1)I created myfile.csr using the below command
req -out myfile.csr -new -newkey rsa:2048 -nodes -keyout myfile-pr.key
I sent myfile.csr to 3rd party to have it signed
3rd party application signed and sent me serverfile.pem
Using these files would i be able to invoke a REST webservice using curl command. I tried the below command but it returned unauthorized error
curl --cacert ./serverfile.pem --key ./myfile-pr.key --cert ./myfile.csr --pass <password> https://serverpost:port/getEmployeeInfo
The --cacert is used to specify the file with the public certificate of the Certification Authority (CA). If you installed 3rd party CA certificate on your system, this option is not needed.
With the --cert you specify the signed client certificate which was issued to you based on your CSR. From man curl:
-E, --cert <certificate[:password]>
Tells curl to use the specified client certificate file when getting a file with HTTPS, FTPS or another SSL-based protocol. The certificate must be in PKCS#12 format if using Secure Transport, or PEM format if
using any other engine. If the optional password isn't specified, it will be queried for on the terminal. Note that this option assumes a "certificate" file that is the private key and the client certificate concate‐
nated! See -E, --cert and --key to specify them independently.
Currently, you are passing CSR (certificate signing request) via --cert parameter. Your command should look something like this:
curl --cacert ./3rd-party-ca-cert.pem --key ./myfile-pr.key --cert ./serverfile.pem --pass <password> https://serverpost:port/getEmployeeInfo
As I mentioned, the --cacert might not be needed if you already added this CA (e.g. on ubuntu https://superuser.com/a/719047).
Check serverfile.pem to make sure it contains only client certificate, and not 3rd party CA certificate chain as well.
... schannel: sending initial handshake data: sending ....
curl does not support client certificates on the command line with SChannel. See this bug report and this todo.
#SteffenUllrich: Sorry i should have formatted better.
Issue was i was trying curl in windows(curl 7.55.1). Not sure if it's version issue. Did the following command in Linux and it works
openssl pkcs12 -export -out combine.p12 -inkey client-cert-pr.key -in serverSelfSigned-cert.pem
openssl pkcs12 -in combine.p12 -out ile.key.pem -nocerts -nodes
openssl pkcs12 -in combine.p12 -out file.crt.pem -clcerts -nokeys
curl -E ./file.crt.pem --key ./file.key.pem https://thirdpartyserver.com/employee
Notes:
client-cert-pr.key: client private key
serverselfsigned-cert.pem: self signed certificate sent by 3rd party
The below other 2 options also works. Thanks #bagljas
curl --cacert ./serverfile.pem --key ./myfile-pr.key --cert ./serverfile.pem --pass <passwrod> https://serverpost:port/getEmployeeInfo
curl --key ./myfile-pr.key --cert ./serverfile.pem --pass <passwrod> https://serverpost:port/getEmployeeInfo
Same command doesn't work in windows
Related
I want to convert the following curl into a Postman script:
curl --cacert ca.crt --key client.key --cert client.crt "https://myurl"
All three SSL parts are required, i.e. client cert, client key AND server cert.
In Postman settings - certificates, I can set the CLIENT crt and the client KEY....but how do I set the server cert that is also required otherwise the request will fail.
To resolve this I converted ca.crt, client.key and client.crt into a .pfx file using this command:
openssl pkcs12 -export -out certificate.pfx -inkey client.key -in client.crt -certfile CA.crt
This created a file called certificate.pfx
[You will be prompted whether you want to add a password for the file or not].
Open Postman – click on the settings cog and then choose Settings
Click on Certificates
Click on ‘Add Certificate’ to the right of Client Certificates
In the Host section set the url as required for your API
In the PFX file section click on Select File and browse to certificate.pfx
If you created a password for certificate.pfx - enter that in the Passphrase section
Click on ‘Add’
Close Settings
You should now be able to send the request to the API and get a successful response
I have been supplied 4 files from AWS IOT:
CA.pem
AWS-private.pem.crt
private.pem.key
public.pem.key
I have tried a multitude of methods to get these to work with Android Studio and Kotlin to connect to an MQTT service and have now lost direction.
Firstly are there any command lines that I need to run on the certs and keys before I use ?
Do I need to use a keystore ?
If so should that keystore be bouncycastle or spongycastle ?
I have tried to create a keystore by running the keytool and creating
openssl pkcs12 -export -out ks.p12 -inkey -in my.pem -name mykeystore
but when I try to import like so
keytool -importkeystore -srckeystore ks.p12 -srcstoretype pkcs12 -destkeystore ks.bks -deststoretype BKS --provider org.bouncycastle.jce.provider.BouncyCastleProvider -–providerpath ~/Downloads/bcprov-jdk16-1.46.jar
I get this error
keytool error: java.security.KeyStoreException: Unrecognized keystore format: null
So I can't even get testing my Kotlin to see if the BKS works.
I am trying to access a webservice.
Before when I was trying to run that webservice in my Chrome web browser, I was getting 403 error but when I imported Private.pfx file into chrome certificates, I could easily access the webservice.
Now with curl I am getting 403 forbidden error.
I followed this link
using-certificates-with-curl
1) Convert it into PEM format (X.509 certificate) using openssl.
openssl pkcs12 -in abcd.pfx -out abcd.pem
Enter a passphrase and a password.
2) Still you cannot use this with curl because you’d get a few errors.
3) Convert this PEM certificate into three different certificates for the client, the private key and the certification authority certificate.
openssl pkcs12 -in abcd.pfx -out ca.pem -cacerts -nokeys
openssl pkcs12 -in abcd.pfx -out client.pem -clcerts -nokeys
openssl pkcs12 -in abcd.pfx -out key.pem -nocerts
4) Use the following command:
curl -k https://www.thesitetoauthenticate.com/test -v –key key.pem –cacert ca.pem –cert client.pem:
and made 3 certificates out of my Private.pfx file and try to run the command but I still get 403 error
Also webservice is accessible via this example link:
https://example:10443/soaplistener/eurisczech.asmx
This is my curl request:
curl -key key.pem -cacert ca.pem -cert client.pem -v -H "Content-Type: text/xml; charset=utf-8" -d #completeRequest.xml https://example:10443/soaplistener/eurisczech.asmx -ik
I have my Java code deployed on Tomcat in AWS and in Tier 1, I have a load balancer configured with public and private key generated using following commands.
openssl genrsa -out server_privatekey.pem 1024
openssl req -new -key server_privatekey.pem -out server_certificate_csr.pem
openssl x509 -req -days 3650 -in server_certificate_csr.pem -signkey server_privatekey.pem -out server_certificate.pem
Now, the main difficulty I'm facing is as follows:
I have android app which calls this REST API's, now I want to call the API from Android, but that would require me to pass some form of authentication to server. I'm unable to understand what would that be. If anyone could point me to specific resource that would be really helpful.
(Note: I have already posted this question on the AWS forum but there is no reply yet: https://forums.aws.amazon.com/thread.jspa?threadID=64432).
I was able to call the REST API using HTTPS. At client side, I downloaded the certificate and generated the trust store from it using following command
keytool -importcert -keystore secure.ts -storepass 12345678 -file <cert>
and then while calling my REST API using URL command, I used following property.
System.setProperty("javax.net.ssl.trustStore", "<trust store path eg: secure.ts from above command>");
System.setProperty("javax.net.ssl.trustStorePassword", "12345678");
I am using gsoap and openssl under Visual Studio C++, I created a client and a server on localhost (port 443).
I have a non explicit error without any description when using (from client side) the option:
soap_ssl_client_context(&soap, "SOAP_SSL_DEFAULT"...
but if I use it with the option:
soap_ssl_client_context(&soap, SOAP_SSL_DEFAULT | SOAP_SSL_SKIP_HOST_CHECK, ...
it is working correctly (but insecurely I gess).
So I decided to check what is the error by checking packets on localhost (with raw capture), and I see that the communication ends by an Encrypted Alert (21) after terminating the handshake.
And I Wonder what I need to do, to get this application working properly and securely on localhost (for testing purpose).
More Info:
I have generated ssl certificates for server side with a batch:
echo CREATE SERVER CA and CA CERT
echo Generate Private Key (passwd protected)
openssl genrsa -des3 -out .\private\CA_key.pem 2048
pause
echo Generate server CA
echo use your server name for the 'common name' field!
openssl req -out ca.pem -new -x509 -key .\private\CA_key.pem
pause
echo Create certificate signing request for CA pub Key
openssl req -new -key .\private\CA_key.pem -out CA_csr.pem
pause
echo Sign it
openssl req -in CA_csr.pem -out CA_crt.pem -key .\private\CA_key.pem -x509 -days 3020
pause
echo FOR C++ SERVER ONLY
type .\private\CA_key.pem CA_crt.pem > server.pem
pause
And also for client side:
echo CREATE PUB/PRIV key pair and cert for client
echo Generate key pair
openssl genrsa -des3 -out client_key.pem 2048
pause
echo Create CSR for client pub key
openssl req -new -key client_key.pem -out client_csr.pem
pause
echo User ca to sign the request (need serial file with '01')
echo make sure your openssl.cnf is correct (path and right CA certificate file)
openssl ca -in client_csr.pem -out client_crt.pem -config openssl.cfg -days 1825
pause
echo CLIENT SPECIFIC FORMATING (optional)
echo for C++ clients ONLY
type client_key.pem client_crt.pem > LCC.pem
I used:
CA_crt.pem as "cacert file" in both soap_ssl_server_context and soap_ssl_client_context.
LCC.pem as client key, and server.pem as server key.
I am not sure if all certificate generation steps are correct but it is working with the option (SOAP_SSL_DEFAULT | SOAP_SSL_SKIP_HOST_CHECK).
Can you help me please to find out what is missing to get it working with SOAP_SSL_DEFAULT only ?
Thank you
I am not sure if all certificate generation steps are correct but it is working with the option (SOAP_SSL_DEFAULT | SOAP_SSL_SKIP_HOST_CHECK).
If the certificate works with gSoap with SOAP_SSL_SKIP_HOST_CHECK and does not work without it, then the CommonName for your certificate is not a hostname or IP address. Depending on the purpose for your certificate, you may not want your certificate CommonName to be the host ip/name and so using SOAP_SSL_SKIP_HOST_CHECK is fine.
If you want to quit using the SOAP_SSL_SKIP_HOST_CHECK flag, then regenerate your certificate to have the CommonName be the host name or ip address. (Note: You may run into conflicts with other certificates installed on your system - if one of them has an identical CommonName.)