I am trying to sign an ova file by following this link. I also generated the manifest file but I don't see any information in the signed file. Here is the command I am using:
openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:1024 -keyout myself.pem -out myself.pem
openssl sha1 *.ova > myself.mf
ovftool --privateKey=myself.pem sample.ova sample-signed.ova
When I run ovftool sample-signed.ova it has no manifest information. I tried unzipping the ova file and did exactly the same with ovf file but it didn't help either.
ovftool --version
VMware ovftool 4.1.0 (build-2459827)
OVA is a tar archive of
OVF (XML) file,
related resource files (e.g. disk VMDKs),
and that MF file containing hashes of files on the list above,
etc...? (e.g. CERT signature).
The signing process adds a CERT file (containing the generated signature of the MF file, and the certificate). I'm not sure for now whether ovftool can operate on the OVF or MF file itself. However, when running on the whole OVA archive, it also creates the MF file, if missing, in the new signed OVA (that's for ovftool-4.5.0-20459872).
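As an added example (shell, not code from the original answer or from ovftool), the following builds a minimal OVA with the structure the answer describes and then verifies the manifest the way a consumer should before trusting the package; openssl and tar are assumed to be on PATH, and all file names and contents are constructed.

```shell
# Added example, not from the original answer or from ovftool. It builds a minimal OVA
# as the answer describes (OVF + disk + manifest, tar'd together) and then checks the
# manifest the way a consumer should before trusting the package: every listed digest
# must match and every payload file must be listed. Assumes openssl and tar are on
# PATH; all file names and contents below are constructed for the example.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Hex digest of a file, taken from after "= " so the label openssl prints does not matter
sha1_hex() { openssl dgst -sha1 "$1" | sed 's/.*= //'; }
# Manifest entries use the OVF layout: SHA1(<file name>)= <hex digest>
write_manifest() {   # $1 = package dir, $2 = manifest file name
    ( cd "$1" && for f in *.ovf *.vmdk; do
          printf 'SHA1(%s)= %s\n' "$f" "$(sha1_hex "$f")"; done ) > "$1/$2"
}
build_sample_ova() {   # prints the path of the OVA it created
    mkdir -p "$WORK/pkg"
    printf '<Envelope/>\n' > "$WORK/pkg/sample.ovf"             # constructed stand-in OVF
    printf 'not a real disk\n' > "$WORK/pkg/sample-disk1.vmdk"  # constructed stand-in disk
    write_manifest "$WORK/pkg" sample.mf
    tar -cf "$WORK/sample.ova" -C "$WORK/pkg" sample.ovf sample-disk1.vmdk sample.mf
    echo "$WORK/sample.ova"
}
# Re-pack with a modified disk but the old manifest: what a tampered OVA looks like
build_tampered_ova() {
    printf 'extra bytes\n' >> "$WORK/pkg/sample-disk1.vmdk"
    tar -cf "$WORK/tampered.ova" -C "$WORK/pkg" sample.ovf sample-disk1.vmdk sample.mf
    echo "$WORK/tampered.ova"
}
# Prints "ok" when every payload file is listed and all digests match, otherwise the
# first problem found: "no manifest", or "missing"/"mismatch"/"unlisted" plus the file name
verify_ova() {   # $1 = path to .ova
    dir=$(mktemp -d "$WORK/verify.XXXXXX")
    tar -xf "$1" -C "$dir" || { echo "untar failed"; return; }
    mf=$(ls "$dir"/*.mf 2>/dev/null | head -n 1)
    [ -n "$mf" ] || { echo "no manifest"; return; }
    while IFS= read -r line; do
        name=${line#*(}; name=${name%%)*}; want=${line#*= }
        [ -f "$dir/$name" ] || { echo "missing $name"; return; }
        [ "$(sha1_hex "$dir/$name")" = "$want" ] || { echo "mismatch $name"; return; }
    done < "$mf"
    for f in "$dir"/*; do
        b=$(basename "$f")
        case "$b" in *.mf|*.cert) continue ;; esac
        grep -q "($b)=" "$mf" || { echo "unlisted $b"; return; }
    done
    echo ok
}

verify_ova "$(build_sample_ova)"      # ok
verify_ova "$(build_tampered_ova)"    # mismatch sample-disk1.vmdk
```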
I am in step 3 of AWS OTA documentation https://docs.aws.amazon.com/freertos/latest/userguide/ota-code-sign-cert-esp.html
I am able to do the first two steps but not able to make the certificate:
openssl req -new -x509 -config cert_config.txt -extensions my_exts -nodes -days 365 -key ecdsasigner.key -out ecdsasigner.crt
I get the following error:
Can't open cert_config.txt for reading, No such file or directory
25968:error:02001002:system library:fopen:No such file or directory:../openssl-1.1.1k/crypto/bio/bss_file.c:69:fopen('cert_config.txt','r')
25968:error:2006D080:BIO routines:BIO_new_file:no such file:../openssl-1.1.1k/crypto/bio/bss_file.c:76:
I have tried:
installing another version of ssl instead of using git bash but I ran into the same issue
I have tried elevated privileges as administrator
I have tried the full path to "cert_config.txt" with or without double quotations and to no avail
Any help is appreciated
I am an idiot; if I look at the full file name, it's cert_config.txt.txt
Try ./cert_config.txt in the parameter.
I'm trying to put all the different certificates in a single .pfx (PKCS12) file. I am able to import all the PrivateKeyEntry(s) into a master pfx file (I also verified the entries using the keytool command; output snippet:
alias1, Sep 9, 2020,PrivateKeyEntry,
Certificate fingerprint (SHA1):<XX:YY:...>
alias2, Sep 9, 2020,PrivateKeyEntry,
Certificate fingerprint (SHA1):<AA:BB:...>
)
but when I'm using this pfx in Postman I'm getting "Error: MULTIPLE_PRIVATE_KEYS_IN_PKCS12"!
When I'm using certificates individually then everything is working fine in Postman. I checked already that multiple PrivateKeyEntry can reside in a single .pfx file - Can a .pfx file contain more than one private key?.
Instead of maintaining separate pfx files to connect separate systems I want to keep all certificate entries in a single file (pfx) so that can be used for all the different systems.
Is it possible?
Thanks in advance!
You can convert the pfx certificate into another format. Crt+key works for me.
You can use OpenSSL to convert the certificate:
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.crt
openssl pkcs12 -in certificate.pfx -nocerts -out key-encrypted.key
I have built libcurl for Windows x64 with OpenSSL. If I specify the CA Info with the libcurl command as shown below I am able to post my data via https.
curl_easy_setopt(curl_handle, CURLOPT_CAINFO, "C:\\cacert.pem");
My question regards option 3 under the heading "Certificate Verification" found here: https://curl.haxx.se/docs/sslcerts.html
3) Add the CA cert for your server to the existing default CA certificate store. The default CA certificate store can be changed at compile time with the following configure options:
--with-ca-bundle=FILE: use the specified file as CA certificate store. CA certificates need to be concatenated in PEM format into this file.
--with-ca-path=PATH: use the specified path as CA certificate store. CA certificates need to be stored as individual PEM files in this directory. You may need to run c_rehash after adding files there.
Do these settings only apply to command line or can libcurl be configured at compile time to always use the same CA info?
Thanks!
Do these settings only apply to command line or can libcurl be configured at compile time to always use the same CA info?
cURL has the same settings for compile time. More accurately, they are Autotools options.
curl-7.57.0$ ./configure --help
`configure' configures curl - to adapt to many kinds of systems.
Usage: ./configure [OPTION]... [VAR=VALUE]...
...
--with-ca-bundle=FILE Path to a file containing CA certificates (example:
/etc/ca-bundle.crt)
--without-ca-bundle Don't use a default CA bundle
--with-ca-path=DIRECTORY
Path to a directory containing CA certificates
stored individually, with their filenames in a hash
format. This option can be used with OpenSSL, GnuTLS
and PolarSSL backends. Refer to OpenSSL c_rehash for
details. (example: /etc/certificates)
--without-ca-path Don't use a default CA path
--with-ca-fallback Use the built in CA store of the SSL library
--without-ca-fallback Don't use the built in CA store of the SSL library
I build cURL on occasion for testing on older systems like CentOS 5. I find it is easiest to download an updated cacert.pem, and then use --with-ca-bundle.
If you want to use --with-ca-path, then that is the one where each certificate is hashed. So you will have a directory with 120 or 150 files in it. The files will have names like NNNNNNNN.0, NNNNNNNN.1 and so on. NNNNNNNN will be a hash, and collisions are resolved by incrementing the suffix.
I keep my script for building cURL online at Build-Scripts | build-curl.sh.
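As an added example (shell, not code from the original answer or from curl), the following lays out a directory the way --with-ca-path expects it, with each CA stored under its subject-hash name and colliding hashes getting the next suffix, as c_rehash does, and then checks the result with `openssl verify -CApath`; the openssl CLI is assumed to be on PATH and the CA names are constructed.

```shell
# Added example, not from the original answer or from curl. It lays out a directory the
# way --with-ca-path expects it (each CA stored as <subject hash>.<n>, the naming that
# c_rehash produces, with colliding hashes getting the next suffix) and then checks the
# result with `openssl verify -CApath`. Assumes the openssl CLI is on PATH; the CA names
# are constructed for the example.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Constructed self-signed CA certificate in PEM form: $1 = output path, $2 = CN
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

# Install one PEM certificate into a CApath directory under its subject-hash name,
# resolving collisions by incrementing the numeric suffix as c_rehash does.
# Prints the file name chosen, i.e. <8 hex digits>.<n>
install_ca() {   # $1 = CApath dir, $2 = certificate file
    h=$(openssl x509 -in "$2" -noout -hash)
    n=0
    while [ -e "$1/$h.$n" ]; do n=$((n + 1)); done
    cp "$2" "$1/$h.$n"
    echo "$h.$n"
}

# Verify a certificate against the directory; prints ok or fail
verify_with_capath() {   # $1 = CApath dir, $2 = certificate to verify
    if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

mkdir -p "$WORK/capath"
make_ca "$WORK/ca1.pem" "Example CA 1"
make_ca "$WORK/ca2.pem" "Example CA 2"
make_ca "$WORK/untrusted.pem" "Not installed CA"
install_ca "$WORK/capath" "$WORK/ca1.pem"
install_ca "$WORK/capath" "$WORK/ca2.pem"
verify_with_capath "$WORK/capath" "$WORK/ca2.pem"          # ok: found via its hash name
verify_with_capath "$WORK/capath" "$WORK/untrusted.pem"    # fail: no matching file
```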
I'm currently working on expanding some python code a co-worker wrote to use X509 certificates with the OpenSSL library. I have managed to get all but a few of the OpenSSL functions working. The libraries / functions that I am using are
from OpenSSL.crypto import FILETYPE_PEM
from OpenSSL.crypto import load_certificate, verify, sign, load_privatekey
I am currently creating certificates on my local machine with
openssl req -x509 -newkey rsa:2048 -out rootcert.pem -outform PEM -days 1825
and then "pushing" that to a server (also on local machine), which then returns me a 64 character long random alphanumeric string. I then take the string and sign it using
openssl rsautl -sign -inkey rootprivkey.pem -in string -out signedstring
When I push the signed random string to the server and it verifies it (using OpenSSL.crypto.verify) with the certificate I previously sent, the process fails. However, if I use the verify function on the command line (openssl rsautl -verify -inkey rootprivkey.pem -in signedstring), it works.
If I push the private key to the server and use the OpenSSL.crypto.sign (sign(private key, data, digest)) function to sign the same random string and put that into the verify (verify(certificate, signature, data, digest)) function, it works.
I've tried all of the different types of padding when signing the string, and none of those worked. I've also tried doing a digest hash of the string first and then signing that file, based on an old question on SO:
openssl dgst -sha1 -binary < string > digeststring
openssl rsautl -sign -inkey rootprivkey.pem -keyform PEM -in digeststring > signedstring
But obviously that did not work either.
I do not know if I am either generating the certificate and signing the string incorrectly, if I am using the OpenSSL.crypto library incorrectly (I have checked many times to make sure that I am passing the correct variables into the OpenSSL functions), or if the command line functions and the python functions are incompatible.
For reference:
Python 2.7.3
OpenSSL 1.0.1 (March 12)
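As an added example (shell, not code from the original post), the following reproduces the mismatch described above: `openssl rsautl -sign` applies raw PKCS#1 v1.5 padding and never wraps a hash in DigestInfo, while OpenSSL.crypto.sign() and verify() work through EVP_Sign*/EVP_Verify*, which hash the data and expect the DigestInfo wrapper, so `openssl dgst -verify` (the same check as EVP_VerifyFinal) stands in for the Python side. It assumes the openssl CLI is on PATH; the key pair and the 64-character challenge string are constructed, and SHA-256 is used instead of SHA-1 so it also runs on builds that refuse SHA-1 signatures.

```shell
# Added example, not from the original post. It reproduces the mismatch described above:
# `openssl rsautl -sign` applies raw PKCS#1 v1.5 padding to its input and never wraps a
# hash in a DigestInfo structure, while OpenSSL.crypto.sign() (EVP_Sign*) hashes the data
# and wraps the hash in DigestInfo, and OpenSSL.crypto.verify() (EVP_Verify*) requires that
# layout. `openssl dgst -verify` performs the same check as EVP_VerifyFinal, so it stands in
# for the Python side. Assumes openssl on PATH; SHA-256 replaces SHA-1 for portability.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# Constructed key pair (standing in for rootprivkey.pem / rootcert.pem) and a constructed
# 64-character stand-in for the server's random challenge string
CHALLENGE='Q7rTk2Lm9xPaZ3vBn8cDf4GhJ6kW1sYe5uIo0pAsDfGhJkLzXcVbNmQwErTyUiOp'
openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=example' -days 1 \
    -keyout "$WORK/rootprivkey.pem" -out "$WORK/rootcert.pem" >/dev/null 2>&1
openssl x509 -in "$WORK/rootcert.pem" -pubkey -noout > "$WORK/pub.pem"
printf '%s' "$CHALLENGE" > "$WORK/string"

# The check verify(certificate, signature, data, 'sha256') performs; prints ok or fail
evp_verify() {   # $1 = signature file
    if openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$1" "$WORK/string" \
        >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Case 1, the question's command: raw padding of the 64-byte string, no hash, no DigestInfo
sign_rsautl_raw() {
    openssl rsautl -sign -inkey "$WORK/rootprivkey.pem" -in "$WORK/string" \
        -out "$WORK/sig_raw" 2>/dev/null
    evp_verify "$WORK/sig_raw"
}

# Case 2, the question's second attempt: pre-hashed input, but still no DigestInfo
sign_rsautl_prehashed() {
    openssl dgst -sha256 -binary "$WORK/string" > "$WORK/digest"
    openssl rsautl -sign -inkey "$WORK/rootprivkey.pem" -in "$WORK/digest" \
        -out "$WORK/sig_hash" 2>/dev/null
    evp_verify "$WORK/sig_hash"
}

# Case 3, what sign(private_key, data, 'sha256') produces: hash, DigestInfo, then padding
sign_dgst() {
    openssl dgst -sha256 -sign "$WORK/rootprivkey.pem" -out "$WORK/sig_dgst" "$WORK/string"
    evp_verify "$WORK/sig_dgst"
}

# rsautl -verify only strips the padding and prints what was signed, which is why the
# command line "worked" for case 1: it recovers the string but checks no hash at all
rsautl_recover() {
    [ -f "$WORK/sig_raw" ] || sign_rsautl_raw >/dev/null
    openssl rsautl -verify -inkey "$WORK/rootprivkey.pem" -in "$WORK/sig_raw" 2>/dev/null
}
```

Running the three sign_* functions prints fail, fail, ok: only the third signature has the layout verify() expects, and rsautl_recover prints the challenge string back because rsautl -verify never compared a hash.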
Trying to do a certificate import into the cacerts store in ColdFusion10. I am able to run these commands and get the .cer file to import:
Manually import a certificate
Go to a page on the SSL server in question.
Double-click the lock icon. Click the Details tab. Click Copy To File. Select the base64 option and save the file. Copy the CER file into C:\ColdFusion9\runtime\jre\lib\security (or whichever JRE ColdFusion is using). Run the following command in the same directory:
keytool -import -keystore cacerts -alias giveUniqueName -file filename.cer
But when I try and do a cfhttp call it fails. I suspect that I am saving the certificate in the wrong format.
I am using X.509 .der, which is the recommended format. Is this the same as base64? Does anyone know the documentation for this on CF10? I did this successfully on CF9 but it does not seem to work on CF10.
I would suggest using Certman from riaforge just to ensure that everything is being imported correctly
http://certman.riaforge.org/
Are you sure that the import worked? Whenever I have imported certificates in the past (using CF9) I needed to supply the password for the cacerts keystore. I do not see that in your posted example. The command to import should be something like this:
keytool -import -v -alias giveUniqueName -file filename.cer -keystore cacerts -storepass thePassword
Here is the command line to verify an imported certificate:
keytool -list -v -keystore cacerts -alias giveUniqueName -storepass thePassword
I did not include the password here but am pretty sure you can Google it. If not, send me a message and I can give it to you.
And yes, I always export the certificate in DER format as well. That should work.
Also, you may need to supply pathing information depending on where you run the keytool commands from and where your certificate file resides.
Another note, be sure you are updating the correct cacerts file that ColdFusion is using. In case you have more than one JRE installed on that server. You can verify the JRE ColdFusion is using from the administrator under the 'System Information'. Look for the Java Home line.
Oh - and you have to restart ColdFusion after making the import.
UPDATE FOR CF10
I found a forum discussion (here) talking about installing certificates on CF10. The keytool commands appear to be slightly different in their example. In case it is a bit different than CF9, here is what they said:
keytool -importcert -alias giveUniqueName -trustcacerts -file filename.cer -keystore cacerts -storepass thePassword
Trust this certificate? [no]: y
It looks like the verification command line has not changed.