I am trying to create a self-signed certificate using my own CA.
All of the certificates and keys are currently in PEM-Format. In order to have the certificate accepted from my Android-phone I need to create a CA.crt-File in binary DER-Format.
I did create this file using openssl with
openssl x509 -in CA-cert.pem -inform PEM -outform DER > CA.crt
However, after installing CA.crt on my Android, a website´s certificate (www.example.com-cert.pem) signed with CA-cert.pem still shows as invalid in Chrome for Android. The cerificates are (at least as far as I understand it) created correctly and show no difference when converting back:
diff -u CA-cert.pem <(openssl x509 -in CA.crt -inform DER -outform PEM)
What am i missing here? Do I need to create another Version of the website´s certificate (e.g. www.example.com.crt) in DER-Format?
EDIT: don't know if this should work in the first place, but trying to validate the certificate against CA.crt fails with an error:
$ openssl verify -CAfile CA.crt www.example.com-cert.pem
Error loading file CA.crt
the same works well with the PEM-Version:
$ openssl verify -CAfile CA-cert.pem www.example.com-cert.pem
www.example.com-cert.pem: OK
Related
I'm having some weird issues with generating CSRs and certificates from them which I don't fully understand.
Here's what I've done:
Generate private key and CSR (done on Ubuntu on WSL if that's of any significance)
openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr
Uploaded that to CA and got back a certificate beginning with -----BEGIN CERTIFICATE----- which would indicate a PEM-encoded certificate, right?
Tried combining all of this into a PFX for ease of use
openssl pkcs12 -export -out CERTIFICATE.pfx -inkey PRIVATEKEY.key -in CERTIFICATE.cer
It then asks for the private key and then throws the error No certificate matches private key
Some people suggested reencoding the certificate from DER to PEM, but that just throws an error indicating the certificate is already X509
sudo openssl x509 -inform DER -outform PEM -in CERTIFICATE.cer -out CERTIFICATE.pem
unable to load certificate
140390322082240:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:
140390322082240:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=X509
The following command generates quite sensible output, so the certificate seems to be alright to some extent
openssl x509 -in CERTIFICATE.cer -text -noout
The CA is Telia if this is of any use to anybody. I have had some issues in the past with them, for example Digicert's Certificate Utility doesn't recognize their certificates as valid for some reason (but that might of course be cause by me using the wrong file extension or something).
This issue was due to the renewal process in the Telia user interface, it allows you to upload a new CSR during renewal, but it actually ignores that and uses the old CSR without telling you.
I have a problem. I become the error in the headline. I have a signed certificate from a recognized company. Now I want to create a second certificate.
I created the key with
openssl genrsa -des3 -out example.abc.key
then the CSR-File with
openssl req -new -key example.abc.key -out example.abc.csr
and removed the passphrase with
openssl rsa -in example.abc.key -out example.abc.key
Now I created the certificate signed by the other certificate I become from the recognized company with
openssl x509 -req -in example.abc.csr -CA signed.certificate.crt -CAkey signed.certificate.key -out example.abc.crt
After all, I create the PKCS12-File
openssl pkcs12 -export -in example.abc.crt -inkey example.abc.key -name "Example Client" -out example.abc.p12
If I call the website the webserver ask the client to identify and I can selected the imported certificate. The error in the headline appears and I didn't know how to solve it. I'm frustrated, because I googled, but didn't find anything which helps.
If I understand you correctly you got a signed certificate and you want to use it to sign another certificate. Since I'm pretty sure that you just got a normal certificate you might be able to sign another certificate, but this new certificate will not accepted by anybody. Only CA certificates can be used to successfully sign other certificates.
If this restriction would not be there then anybody could get a certificate for its own site (example.com) and then use it to sign a certificate for some other site like paypal.com. This would be indeed very bad if this would work.
If I have the actual file(.p12) and a Bash shell in Mac, how can I extract certificate and key file and also the certificate expiration date? assuming I have the csr(.p12), key files.
You can use openssl to extract the certificate from the .p12 file to a .pem file using the following command:
openssl pkcs12 -in certificate.p12 -out certificate.pem -nodes
Then, you can extract the expiration date from the certificate in the .pem file using the following command:
cat certificate.pem | openssl x509 -noout -enddate
You can make the first answer a one-liner without using the intermediate file:
openssl pkcs12 -in certificate.p12 -nodes | openssl x509 -noout -enddate
Extract the client certificate from the pkcs12 file and print its end date:
openssl pkcs12 -in certificate.p12 -clcerts -nodes | openssl x509 -noout -enddate
If you do not include the -clcerts option you may get the end date from a CA certificate instead of from your own certificate. Several CA certificates are usually included within the file as part of the chain of trust.
Here's how you do it on Windows:
certutil -dump "file.pfx"
P.S. I know the question specifically mentions Mac, this is just in case Google sends you here (like it sent me).
I am having some serious problems with regards to being able to create a p12 file to place on my windows server.
I have used two different websites to be able to help me work out what i need to do:
http://www.raywenderlich.com/32960/apple-push-notification-services-in-ios-6-tutorial-part-1
The second website i used was a comment from within the website was the following:
http://arashnorouzi.wordpress.com/2011/06/19/sending-apple-push-notifications-in-asp-net-and-c-–-part-4-apns-sharp-c-wrapper-class/
First of all i create a Certificate signing request.
I then upload this to my app ID which alows me to generate a ape_dev certificate.
I then go to my key chain and navigate to the "keys" i export the .p12 certificate that i just created.
I now have three different files
My p12 file, my development certificate and my certificate signing request.
I then open terminal and i type the following:
$ openssl x509 -in aps_development.cer -inform der -out PushChatCert.pem
This then creates a new pem certificate.
The thing i type is the following
$ openssl pkcs12 -nocerts -out PushChatKey.pem -in PushChatKey.p12
It prompts for the password which i enter, i use the same password as the one when i created the certificates.
After i have done this I'm left with 2 new files both of which are PEM files.
I need to combine both of these PEM files into one p12 file for it to be able to work on my windows server.
I have tried combining it using the following line
openssl pkcs12 -export \
-in aps_developer_identity.pem \
-out aps_developer_identity.p12 \
-inkey APSCertificates.pem
This in fact works and gives me a p12 file.
I then switched back to he raywenderlich website and i typed the following:
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195
-cert PushChatCert.pem -key PushChatKey.pem
It loads but i recieve the following error:
error:num=20:unable to get local issuer certificate
Please does any one know what im doing wrong im so fed up of going round in circles.
When i upload the certificate to the server and put the ad-hoc version off the application on the device im still not receiving any notifications that i am sending
Thanks in advance.
See if this answer helps Creating .pem file for APNS?
In short: openssl pkcs12 -in apns-dev-cert.p12 -out apns-dev-cert.pem -nodes -clcerts
When you first generated your CSR, you did it with a private key. This can be opaque depending on how you did it. What I do is generate the key with openssl and then make the CSR using that key. That key is then the 'in key' when you make the p12.
Here are my steps
The first step is to generate a Certificate Signing Request. This is the same as it would be for any SSL cert. You will need a private key for this.
openssl genrsa -out aps_development.key -passout pass:foobar 2048
Then you can make the CSR using that key you just created
openssl req -new -key aps_development.key -out CertificateSigningRequest.certSigningRequest -subj "/emailAddress=yourAddress#example.com, CN=John Doe, C=US"
From here you will go to developer.apple.com and revoke the current APN cert and make a new one. It will ask for your CSR and when its done it will give you a .cer file.
Convert the .cer file into a DER formatted .pem file (assuming aps_development.cer is the file you got in the download from the Apple developer site).
openssl x509 -in aps_development.cer -inform DER -outform PEM -out aps_development.pem
Convert the .pem to a .p12. You'll note that you are supplying the key file you made at the beginning of step 1. You will need the password you supplied there.
openssl pkcs12 -export -in aps_development.pem -inkey aps_development.key -out aps_development.p12
I'm trying to SSH into the server at my university in order to do an OpenSSL assignment. I have my self-signed certificate aasignedcert.pem, the private key it was signed with aaprivatekey.pem and my plaintext test.txt.
I first signed my message to create my testsigned.txt file with the command:
openssl smime -sign -signer aasignedcert.pem -in test.txt -inkey aaprivatekey.pem > testsigned.txt
Then, encrypted the file to make testsigned.txt.enc:
openssl smime -encrypt -in testsigned.txt -aes128 aasignedcert.pem > test.txt.enc
To make sure everything works, I decrypted that file and stored it in testsigned.dec.txt:
openssl smime -decrypt -aes128 -in test.txt.enc -inkey aaprivatekey.pem > test.dec.txt
The decrypted file indeed has the original plaintext. Finally, I attempted to verify it using my certificate that I signed it with:
openssl smime -verify -in test.dec.txt -CAfile aasignedcert.pem -certfile aasignedcert.pem
This, however, does not work. Even with fiddling with the parameters, I consistently get this error message:
Verification failure
139814549997256:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:342:Verify error:unable to get local issuer certificate
I cannot figure out what I'm doing wrong. Does anyone have an idea?
How did you create aasignedcert.pem? Perhaps you self-signed it using a local CA that you created? If this is the case, I believe you need to pass the certificate of the CA to the -CAfile argument.
openssl smime -verify -in test.dec.txt -CAfile [certifcate of the CA] -certfile aasignedcert.pem
To suppress the checking of the key certificate when verifying a message you can supply the -noverify parameter to the verify command (though openssl smime verify -noverify does look a bit weird).