I need to access an internal site protected via client side certificates. Therefore to use phantomjs I exported the certificate I use in Firefox to access the site and converted it into private key and certificate using openssl command line. I now what phantomjs to present that certificate to the ssl server when accessing a page on the server. How do I do it?
I've tried this
phantomjs --ssl-certificates-path=/etc/pki --ignore-ssl-errors=yes --proxy=myproxy:myport test.js
with /etc/pki being the path I've put the certificate and key
test.js is just this;-
page = require('webpage').create()
page.open('https://myprotectedsite/', function(status) {
console.log(status);
phantom.exit();
})
But it doesn't work. console.log(status) is always 'fail'
What do I need to do?
The feature it's implemented you can see on github project, the thing is that it's not already included in the actual stable release (2.0.0), however it's planned to be included on 2.0.1 release. Meanwhile you can download a 2.0.1 build from here (the link is from git discussion).
I try using 2.0.1 version and I can access to the site correctly passing the SSL client authorization with the follow command:
Finally new PhantomJS 2.1 version was released which includes this feature, you can download from here and test the SSL client authorization using the follow command:
phantomjs --ssl-client-certificate-file=C:\tmp\clientcert.cer
--ssl-client-key-file=C:\tmp\clientcert.key
--ssl-client-key-passphrase=1111
--ignore-ssl-errors=true
C:\tmp\test.js
Notes
I only test this on Windows.
I try to use a PKCS12 file as keystore but seems that with this format doesn't work, so using openssl I extract the certificate and the private key using the follow commands:
Extract cert for --ssl-client-certificate-file parameter
openssl pkcs12 -nokeys -clcerts -in a.p12 -out clientcert.cer
Extract key for --ssl-client-key-file parameter
openssl pkcs12 -nocerts -in a.p12 -out clientcert.key
Additionally I use --ignore-ssl-errors=true to avoid the configuration of the trust store for the validation of the server certificate.
As script I use test.js which contains the same has OP show on the question:
page = require('webpage').create()
page.open('https://myproject', function(status) {
page.render('C:/temp/connect.png');
console.log(status);
phantom.exit();
})
Client certificate support has actually has been implemented since the original accepted answer. I'm posting this in order to help others who will stumble upon this question as well. You can find the parameters for enabling X509/PKI certificate support in PhantomJS's CLI instructions:
phantomjs --ssl-certificates-path=/path/to/pki/rootCA.pem
--ssl-client-certificate-file=/path/to/pki/cert.pem
--ssl-client-key-file=/path/to/pki/cert.np.key
I look for the decision too. it isn't implemented
https://github.com/ariya/phantomjs/issues/10524
"--ssl-certificates-path" - It is used for the CA certificate
Related
Could not create script recorder - see log for details: >> keytool error: java.secuirity.KeyStoreException: jks not found <<
Command failed, code: 1
'keytool -genkeypair - alias : root_ca:-dname "CN= _JMeter Root for CA for recording (INSTALL ONLY IF IT S YOURS ), OU= Username: ujala , C=IN" -keyalg RSA -keystore proxyserver .jks -storepass {redacted}-keypass {redacted}-validity 7 - ext bc:c'
How to solve this error during the recording controller in JMeter???
If you properly installed JMeter and Java you should not see error like this, at least I have never faced anything similar.
The fact that keytool application cannot detect jks keystore type which is the default type indicates that something is wrong with your Java installation so I would recommend reinstalling JDK from scratch.
My expectation is that it should resolve your issue. If it doesn't - check whether you (or somebody else) amended any default Test Script Recorder certificate configuration. If the values differ from defaults - try reverting them (or even reinstalling JMeter)
Also be aware of an alternative way of recording a JMeter test: JMeter Chrome Extension, in this case you won't need to think about proxies and certificates
Firstly my exposure and experience with certificates is limited so I am trying to use this as a learning experience as well as obtaining an answer.
Using Jenkins I would like to be able to make a curl request as part of my build that uses a certificate (.p12) to authenticate.
Example
curl --cert /Users/Jenkins/.jenkins/workspace/develop-pipeline/../certificates/dev_cert.p12:password https://jira.dev.organisation.co.uk:443/rest/api/2/issue/MYSTATS-1234
So I have a Desktop certificate (private key) which I have saved onto the machine where Jenkins runs, but I also understand that I need a CA certificate to authorise this private key (hope this is correct so far).
When I have run the curl command from the terminal on the Jenkins machine I had a popup that asked me did I want to use the cert within the keychain to authorise and I clicked always allow, so command line curl requests always work.
However when I run this as part of a Jenkins build I get
(58) SSL: Can't load the certificate "/Users/Jenkins/.jenkins/workspace/develop-pipeline/../certificates/dev_cert.p12" and its private key: OSStatus -25308
The path to the cert is correct as the directory structure is
develop-pipeline
certificates
dev_cert.p12
What I don't understand is that if I don't provide a password
curl --cert /Users/Jenkins/.jenkins/workspace/develop-pipeline/../certificates/dev_cert.p12 https://jira.dev.organisation.co.uk:443/rest/api/2/issue/MYSTATS-1234
I get the message:
SSL The certificate "/Users/Jenkins/.jenkins/workspace/develop-pipeline/dev_cert.p12" requires a password
So it has found the certificate ?
Also providing an incorrect password yields
SSL: Incorrect password for the certificate "/Users/Jenkins/.jenkins/workspace/develop-pipeline/dev_cert.p12" and its private key.
What do I need to do to get this working?
This Github comment helped me sorting out the curl issue on OSX. So in my case installing curl via Homebrew with OpenSSL flags did the trick.
I'm completely new to anything Secure Socket Layer related up until yesterday evening and today. I need to get a self-signed certificate to proceed with an app registration process so that I can implement OAuth in an app I'm writint. I went through a nice tutorial about how to generate certificates here. I'm an ubuntu user, if you didn't click the link to figure that out. I've been trying to generate a self-signed 1024 bit RSA key encoded x.509 certificate in PEM format. After setting up the configuration and doing everything as is on the tutorial (of course with the exception of specifying the environment-related data to my own environment). The commands to generate a new certificate and key after going through the configuration are:
forces SSL to look for configuration file in alternate location (the server configuration file):
export OPENSSL_CONF=~/myCA/exampleserver.cnf
Generate the certificate and key:
openssl req -newkey rsa:1024 -keyout tempkey.pem -keyform PEM -out tempreq.pem -outform PEM
Following those two commands the following is displayed:
Generating a 1024 bit RSA private key
...++++++
...............++++++
writing new private key to 'tempkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
I enter my pass phrase and the error I continually get is:
problems making Certificate Request
3074111688:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:a_object.c:109:
3074111688:error:0B083077:x509 certificate routines:X509_NAME_ENTRY_create_by_txt:invalid field name:x509name.c:285:name=organizationUnitName
I ran into a similar problem while following the same tutorial that you mentioned. In my case, the error was:
problems making Certificate Request
140098671105696:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:154:maxsize=2
So I figured out that I've written some string which should have been 2 characters long (maxsize=2), but happened way longer. I returned back to my config file and quickly found that I've wrote the long name of the country, instead of the 2-character code. This solved my problem.
not really familiar with the process but, it appears "invalid field name:x509name.c:285:name=organizationUnitName" means your Organization Unit Name is invalid.
According to digicert.com: The Organizational Unit is whichever branch of your company is ordering the certificate such as accounting, marketing, etc.
it depends on what is in your conf file, the openssl ca tool looks for sections in the file, those sections look for other sections, some of the section names are mandatory and some of the name/value pairs in sections are mandatory.. it's quite a big configuration space offered by this file
The error you mention comes up when openssl doesnt recognise a name inside a section in different scenarios, e.g. i've seen it when I was adding a custom oid for an end-entity cert, and also when customising contents of a ca cert.
if you post your configuration file and what you expect in the resulting ceritifcate then we can help. Also can you say what you intend to use the certificate for (e.g. secure a client session on a production webservice or something else)
I had the same problem, had C=USA instead of C=US
I had a similar issue. I followed the advice from GitHub using the countryName_default parameter. It seems like this parameter does not exist on my openssh.exe, contrary to the advice on GitHub.
Once I removed any xxx_default parameters from the [ req_distinguished_name ] section of the SSL xxx.conf file, the creation of the certificate succeeded.
This is working on Windows 10.
I am having trouble generating ssl certs that Heroku will accept for secure.mydomain.com. I'm using DNSimple, Cedar Stack, and following the instructions here: https://devcenter.heroku.com/articles/ssl-certificate
Copy server.key & server.orig.crt from DNSimple
Get root CA certificate with $ curl https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem > rapidssl_bundle.pem
Concatenate into one file with cat server.orig.crt rapidssl_bundle.pem > server.crt
So now I have the server.key & server.orig.crt files, which I try to upload to Heroku with $ heroku certs:add server.crt server.key. This gives the error
Key could not be read since it's protected by a passphrase.
The docs above don't mention anything about removing the passphrase from the server.key file. So I dug around and found the docs here: https://devcenter.heroku.com/articles/ssl#customdomain-ssl. I'm running these commands between #1 and #2 above:
1b. $ mv server.key server.orig.key
1c. $ openssl rsa -in server.orig.key -out server.key
However this gives the error
unable to load Private Key
47930:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-47/src/crypto/pem/pem_lib.c:648:Expecting: ANY PRIVATE KEY
Which I suspect means there is no private key found.
Anyone know what is the issue here? Is this a Heroku issue or an openssl issue (or a DNSimple issue)?
I just struggled mightily with a nearly identical problem installing SSL Certs on a Heroku app with DNSimple and RapidSSL, and want to post my solution here in case someone with a similar problem comes across this response.
I had followed the directions from everywhere on SO and Heroku dev center to install certs through DNSimple and RapidSSL, but every time I tried to add the certs with the command:
$ heroku certs:add server.crt bundle.pem server.key
no matter what I did, I got this error:
$ Adding SSL Endpoint to mysite... failed
! Key could not be read since it's protected by a passphrase.
! Read instructions on how to remove the passphrase on:
! http://www.madboa.com/geek/openssl/#key-removepass`
I knew the key didn't have a passphrase (because I went through that process multiple times) but it still didn't want to add them. I did two things that ultimately got it working though I'm not sure which one was the clincher.
First, I made sure to download the proper PEM file under the Apache, Plesk & CPA box from the RapidSSL email link to Intermediate certificates.
The second thing was to verify my Heroku toolbelt installation by going through the steps here: https://devcenter.heroku.com/articles/heroku-command#installing-the-heroku-cli
Turns out I was still using the gem and had to uninstall until I got to heroku-toolbelt, after which I tried adding the certs again and voila.
Struggled with this issue for days! Until I came across this thread and followed the upgrade advice. The first thing I had to do is
gem uninstall heroku --all
I answered 'Yes' to the keep executable question, because of another post I had read on stackoverflow. I then went to https://toolbelt.herokuapp.com/ and installed the toolbelt (even though heroku --version was saying that it was installed). Upgraded it to heroku-toolbelt 2.39.0. Retried the following command and it worked:
heroku certs:add cert.cer bundle.pem server.key
Maybe i'll finally get some sleep tonight :)
This is really stupid, but as far as I can tell there was an issue with using TextEdit in Mac OS to save the initial server.key and server.orig.crt files.
I used TextMate instead and everything is working fine.
An old toolbelt installation was my problem on windows.
Even though heroku update changed the version number from 2.30.1 to 2.39.0, a heroku version showed it wasn't updating correctly for some reason.
I reinstalled the toolbelt from https://toolbelt.herokuapp.com/ and tried it again, and everything worked.
heroku version now says this for me, and the certs:add works correctly:
heroku-gem/2.39.0 (i386-mingw32) ruby/1.9.2
I now got the same error, even with a recent heroku/7.47.6 (from npm).
The reason turned out to be that I got an elliptic-curve certificate from Let's Encrypt, the private key file contained:
-----BEGIN EC PRIVATE KEY-----
That's not supported according to https://devcenter.heroku.com/articles/acquiring-an-ssl-certificate:
Heroku only supports RSA keys for certs. Elliptic curve keys are not supported.
Once I obtained an RSA cert, it worked.
(specifically, dehydrated now defaults to --algo secp384r1, I had to provide --algo rsa. But the idea should be same with other tools/CAs, you need an RSA cert.)
To me the issue was that 1Password changed newlines in the certificates into spaces, and replacing spaces back into newlines helped (in the cert body, of course, not in the ----BEGIN CERTIFICATE---- part).
So check your cert/key contents, this may be very well an issue of formatting.
I'm making an cfhttp to connect to an encrypted page. Seems to work fine for some sites.
I/O Exception: Name in certificate `pro.test.com' does not match host name `go.test.com'
Is there a workaround to trust this certificate even if the host name doesn't match?
Think this is more Java question, and workaround should be affecting the JRE.
Not sure if this will work in your case, but possible solution is to import this certificate into the JRE keystore.
Generic description can be found at Sun website. Though process is pretty simple.
First you should navigate the needed HTTPS URL with your browser and export the cert using SSL properties (don't remember how it is done in IE, but in Firefox something like Security > View cert > Details > Save as -- still not sure because using non-English licalization), any X.509 type should work.
Next you should import it using keytool. Navigate to the current CF JRE's bin, execute the following command (replace arguments with your values) and restart CF:
keytool -keystore <path to keystore> -import -file <path to certificate> -alias <alias>
BTW, there is a UI tool for this, but I haven't used it so can't say if it works fine.
The sites that are probably working have a valid SSL Certificate from a trusted authority.
If you have control of pro.test.com, the preferred answer would be to get a valid cert for pro.test.com installed. But if that is not possible for some reason, I see two other options:
1) Do a try/catch where you try to connect via https, and fall back on http in the event of an SSL error. Obviously this would eliminate encryption for the failed connection.
or
2) Use Sergii's solution to import the key for that site into the Java keystore.
If go.test.com is just a development server, in that case you can create a self-signed certificate and import it into Java keystore. That way you can save up on cost by not paying to CA and get a quicker turnaround to resolve the issue