Cannot verify openssl smime verify over SSH - ssh

I'm trying to SSH into the server at my university in order to do an OpenSSL assignment. I have my self-signed certificate aasignedcert.pem, the private key it was signed with aaprivatekey.pem and my plaintext test.txt.
I first signed my message to create my testsigned.txt file with the command:
openssl smime -sign -signer aasignedcert.pem -in test.txt -inkey aaprivatekey.pem > testsigned.txt
Then, encrypted the file to make testsigned.txt.enc:
openssl smime -encrypt -in testsigned.txt -aes128 aasignedcert.pem > test.txt.enc
To make sure everything works, I decrypted that file and stored it in testsigned.dec.txt:
openssl smime -decrypt -aes128 -in test.txt.enc -inkey aaprivatekey.pem > test.dec.txt
The decrypted file indeed has the original plaintext. Finally, I attempted to verify it using my certificate that I signed it with:
openssl smime -verify -in test.dec.txt -CAfile aasignedcert.pem -certfile aasignedcert.pem
This, however, does not work. Even with fiddling with the parameters, I consistently get this error message:
Verification failure
139814549997256:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:342:Verify error:unable to get local issuer certificate
I cannot figure out what I'm doing wrong. Does anyone have an idea?

How did you create aasignedcert.pem? Perhaps you self-signed it using a local CA that you created? If this is the case, I believe you need to pass the certificate of the CA to the -CAfile argument.
openssl smime -verify -in test.dec.txt -CAfile [certifcate of the CA] -certfile aasignedcert.pem

To suppress the checking of the key certificate when verifying a message you can supply the -noverify parameter to the verify command (though openssl smime verify -noverify does look a bit weird).

Related

Private Key doesn't Match Certificate

I'm having some weird issues with generating CSRs and certificates from them which I don't fully understand.
Here's what I've done:
Generate private key and CSR (done on Ubuntu on WSL if that's of any significance)
openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr
Uploaded that to CA and got back a certificate beginning with -----BEGIN CERTIFICATE----- which would indicate a PEM-encoded certificate, right?
Tried combining all of this into a PFX for ease of use
openssl pkcs12 -export -out CERTIFICATE.pfx -inkey PRIVATEKEY.key -in CERTIFICATE.cer
It then asks for the private key and then throws the error No certificate matches private key
Some people suggested reencoding the certificate from DER to PEM, but that just throws an error indicating the certificate is already X509
sudo openssl x509 -inform DER -outform PEM -in CERTIFICATE.cer -out CERTIFICATE.pem
unable to load certificate
140390322082240:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:
140390322082240:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=X509
The following command generates quite sensible output, so the certificate seems to be alright to some extent
openssl x509 -in CERTIFICATE.cer -text -noout
The CA is Telia if this is of any use to anybody. I have had some issues in the past with them, for example Digicert's Certificate Utility doesn't recognize their certificates as valid for some reason (but that might of course be cause by me using the wrong file extension or something).
This issue was due to the renewal process in the Telia user interface, it allows you to upload a new CSR during renewal, but it actually ignores that and uses the old CSR without telling you.

How to determine SSL cert expire date from the cert file itself(.p12)

If I have the actual file(.p12) and a Bash shell in Mac, how can I extract certificate and key file and also the certificate expiration date? assuming I have the csr(.p12), key files.
You can use openssl to extract the certificate from the .p12 file to a .pem file using the following command:
openssl pkcs12 -in certificate.p12 -out certificate.pem -nodes
Then, you can extract the expiration date from the certificate in the .pem file using the following command:
cat certificate.pem | openssl x509 -noout -enddate
You can make the first answer a one-liner without using the intermediate file:
openssl pkcs12 -in certificate.p12 -nodes | openssl x509 -noout -enddate
Extract the client certificate from the pkcs12 file and print its end date:
openssl pkcs12 -in certificate.p12 -clcerts -nodes | openssl x509 -noout -enddate
If you do not include the -clcerts option you may get the end date from a CA certificate instead of from your own certificate. Several CA certificates are usually included within the file as part of the chain of trust.
Here's how you do it on Windows:
certutil -dump "file.pfx"
P.S. I know the question specifically mentions Mac, this is just in case Google sends you here (like it sent me).

How to create P12 file using openssl

I am having some serious problems with regards to being able to create a p12 file to place on my windows server.
I have used two different websites to be able to help me work out what i need to do:
http://www.raywenderlich.com/32960/apple-push-notification-services-in-ios-6-tutorial-part-1
The second website i used was a comment from within the website was the following:
http://arashnorouzi.wordpress.com/2011/06/19/sending-apple-push-notifications-in-asp-net-and-c-–-part-4-apns-sharp-c-wrapper-class/
First of all i create a Certificate signing request.
I then upload this to my app ID which alows me to generate a ape_dev certificate.
I then go to my key chain and navigate to the "keys" i export the .p12 certificate that i just created.
I now have three different files
My p12 file, my development certificate and my certificate signing request.
I then open terminal and i type the following:
$ openssl x509 -in aps_development.cer -inform der -out PushChatCert.pem
This then creates a new pem certificate.
The thing i type is the following
$ openssl pkcs12 -nocerts -out PushChatKey.pem -in PushChatKey.p12
It prompts for the password which i enter, i use the same password as the one when i created the certificates.
After i have done this I'm left with 2 new files both of which are PEM files.
I need to combine both of these PEM files into one p12 file for it to be able to work on my windows server.
I have tried combining it using the following line
openssl pkcs12 -export \
-in aps_developer_identity.pem \
-out aps_developer_identity.p12 \
-inkey APSCertificates.pem
This in fact works and gives me a p12 file.
I then switched back to he raywenderlich website and i typed the following:
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195
-cert PushChatCert.pem -key PushChatKey.pem
It loads but i recieve the following error:
error:num=20:unable to get local issuer certificate
Please does any one know what im doing wrong im so fed up of going round in circles.
When i upload the certificate to the server and put the ad-hoc version off the application on the device im still not receiving any notifications that i am sending
Thanks in advance.
See if this answer helps Creating .pem file for APNS?
In short: openssl pkcs12 -in apns-dev-cert.p12 -out apns-dev-cert.pem -nodes -clcerts
When you first generated your CSR, you did it with a private key. This can be opaque depending on how you did it. What I do is generate the key with openssl and then make the CSR using that key. That key is then the 'in key' when you make the p12.
Here are my steps
The first step is to generate a Certificate Signing Request. This is the same as it would be for any SSL cert. You will need a private key for this.
openssl genrsa -out aps_development.key -passout pass:foobar 2048
Then you can make the CSR using that key you just created
openssl req -new -key aps_development.key -out CertificateSigningRequest.certSigningRequest -subj "/emailAddress=yourAddress#example.com, CN=John Doe, C=US"
From here you will go to developer.apple.com and revoke the current APN cert and make a new one. It will ask for your CSR and when its done it will give you a .cer file.
Convert the .cer file into a DER formatted .pem file (assuming aps_development.cer is the file you got in the download from the Apple developer site).
openssl x509 -in aps_development.cer -inform DER -outform PEM -out aps_development.pem
Convert the .pem to a .p12. You'll note that you are supplying the key file you made at the beginning of step 1. You will need the password you supplied there.
openssl pkcs12 -export -in aps_development.pem -inkey aps_development.key -out aps_development.p12

SSL Certificate conversion beetween PEM and DER formats

I am trying to create a self-signed certificate using my own CA.
All of the certificates and keys are currently in PEM-Format. In order to have the certificate accepted from my Android-phone I need to create a CA.crt-File in binary DER-Format.
I did create this file using openssl with
openssl x509 -in CA-cert.pem -inform PEM -outform DER > CA.crt
However, after installing CA.crt on my Android, a website´s certificate (www.example.com-cert.pem) signed with CA-cert.pem still shows as invalid in Chrome for Android. The cerificates are (at least as far as I understand it) created correctly and show no difference when converting back:
diff -u CA-cert.pem <(openssl x509 -in CA.crt -inform DER -outform PEM)
What am i missing here? Do I need to create another Version of the website´s certificate (e.g. www.example.com.crt) in DER-Format?
EDIT: don't know if this should work in the first place, but trying to validate the certificate against CA.crt fails with an error:
$ openssl verify -CAfile CA.crt www.example.com-cert.pem
Error loading file CA.crt
the same works well with the PEM-Version:
$ openssl verify -CAfile CA-cert.pem www.example.com-cert.pem
www.example.com-cert.pem: OK

terminal error in between connecting SSL certificate and private key to set up a secure connection:

i am trying to do push notification in my app and following this link
http://www.raywenderlich.com/3443/apple-push-notification-services-tutorial-part-12
my system has been successfully connected with telnet but when i enter the query for connecting ssl certificate and private key then found a error
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert apns-dev-cert.pem -key apns-dev-key.pem
unable to load client certificate private key file
1301:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-44/src/crypto/pem/pem_lib.c:648:Expecting: ANY PRIVATE KEY
any one can tell me what type of error and what's the solution of it?
Thanks in advance
The following command is good enough to verify the key/cert:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert push_development.pem
The key part is to select both certificate and private key when exporting the .p12 from Keychain Access (you will be asked for 3 passwords, one for the .p12, one for the cert, one for the private key).
To convert .p12 to .pem, follow the instruction from Apple:
openssl pkcs12 -in CertificateName.p12 -out CertificateName.pem -nodes
At first i was facing this problem too.
We have two files
1) one is aps_development.cer from apple
2) Another 1 is from the keychain access with the common name that we just created.
After that, both convert it to .pem files.
For example, cert.pem and key.pem.
After that combine this two files using below command
cat cert.pem key.pem > ck.pem
At first I openssl using below command.
openssl s_client -connect gateway.sandbox.push.apple.com:2195
-cert cert.pem -key key.pem
Which returns me the error you mentioned.
After that I try using
openssl s_client -connect gateway.sandbox.push.apple.com:2195
-cert cert.pem -key ck.pem
Then its working already. Hope this helps.
I was facing the same issue while I was generating a PEM file for Enterprise Distribution, but i figured out later that I generated a p12 file against the iPhone Distribution Certificate key though i should had generated the p12 against Apple Production iOS Push Servies key. Hope this may resolve the issue if any one had used the Distribution key.
Hello Please follow below commands.
step1
openssl pkcs12 -clcerts -nokeys -out developer_key.pem -in developer_key.p12
Note: just drag the file path on terminal...
step2
openssl pkcs12 -nocerts -out apns_key.pem -in apns_key.p12
step3
openssl pkcs12 -in developer_key.p12 -out developer_key.pem -nodes -clcerts
step4
openssl pkcs12 -in apns_key.p12 -out apns_key.pem -nodes -clcerts
step 5
cat apns_key.pem developer_ket.pem >developer.pem
DO the same step For Distribution certificates
After creating developer.pem and distribution.pem
Please verify both file in to below commands.
Step6
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert developer.pem -debug -showcerts -CAfile "Entrust.net.Certification Authority (2048).pem
A Notice is Pass Phrase must longer than 3 characters.
I have just fixed with pass Phrase is 1234 :D