I'm trying to sign a configuration profile (CardDav) with my SSL certificate issued by networksolutions.com
NetworkSolutions.com should be one of the providers that's in iOS/OSX trusted ceritifcates according to this
I've also seen other configuration profiles signed by NetworkSolutions that were "Verified" just fine.
This is the Ruby code I use to sign the profile
ssl_key_str = File.read(Rails.root.join("config/ssl/server.key"))
ssl_key = OpenSSL::PKey::RSA.new(ssl_key_str)
ssl_cert_str = File.read(Rails.root.join("config/ssl/server.crt"))
ssl_cert = OpenSSL::X509::Certificate.new(ssl_cert_str)
signed_profile = OpenSSL::PKCS7.sign(ssl_cert, ssl_key, profile, [], OpenSSL::PKCS7::BINARY)
Also tried to sign with openssl:
openssl smime -sign -in apple_sync_profile-unsigned.mobileconfig -out signed.mobileconfig -signer server.crt -inkey server.key -certfile server.crt -outform der -nodetach
Still getting "Unverified"
Digging deeper by trying to open the mobileconfig file on my Mac, it shows "this certificate was signed by an unknown authority"
I tried to compare with this other profile that I downloaded and shows up as Verified but could not come up with any meanigful difference.
Any recommendations?
Is there any tool I could use to sign profile other than openssl which might be able to provide more insight?
How to Sign and verify a .mobileconfig file in apple
Export certificate from the key chain
keychain access --> Certifcates(LeftPanel)--> right click the particular certificate and export the certificate.
convert .p12 file to PEM file (converting use this link www.sslshopper.com/ssl-converter.html)
Eg: InnovCertificates.p12 to InnovCertificates.pem
Download Apple Root Certificate and Apple Intermediate Certificate
(For my .mobileconfig file verification i am used Apple Inc. Root Certificate(Apple Root Certificate) and
Application Integration Certificate (Apple Intermediate Certificate) certificates.
you can also use these certificates or other certificates that have in the apple certificates www.apple.com/certificateauthority/)
The download file is combination of certificate and keys . (Read the certificate in Terminal commands are following link info.ssl.com/article.aspx?id=12149)
From this certificate file we need extract certificate.
extract certificate from Apple Root Certificate. Then extract certificate from Apple Intermediate Certificate
openssl x509 -inform DER -outform PEM -in AppleIncRootCertificate.cer -out root.crt.pem
openssl x509 -inform DER -outform PEM -in AppleAAICA.cer -out Intermediate.crt.pem
open the two extracted file in text editor,
copy and paste the Intermediate.crt.pem to beginning of the root.crt.pem and save .then your root.crt.pem file is combination of two certificate.
Sign and verify the .mobileconfig file
Once you have all the files listed above, you will run a command like the following:
openssl smime -sign -in Example.mobileconfig -out SignedVerifyExample.mobileconfig -signer InnovCertificates.pem -certfile root.crt.pem -outform der -nodetach
The result .mobileconfig file is signed and verified.
Use full links:
renren.io/questions/637349/ios-mobileconfig-walkarounds
developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/smime.1ssl.html#//apple_ref/doc/man/1/smime
www.apple.com/certificateauthority/
www.rootmanager.com/iphone-ota-configuration/iphone-ota-setup-with-signed-mobileconfig.html
info.ssl.com/article.aspx?id=12149
www.sslshopper.com/ssl-converter.html
wiki.cac.washington.edu/display/infra/Extracting+Certificate+and+Private+Key+Files+from+a+.pfx+File
stackoverflow.com/questions/9277426/ios-mobileconfig-walkarounds
stackoverflow.com/questions/991758/how-to-get-an-openssl-pem-file-from-key-and-crt-files
discussions.apple.com/thread/2363234
My certificate was signed by a sub-CA and did not contain the full certificate chain. In order for the signing to be complete, you must provide a full server.crt certificate which contains the full chain of certificates.
Download the sub-certificates from your certificate provider (e.g: Startssl) and add them to your server certificate simply by cat server.crt ca-bundle.crt > server.crt)
Related
I need to create a custom certificate for my dynamics portal to use implicit grant flow. I create certificate with command
certbot certonly --manual --preferred-challenge dns
I then create pfx with the openssl command
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:SOMEPASSWORDHERE
However I get the error when trying to upload it to the power platform admin centre
The password entered is incorrect or the encryption method used by the
certificate is not supported.
So then tried the following command to create the pfx with triple des using
openssl pkcs12 -export -descert -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:SOMEPASSWORDHERE
But am still getting the same error. As far as I can see the certificate meets requirements of:
Signed by a trusted certificate authority.
Exported as a password-protected PFX file.
Contains private key at least 2048 bits long.
Contains all intermediate certificates in the certificate chain.
Must be SHA2 enabled; SHA1 support is being removed from popular browsers.
PFX file must be encrypted with TripleDES encryption. Power Apps portals doesn't support AES-256 encryption
The only thing I can think is the pfx isn't getting encrypted with 3des but looking at the openssl documentation the -descert command should take care of that. Am I missing something here?
I can't export domain signed certificate, with the command:
openssl pkcs12 -export -in domain.crt -inkey domain.key -out domain.pfx
It pops up for me:
Could not read private key from -inkey file from domain.key
FC210000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:..\crypto\store\store_result.c:151:
FC210000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:..\providers\implementations\ciphers\ciphercommon_block.c:124:
FC210000:error:11800074:PKCS12 routines:PKCS12_pbe_crypt_ex:pkcs12 cipherfinal error:..\crypto\pkcs12\p12_decr.c:86:empty password
I have my own certification authority certificate which is valid. I would like to export my regular certificate and sign it with this CA. But I can't do that because I can't export domain signed certificate.
I use OpenSSL on Windows 11 Pro for home users. I know it should be done through the server but I don't want to install it additionally
I simply wanted to export the certificate with the private key to PFX via openssl. I received the error described exactly above:
Could not read private key from -inkey file from domain.key.
I was expecting a successful export and subsequent signing of the certificate (if I had to) by an existing self-signed (it's in the CA trusted certificate store) CA certificate
I have a trusted certificate chain, a certificate issued by this chain and private key file for this certificate.
I want to create a P12 / PFX for this, so I can put it as client certificate in the windows store:
OpenSsl Pkcs12 -export -nokeys
-certfile mytrustedCertifcates.pem^
-inkey myPrivateKey.Key^
-in myCertificate.crt^
-out myCertificate.P12
Alas, the resulting file contains all trustedCertificates. If I import the P12 in my windows certificate store, I import the complete certificate chain, although they are already in the certificate store.
I also tried options: (from OpenSsl command line utilities, also in -help)
-nocerts don't output certificates.
-clcerts only output client certificates.
Alas, the P12 still contains the complete certificate chain, and importing the P12 imports the complete chain again.
BartonJs gave the answer in a comment (thank you BartonJs!):
leave out the --certfile parameter:
OpenSsl Pkcs12 -export -nokeys
-name some friendly name
-inkey myPrivateKey.Key^
-in myCertificate.crt^
-out myCertificate.P12
nokeys: leaves out the PEM password
name: the friendly name that will appear in column friendly name of the winstore
inkey and in are the input certficate with its private key
out is the name of the file to produce.
After importing it in the windstore (command: certlm.msc), It propertly says:
Issued to:
Issued by:
Expiration date
Intended purposes
Friendly name:
For school we are currently studying SSL certificates.
For this week's assignment we had to install Fedora Workstation on VirtualBox and do some SSL-stuff.
One of the assignments was the following:
generate a public/private keypair and a CSR with the openssl command.
I generated a public/private keypair using the following command:
openssl genrsa -out Desktop/mykey.key 2048
After I generated the keypair I had to verify it. But how do you verify a key? What is really meant by that? Just get out the public key and check if it matches the private key? This is the first question.
I generated the CSR using the following command:
openssl req -new -key Desktop/mykey.key -out Desktop/myCSR.csr
This is the right way, right?
Checking/verifying the CSR file was done using this command:
openssl req -text -noout -verify -in Desktop/myCSR.csr
I think that's the right way too.
This was the "easy" part, now comes the harder part:
We had to use xca to create a database and a CA Root Certificate. Then we had to import the csr from above question and sign it. I signed it by right clicking on it and choosing sign. Then we had to export both the CA and the signed key and verify it. But what do they mean exactly? My guess is to verify that the certificate is signed by the CA, but I'm having problems with that.
We have to use openssl x509 for that, but it just isn't working.
When I right click the signed key and export it as a PEM file, in that file is the following:
----- BEGIN CERTIFICATE REQUEST -----
MIIC6......
----- BEGIN CERTIFICATE REQUEST -----
while the assigment says: export the signed certificate. But is this even a certificate?
And how do I verify it?
I used many commands, like
openssl x509 -in Desktop/exported.pem -text -noout
But the output I get is always something like this:
I have tried all sorts of commands and read all google pages, but nothing helps.
this is the second question
Hope you all can help, Thanks!
When you verify a certificate, you are checking whether it's CA is recognised, and it matches the CA's fingerprint. It doesn't look like you are providing the CA cert to the openssl command. Try specifying -CA <your CA cert file:
$ openssl x509 --help
...
-CA arg - set the CA certificate, must be PEM format.
I am trying to connect to Apple APNS server with the following observations:
1)port 2195 is open 2)With Valid key passphrase for APNS_SSLCertificate_Key.pem 3)Entrust certificate (2048) downloaded from https://www.entrust.net/downloads/binary/entrust_ssl_ca.cer
4)With the successful telnet response as below :
$ telnet gateway.sandbox.push.apple.com 2195 Trying 17.172.232.226...
Connected to gateway.sandbox.push-apple.com.akadns.net. Escape
character is '^]'.
But when i run the following openssl command in my server to test the APNS connectivity :
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert APNS_SSLCertificate_Key.pem -debug -showcerts -CAfile server-ca-cert.pem
I am getting error as follows:
unable to load certificate 57013:error:0906D06C:PEM
routines:PEM_read_bio:no start
line:/SourceCache/OpenSSL098/OpenSSL098-35/src/crypto/pem/pem_lib.c:650:Expecting:
TRUSTED CERTIFICATE
So please suggest how to resolve this problem
Thanks in advance ......
I ran into this same issue; what eventually resolved the error was to re-export the Entrust certificate from System Roots of OS/X Keychain Access application.
To be complete, I'll give a complete explanation of how I created the key/cert files (something which should have been in Apple's TechNote 2265: https://developer.apple.com/library/content/technotes/tn2265/_index.html)
Creating your APN-cert-and-key:
Run Keychain Access; select "login" Keychain and "My Certificates" category
Select the certificate with the name format of "Apple Development IOS Push Services: ..."
Export the certificate (in the menu, under "File" .. "Export Items")
Export to .p12 format.
This now contains your certificate and private key in an encrypted interchange format. The next step is to convert it to a passphrase protected .pem file
Using terminal, execute the following command (using your own filenames, of course):
openssl pkcs12 -in PushCertKey.p12 -out PushCertKey.pem
(You will need to enter the password for the .p12 file and provide another passphrase for the .pem file.)
If you really really really don't want a passphrase on the .pem file, try:
openssl pkcs12 -in PushCertKey.p12 -out PushCertKeyNoCrypt.pem -nodes
Creating CA Certificate file:
List item
Run Keychain Access application
Go to System Roots
Export the certificate named "Entrust.net Certification Authority (2048)" to a .pem file.
Note: My Roots container has four Entrust certificates; two of them with the name "Entrust.net Certification Authority (2048)" (but with different certificate extensions, via Get Info). Both of the "Entrust.net Certification Authority (2048)" certificates where effective in validating the trust chain; the other two Entrust certificates did not work. More significantly, the Entrust certificate pointed at by the Apple TechNote 2265 also does not work.
Make sure you export to .pem format; the default is .cer and this step is easy to miss.
Run the verification command:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert PushCertKey.pem -debug -showcerts -CAfile "Entrust.net Certification Authority (2048).pem"
This server and process assume that your are connecting to Apple's Dev sandbox APN server; if you are trying to use the production APN server, you will need to use the correct server and port.
For more information on openssl, I suggest the following pages:
https://www.madboa.com/geek/openssl/
https://www.sslshopper.com/article-most-common-openssl-commands.html
http://gagravarr.org/writing/openssl-certs/general.shtml
SSL problems: Step wise fix.
Most of the problems are due to the private key issues, which can be resolved as follows.
Follow the following commands and create the .p12 using openssl.
You will need
developer_identity.cer <= download from Apple
mykey.p12 <= Your private key
Run these commands in your terminal where openssl is configured,installed or working:
openssl x509 -in developer_identity.cer -inform DER -out developer_identity.pem -outform PEM
openssl pkcs12 -nocerts -in mykey.p12 -out mykey.pem
openssl pkcs12 -export -inkey mykey.pem -in developer_identity.pem -out iphone_dev.p12
Final p12 that you will require is iphone_dev.p12 file and the passphrase that you had set.
Try again, hope your problem is fixed, as it always does for me. :)