Error when creating HTTPs key and cert in prompt - apache

Using Apache 2.2, SSL is configured. I am creating the key and temporary cert in command prompt. When I use
openssl genrsa -des3 -out server.key 1024
I am returned this output :
WARNING: can't open config file:
z:/strawberry_libs/build/2013Q3_/ssl/openssl. cnf error on line -1
of C:\Program Files\Apache Software Foundation\Apache2.2\conf\o
penssl.cnf
and then it creates the key.
So good and fine. The error is bothersome. Then I try to make the cert with
openssl req -new -key server.key -out server.csr
Now it shows an error and wont create it.
C:\temp>openssl req -new -key server.key -out server.csr WARNING:
can't open config file:
z:/strawberry_libs/build/2013Q3/ssl/openssl.cnf Unable to load
config info from z:/strawberry_libs/build/2013Q3/ssl/openssl.cnf
Not exactly sure how to proceed at this point as I can't get past this step for my assignment without the certification. If there is another way, or a way to correct the error that would be great.

Related

PFX import always gives Incorrect password error

I tried to generate a private key and certificate using OpenSSL v3.0.1 on x64 using the command:
"C:\Program Files\OpenSSL\bin\openssl.exe" req -x509 -sha256 -days 7300 -newkey rsa:2048 -keyout ProductPrivate.key -out ProductCertificate.crt
Then I try to package the key and certificate into a single PFX file using the command:
"C:\Program Files\OpenSSL\bin\openssl.exe" pkcs12 -export -out KeyPackage.pfx -inkey ProductPrivate.key -in ProductCertificate.crt -passout pass:superevil -passin pass:secret
Here is the actual screenshot, you can see all steps completes successfully and that you can see the password I set it up with.
I verified that all three files are created:
Next I took the pfx and try to import it into a certificate store of couple of machines, however everywhere I tried, I got the same password incorrect error. I used this same instruction 5 - 6 years ago and everything worked so I don't know what changed? do you happen to know?
The screen below proof that I have the right password for the pfx entered.
I found the answer, this is only issue if I use openssl v. 3.0.1. I test the same steps against openssl 1.1 and the import works.

Error during creation self-signed SSL with openSSL

I want create restAPI with self-signed SSL.I install openSSl and want generate key with this command
openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365
but I get error.
Can't open "C:\Program Files\OpenSSL-Win64\bin openssl.cfg" for reading, No such file or directory
202E0000:error:80000002:system library:BIO_new_file:No such file or directory:crypto\bio\bss_file.c:67:calling fopen(C:\Program Files\OpenSSL-Win64\bin openssl.cfg, r)
202E0000:error:10000080:BIO routines:BIO_new_file:no such file:crypto\bio\bss_file.c:75:
I try
set OPENSSL_CONF=C:\Program Files\OpenSSL-Win64\bin openssl.cfg
but it dont solve my problem
If the openssl.cfg is in ....\bin then the setting should be set OPENSSL_CONF=C:\Program Files\OpenSSL-Win64\bin\openssl.cfg, i.e. the last space in your setting should be instead a\

Local SSL certificate returning errors "result too small", "problems getting password"

I'm trying to install an SSL certificate on XAMPP, Windows 10 but no matter what I do I get this error:
22632:error:28069065:lib(40):UI_set_result:result too small:.\crypto\ui\ui_lib.c:830:You must type in 4 to 511 characters
22632:error:0906406D:PEM routines:PEM_def_callback:problems getting password:.\crypto\pem\pem_lib.c:116:
22632:error:0907E06F:PEM routines:DO_PK8PKEY:read key:.\crypto\pem\pem_pk8.c:130:
unable to load Private Key
18224:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:707:Expecting: ANY PRIVATE KEY
server.csr: No such file or directory
Could Not Find c:\xampp\apache\server.csr
The system cannot find the file specified.
The system cannot find the file specified.
-----
Das Zertifikat wurde erstellt.
The certificate was provided.
Press any key to continue . . .
makecert.bat:
#echo off
set OPENSSL_CONF=./conf/openssl.cnf
if not exist .\conf\ssl.crt mkdir .\conf\ssl.crt
if not exist .\conf\ssl.key mkdir .\conf\ssl.key
bin\openssl req -new -out server.csr
bin\openssl rsa -in privkey.pem -out server.key
bin\openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
set OPENSSL_CONF=
del .rnd
del privkey.pem
del server.csr
move /y server.crt .\conf\ssl.crt
move /y server.key .\conf\ssl.key
pause
It looks like server.crt, server.csr, and server.key were created and they sit in the conf/sll... as stated in makecert.bat , I have also tried other passwords with no success.
Setting set OPENSSL_CONF=C:\xampp\apache\conf\openssl.cnf didn't help either, nor did changing openssl.cnf to openssl.cfg (like some people suggest on other related SO questions).
I'm spamming google with this question for hours and no Stack Overflow answers seemed to help either.
EDIT: Adding an image to show that this issue is happening even with a completely new pem file. (the pem file name was changed to privkey77.pem by me for testing purposes, I get the same error obviously).
png
EDIT #2: Even creating a new key with password with openssl genrsa -des3 -out mykey.pem 2048 returns: 27492:error:28069065:lib(40):UI_set_result:result too small:.\crypto\ui\ui_lib.c:830:You must type in 4 to 1023 characters.
So I basically cannot create pem files with passwords for some reason.
Can anyone please help?
I've managed to avoid this error by passing the -nodes arg to the line that triggers the error, as suggested here.
My makecert.bat file, in line 7, looks like this:
bin\openssl req -new -out server.csr -nodes
This parameter disables the authentication completely. I don't know if this had any side effects in the certificate, since I haven't managed to make it work and I don't know why. (Maybe is because of this, or maybe is something else)

Error creating an SSL Certificate

During the creation of a SSL certificate this error occurs:
problem creating object tsa_policy1=1.2.3.4.1
13964:error:08064066:object identifier routines:OBJ_create:oid exists:crypto\objects\obj_dat.c:690:
error in req
This is what I've done
set RANDFILE=c:\certificate\.rnd
set OPENSSL_CONF=c:\OpenSSL-Win64\bin\openssl.cfg
C:\openssl-win64\bin\openssl.exe
genrsa -des3 -out server.key 1024
I've entered a passphrase and then:
req -new -key server.key -out server.csr
and then It shows me the error.
Can someone help me?
Figured It out. Don't install OpenSSl version 1.1.0
Try to upgrade OPENSSL Version to 1.0.2o
Follow this guide: https://www.howtoforge.com/tutorial/how-to-install-openssl-from-source-on-linux/

SSL Certificate For AWS Load Balancer

I first followed the instructions on AWS's documentation: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html#generate-key-submit-csr
openssl genrsa -out mykey-private-key-file.pem 2048
openssl ecparam -name prime256v1 -out mykey-private-key-file.pem -genkey
openssl req -sha512 -new -key mykey-private-key-file.pem -out mykey-csr.pem
But when we tried to submit our CSR, then it complained, so then I followed the instructions on rapidssl:
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO13985
openssl genrsa -des3 -out mykey-private-key-file.pem 2048
openssl req -new -key mykey-private-key-file.pem -out mykey-csr.pem
openssl req -new -key mykey-private-key-file.pem -out mykey-csr.pem
We got our approval response with the x.509 Web Server Certificate and Intermediate CA.
When I copy the mykey-private-key-file.pem into the "Private Key" field on the EC2 Management Console, then it complains that:
"Error creating certificate
Unable to parse key; the body is encrypted."
I don't really know what I'm doing. I tried converting the private key like they suggest here: https://www.geekpete.com/blog/converting-ssl-pem-format-aws/ but then it doesn't match. Does this mean I have to go through the process all over again?
Since it took me a while to figure this out as well, I thought I would post my process here (in hopes that it saves someone some time).
This process assumes you already know how to request a certificate from your favorite certificate issuer.
You can just to a find-and-replace on "yourDomain" and then run the commands at a bash prompt. OSX or pretty much any flavor of Linux should do just fine.
# to generate a certificate request
openssl req -new -newkey rsa:2048 -nodes -keyout yourDomain.key -out yourDomain.csr
# Sumbit the CSR. When the CRT file comes back...
# Open the cert in a text editor...
# create a new file
vi yourDomain.crt
# press 'i' to start insert mode
# paste the contents of the CRT file you received
# prese ESC, then 'wq', then enter. This saves the file and exits VIM
# convert the CRT you just wrote to disk into the PEM format expected by ELB
openssl x509 -in yourDomain.crt -out yourDomain.pem -outform PEM
# convert the private key to PEM format expected by ELB
openssl rsa -in yourDomain.key -outform PEM -out yourDomain.pem.key
# display the contents of the private key file and certificate file so you can paste them into the dialog when setting up the listener on the ELB
cat yourDomain.pem.key
cat yourDomain.pem
Actually it was because of the copy and paste from my email. Even though I copied it into a text editor first. Totally lame error message.
But I did have to to run this step from the geekpete link.
openssl rsa -in yourwebsite_private.key -out pem-yourwebsite_private.key