I want to convert the following curl into a Postman script:
curl --cacert ca.crt --key client.key --cert client.crt "https://myurl"
All three SSL parts are required, i.e. client cert, client key AND server cert.
In Postman settings - certificates, I can set the CLIENT crt and the client KEY....but how do I set the server cert that is also required otherwise the request will fail.
To resolve this I converted ca.crt, client.key and client.crt into a .pfx file using this command:
openssl pkcs12 -export -out certificate.pfx -inkey client.key -in client.crt -certfile CA.crt
This created a file called certificate.pfx
[You will be prompted whether you want to add a password for the file or not].
Open Postman – click on the settings cog and then choose Settings
Click on Certificates
Click on ‘Add Certificate’ to the right of Client Certificates
In the Host section set the url as required for your API
In the PFX file section click on Select File and browse to certificate.pfx
If you created a password for certificate.pfx - enter that in the Passphrase section
Click on ‘Add’
Close Settings
You should now be able to send the request to the API and get a successful response
Related
1)I created myfile.csr using the below command
req -out myfile.csr -new -newkey rsa:2048 -nodes -keyout myfile-pr.key
I sent myfile.csr to 3rd party to have it signed
3rd party application signed and sent me serverfile.pem
Using these files would i be able to invoke a REST webservice using curl command. I tried the below command but it returned unauthorized error
curl --cacert ./serverfile.pem --key ./myfile-pr.key --cert ./myfile.csr --pass <password> https://serverpost:port/getEmployeeInfo
The --cacert is used to specify the file with the public certificate of the Certification Authority (CA). If you installed 3rd party CA certificate on your system, this option is not needed.
With the --cert you specify the signed client certificate which was issued to you based on your CSR. From man curl:
-E, --cert <certificate[:password]>
Tells curl to use the specified client certificate file when getting a file with HTTPS, FTPS or another SSL-based protocol. The certificate must be in PKCS#12 format if using Secure Transport, or PEM format if
using any other engine. If the optional password isn't specified, it will be queried for on the terminal. Note that this option assumes a "certificate" file that is the private key and the client certificate concate‐
nated! See -E, --cert and --key to specify them independently.
Currently, you are passing CSR (certificate signing request) via --cert parameter. Your command should look something like this:
curl --cacert ./3rd-party-ca-cert.pem --key ./myfile-pr.key --cert ./serverfile.pem --pass <password> https://serverpost:port/getEmployeeInfo
As I mentioned, the --cacert might not be needed if you already added this CA (e.g. on ubuntu https://superuser.com/a/719047).
Check serverfile.pem to make sure it contains only client certificate, and not 3rd party CA certificate chain as well.
... schannel: sending initial handshake data: sending ....
curl does not support client certificates on the command line with SChannel. See this bug report and this todo.
#SteffenUllrich: Sorry i should have formatted better.
Issue was i was trying curl in windows(curl 7.55.1). Not sure if it's version issue. Did the following command in Linux and it works
openssl pkcs12 -export -out combine.p12 -inkey client-cert-pr.key -in serverSelfSigned-cert.pem
openssl pkcs12 -in combine.p12 -out ile.key.pem -nocerts -nodes
openssl pkcs12 -in combine.p12 -out file.crt.pem -clcerts -nokeys
curl -E ./file.crt.pem --key ./file.key.pem https://thirdpartyserver.com/employee
Notes:
client-cert-pr.key: client private key
serverselfsigned-cert.pem: self signed certificate sent by 3rd party
The below other 2 options also works. Thanks #bagljas
curl --cacert ./serverfile.pem --key ./myfile-pr.key --cert ./serverfile.pem --pass <passwrod> https://serverpost:port/getEmployeeInfo
curl --key ./myfile-pr.key --cert ./serverfile.pem --pass <passwrod> https://serverpost:port/getEmployeeInfo
Same command doesn't work in windows
I'm working on the SSL Configuration for WSO2 and currently following this article. Now i had a .pfx file which i converted to a .jks file using
keytool -importkeystore -srckeystore < pkcs12 file name >.pfx
-srcstoretype pkcs12 -destkeystore < JKS name >.jks -deststoretype JKS
The next step was to extract a .csr (Certificate Request Signing) from the .jks using
keytool -certreq -alias certalias -file newcertreq.csr -keystore newkeystore.jks
After having the .csr file extracted, the article asked to provide that .CSR file to the CA. For testing purposes, they preferred this to have a free SSL Certificate for 90 days.
The site asks for the content of the CSR file and gave me the following error
Your Domain Name may not contain a * Please purchase a Wildcard
Certificate if you wish to use a * in your Domain Name
Please note that my certificate is for a domain: *.domain.com, its pretty obvious that i'll have to purchase a wild card certificate for this but i'm currently trying to set up a TESTING ENVIRONMENT just to be sure before purchasing a particular domain certificate AND for that, i'm looking for alternatives to get the following files:
The Root certificate of the CA i.e. AddTrustExternalCARoot.crt
Intermediate certificates i.e. COMODORSAAddTrustCA.crt, COMODORSADomainValidationSecureServerCA.crt
SSL Certificate signed by CA i.e. test_sampleapp_org.crt
I tried this and it gave me a domain.cer file which is not what i need. Any guesses? Thanks.
For development, you can export a self-signed certificate with this keytool command.
keytool -export -alias certalias -file test_sampleapp_org.crt -keystore newkeystore.jks
I'm attempting to set up TLS (SSL) with my domain hosted on AWS Bitnami so that users can access it over HTTPS. It is running on Apache Tomcat standalone and is not fronted by a LB.
To generate the Certificate Signing Request (CSR) I have:
sudo openssl genrsa -out /opt/bitnami/apache-tomcat/conf/server.key 2048
And entered all the correct information i.e. hostname in www.hostname.com format, then:
sudo openssl req -new -key /opt/bitnami/apache-tomcat/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr
Following that I have copied to the .csr file contents to the CA (ssl.comodo.com) & saved the resulting files: .ca-bundle and .crt file.
Following that I have uploaded the files to the Tomcat directory and loaded them into the Java keystore:
keytool -import -trustcacerts -alias root -file www_domainname_com.ca-bundle -keystore KeyStore.jks
and the .crt:
keytool -import -trustcacerts -alias tomcat -file www_domainname_com.crt -keystore KeyStore.jks
Tomcat is configured to use this keystore with the following config in server.xml:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" keystoreFile="/home/bitnami/KeyStore.jks" keystorePass="passwordhere" sslProtocol="TLS"/>
Then apache has been restarted. The browser errors that I receive are:
Chrome:
uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Firefox:
no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
My thoughts
Based on this Stack Overflow question here I think this may have something to do with RSA - when I generate a new keystore with the -keyalg RSAparameter:
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA and point the Tomcat server.xml SSL config to that the site loads over HTTPS and I get warnings in the browser telling me that it is a self-signed certificate.
If you want to generate using OpenSSL, you must then convert the PRIVATE KEY AND certificate chain, not just the certificate(s) alone, to a Java-usable keystore, either PKCS12 or JKS.
If you want to generate using Java, you do use keytool -genkeypair -keyalg RSA (and before j7 add -keysize 2048), then you use Java keytool to generate the CSR which you give to the CA (Comodo), and you use Java keytool to import the new cert and its chain from the CA.
See the options at (my) https://stackoverflow.com/a/37423399/2868801 and several additional dupes linked there.
I am trying to access a webservice.
Before when I was trying to run that webservice in my Chrome web browser, I was getting 403 error but when I imported Private.pfx file into chrome certificates, I could easily access the webservice.
Now with curl I am getting 403 forbidden error.
I followed this link
using-certificates-with-curl
1) Convert it into PEM format (X.509 certificate) using openssl.
openssl pkcs12 -in abcd.pfx -out abcd.pem
Enter a passphrase and a password.
2) Still you cannot use this with curl because you’d get a few errors.
3) Convert this PEM certificate into three different certificates for the client, the private key and the certification authority certificate.
openssl pkcs12 -in abcd.pfx -out ca.pem -cacerts -nokeys
openssl pkcs12 -in abcd.pfx -out client.pem -clcerts -nokeys
openssl pkcs12 -in abcd.pfx -out key.pem -nocerts
4) Use the following command:
curl -k https://www.thesitetoauthenticate.com/test -v –key key.pem –cacert ca.pem –cert client.pem:
and made 3 certificates out of my Private.pfx file and try to run the command but I still get 403 error
Also webservice is accessible via this example link:
https://example:10443/soaplistener/eurisczech.asmx
This is my curl request:
curl -key key.pem -cacert ca.pem -cert client.pem -v -H "Content-Type: text/xml; charset=utf-8" -d #completeRequest.xml https://example:10443/soaplistener/eurisczech.asmx -ik
I am using gsoap and openssl under Visual Studio C++, I created a client and a server on localhost (port 443).
I have a non explicit error without any description when using (from client side) the option:
soap_ssl_client_context(&soap, "SOAP_SSL_DEFAULT"...
but if I use it with the option:
soap_ssl_client_context(&soap, SOAP_SSL_DEFAULT | SOAP_SSL_SKIP_HOST_CHECK, ...
it is working correctly (but insecurely I gess).
So I decided to check what is the error by checking packets on localhost (with raw capture), and I see that the communication ends by an Encrypted Alert (21) after terminating the handshake.
And I Wonder what I need to do, to get this application working properly and securely on localhost (for testing purpose).
More Info:
I have generated ssl certificates for server side with a batch:
echo CREATE SERVER CA and CA CERT
echo Generate Private Key (passwd protected)
openssl genrsa -des3 -out .\private\CA_key.pem 2048
pause
echo Generate server CA
echo use your server name for the 'common name' field!
openssl req -out ca.pem -new -x509 -key .\private\CA_key.pem
pause
echo Create certificate signing request for CA pub Key
openssl req -new -key .\private\CA_key.pem -out CA_csr.pem
pause
echo Sign it
openssl req -in CA_csr.pem -out CA_crt.pem -key .\private\CA_key.pem -x509 -days 3020
pause
echo FOR C++ SERVER ONLY
type .\private\CA_key.pem CA_crt.pem > server.pem
pause
And also for client side:
echo CREATE PUB/PRIV key pair and cert for client
echo Generate key pair
openssl genrsa -des3 -out client_key.pem 2048
pause
echo Create CSR for client pub key
openssl req -new -key client_key.pem -out client_csr.pem
pause
echo User ca to sign the request (need serial file with '01')
echo make sure your openssl.cnf is correct (path and right CA certificate file)
openssl ca -in client_csr.pem -out client_crt.pem -config openssl.cfg -days 1825
pause
echo CLIENT SPECIFIC FORMATING (optional)
echo for C++ clients ONLY
type client_key.pem client_crt.pem > LCC.pem
I used:
CA_crt.pem as "cacert file" in both soap_ssl_server_context and soap_ssl_client_context.
LCC.pem as client key, and server.pem as server key.
I am not sure if all certificate generation steps are correct but it is working with the option (SOAP_SSL_DEFAULT | SOAP_SSL_SKIP_HOST_CHECK).
Can you help me please to find out what is missing to get it working with SOAP_SSL_DEFAULT only ?
Thank you
I am not sure if all certificate generation steps are correct but it is working with the option (SOAP_SSL_DEFAULT | SOAP_SSL_SKIP_HOST_CHECK).
If the certificate works with gSoap with SOAP_SSL_SKIP_HOST_CHECK and does not work without it, then the CommonName for your certificate is not a hostname or IP address. Depending on the purpose for your certificate, you may not want your certificate CommonName to be the host ip/name and so using SOAP_SSL_SKIP_HOST_CHECK is fine.
If you want to quit using the SOAP_SSL_SKIP_HOST_CHECK flag, then regenerate your certificate to have the CommonName be the host name or ip address. (Note: You may run into conflicts with other certificates installed on your system - if one of them has an identical CommonName.)