Use Case: The client will create a public/private key pair and provide me the public key. I'm supposed to encrypt (RSA) the message with the public key and send the message to the client. The client will decrypt the message with the private key.
Key Generation: The client generated the public/private keys using openssl. Commands given below.
openssl genrsa -des3 -out private.pem 2048
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
Challenge: I'm supposed to save the public key somewhere. Since we are already utilizing Google KMS, is there a way I can maintain only the public key in Google KMS?
I have gone through https://cloud.google.com/kms/docs/importing-a-key#create_importjob but the command below is failing with: (gcloud.kms.keys.versions.import) INVALID_ARGUMENT: Wrapped key is too short.
Import Command Used:
gcloud kms keys versions import \
--import-job {job_name} \
--location {location} \
--keyring {keyring} \
--key {key_name} \
--algorithm "rsa-decrypt-oaep-2048-sha256" \
--rsa-aes-wrapped-key-file public.pem
Also, I'm not able to convert the public key to PKCS#8 DER format by executing the command below; I get: /crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER \
-in /path/to/publicKey.pem \
-out /path/to/publicKey_formtted.pem
Cloud KMS is designed around securing private or secret keys. In most cryptographic protocols, public keys are not confidential, so you can just store the public key as metadata for your system and do the encryption locally in your application.
Thanks for using GCP and Cloud KMS.
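The local alternative the answer describes, as an added example that is not part of the original post and is not Cloud KMS code: the server keeps the client's public.pem as plain metadata, checks that it really is a public key (the pkcs8 -topk8 command in the question fails because that subcommand only reads private keys), and encrypts with RSA-OAEP/SHA-256 using openssl. The script assumes openssl 1.1.0 or newer on PATH; it generates the key pair itself, without the -des3 passphrase, only so that it runs stand-alone, and the message text is made up.

```sh
#!/bin/sh
# Added example, not from the original post: keep the client's public key as
# ordinary metadata and do the RSA-OAEP encryption locally with openssl.
# Assumes openssl >= 1.1.0 on PATH. The key pair is generated here only so the
# script runs stand-alone; in the real flow the client sends you public.pem.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Same key generation as the question, minus -des3 so there is no passphrase prompt.
make_client_keys() {
  openssl genrsa -out "$WORK/private.pem" 2048 2>/dev/null
  openssl rsa -in "$WORK/private.pem" -pubout -out "$WORK/public.pem" 2>/dev/null
}

# Accept the file only if openssl can load it as a public key (SubjectPublicKeyInfo PEM).
# "openssl pkcs8 -topk8" cannot do this: it only reads private keys, hence the
# "Expecting: ANY PRIVATE KEY" error in the question.
check_public_key() { # $1 = candidate public key file
  openssl pkey -pubin -in "$1" -noout 2>/dev/null
}

# RSA-OAEP with SHA-256 for both the OAEP hash and MGF1, i.e. the parameters the
# Cloud KMS algorithm name rsa-decrypt-oaep-2048-sha256 refers to.
encrypt_oaep() { # $1 = public key, $2 = plaintext file, $3 = ciphertext file
  openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256
}

# What the client runs with private.pem (shown here only to close the loop).
decrypt_oaep() { # $1 = private key, $2 = ciphertext file, $3 = plaintext file
  openssl pkeyutl -decrypt -inkey "$1" -in "$2" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256
}

# Round trip: returns 0 only if decrypt(encrypt(msg)) reproduces msg byte for byte.
roundtrip() { # $1 = message string
  printf '%s' "$1" > "$WORK/pt"
  encrypt_oaep "$WORK/public.pem" "$WORK/pt" "$WORK/ct"
  decrypt_oaep "$WORK/private.pem" "$WORK/ct" "$WORK/dec"
  [ "$(cksum < "$WORK/pt")" = "$(cksum < "$WORK/dec")" ]
}

# RSA-2048 with OAEP/SHA-256 carries at most k - 2*hLen - 2 = 256 - 64 - 2 = 190
# bytes per operation; longer messages need hybrid encryption (random symmetric
# key, RSA-wrap that key). Returns 0 if a message of $1 bytes encrypts, 1 otherwise.
fits_in_one_block() { # $1 = byte count
  head -c "$1" /dev/zero | tr '\0' 'A' > "$WORK/pt"
  encrypt_oaep "$WORK/public.pem" "$WORK/pt" "$WORK/ct" 2>/dev/null
}

make_client_keys
check_public_key "$WORK/public.pem" && echo "public.pem loads as a public key"
roundtrip "order 4711 approved" && echo "round trip OK"
fits_in_one_block 190 && echo "190 bytes: fits"
fits_in_one_block 191 || echo "191 bytes: too long for RSA-2048 OAEP-SHA256, use hybrid encryption"
```

The 190-byte limit is the reason "encrypt the message with RSA" only works for short payloads such as a session key; anything larger should be encrypted symmetrically and only the symmetric key RSA-wrapped.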
I am new to AWS and am trying to do the steps below:
Used the commands below to generate .csr and .key files:
openssl genrsa -out test.abcd.com.key 2048
openssl req -new -key test.abcd.com.key -out test.abcd.com.csr
Country Name: GB
State: London
Locality Name: London
Organization Name: abcd
Organization Unit: TSO
Common Name (eg, your name or your server's hostname) []:test.abcd.com
It created two files: test.abcd.com.csr test.abcd.com.key
I sent test.abcd.com.csr to the client to get it signed and received two .pem files: one is the certificate body and the other is the chain. I used these two .pem files from the client alongside the .key file that I had in step 1 to create a custom domain test.abcd.com. I updated the API mappings for this custom domain and the APIs are accessible now using this domain name.
I used the public SSL .pem from step 2 and the .key from step 1 alongside the commands below to create the client-side .csr, .key and .pem files.
openssl genrsa -out my_client.key 2048
openssl req -new -key my_client.key -out my_client.csr
openssl x509 -req -in my_client.csr -CA test.abcd.com.pem -CAkey test.abcd.com.key -set_serial 01 -out my_client.pem -days 3650 -sha256
Output of the ls command:
test.abcd.com.key test.abcd.com.pem intermediate.pem my_client.csr my_client.key my_client.pem
I created truststore.pem using the command below:
cat intermediate.pem test.abcd.com.pem > truststore.pem
and uploaded it to an S3 bucket.
I configured mutual TLS for the domain test.abcd.com in API Gateway using the S3 URI of the truststore.pem above and an imported ownership verification certificate, using the .pem and .key files of test.abcd.com generated in steps 1 and 2.
But while adding the ownership verification certificate, I get the error below:
Invalid ownershipVerificationCertificate. OwnershipVerificationCertificate should be a public ACM certificate.
If you look closely, I used the public SSL .pem and the .key (from step 1) to provide the certificate, and this error also states the same. Am I missing anything here?
Thanks in advance!
I have created a socketcluster nodejs app. I followed their official docs to deploy the service to Google Kubernetes Engine. However, the ingress service is not coming up and complains about:
Error:googleapi: Error 400: The SSL key is too large., sslCertificateKeyTooLarge
I tried following certificates:
4096-bit key certificate from Let's Encrypt
2048-bit key certificate created using OpenSSL.
Both of them result in the same error.
Does anyone know how I resolve this? And where do I get a proper certificate for enabling TLS?
IIRC, only RSA-2048 and ECDSA P256 keys are supported:
openssl genrsa -out PRIVATE_KEY_FILE 2048
openssl ecparam -name prime256v1 -genkey -noout -out PRIVATE_KEY_FILE
I also struggled with this error when using Let's Encrypt certs with a 4096-bit private key on a GKE ingress, even though creating the secret worked fine per [1].
Finally overcame it by editing "/etc/letsencrypt/cli.ini":
rsa-key-size = 2048
issued a new certificate and key file and put those into the secret.
[1] https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl
On GCP Cloud Shell with "openssl" and "gcloud", I tried to create a self-managed SSL certificate, first running the command below to create "myCert.crt" and "myKey.key":
openssl req -new -newkey rsa:4096 -x509 -days 365 -nodes -out myCert.crt -keyout myKey.key
Then I ran the command below to create the self-managed SSL certificate "mycert" using "myCert.crt" and "myKey.key":
gcloud compute ssl-certificates create mycert --certificate=myCert.crt --private-key=myKey.key
But I got a similar error to yours:
ERROR: (gcloud.compute.ssl-certificates.create) Could not fetch resource:
The SSL key is too large.
So I changed "rsa:4096" to "rsa:2048" and ran the first command again:
# "4096" is changed to "2048"
openssl req -new -newkey rsa:2048 -x509 -days 365 -nodes -out myCert.crt -keyout myKey.key
Then I ran the second command again:
gcloud compute ssl-certificates create mycert --certificate=myCert.crt --private-key=myKey.key
Finally, I could create the self-managed SSL certificate "mycert":
Created [https://www.googleapis.com/compute/v1/projects/myproject-923743/global/sslCertificates/mycert].
NAME: mycert
TYPE: SELF_MANAGED
CREATION_TIMESTAMP: 2022-01-22T07:22:26.058-08:00
EXPIRE_TIME: 2023-01-22T07:22:08.000-08:00
MANAGED_STATUS:
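A pre-flight check for the key size before the upload, as an added example that is not from any of the answers above: it parses the key with openssl and reports type, size and curve, so "The SSL key is too large" is caught locally. It assumes openssl 1.1.1 or newer on PATH; the accepted set (RSA-2048, EC P-256) is hard-coded from the answer above as an assumption of this script, not read from any product documentation, and the keys it inspects are generated on the spot for the demo.

```sh
#!/bin/sh
# Added example, not from the answers above: inspect a PEM private key locally
# before "gcloud compute ssl-certificates create" or "kubectl create secret tls".
# Assumes openssl >= 1.1.1 on PATH. The accepted set (RSA-2048, EC P-256) is an
# assumption taken from the answer above, hard-coded in gclb_key_ok.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Print "rsa" or "ec" for a PEM private key; anything openssl cannot parse returns 1.
key_type() { # $1 = private key file
  text=$(openssl pkey -in "$1" -noout -text 2>/dev/null) || return 1
  if printf '%s\n' "$text" | grep -q '^modulus:'; then echo rsa
  elif printf '%s\n' "$text" | grep -q '^ASN1 OID:'; then echo ec
  else return 1
  fi
}

# Modulus size (RSA) or field size (EC) in bits, parsed from the "(NNNN bit" header line.
key_bits() { # $1 = private key file
  openssl pkey -in "$1" -noout -text 2>/dev/null | grep -o '([0-9]* bit' | head -n 1 | tr -dc '0-9'
}

# Named curve of an EC key ("prime256v1" is P-256); empty for RSA.
ec_curve() { # $1 = private key file
  openssl pkey -in "$1" -noout -text 2>/dev/null | sed -n 's/^ASN1 OID: *//p'
}

# 0 if the key is RSA-2048 or EC P-256, 1 otherwise.
gclb_key_ok() { # $1 = private key file
  case "$(key_type "$1")/$(key_bits "$1")/$(ec_curve "$1")" in
    rsa/2048/ | ec/256/prime256v1) return 0 ;;
    *) return 1 ;;
  esac
}

report() { # $1 = private key file
  if gclb_key_ok "$1"; then echo "$1: $(key_type "$1") $(key_bits "$1") -> accepted"
  else echo "$1: $(key_type "$1") $(key_bits "$1") -> rejected (use RSA-2048 or P-256)"
  fi
}

# Demo keys: the two the answers mention plus the 4096-bit one that triggers the error.
openssl genrsa -out "$WORK/rsa2048.key" 2048 2>/dev/null
openssl genrsa -out "$WORK/rsa4096.key" 4096 2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/p256.key"
for k in "$WORK/rsa2048.key" "$WORK/rsa4096.key" "$WORK/p256.key"; do report "$k"; done
```

Run it on the key you are about to upload (report /path/to/your.key) instead of the generated ones; the same parsing works for the PKCS#8 "PRIVATE KEY" files certbot writes.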
I'm looking at "plugging in an existing CA" into my Istio environment as documented here:
https://istio.io/pt-br/docs/tasks/security/citadel-config/plugin-ca-cert/
I can see that the following command allows you to store a key, cert and chain in Kubernetes secrets; however, it does not appear to provide an option for creating a CSR. Obviously, this would also involve first generating a private key.
Is this correct, or is there an option to do this?
$ kubectl create secret generic cacerts -n istio-system --from-file=samples/certs/ca-cert.pem \
--from-file=samples/certs/ca-key.pem --from-file=samples/certs/root-cert.pem \
--from-file=samples/certs/cert-chain.pem
The command you listed allows you to create a secret object in Kubernetes for the CA certificate, key, chain etc., which can be consumed by deployments and services. So the assumption in the documentation is that you already have a certificate ready for use.
I suggest following the entire Istio SDS secure gateway configuration guide.
To generate a private key and CSR using OpenSSL, follow the Istio documentation guide:
For this task you can use your favorite tool to generate certificates and keys. The commands below use openssl
Create a root certificate and private key to sign the certificates for your services:
$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt
Create a certificate and a private key for httpbin.example.com:
$ openssl req -out httpbin.example.com.csr -newkey rsa:2048 -nodes -keyout httpbin.example.com.key -subj "/CN=httpbin.example.com/O=httpbin organization"
$ openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in httpbin.example.com.csr -out httpbin.example.com.crt
Additional information from the Istio documentation:
https://istio.io/docs/concepts/security/#pki
Hope it helps.
I cannot add my Comodo SSL certificate to AWS CloudFront. I get the error:
I have received the following files from them:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSAOrganizationValidationSecureServerCA.crt
STAR_myapp_com.crt
I also have the private key.
Following this blog: https://guillaumemaka.com/2015/05/06/install-your-comodo-certificates-to-amazon-aws.html
openssl x509 -in ./AddTrustExternalCARoot.crt -outform pem -out ./pem/AddTrustExternalCARoot.pem
openssl x509 -in ./COMODORSAAddTrustCA.crt -outform pem -out ./pem/COMODORSAAddTrustCA.pem
openssl x509 -in ./COMODORSAOrganizationValidationSecureServerCA.crt -outform pem -out ./pem/COMODORSAOrganizationValidationSecureServerCA.pem
openssl x509 -in ./cdn_guillaumemaka_com.crt -outform pem -out ./pem/cdn_guillaumemaka_com.pem
openssl rsa -in ./private.key -outform PEM -out private.key.pem
Now, I created the certificate chain using the commands:
$ cat ./pem/COMODORSADomainValidationSecureServerCA.pem > ./pem/CAChain.pem
$ cat ./pem/COMODORSAAddTrustCA.pem >> ./pem/CAChain.pem
$ cat ./pem/AddTrustExternalCARoot.pem >> ./pem/CAChain.pem
Finally, I uploaded the certificate using:
aws iam upload-server-certificate --server-certificate-name CDNServerCertificate --certificate-body file://cdn_guillaumemaka_com.pem --private-key file://private.key.pem --certificate-chain file://CAChain.pem --path /cloudfront/production/
When I try to add this to my cloudfront distribution, I get this error:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain. (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: 90ee29ae-068e-11e8-xxxx-62197a5115b7)
How do I create a valid certificate bundle?
How do I solve this?
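The three certificate-chain posts above (the API Gateway truststore, the Istio CA secret and the CloudFront chain) all come down to the same two checks: is the chain file in the right order, and does the leaf actually validate against it. The following is an added example, not code from any of the posts, from Istio or from the linked blog: it builds a root, an intermediate and a leaf with openssl, assembles the chain with the leaf's issuer first and the root last, confirms each certificate's issuer is the subject of the next one, and runs openssl verify before anything is uploaded. Subject names such as Example Root CA and www.example.test are made up for the demo; it assumes openssl 1.1.1 or newer on PATH.

```sh
#!/bin/sh
# Added example, not part of any post above: build root -> intermediate -> leaf,
# assemble the chain file in the order a certificate upload or an mTLS truststore
# expects, and verify it locally. Names are made up; assumes openssl >= 1.1.1.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: "openssl x509 -req" adds no extensions unless told to, and a
# certificate without CA:TRUE cannot sign others in a way that verifies.
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

build_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/O=Example/CN=Example Root CA' \
    -keyout root.key -out root.pem 2>/dev/null                      # self-signed root
  openssl req -new -newkey rsa:2048 -nodes -subj '/O=Example/CN=Example Issuing CA' \
    -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -days 365 -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -out int.pem 2>/dev/null                         # intermediate
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -days 365 -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -extfile leaf.ext -out leaf.pem 2>/dev/null                      # leaf
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Unrelated CA' \
    -keyout other.key -out other.pem 2>/dev/null                     # wrong CA, for the negative case
}

# Chain file for upload: issuer of the leaf first, root last. (Servers need only the
# intermediates; a client-certificate truststore is the CA certificates, no leaf.)
assemble_chain() { cat int.pem root.pem > chain.pem; }

# Structural check: each certificate's issuer must be the subject of the next one in
# the file. A chain whose first certificate did not issue the leaf fails here.
chain_links_ok() { # $1 = leaf cert, $2 = chain file
  rm -rf split && mkdir split
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { f = sprintf("split/%03d.pem", n); print > f }' "$2"
  prev=$1
  for c in split/*.pem; do
    want=$(openssl x509 -in "$prev" -noout -issuer -nameopt RFC2253 | cut -d= -f2-)
    have=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | cut -d= -f2-)
    [ "$want" = "$have" ] || { echo "chain break: $c ($have) did not issue $prev" >&2; return 1; }
    prev=$c
  done
}

# Cryptographic check: full path validation from the leaf up to the trust anchor.
verify_chain() { # $1 = leaf, $2 = chain file (intermediates), $3 = trusted root(s)
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

build_pki
assemble_chain
chain_links_ok leaf.pem chain.pem && echo "chain order: OK"
verify_chain leaf.pem chain.pem root.pem && echo "openssl verify: OK"
cat other.pem root.pem > badchain.pem
chain_links_ok leaf.pem badchain.pem || echo "badchain.pem rejected, as expected"
```

For a CA-issued certificate, replace int.pem/root.pem with the files the CA sent and run chain_links_ok and verify_chain against them; for an mTLS truststore, run verify_chain with the client certificate as the leaf and the truststore as the trust anchor.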
# I used this command to create the key with a password
$ ssh-keygen -b 2048 -t rsa -C "awsfrankfurt" -f ~/.ssh/awsfrankfurt
# Then when I try to import it into AWS EC2, the error appears:
$ aws --region eu-central-1 ec2 import-key-pair \
--key-name "awsfrankfurt" \
--public-key-material ~/.ssh/awsfrankfurt
An error occurred (InvalidKey.Format) when calling the ImportKeyPair operation:
Key is not in valid OpenSSH public key format
AWS only supports RSA key pairs; it does not support DSA, ECDSA or Ed25519 key pairs. If you try to upload a non-RSA public key, you will get this error.
This is documented here:
Amazon EC2 does not accept DSA keys. Make sure your key generator is set up to create RSA keys.
The error message is misleading, as you can upload a valid non-RSA key and get the error:
Error import KeyPair: InvalidKey.Format: Key is not in valid OpenSSH public key format
This answer should be useful for people who find this page after searching for this error message.
Create your key, and then when passing aws's --public-key-material argument, prefix your key path with file://.
Example:
$ aws --region eu-central-1 ec2 import-key-pair \
--key-name "awsfrankfurt" \
--public-key-material file://~/.ssh/awsfrankfurt # <-- this
This is a weird issue because the file:// prefix is usually used for Windows, but here with aws it applies to Unix-based terminals as well.
I ran into the same situation when I was creating an AWS key pair using Pulumi. Strangely, it worked when I used the content of the public key rather than the .pub file.
So here is what I changed in my code.
from :
aws.ec2.KeyPair("keypair", public_key="~/.ssh/mykey.pub")
to:
aws.ec2.KeyPair("keypair", public_key="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC9u37J5tfzmeA8INBCcFSPKnUN8GIjYFdPOOCn8AjUC5iTJX/7TWd3pZ42Z++RCIlvBvKkH7LL1p"
Changed from the path to the .pub file to the content of the .pub file.
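A pre-flight check for whatever you are about to pass as --public-key-material, as an added example that is not from the answers above: it parses one OpenSSH public key line, decodes the base64 blob (RFC 4253 wire format: a string holding the key type, then the key fields) and confirms the type inside the blob matches the label in front of it; for ssh-rsa it also reports the modulus size. A private key file, a PEM file or a mangled paste is rejected before the API call. It assumes GNU or busybox base64 and od on PATH; the sample blobs are constructed for the demo and are not real keys.

```sh
#!/bin/sh
# Added example, not from the answers above: validate an OpenSSH public key line
# before "aws ec2 import-key-pair". Assumes GNU/busybox base64 and od.
# The demo blobs at the bottom are constructed, not real keys.
set -euf

hex_of_b64() { printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n'; }
hex_of_ascii() { printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'; }

# Bytes [$2, $2+$3) of hex string $1, as hex (empty when out of range).
bytes_at() { printf '%s' "$1" | cut -c $((2 * $2 + 1))-$((2 * ($2 + $3))) 2>/dev/null; }

# Big-endian uint32 at byte offset $2. Past the end of the blob it yields
# 0xffffffff, an impossible length that makes later checks fail instead of aborting.
u32_at() {
  h=$(bytes_at "$1" "$2" 4)
  [ ${#h} -eq 8 ] || h=ffffffff
  echo $(( 0x$h ))
}

# Bit length of a positive big-endian integer given as hex without a leading 00 byte.
int_bits() {
  first=$(( 0x$(printf '%s' "$1" | cut -c 1-2) )); b=0
  while [ "$first" -gt 0 ]; do first=$((first / 2)); b=$((b + 1)); done
  echo $(( (${#1} / 2 - 1) * 8 + b ))
}

# Prints "TYPE BITS" and returns 0 for a well-formed line; else a reason on stderr and 1.
check_openssh_pubkey() { # $1 = one line: "TYPE BASE64 [comment]"
  set -- $1
  [ $# -ge 2 ] || { echo "not of the form 'TYPE BASE64 [comment]'" >&2; return 1; }
  case $1 in
    ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) label=$1 ;;
    *) echo "unknown key type label: $1" >&2; return 1 ;;
  esac
  hex=$(hex_of_b64 "$2")
  [ ${#hex} -ge 8 ] || { echo "second field is not base64 or is too short" >&2; return 1; }
  tlen=$(u32_at "$hex" 0)
  [ "$(bytes_at "$hex" 4 "$tlen")" = "$(hex_of_ascii "$label")" ] \
    || { echo "blob encodes a different key type than the label '$label'" >&2; return 1; }
  off=$((4 + tlen))
  if [ "$label" = ssh-rsa ]; then
    off=$((off + 4 + $(u32_at "$hex" "$off")))        # skip mpint e
    n=$(bytes_at "$hex" $((off + 4)) "$(u32_at "$hex" "$off")")
    n=${n#00}                                          # mpint leading zero byte
    [ -n "$n" ] || { echo "truncated RSA modulus" >&2; return 1; }
    bits=$(int_bits "$n")
  else
    bits=$(( $(u32_at "$hex" "$off") * 8 ))            # length of the first key field
  fi
  echo "$label $bits"
}

# Constructed demo blobs (not real keys).
demo_rsa_blob() {     # string "ssh-rsa" | mpint e=65537 | mpint n=0x80000001 (32-bit toy modulus)
  printf '\000\000\000\007ssh-rsa\000\000\000\003\001\000\001\000\000\000\005\000\200\000\000\001' \
    | base64 | tr -d '\n'
}
demo_ed25519_blob() { # string "ssh-ed25519" | string of 32 zero bytes
  { printf '\000\000\000\013ssh-ed25519\000\000\000\040'; head -c 32 /dev/zero; } | base64 | tr -d '\n'
}

for line in "ssh-rsa $(demo_rsa_blob) demo@example" "ssh-ed25519 $(demo_ed25519_blob)" \
            "ssh-ed25519 $(demo_rsa_blob)" "-----BEGIN OPENSSH PRIVATE KEY-----"; do
  if out=$(check_openssh_pubkey "$line"); then echo "accept: $out"; else echo "reject: ${line%% *} ..."; fi
done
```

To check a real file, pass its single line: check_openssh_pubkey "$(cat ~/.ssh/id_rsa.pub)"; a PEM private key fails at the first field, and a .pub whose base64 was wrapped or edited fails the type comparison.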