The service I need to connect to has provided me three files and I'm trying to figure out what I need to create the Cert=xxx.PEM file that STUNNEL needs
I have a "keystore.jks" file. Dumping that with keytool says it's a "Private key entry"
I have a "truststore.jks" file. Dumping that says it's a "trusted certificate entry". The alias is "server"
I also have a "xyz.cer" file. That seems to be a X.509 certificate
I've got OPENSSL and a Java program called "KeytoolUI".
Bottom line is I have a bunch of files and tools and with not much knowledge of SSL I feel like I can't see the wood for the trees. Do I need all those files? The existing PEM files I have for other services just have a "Certificate" section and a "RSA Private key" section.
Any advice appreciated. Thanks!
It sounds like your provider has provided your keypair (for client side authentication) as a java keystore, and (I'm guessing) the remote server's public certificate or CA certificate in PEM format.
That's some fairly heavy guesswork, but it's strange that they've sent you a private key if you aren't doing client side auth. (Let's hope they haven't sent you the private key for their server!).
As far as I'm aware, stunnel only uses PEM certificates, so you will need to convert your JKS files into two PEM files (one for the private key, one for the public certificate). One way to do this is to convert the JKS to a PKCS#12 (aka PFX) file using keytool, and then use OpenSSL to convert the PKCS#12 files into PEM private key/certificate files.
Once you have these two files, use them with the key and cert options in stunnel.conf.
For the final (mystery) PEM certificate that you have, I'm going to guess (again) that this is the remote CA, and therefore that you should configure this against the CAfile parameter in stunnel.conf. (If it's appropriate for you to post details here, edit to include output from openssl x509 -in <filename> -text to provide more clues).
No answer I'm afraid. In the end I got the company to just send me a PEM file.
I did find quite an authoritative looking tutorial here
http://www.herongyang.com/crypto/Migrating_Keys_keytool_to_OpenSSL_2.html
The problem is for somebody who doesn't do this everyday getting a bunch of free/open source software from various sources to work together. You can find scripts to do this on various sites, but when you run them, you'll see Java tracebacks, complaints about LIBEAY32.DLL missing ordinals, etc., etc.
If you get the exact right versions of KEYTOOL, OPENSSL, etc.,, installed in the correct place, with the exact right JRE version and all the other DLLs, the PATH correct, and all the stars exactly lined up you'll be fine. Until then it's just an exercise in frustration.
openssl x509 -inform der -outform pem < xyz.cer > xyz.pem
Related
I've currently encountered a unique issue. To help understand the predicament I'll provide some background. Our company hired a third-party to develop an application, apart of this web application package was the purchase of an SSL Certificate.
After they purchased the SSL they exported it into a Personal Information Exchange (.pfx).
The issue now occurs here...
Our company web-server utilizes the Plesk Panel 11. Which complicates matters for two reasons.
The first is that if I directly install the certificate Plesk will
not recgonize the certificate and will eventually overwrite the
contents in our Microsoft Certificate Store within the Windows
Server MMC Certificate Snap-In.
The second issue is sheer bad luck, Plesk doesn't recognize the .pfx extension. It apparently only understands the following:
Private Key (.key)
Certificate (.crt)
CA Certificate (-ca.crt)
So my original thought was to simply convert the file into a valid format, which resulted in an error. The second attempt was to follow a command line control to export the file format to the valid extension. The results are still disappointing:
Error: Invalid Certificate Format
Since the file installed was a .pfx it does not allow me to convert it to anything else. Unfortunately when utilizing Open SSL it only converted to a .pem. Which to my dismay is also unsupported-
Any assistance would be terrific.
Update:
I attempted to follow this question on Stack Overflow. Unfortunately Windows Server 2012 doesn't appear to do the conversion as well. It does convert it into a valid format, but then the Private Key can't be found.
In order to solve this issue I followed this blog here.
So I attempted to utilize Open SSL again, with these steps:
// Extract Private Key
openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]
// Extract Certificate
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]
// Encrypted Private Key
openssl rsa -in [keyfile-encrypted.key] -out [keyfile-decrypted.key]
Again you need to enter an import password. This time you need to enter the new password that you created in step 1. After that you’re done. You decrypted your private key. In the folder you ran OpenSSL from you’ll find the certifcate (.crt) and the two private keys (encrypted and unencrypted).
That is how I solved my question.
We use IIS 6.0 (Win2003 SP2) at work and needed to renew our SSL certificate.
I created a certificate request by using openssl. Therefor I'd created a 2048 bit key with openssl first. I did not use that certreq.txt request file, since that produced format errors at the website of our used CA.
That request has been accepted meanwhile and I got a .pem file from our organization's CA. So far so good. I even was able to import the certificate. But unfortunately the private key is missing now. I think, windows (or IIS) just doesn't know, where to look for it. The private key of course lives in a *.key file, that I used for creating the request.
But how may I integrate the key into the certificate or make Windows/IIS using it?
You should be able to build a PKCS#12 file using OpenSSL using:
openssl pkcs12 -export -in cert.pem -inkey file.key -out cert.p12
Then, using the .p12 file, import both the cert and its private key at the same time.
More info on openssl https://www.openssl.org/docs/apps/pkcs12.html
Since your running Windows Server take advantage of DigiCert's free utility (http://www.digicert.com/util).
You can create the CSR from OpenSSL if you plan to import it back to OpenSSL and were using Apache.
Otherwise you'll make the CSR request from IIS or running DigiCert Utility and clicking 'Create CSR' option. Once you have the new CSR, submit it to your CA in order to have them issue a new cert that will match the proper private key in IIS.
Once you receive the new cert file, use the 'Import' function on the utility to load the cert file on your local MMC.
Final step is binding the SSL cert to the site's port 443 connection in the IIS console.
If you happen to need the private key, you can use the 'Export' function to create a .key file or a PFX file which includes both your domain certificate and the private key.
Some firewall devices require a PKCS#12 file over the PFX. If so, rename file extension from .pfx to .p12
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 6 years ago.
Improve this question
I'm trying to install a GoDaddy SSL certificate on a new load balancer I'm setting up on Amazon AWS. I originally created the certificate at Godaddy using the keytool program for direct installation on a Glassfish 3.1 server (Amazon linux ami). I had no problems getting that setup directly on the server. I now need to move the certificate from the web server to the new load balancer. Amazon requires the private key and certs to be in PEM format, so I used the "rekey" tool at GoDaddy to create new certs. When I load those in the load balancer setup screen on AWS Mgmt Console, I get the error message: "Public Key Certificate and Private Key doesn't match."
Here is how I'm creating the keys:
$ openssl genrsa -des3 -out private.key 2048
$ openssl req -new -key private.key -out apps.mydomain.com.csr
I then submit the .csr file to GoDaddy during the "rekey" process. Once the rekey is complete, I download the 2 newly created certs (apps.mydomain.com.crt & gd_bundle.crt). I download them selecting (Apache) as the type of server (I've also tried "other" and "Cpanel" but the all look to be the same).
At this point, I remove the encryption from the private.key file by using the following command:
$ openssl rsa -in private.key -out private.pem
At this point, I go back into the AWS Mgmt console, create the load balancer, add the secure server redirect and put the contents of the following files in the respective fields on the screen where it asks to setup the ssl certificate:
private.pem --> Private Key
apps.mydomain.com.crt --> Public Key Certificate
gd_bundle.crt --> Certificate Chain
When I click the "continue button" I get the error "Error: Public Key Certificate and Private Key doesn't match."
-Is there a way that I can test that I'm getting a valid error message from Amazon? It seems odd to me that the keys wouldn't match when I'm following GoDaddy's instructions pretty closely.
I've tried creating the private.key file without RSA encryption prior to creating the .csr and that doesn't seem to make any difference.
I'm also assuming that the .crt files I'm downloading from GoDaddy are in .PEM format, but I'm not sure how to verify this.
Any ideas?
For me, it was an easy two-step:
Convert the private key to PEM:
openssl rsa -in yourdomain.key -outform PEM
Convert the certificate and certificate bundle to PEM:
openssl x509 -inform PEM -in yourdomain.crt
openssl x509 -inform PEM -in bundle.crt
Just for the record and anyone else who is trying to figure it out:
yourdomain.key
-> terminal command: sudo openssl rsa -in yourdomain.key -outform PEM -out yourdomain.pem
-> private key
yourdomain.crt
-> public key
gd_bundle.crt
-> certificate chain
and you're good to go :)
Looks like the issue was the way in which I was copying the contents of the key and certs into the AWS Management console. I was using an Ubuntu desktop running in Virtual Box on a Windows 7 desktop; copy and pasting the values from a gedit screen into the browser running on the Windows box. Once I opened the key and cert files on the same box as the web browser (Windows in this case) the certs went through just fine. I'm guessing some parts of the file aren't making it over correctly when using the shared clip board between Virtual Box client and host. Case closed.
We found an alternate solution to this problem. We were having the same symptoms with the same error.
Then we tried reentering the pem codes one more time, but this time we made sure to hit enter one time and make sure the cursor was on a blank line at the end of each window. Then we saved it.
IT WORKED.
This solved our problem, so it might solve it for others.
One little gotcha. I'm using a Windows box (Win 7 Pro) and when I used the windows port of OpenSSL, the outputted files had Unix style end-of-line characters (LF).
I had to convert the file to Windows style (CRLF) for the uploading of the private key.
I can suggest you with an alternative solution and an information to you folks.
Generally all certificates are of PEM file format. You can just open a notepad or any text editor and drag the files which you received in .crt file format. Which is normally called as .PEM file.If the certificate loaded in your keytool you can export the certificate as a pfx file from keytool. Then you can separate the pfx file from the private key from the pfx file. Because the pfx file is the combination of your certificate and the private key.So you can get separately the private key file and use it on your amazon aws.
I suspect there may be another way to install the certificate. May be you can contact the certificate authority and is there any way to get your certificate to be reissued.
While I know nothing about SSL or installing SSL Certificates, I'm sure one of the many results Google will give me for CentOS, SSL certs and Apache would help.
However, the certificate files which have been provided for this project are a .pfx file, .cer (the certificate) file and a .txt (apparently a certificate request) file, none of which are mentioned in the articles I'm finding.. they all talk of .crt and .key files.
Is there a particular way I should be converting these files, presumably via openssl, into something I can use in Apache?
.pfx files tend to be PKCS#12 files (which will contain the private key, the certificate and possibly the issuer certificate chain). They're sometimes called .p12. OpenSSL can extract private key and certificate from PKCS#12 files (via its openssl pkcs12 command), you should be able to find documentation to do this, via Google or other questions on SO.
I spent several hours yesterday trying to digitally sign a short file using an X509 certificate (one of the "freemail" certificates from thawte). I finally got openssl to sign it as an SMIME message, but I can't successfully verify it, AND it's in the SMIME format -- I don't have access to a "sendmail" program which can actually send out the SMIME file.
I just want to create some file that is "excerptable" via plain cut & paste, like:
===BEGIN SIGNED DOCUMENT===
===BEGIN DOCUMENT===
blah blah blah this is the plaintext ...
===END DOCUMENT===
===BEGIN SIGNATURE===
AFab12121abadAF ...
===END SIGNATURE===
===END SIGNED DOCUMENT===
Alternatively I guess I could make a .zip file that contains the original file and also the signature.
so I guess my requirements are:
input plaintext = arbitrary file
input signkey = from X509 certificate
output = something I can easily email to someone else by cut&paste or by attaching a single .zip file
program = something that is free & open source like openssl or gpg
program != a magic GUI where I don't understand what's going on
ability to easily use the program to generate output from inputs
ability to easily extract the plaintext from the output (e.g. either directly by eye or as a component of the .zip file)
ability to verify that the plaintext was signed by the grantee of the X509 certificate (i.e. me) and that the grantor (CA) of the certificate is a Well-Known CA... assuming that I am a rational person who keeps the certificate secure from use by other parties (otherwise someone could sign things as me).
Is there a good tutorial for X509 certificates & how they are used in practice for this stuff? I have the 2nd edition of Schneier's "Applied Cryptography" & have a fair amount of experience with cryptographic algorithms + protocols, but don't know much at all about X509 and I'm really confused as to what a certificate actually is in practical terms. (In other words, "a certificate is a cryptographic assertion by the issuing party CA that the party X named in the certificate is an identity known to the CA?" AND "a certificate enables its bearer to _____")
When I get one it shows up in Firefox's "Your Certificates" tab of the Certificate Manager, and I can export it and read it with openssl, but I want to make sure that it's not stored in any way that someone else can use it w/o knowing the cert. passphrase -- and I get really confused because it seems like some certificates only have the public key & others have encrypted private keys.
Is there a good, simple GUI wrapper around openssl that allows you to have it explain what it's doing?
edit: thawte doesn't easily let you use certificate requests directly; instead it talks to web browsers (I use Firefox) & that generatese the private key and handles all the certificate protocol. So I can export that as a PKCS12 file but am not exactly sure how to use that.
So I can export that as a PKCS12 file but am not exactly sure how to use that.
If you use the openssl tool, you can use the command
openssl pkcs12 -in file.p12 -out file.pem
to convert it to pem-format.
EDIT:
I'm having trouble figuring out what PEM and PKCS12 and all these things do differently from each other
A PKCS#12 file is just a container for certificates and keys. If you want to see what it contains (at least except for the encrypted parts), you can use a tool such as dumpasn1. The PKCS#12 file that you export from your browser will contain your private key in an encrypted format, your certificate as well as the CA certificates that are necessary to form a chain up to a trusted CA.
Likewise a PEM file can contain certificates and keys. In a PEM file the certificates and keys are base64 encoded and placed within some text delimiters (a PKCS#12 file uses a binary encoding named ASN.1 to structure the file - you can think of ASN.1 as a binary form of XML. Most cryptographic structures you encounter will have been encoded using ASN.1). Except for that, the only real difference between the formats is that PKCS#12 contains an integrity check - otherwise the formats are equivalent.
OpenSSL works best with PEM, while most browsers and emailapplications will expect PKCS#12, but you can freely convert between the formats.
First you probably need to read up on the difference between a private key, a public key and a certificate. A certificate is a signature with a CAs private key on the statement "The public key XX belongs to the person YY". If you sign something with your private key, the signature can be validated with your public key, and a third party that trusts the CA can conclude that the signature was signed by you.
If you generate a S/MIME message and attach it as a file with the extension .p7s, most mail programs will probably be able to verify it.
If you want total control over what you are doing, my experience is that the tooling around the PGP-format gives you better control (compared to the mail-programs implementing the S/MIME protocol).