mod_nss with Apache public Certificate issue - apache

I have replaced mod_ssl with mod_nss for FIPS cryptography and it works great with Apache but now we have wildcard certificate which i want to import into NSS database but i don't know how do i import certificate private key?
I am using following command
certutil -A -d /etc/httpd/alias/ -n "GlobalSign" -t "CT,," -a -i wildcard_domain.crt
How do i import private key? or is there something i am missing?
[root#web01 ~]# certutil -L -d /etc/httpd/alias
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
cacert CTu,Cu,Cu
Server-Cert u,u,u
GlobalSign-Intermediate CT,,
GlobalSign CTu,u,u
alpha
u,pu,u

solution:
Convert crt file in PEM format
create pem file from original certificate.
openssl x509 -inform PEM -in ./ssl.crt/example.com.GlobalSign-2010.crt > /root/example.com.GlobalSign-2010.pem
openssl x509 -inform PEM -in ./ssl.crt/intermediate.GlobalSign.crt > /root/intermediate.GlobalSign.crt.pem
Concatenate PEM certificate in single file, Root crt and Chain crt.
cat /root/example.com.GlobalSign-2010.pem /root/intermediate.GlobalSign.crt.pem > /root/example.com-GlogalSign-2010.pem
Export PEM cert and private key in PKCS12 format
openssl pkcs12 -export -in example.com-GlogalSign-2010.pem -inkey ./ssl.key/example.com.GlobalSign.key -out /root/example.com-Globalsign.p12 -name Example-GlobalSign
Import PKCS12 (.p12) certificate in NSS DB
pk12util -i /root/example.com-Globalsign.p12 -d /etc/httpd/alias
You can verify your certificate using following command
certutil -L -d /etc/httpd/alias -n Example-GlobalSign
Notes: put Example-GlobalSign nickname in nss.conf config file and Voila!!

Related

How to add certificate .crt automatically without specifying it everytime in curl?

I have .p12 certificate with some password and I can request to the server if I define the path to where my certificate is located:
this works:
curl --cert-type P12 --cert /path/to/my/certificate/certname.p12:mypassword -i -H 'Accept:application/json' -H 'Authorization:Basic dHerbnNhdmlhOlpiaftOVnLuVURGcWhJU01=' https://mycite.kz/ping
But how can I install this certificate on my computer so that I would not need to specify the path every time?
I already have converted it to .crt format:
openssl pkcs12 -in certname.p12 -clcerts -nokeys -out certname.crt
and copied this file to /usr/local/share/ca-certificates
then:
sudo update-ca-certificates
response said, that certificate was successfully added.
Is it possible to automatically add this cert to all requests?
I will be very much thankful for the answers and suggestions.

import keypair to an existing pkcs12 keystore under a new alias name

I am learning OAUTH2 and OpenID Connect and configuring multiply tomcat servers (a Client for the UI, and multiply Resource Servers for the APIs) to use SSL. So I have created a PKCS12 keystore with a self-signed certificate + private key the following way and then I pushed it under my 1st Tomcat:
(I know that the commands bellow can be simplify and combine into one (or two) but I deliberately keep tem separately because that way I can see and understand the steps better)
(1) The keypair was created with openssl this way:
openssl genrsa \
-des3 \
-passout pass:$phrase \
-out id_rsa_$domain.key $numbits
(2) Then I created a Certificate Signing Request with this command:
openssl req \
-new \
-key id_rsa_$domain.key \
-passin pass:$phrase \
-subj "$subj" \
-out $domain.csr
(3) After that I created a x509 certificate:
openssl x509 \
-req \
-days $days \
-in $domain.csr \
-signkey id_rsa_$domain.key \
-passin pass:$phrase \
-out $domain.crt
(4) Finnaly I have created a key-store in PKCS12 format:
pem=$domain.pem
cat id_rsa_$domain.key > $pem
cat $domain.crt >> $pem
openssl pkcs12 \
-export \
-in $pem \
-passin pass:$phrase \
-password pass:$keystore_pwd \
-name $domain \
-out example.com.pkcs12
rm $pem
At the end of this process I have the following files:
id_rsa_authserver.example.com.key: the private (and public) key
authserver.example.com.crt: the self signed certificate
example.com.pkcs12: the keystore
Inside the .pkcs12 file I only have one key-pair entry under the authserver.example.com alias. I have checked the result with KeyStore Explorer as well and everything looks fine and the 1st Tomcat works properly with that keystore.
Then I repeated the steps (1), (2) and (3) and I generated new files for order.example.com host machine and at the end I have two new files:
id_rsa_order.example.com.key
order.example.com.crt
Now I would like to add to my "root" example.com.pkcs12 keystore this new keypair + certificate under the order.example.com alias in order to I keep all certs that I use for my demo in one keystore. I can do it easily with the KeyStore Explorer tool via the tools > import key pair > openSSL > browse the private key and cert files, but this is not enough good for me. I would like to do the import via command line using OpenSSL.
Unfortunately I have not found the proper openssl command that I can use to ADD my 2nd key+cert to the existing keystore.
What is the command that I can use?

Fingerprint of certificate request (CSR)

I've a certificate request (see bottom) of which I'd like get fingerprint preferably from command-line (Unix). If my goal was only to verify integrity of a PEM file on two machines I could just use e.g. sha256sum csr.pem value but I'd like to get the same fingerprint as Puppet does:
puppet:~# puppetserver ca list --all
Requested Certificates:
testbox (SHA256) 7C:8C:A2:2C:17:42:C1:B9:55:A0:1D:EE:0D:C1:B0:65:B0:B4:AF:83:68:77:A8:0D:C4:6C:B1:41:25:FF:E7:C2
This fingerprint value is printed on both testbox and puppet machines when bootstrapping testbox and only thing they both share is the CA certificate (private key of which is stored on puppet). So the algorithm shouldn't require any private keys on input.
I assume the algorithm is standard, but I don't know cryptographic formats and openssl enough to figure out how to get it, and I'd specifically like to use openssl or some other widely available command line utility (i.e. not Ruby).
One of my failed attempts:
testbox:~# openssl x509 -fingerprint -in /etc/puppetlabs/puppet/ssl/certificate_requests/testbox.pem
unable to load certificate
139644407518336:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
Here's the actual certificate request:
testbox:~# cat /etc/puppetlabs/puppet/ssl/certificate_requests/testbox.pem
-----BEGIN CERTIFICATE REQUEST-----
MIIEVzCCAj8CAQAwEjEQMA4GA1UEAwwHdGVzdGJveDCCAiIwDQYJKoZIhvcNAQEB
BQADggIPADCCAgoCggIBAKAT6FPs6RkT30lnNk0wpfhLtjrrAr/YdyDCUVTjV5jL
23iuLLSHes7yog/gACitGqCOnSz7J95OUtfGV+ACV8AEcyNpQazOqHhcLh15CYa7
8fDyVsoLzHWUKDMXhNllYrJFOoEDU/IP/y5hdS6e56pPZCVwYRxg9pjtvOX/FyUA
vXFA94IvqAgR2HdD7Vbr11mSmVNJuP9bWimhizvpzG4g3Xacvz7BhEZC5v/tIuH6
zaQtKCoBoxTFQhlFhY1F0iIMIjbTFTUuzPjCh5pMhXMxm0rgpH0SkvJp8bzesCGX
34JIDCOo6R197IttvbPh+6J91nMReOrYl4WAIMFHMz9L2dEClKbT0qWKjTHSUB6E
Pkia6d/gQzM4UcfP2NGAPnaWv3HZJPy6LnOHFoaxkfiMVGMlKISqF8cbkhGEneX0
V3Q8z60BAdr1q2i2rmPQkhp0MLwCoOzEcH13I43GhZuF/V6YbBcLt0UcEI0DC+VR
vP1sIFXj/BzQkITgzE9q067vRtgYVb85CtfESvSbLdci8noPz076wuaiRme8qzHM
SovvAcq6QGPKaB7K7veKAUW7riOaXHRzR6WAxE2t4WlZDmT/9liLPlxT38Mbl2LE
mVRPNvb1IUyWY5SoE4Dl/9ZNMlIReMrT/XVD/Udt5zOlKxica2wSHPIRyBDm5ah9
AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAgEAAkqLZQQGf8cHPqX+MWmMu42sHETv
CSqRvKM1oLcli4OCPF15axLNUAXg7+wSPOLfUkznkqukSs+ZZKoKex232ZesrDRn
IG1kkVrYRWAO6kgHHTnQJx0HOawny1OObfIlkbq/PSiprlPK5OfjyTgjK4oIDqIy
50Vifqv2akgW4/HirgUe54dILuXRlntFJtDXyanMHcRhg/Vy+I7hfIbimuBoIWuF
Z/ULNcj25+/m0VjAYNJ4gkV/TgIcWhmRLvq7AFeFo3tmEsmrbnXJnBnt1RCpAOY4
CF3T5etAsG+6JfQ/erY3Kh6sGK5XOvLSQ6SautW8DzSGCV8XKv9jQYlbM/4c3HwX
4vzIxYueW+u2MlfJZcYfkr8RK9bmk4mJCa63AK3VgRtQK21IJqNOR9lgiP202b+T
9o8CmT+rxAnEZHIr9j2nDjPlaR63lAWpSKsS/HxXr6wh2JS/34+YuhbvZlSrxYoR
D8Ta3fZYkIX7aCEziSNqRgZgz+VGroxrQCjdvTYRzr2G6LUVrr0D4dUJnBt1DhZO
klV+pv2tFl5q9szTuu0dkLNyPYFOTjCTD3GxpsuMwmONMAzsMUT+ouLVoklmXxim
Ah3ZrRv4O/hnjRZM0+tV498b4G8ZZmyp80K1CTQwLJNewpk9n2I2K7RVGFtyXa9M
irfOVbUQKaBTrqg=
-----END CERTIFICATE REQUEST-----
If my goal was only to verify integrity of a PEM file on two machines I could just use e.g. sha256sum csr.pem value but I'd like to get the same fingerprint as Puppet does
The general notion of the fingerprint/thumbprint of a certificate is a digest of the DER-encoded (binary) representation of the certificate. You can do this with the openssl x509 command directly... or indirectly:
$ openssl x509 -in test.cer -noout -sha256 -fingerprint
SHA256 Fingerprint=3E:A9:CB:54:36:DB:CF:23:50:D1:6B:D8:06:25:DC:0E:37:23:3E:A7:50:A5:D1:F3:05:0F:26:33:4E:F8:66:7C
$ openssl x509 -in test.cer -outform der | sha256sum
3ea9cb5436dbcf2350d16bd80625dc0e37233ea750a5d1f3050f26334ef8667c -
So the algorithm shouldn't require any private keys on input.
That is correct.
One of my failed attempts:
testbox:~# openssl x509 -fingerprint -in /etc/puppetlabs/puppet/ssl/certificate_requests/testbox.pem
Because the fingerprint/thumbprint is the digest of the signed certificate, it cannot be determined from the request. (The certificate has its validity information, the CA identifier, and the CA's signature... and probably extensions not present in the request.)
If you're trying to match a certificate to a certificate request, the only thing they're really guaranteed to have in common is the public key. If the -pubkey outputs match they're the same.
$ openssl req -in test.csr -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBJDANBgkqhkiG9w0BAQEFAAOCAREAMIIBDAKCAQEAr4HBy9ggP2JKU57WYIF1
NyOTooN9SJDkihne02lzEVYglo1r4NPao4qnd74C7gtrk7ck6NzBK2MrT6gLvJJb
zmJPTKfMYGMGs5QD4oyTLSTdVG/+TvajfxB3CyIV6oy7W/Qn6MTYm3nrM4N1EAxf
g+Vd6bRGbd++7kJTmu8z7xh7d2DDsaGyEDwtgURWSgwQOaCchc9rWXTrUW/I1mI8
lK46WguztMeSlX1DI5FWbPPipSr7DBQrngaBuJcmca8rgt05Cjm5Oc9xlWhofkmQ
pjBQyndo3NazeIQvGP2x9tn/CWuve+uY3Pkw1m/P1QP1jUG/9GIS4k46/EXqQr2I
RwIFAgAABEE=
-----END PUBLIC KEY-----
$ openssl x509 -in test.cer -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBJDANBgkqhkiG9w0BAQEFAAOCAREAMIIBDAKCAQEAr4HBy9ggP2JKU57WYIF1
NyOTooN9SJDkihne02lzEVYglo1r4NPao4qnd74C7gtrk7ck6NzBK2MrT6gLvJJb
zmJPTKfMYGMGs5QD4oyTLSTdVG/+TvajfxB3CyIV6oy7W/Qn6MTYm3nrM4N1EAxf
g+Vd6bRGbd++7kJTmu8z7xh7d2DDsaGyEDwtgURWSgwQOaCchc9rWXTrUW/I1mI8
lK46WguztMeSlX1DI5FWbPPipSr7DBQrngaBuJcmca8rgt05Cjm5Oc9xlWhofkmQ
pjBQyndo3NazeIQvGP2x9tn/CWuve+uY3Pkw1m/P1QP1jUG/9GIS4k46/EXqQr2I
RwIFAgAABEE=
-----END PUBLIC KEY-----
While I don't have an example offhand, just because they don't match doesn't mean they're different. This is because some algorithms, such as RSA, there are multiple different legal encodings for the key in SubjectPublicKeyInfo and the CA could re-normalize when signing the certificate.
For RSA you could open it with the openssl rsa command and then let OpenSSL re-normalize it (when writing it back out it won't remember which of the two representations were used)
$ openssl req -in test.csr -pubkey -noout | openssl rsa -pubin -outform der | sha256sum
writing RSA key
3305c9f5c37cb13c152d087eea65ce1af3f0f846b309cb0426f1f42ae5fcbae0 -
$ openssl x509 -in test.cer -pubkey -noout | openssl rsa -pubin -outform der | sha256sum
writing RSA key
3305c9f5c37cb13c152d087eea65ce1af3f0f846b309cb0426f1f42ae5fcbae0 -
IMHO, the answer of bartonjs didn't really answer woky's original question:
I've a certificate request (see bottom) of which I'd like get fingerprint preferably from command-line (Unix). [...] I'd like to get the same fingerprint as Puppet does
So the question was, how to get the same fingerprint of the CSR as puppet does internally.
This command should do the "magic" generating the same fingerprint.
openssl req -in /etc/puppetlabs/puppet/ssl/certificate_requests/testbox.pem -outform der | sha256sum | awk '{ print $1 }' | sed 's/\(..\)/\1:/g; s/:$//; s/./\U&/g;'
awk limits output to the sha256 string and sed re-formats the string (insert colons, all letters capital, remove ending colon). This will give you a representation of the CSR fingerprint how puppet outputs it.
Note: I haven't been able to generate the same fingerprint as woky provided in his initial question using his CSR. But I'm able to reconstruct a correct fingerprint with any CSR I generate my self, so I'd guess woky's CSR doesn't match the fingerprint provided in the question.
This is an modification of lars answer:
openssl req -in ./kontrollant.ca.csr.pem -outform DER|openssl dgst -sha256 -c
Though this gives the checksum in lower case, so awk or tr is possibilities
openssl req -in ./kontrollant.ca.csr.pem -outform DER|openssl dgst -sha256 -c|tr '[:lower:]' '[:upper:]'
Would be how i now would do this (i use the '-c' argument to openssl dgst's sha256)
Another method could be:
openssl req -in ./kontrollant.ca.csr.pem -outform DER|openssl dgst -sha256|awk '{ gsub(/../,"&:", $2); gsub(/:$/,"", $2); print upper($2) }'

How to convert the .der file to .pub?

Late I convert the .pub file to .der file through
ssh-keygen -f ran.pub -e -m PKCS8 | openssl pkey -pubin -outform DER -out pub.der
and current I want to convert .pub file to .der
But here when I try .der file to .pem or other .pub it can't convert
I tried this
openssl x509 -inform der -in pub.der -out certificate.pem
But it will getting error
unable to load certificate
4601439852:error:09FFF06C:PEM routines:CRYPTO_internal:no start line:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.200.4/libressl-2.6/crypto/pem/pem_lib.c:683:Expecting: TRUSTED CERTIFICATE
Here the solution
openssl rsa -in pub.der -pubout -out pub.pem

How to determine SSL cert expire date from the cert file itself(.p12)

If I have the actual file(.p12) and a Bash shell in Mac, how can I extract certificate and key file and also the certificate expiration date? assuming I have the csr(.p12), key files.
You can use openssl to extract the certificate from the .p12 file to a .pem file using the following command:
openssl pkcs12 -in certificate.p12 -out certificate.pem -nodes
Then, you can extract the expiration date from the certificate in the .pem file using the following command:
cat certificate.pem | openssl x509 -noout -enddate
You can make the first answer a one-liner without using the intermediate file:
openssl pkcs12 -in certificate.p12 -nodes | openssl x509 -noout -enddate
Extract the client certificate from the pkcs12 file and print its end date:
openssl pkcs12 -in certificate.p12 -clcerts -nodes | openssl x509 -noout -enddate
If you do not include the -clcerts option you may get the end date from a CA certificate instead of from your own certificate. Several CA certificates are usually included within the file as part of the chain of trust.
Here's how you do it on Windows:
certutil -dump "file.pfx"
P.S. I know the question specifically mentions Mac, this is just in case Google sends you here (like it sent me).