Hi I am a little new to all this openSSL and PEM stuf, so I thought I would ask you people here. I have a certificate in text(X509) format like this for example
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1f:19:f6:de:35:dd:63:a1:42:91:8a:d5:2c:c0:ab:12
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=Thawte SGC CA,O=Thawte Consulting (Pty) Ltd.,C=ZA"
Validity:
Not Before: Fri Dec 18 00:00:00 2009
Not After : Sun Dec 18 23:59:59 2011
Subject: "CN=mail.google.com,O=Google Inc,L=Mountain View,ST=Californ
ia,C=US"
............................................
............................................
How do I convert this into a .pem file for openssl to understand, so that I can verify certificates? Any ideas/help/suggestions would be greatly appreciated. Thanks a lot in advance to all.
Regards
Hari
If all you have is the certificate in text form (hopefully with the details of the public key modulus and exponent, and signature), you're going to have to rebuild the ASN.1 structure and its DER format (the PEM representation is the base-64 encoding of the DER form).
You'll also have to rebuild the exact list of extensions in the certificate. Most text forms I know (for example, the output of openssl x509 -text or the browser's display tool) will convert the OIDs and values of the extensions into a more human-readable format, based on the specifications describing these extensions, if known to the developers of these tools.
Doing it in the reverse order systematically more or less implies reading a large number of specifications describing the potential extensions and working out what the human-readable text coming out of these tools was representing. The PKIX RFC is one of these specifications, and it's not going to be an easy thing to read, especially if you're beginning in the field.
On top of this, you might not be able to form the ASN.1 structure in the exact same order as it was in the actual certificate. You need to be able to reconstruct the exact binary structure if you want to be able to verify the signature of the certificate.
In the general case, I'd say doing this successfully is unlikely.
EDIT: Considering what you said, you seem to be using LibNSS's certutil:
Try:
certutil -L -r -n "the-cert-nickname" -d . | openssl x509 -inform DER -outform PEM
I am not sure what you are presenting in your post.
This seems the visualization of an existing certificate.
Are you viewing it via windows? I.e. opening a .der or .cer file?
If this is the case if you go in the details tab, press copy to file and save it as pem.
If you need to save it that format that is.
Related
I have the following files:
filename.key (RSA PRIVATE KEY)
filename.pem (CERTIFICATE REQUEST)
certificate.cer (CERTIFICATE)
CertificateChain.p7b
I have received these files from the CA including the certificate chain.
I need to generate 'keystore.p12' to configure SSL for spring boot application with the following information.
server:
port: 443
ssl:
key-store: keystore.p12
key-store-password: <your-password>
keyStoreType: PKCS12
keyAlias: <my alias>
Can anyone please help me to generate the 'keystore.p12'?
File extensions do not actually control the format or contents a file, although usually they should provide at least partial description. Similarly basenames (before the extension) should describe what is in the file, but do not always do so correctly. What matters is what is in the files.
.key is usually used for a lone privatekey, but look at it to make sure, and also to determine what format it is in because there are many. You should never get your privatekey from a CA; it should be generated locally, usually on the machine where it will be used and at least by the 'owner' or admin of that machine. There might be a sort-of exception if you are talking about a CA internal to a company, organization, agency, or office -- in that case the person running the CA may be the same person who is responsible for security on all the machines -- or vice versa, depending on your perspective -- and it may make sense for them to generate both the key and the cert.
.pem is used for lots of things in PEM format, and what the contents of that file is (or are) matters more than the fact of it being PEM. Look at the first line -----BEGIN (somewords)----- and see what the word(s) is(are). That should be followed either immediately or after a few header lines by data in base64 (a solid block of letters, digits, and the special characters + / =), then a matching -----END (somewords)----- line. If the END line is followed by a another similar block, or several, look at all of them.
.cer is commonly used for certificates in either 'DER' (binary) or 'PEM' (as above) format. .p7b is similarly used for 'dummy' PKCS7 messages containing certificates -- especially certificates used in a chain -- in either DER or PEM. More significantly, p7b is sometimes used for the whole chain including the end-entity (server) cert, and sometimes the rest of the chain excluding the EE cert, and it matters which. If you have OpenSSL -- or can get it (e.g. by installing a package, or for Windows I recommend the installer from http://www.slproweb.com/products/Win32OpenSSL.html ) or can move your data to a machine that has it -- then do:
# if the p7b file is in PEM format (you can see ----BEGIN PKCS7----- line)
openssl pkcs7 -in file.p7b -print_certs
# if the p7b file is in DER format (looks like garbage in a text editor or display)
openssl pkcs7 -in file.p7b -inform der -print_certs
# for now look only at the subject= and issuer= lines to see
# for each cert in the file who it is for, and if/how they chain
Then:
if the .key file is a privatekey in one of the PEM formats supported by OpenSSL you can use that; else if .key is a privatekey in some other format, or .pem is or includes a privatekey in some format, you'll need to convert and/or extract it: tell us more about what those files look like.
if the .p7b file is in PEM or DER format, put its expanded output (from above) in a file. If this includes the EE cert skip the next step.
if the .p7b file does not include the EE cert, but the .cer file is that cert, if in PEM format just append it to the file containing the .p7b output; if in DER format convert it with openssl x509 -in file.cer -inform der and append that.
if you now have the privatekey in one of the PEM formats supported by OpenSSL, and the cert chain including the EE cert in PEM format, do
openssl pkcs12 -export -in chain.pem -inkey key.pem -out newfile.p12 [-name x]
# the -name option provides the 'alias' used by Java
# if not specified it defaults to the numeral 1 (one)
I have 4ec7049585ebc7.crt and gd_bundle.crt files. I want to convert it into pem format. I need two files one certificate and key in pem format. what is the openssl command for it.?
Check out Paul Heinlein's OpenSSL Command-Line HOWTO. Its got lots of recipes.
Do you know what format the files are currently in? They are probably already in PEM format. If not, you can simply try -inform ASN1, -inform PEM, etc until you find something that does not error.
More than likely, you are going to have to breakout gd_bundle.crt with a script because its going to be full of PEM encoded certificates concatenated together.
I'm trying to verify detached PKCS#7 signature. A file generated using WIN32 CryptoAPI function CryptSignMessage(). File is signed on client side, but it must be validate on server side FreeBSD. So I cannot use CryptoAPI.
Please help me to determinate how to use OpenSSL for this kind of task. Now I have two files FILENAME.xml and FILENAME.xml.sig which contains a signature information. According to specification this file include "a hash of the specified content, signs the hash, and then encodes both the original message content and the signed hash." As I figured out it also contains certificates. With openssl i can retrieve public key and certificate from this file but I have no idea how to retrieve signature information?
So I'm trying to retrieve information from this file such as public key and signature to use it with openssl command
openssl dgst -verify PUBLIC_KEY_FILE -signature SIGNATURE_FILE -md_gost94 FILENAME.xml
Verification Failure
Also there is service which can read all information from this file. http://notary.cryptopro.ru/Detached.aspx
Information about EDS:
Algortim hashing:
Name:
GOST R 34.11-94
ID:
1.2.643.2.2.9
Algortim public key:
Name:
GOST R 34.10-2001
ID:
1.2.643.2.2.19
Value:
2DEA 8713 5AS2 69AA 34E0 B333 EF61 3773 5CF1
3BC4 BAD0 1745 0DDD 9577 FFAE BA4A A9EB A8CF
64B9 C338 1513 8BDB C478 BA3A 5409 6419 03A6
DD3A 04D2 D132 3319 8031
Serial Number: 1F11 EF05 0001 0000 1032
Maybe I dont understand something. Please help.
Is it posible at all?
If you used CryptSignMessage() function, you have the certificate for this public key. So, you can use openssl cms service (in some distros openssl is built without it, in this case you can recompile them with enable-cms option).
The sample command is:
openssl cms -verify -nointern -noverify -certfile CERTIFICATE_FILE -inform DER -in SIGNATURE_FILE -content CONTENT_FILE -out /dev/null
where CERTIFICATE_FILE is a certificate in Base64 form.
P.S. I'm not sure about GOST algorithms support. Try sha1RSA first.
I spent several hours yesterday trying to digitally sign a short file using an X509 certificate (one of the "freemail" certificates from thawte). I finally got openssl to sign it as an SMIME message, but I can't successfully verify it, AND it's in the SMIME format -- I don't have access to a "sendmail" program which can actually send out the SMIME file.
I just want to create some file that is "excerptable" via plain cut & paste, like:
===BEGIN SIGNED DOCUMENT===
===BEGIN DOCUMENT===
blah blah blah this is the plaintext ...
===END DOCUMENT===
===BEGIN SIGNATURE===
AFab12121abadAF ...
===END SIGNATURE===
===END SIGNED DOCUMENT===
Alternatively I guess I could make a .zip file that contains the original file and also the signature.
so I guess my requirements are:
input plaintext = arbitrary file
input signkey = from X509 certificate
output = something I can easily email to someone else by cut&paste or by attaching a single .zip file
program = something that is free & open source like openssl or gpg
program != a magic GUI where I don't understand what's going on
ability to easily use the program to generate output from inputs
ability to easily extract the plaintext from the output (e.g. either directly by eye or as a component of the .zip file)
ability to verify that the plaintext was signed by the grantee of the X509 certificate (i.e. me) and that the grantor (CA) of the certificate is a Well-Known CA... assuming that I am a rational person who keeps the certificate secure from use by other parties (otherwise someone could sign things as me).
Is there a good tutorial for X509 certificates & how they are used in practice for this stuff? I have the 2nd edition of Schneier's "Applied Cryptography" & have a fair amount of experience with cryptographic algorithms + protocols, but don't know much at all about X509 and I'm really confused as to what a certificate actually is in practical terms. (In other words, "a certificate is a cryptographic assertion by the issuing party CA that the party X named in the certificate is an identity known to the CA?" AND "a certificate enables its bearer to _____")
When I get one it shows up in Firefox's "Your Certificates" tab of the Certificate Manager, and I can export it and read it with openssl, but I want to make sure that it's not stored in any way that someone else can use it w/o knowing the cert. passphrase -- and I get really confused because it seems like some certificates only have the public key & others have encrypted private keys.
Is there a good, simple GUI wrapper around openssl that allows you to have it explain what it's doing?
edit: thawte doesn't easily let you use certificate requests directly; instead it talks to web browsers (I use Firefox) & that generatese the private key and handles all the certificate protocol. So I can export that as a PKCS12 file but am not exactly sure how to use that.
So I can export that as a PKCS12 file but am not exactly sure how to use that.
If you use the openssl tool, you can use the command
openssl pkcs12 -in file.p12 -out file.pem
to convert it to pem-format.
EDIT:
I'm having trouble figuring out what PEM and PKCS12 and all these things do differently from each other
A PKCS#12 file is just a container for certificates and keys. If you want to see what it contains (at least except for the encrypted parts), you can use a tool such as dumpasn1. The PKCS#12 file that you export from your browser will contain your private key in an encrypted format, your certificate as well as the CA certificates that are necessary to form a chain up to a trusted CA.
Likewise a PEM file can contain certificates and keys. In a PEM file the certificates and keys are base64 encoded and placed within some text delimiters (a PKCS#12 file uses a binary encoding named ASN.1 to structure the file - you can think of ASN.1 as a binary form of XML. Most cryptographic structures you encounter will have been encoded using ASN.1). Except for that, the only real difference between the formats is that PKCS#12 contains an integrity check - otherwise the formats are equivalent.
OpenSSL works best with PEM, while most browsers and emailapplications will expect PKCS#12, but you can freely convert between the formats.
First you probably need to read up on the difference between a private key, a public key and a certificate. A certificate is a signature with a CAs private key on the statement "The public key XX belongs to the person YY". If you sign something with your private key, the signature can be validated with your public key, and a third party that trusts the CA can conclude that the signature was signed by you.
If you generate a S/MIME message and attach it as a file with the extension .p7s, most mail programs will probably be able to verify it.
If you want total control over what you are doing, my experience is that the tooling around the PGP-format gives you better control (compared to the mail-programs implementing the S/MIME protocol).
The service I need to connect to has provided me three files and I'm trying to figure out what I need to create the Cert=xxx.PEM file that STUNNEL needs
I have a "keystore.jks" file. Dumping that with keytool says it's a "Private key entry"
I have a "truststore.jks" file. Dumping that says it's a "trusted certificate entry". The alias is "server"
I also have a "xyz.cer" file. That seems to be a X.509 certificate
I've got OPENSSL and a Java program called "KeytoolUI".
Bottom line is I have a bunch of files and tools and with not much knowledge of SSL I feel like I can't see the wood for the trees. Do I need all those files? The existing PEM files I have for other services just have a "Certificate" section and a "RSA Private key" section.
Any advice appreciated. Thanks!
It sounds like your provider has provided your keypair (for client side authentication) as a java keystore, and (I'm guessing) the remote server's public certificate or CA certificate in PEM format.
That's some fairly heavy guesswork, but it's strange that they've sent you a private key if you aren't doing client side auth. (Let's hope they haven't sent you the private key for their server!).
As far as I'm aware, stunnel only uses PEM certificates, so you will need to convert your JKS files into two PEM files (one for the private key, one for the public certificate). One way to do this is to convert the JKS to a PKCS#12 (aka PFX) file using keytool, and then use OpenSSL to convert the PKCS#12 files into PEM private key/certificate files.
Once you have these two files, use them with the key and cert options in stunnel.conf.
For the final (mystery) PEM certificate that you have, I'm going to guess (again) that this is the remote CA, and therefore that you should configure this against the CAfile parameter in stunnel.conf. (If it's appropriate for you to post details here, edit to include output from openssl x509 -in <filename> -text to provide more clues).
No answer I'm afraid. In the end I got the company to just send me a PEM file.
I did find quite an authoritative looking tutorial here
http://www.herongyang.com/crypto/Migrating_Keys_keytool_to_OpenSSL_2.html
The problem is for somebody who doesn't do this everyday getting a bunch of free/open source software from various sources to work together. You can find scripts to do this on various sites, but when you run them, you'll see Java tracebacks, complaints about LIBEAY32.DLL missing ordinals, etc., etc.
If you get the exact right versions of KEYTOOL, OPENSSL, etc.,, installed in the correct place, with the exact right JRE version and all the other DLLs, the PATH correct, and all the stars exactly lined up you'll be fine. Until then it's just an exercise in frustration.
openssl x509 -inform der -outform pem < xyz.cer > xyz.pem