtualHost>

Additionally to
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in domain.pfx -nocerts -nodes -out domain.key
I also generated Certificate Authority (CA) certificate:
openssl pkcs12 -in domain.pfx -out domain-ca.crt -nodes -nokeys -cacerts
And included it in Apache config file:
<VirtualHost 192.168.0.1:443>
...
SSLEngine on
SSLCertificateFile /path/to/domain.cer
SSLCertificateKeyFile /path/to/domain.key
SSLCACertificateFile /path/to/domain-ca.crt
...
</VirtualHost>

To get it to work with Apache, we needed one extra step.
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in domain.pfx -nocerts -nodes -out domain_encrypted.key
openssl rsa -in domain_encrypted.key -out domain.key
The final command decrypts the key for use with Apache. The domain.key file should look like this:
-----BEGIN RSA PRIVATE KEY-----
MjQxODIwNTFaMIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3d3d3
LmVudHJ1c3QubmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxp
YWIuKTElMCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEG
A1UEAxMqRW50cnVzdC5uZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgp
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArU1LqRKGsuqjIAcVFmQq
-----END RSA PRIVATE KEY-----

Took some tooling around but this is what I ended up with.
Generated and installed a certificate on IIS7.
Exported as PFX from IIS
Convert to pkcs12
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
NOTE: While converting PFX to PEM format, openssl will put all the Certificates and Private Key into a single file. You will need to open the file in Text editor and copy each Certificate & Private key(including the BEGIN/END statements) to its own individual text file and save them as certificate.cer, CAcert.cer, privateKey.key respectively.
-----BEGIN PRIVATE KEY-----
Saved as certificate.key
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Saved as certificate.crt
-----END CERTIFICATE-----
Added to apache vhost w/ Webmin.

SSLSHopper has some pretty thorough articles about moving between different servers.
http://www.sslshopper.com/how-to-move-or-copy-an-ssl-certificate-from-one-server-to-another.html
Just pick the relevant link at bottom of this page.
Note: they have an online converter which gives them access to your private key. They can probably be trusted but it would be better to use the OPENSSL command (also shown on this site) to keep the private key private on your own machine.