Getting "No certificate matches private key" - ssl

This is the sequence of commands I tried:
a. Extract an existing certificate key from the store:
keytool -v -importkeystore -srckeystore keystore -srcalias one -destkeystore temppp -deststoretype PKCS12 -srcstorepass passwordd -deststorepass passwordd
b. Extract the private key from the exported certificate:
openssl pkcs12 -in temppp -out csr_private.key -nocerts -nodes -password pass:passwordd
c. Generate a CSR using the extracted key:
openssl req -nodes -sha256 -new -key csr_private.key -out request.csr -subj '/C=IL/ST=Unknown/L=Unknown/O=Bla/OU=Bla/CN=BLAAAA'
d. Generate a self-signed certificate and key:
openssl req -x509 -newkey rsa:2048 -keyout ca_key.pem -nodes -sha512 -days 4096 -subj '/C=IL/ST=Unknown/L=Unknown/O=Bla Bla/OU=BLA/CN=FOOO' -out ca.pem
e. Sign the csr with the self-signed certificate:
openssl x509 -in request.csr -out signed_cert.pem -req -signkey ca_key.pem -days 1001
f. Export the signed certificate and csr key to one p12 file:
openssl pkcs12 -export -in signed_cert.pem -inkey csr_private.key -out file.p12 -name "one"
Result:
No certificate matches private key
What am I missing? Why isn't my last command legitimate?
I planned to do "keytool -importkeystore" file.p12 (that should have been generated in the last step) to replace the "one" privateKeyEntry in "keystore". As suggested in How to import an existing x509 certificate and private key in Java keystore to use in SSL?.
Basically I'm trying to edit that entry to have the same key, but a different certificate.

The fix is to add "-nodes" to the last command (f).
In the second command that key was exported with "-nodes" (no DES encryption), and it should be the same in the last command too.

Related

Why do I see different signatures when I create the same certificate twice?

First I do:
$ openssl genrsa -out root.key 2048
Then I do:
$ openssl req -new -key root.key -subj "C=../..."
Then I create a signed certificate in the following way:
$ openssl x509 -req -in root.csr -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -signkey root.key
If I do the last command twice, I see a different signature in the certificate. Why is that?
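The two questions above share one underlying check, so here is an added example (not part of either post; it assumes the openssl CLI is installed and constructs its own keys and file names) that tests whether a certificate really carries a given key's public key, then reproduces step (e) of the first question and the repeated signing of the second to show which key the `-signkey` output matches and which field differs between two runs.

```sh
# Added example (not from either post). Requires the openssl CLI; all file names
# are constructed for the demo. Shows (1) a key/certificate match check, the
# precondition behind "No certificate matches private key", and (2) why signing
# the same request twice yields different certificates.
set -eu

# Canonical PEM public key of a private key file.
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Canonical PEM public key embedded in a certificate.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Succeeds only if the certificate carries exactly the key's public key.
key_matches_cert() { [ "$(pubkey_of_key "$1")" = "$(pubkey_of_cert "$2")" ]; }

# Two keys, one request made with csr.key, and that request "signed" twice with
# "x509 -req -signkey ca.key" (step (e) of the first question). Echoes the work dir.
make_fixture() {
  d=$(mktemp -d)
  openssl genrsa -out "$d/csr.key" 2048 2>/dev/null
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
  openssl req -new -key "$d/csr.key" -subj '/CN=from-csr' -out "$d/request.csr" 2>/dev/null
  for n in 1 2; do
    openssl x509 -req -in "$d/request.csr" -signkey "$d/ca.key" -days 1 \
      -out "$d/signed$n.pem" 2>/dev/null
  done
  echo "$d"
}

# "-signkey" self-signs the request: the certificate takes ca.key's public key, not
# the CSR's, so pairing it with csr.key in "pkcs12 -export" cannot succeed.
# Prints "csr", "signkey" or "neither".
which_key_matches() {
  if   key_matches_cert "$1/csr.key" "$1/signed1.pem"; then echo csr
  elif key_matches_cert "$1/ca.key"  "$1/signed1.pem"; then echo signkey
  else echo neither; fi
}

# Without -set_serial, x509 -req picks a fresh random serial on every run; the
# to-be-signed data change, so the signature changes too. Prints "same" or "differ".
compare_serials() {
  s1=$(openssl x509 -in "$1/signed1.pem" -noout -serial)
  s2=$(openssl x509 -in "$1/signed2.pem" -noout -serial)
  [ "$s1" = "$s2" ] && echo same || echo differ
}

fx=$(make_fixture)
echo "signed cert matches: $(which_key_matches "$fx")"   # signkey
echo "serials of two runs: $(compare_serials "$fx")"     # differ
rm -rf "$fx"
```

Run `key_matches_cert key.pem cert.pem` on your own files before any `pkcs12 -export`; it works for RSA and EC keys alike because it compares the full public key rather than an RSA modulus.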

Convert pem key to p12 when having 1 key and 1 pem

I'm having a hard time creating a p12 key. Here are the steps I did:
1: openssl genrsa -out priv.key 4096
2: openssl req -new -sha256 -key priv.key -out priv.csr
3: Converted the csr into a priv.pem file from a website specially for this (payment gateway).
And here I'm stuck. According to this website, the following code can be used:
openssl pkcs12 -export -out Cert.p12 -in cert.pem -inkey key.pem -passin pass:root -passout pass:root
The problem for me is: I only have one pem key, but the above requires two. So can I, with only my pem key, now convert it into a p12 key with a password?

Update SSL Certificate Issuer value

I have created a key, a pem and an exported certificate with the following commands:
openssl genrsa -out Kumar.key 2048
openssl req -x509 -new -nodes -key Kumar.key -sha256 -days 1024 -out Kumar.pem
openssl pkcs12 -export -name Kumar -in Kumar.pem -inkey Kumar.key -out Kumar.p12
When I installed the certificate in the machine's personal store, it shows
Issued to Kumar and Issued by Kumar
I want to change the Issued by value to localhost.
Should I change or use any other command to update the value of Issued by?
Thanks in advance.
To change Issued by to 'localhost', you will need to replace this line
openssl req -x509 -new -nodes -key Kumar.key -sha256 -days 1024 -out Kumar.pem
with this command:
openssl req -x509 -new -nodes -key Kumar.key -sha256 -days 1024 -out Kumar.pem -outform PEM -subj /CN=localhost
However, this command ("openssl req -x509") creates a root certificate, hence the Issued By value will always be the same as the Issued To value.
You need to generate a self-signed certificate from this CA certificate in order to have Issued by = localhost and Issued to = Kumar.
See this article on how to create a self-signed certificate, especially the section "Create a Certificate":
# openssl ca -config intermediate/openssl.cnf \
-extensions server_cert -days 375 -notext -md sha256 \
-in intermediate/csr/www.example.com.csr.pem \
-out intermediate/certs/www.example.com.cert.pem
However, keep in mind that it doesn't make sense to have a CA name of 'localhost', as it doesn't define a specific entity but is rather generic.

OpenSSL x509 utility PEM to DER conversion fails with "PEM_read_bio:no start line" [duplicate]

I am trying to convert a .pem file to a .der file using the command below:
openssl x509 -in public_key.pem -out cert.der -outform DER
and I get the error below:
unable to load certificate
31833:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-52.30.1/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE
I have generated the RSA private/public keys using the commands below:
openssl genrsa -out private_key.pem 2048
openssl rsa -pubout -in private_key.pem -out public_key.pem
You are creating an RSA key pair, and you are trying to convert the public key into DER format.
The openssl x509 command requires the public key inside an X.509 container (a certificate).
Try these commands to create the private key and public cert.
Create a self-signed CA cert:
openssl genrsa  -out CAkey.pem 2048
openssl req -new -x509 -key CAkey.pem -out cacert.pem -days 1095
Now create another cert which is signed by the CA created above:
openssl genrsa -out serverkey.pem 2048
openssl req -new -key serverkey.pem -out server.csr
openssl x509 -req -days 1000 -in server.csr -CA cacert.pem -CAkey CAkey.pem -out server.pem -set_serial 01
Then convert the public cert from PEM to DER format:
openssl x509 -in server.pem -out server.der -outform DER

Unable to get local issuer certificate while processing chain

I do have a private key (my_ca.key) and a public key (my_cert.crt) which is signed by DigiCert. Now I want to create an RA (Registration Authority) and sign it with my private key. Here is the way I tried to do that. But when I try to export the private and public key as a pkcs12 file I keep getting an error like this: "unable to get local issuer certificate getting chain". No idea how to solve this. Here my_cert.crt is extended from DigiCert High Assurance CA-3, and that one is extended from DigiCert High Assurance EV Root CA.
SSL_SUBJ="/C=LK/ST=Colombo/L=Colombo/O=Nope/OU=mobile/CN=My root"
openssl genrsa -out ra.key 4096
openssl req -new -key ra.key -out ra.csr -subj "$SSL_SUBJ"
openssl x509 -req -days 365 -in ra.csr -CA my_cert.pem -CAkey my_ca.pem -set_serial 76964474 -out ra.crt
openssl rsa -in ra.key -text > ra_private.pem
openssl x509 -in ra.crt -out ra_cert.pem
openssl pkcs12 -export -out ca.p12 -inkey my_ca.pem -in my_cert.pem -name "cacert" -passout pass:password
openssl pkcs12 -export -out ra.p12 -inkey ra_private.pem -in ra_cert.pem -chain -CAfile my_cert.pem -name "racert" -passout pass:password
You usually can't use a certificate issued by a public CA to sign anything but client or server traffic; you won't be able to use it for your RA.
The error message indicates that there is a problem with the intermediate certificates. Make sure that you add both of DigiCert's certificates to the my_cert.pem file before exporting it to pkcs12.