I am following this blog:
Essentially for the organizations which has very strict security requirements would like EMR nodes to communicate to each other following TLS custom certificate provider.
Certs - I am more of a beginner/intermediate level. Can follow the instructions and modify it with some logic but definitely not an expert.
Regarding this command
openssl req -x509 -newkey rsa:4096 -keyout inter-nodes.key -out inter-nodes.crt -days 365 -subj "/C=US/ST=MA/L=Boston/O=EMR/OU=EMR/CN=*.ec2.internal" -nodes
I cannot use the self signed certificates but have to use the certificates issued by CA for our organization which is root cert and another cert. Organization_Corp_Root_CA.cer and Organization_Corp_Issuing_CA.cer.
How i can change the above command to generate inter-nodes.key and inter-nodes.crt in my situation?
I can substitute -subj "/C=US/ST=MA/L=Boston/O=EMR/OU=EMR/CN=.ec2.internal" with -subj "/O=EMR/OU=EMR/CN=.ec2.internal" or only this -subj "/O=EMR/OU=EMR/CN=*.ec2.internal"
and substitute for req
-in arg input file with one of the certs(I am assuming)
-key file use the private key contained in file
but it's not working and I am getting all kind of errors.
Also -days 365 can be something else based on security requirements.
Any help?
Related
I have a project based on Google Cloud Platform which involves adding Raspberry Pi devices to Google IoT registry. What I need to do is to generate signed certificates both for registry and for devices in order to ensure that fraudulent devices are not registered.
I already tried generating signed X.509 certificates like this:
openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 -keyout ca.key -out ca.crt
openssl genrsa -out device.key 2048
openssl req -new -days 365 -key device.key -out device.csr
openssl x509 -req -days 365 -in device.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out device.crt
Notice that when promtped I put additional subj information like name, country, email, organisation which according to other SO question should make it work.
After invoking those commands I end up with following files:
ca.crt ca.key ca.srl device.crt device.csr device.key
So what I would do is to add ca.crt as registry certificate and then when I try to upload device.crt as device certificate (type RS256_X509) I get an error Certificate is not supported by Cloud IoT
What could I be doing wrong? I want to make sure that I create correct certificates and link them to registry and device.
I'm writing a custom client & server that I want to communicate securely over the public Internet, therefore I want to use OpenSSL and have both ends do peer verification to ensure that my client isn't mis-directed by a MITM, and likewise that an unauthorized client isn't able to connect to the server.
This is the error received from the server during the SSL_connect / SSL_accept phase:
15620:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:ssl\record\rec_layer_s3.c:1528:SSL alert number 48
I'm running under Windows 10, using OpenSSL 1.1.1. I'm using the following batch file to create them. I enter the ca private key passphrase by hand for obvious reasons.
openssl genrsa -out -des3 ca.key.pem 2048
openssl genrsa -out server.key.pem 2048
openssl genrsa -out client.key.pem 2048
openssl req -x509 -new -nodes -key ca.key.pem -sha256 -days 365 -out ca.cert.pem -subj /C=US/ST=CA/L=Somewhere/O=Someone/CN=Foobar
openssl req -new -sha256 -key server.key.pem -subj /C=US/ST=CA/L=Somewhere/O=Someone/CN=Foobar -out server.csr
openssl x509 -req -in server.csr -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out server.cert.pem -days 365 -sha256
openssl req -new -sha256 -key client.key.pem -subj /C=US/ST=CA/L=Somewhere/O=Someone/CN=Foobar -out client.csr
openssl x509 -req -in client.csr -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out client.cert.pem -days 365 -sha256
The intent here is to create a self-signed CA, and then have that directly sign both the client and server keys.
ca.key.pem will be stored in a secure place: on an encrypted veracrypt volume.
Both client and server use the following call to enable peer verification:
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
I'm fairly certain this is a certificate issue because the errors go away if I remove that line.
Answering this myself so that it can help anyone else that might arrive here looking for solutions to this problem. The answer was found in another SO question, but is worth repeating here: The Common Name for the CA cannot be the same as the Common Name for the client and server certificates.
So changing the fourth line of the batch file to this:
openssl req -x509 -new -nodes -key ca.key.pem -sha256 -days 365 -out ca.cert.pem -subj /C=US/ST=CA/L=Somewhere/O=Someone/CN=FoobarCA
fixed the problem.
$ openssl req -x509 -new ... -addext basicConstraints=critical,CA:TRUE
This essentially creates a certificate which has 2 basic contrains CA:TRUE extensions:
$ openssl x509 -in ca.cert.pem -text
X509v3 extensions:
...
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Basic Constraints: critical
CA:TRUE
Trying to use the CA to verify the server certificate will not work:
$ openssl verify -CAfile ca.cert.pem server.cert.pem
C = XX, ST = XX, L = XX, O = XX, CN = CA
error 24 at 1 depth lookup: invalid CA certificate
error server.cert.pem: verification failed
Given that this simple check does not work, the client will also not be able to validate the server certificate, resulting in an unknown ca alert:
...:tlsv1 alert unknown ca:...
When skipping the -addext it will create a self-signed certificate as documented, which already has CA:TRUE
$ openssl req -x509 -new ...
...
$ openssl x509 -in ca.cert.pem -text
X509v3 extensions:
...
X509v3 Basic Constraints: critical
CA:TRUE
And using this to verify the server certificate works:
$ openssl verify -CAfile ca.cert.pem server.cert.pem
server.cert.pem: OK
This certificate should also be successfully validated by your client, thus no longer resulting in unknown ca.
I am following this AWS GUIDE on creating self-signed certificates.
But after creating my CA, I try to upload it to AWS IOT I get this error:
Command:
aws iot register-ca-certificate --ca-certificate file://CA_cert.pem --verification-cert file://verificationCert.crt
Error:
An error occurred (CertificateValidationException) when calling the RegisterCACertificate operation: CA certificate is not valid. The CA certificate does not have the basicConstraints extension as true
Any help appreciated!
I have also used AWS IoT and suffered same error, and I found the solution.
Reason of the error
The error occurs because basicConstraints extension in the CA certificate, which means that the certificate is CA so this certificate is able to sign other public keys to generate client certificates, is not set to TRUE.
Note that a client X's certificate contains X's public key signed by CA's private key. Other clients, for example Y, can verify the X's public key using CA's public key.
I think you had the error when you tried to generate CA certificate. The error message indicates that the CA's certificate is not allowed to sign other client public keys.
Below are how I did.
Solution
I assume that you already generate CA's key, rootCA.key.
We need a openssl config file, say rootCA_openssl.conf. Note that you can modify the values.
[ req ]
distinguished_name = req_distinguished_name
extensions = v3_ca
req_extensions = v3_ca
[ v3_ca ]
basicConstraints = CA:TRUE
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = KR
countryName_min = 2
countryName_max = 2
organizationName = Organization Name (eg, company)
organizationName_default = Deeply Inc.
Then generate CA's certificate using the config file, rootCA_openssl.conf.
openssl req -new -sha256 -key rootCA.key -nodes -out rootCA.csr -config rootCA_openssl.conf
openssl x509 -req -days 3650 -extfile rootCA_openssl.conf -extensions v3_ca -in rootCA.csr -signkey rootCA.key -out rootCA.pem
Now we have CA's certificate, rootCA.pem.
Then you can follow the instructions in the AWS IoT documentation.
For example:
# Get the registration code for the use below:
# $ aws iot get-registration-code
openssl genrsa -out verificationCert.key 2048
openssl req -new -key verificationCert.key -out verificationCert.csr
# Put the registration code in Common Name field
openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.crt -days 500 -sha256
#mctuna with this (from AWS):
Generate a key pair.
openssl genrsa -out rootCA.key 2048
Use the private key from the key pair to generate a CA certificate.
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
I'm using boost ssl for server and client, and I have a model for server/client program in my mind, and I'm not sure it's gonna work.
The model I have in my mind is to be the only authority for certificates of my program. My main question is: How can I do that?
In my server program, I define keys as follows:
context_.use_certificate_chain_file("../sslkeys/server.crt");
context_.use_private_key_file("../sslkeys/server.key", boost::asio::ssl::context::pem);
context_.use_tmp_dh_file("../sslkeys/dh512.pem");
I create/sign those keys/certificates using:
$ openssl genrsa -des3 -out server.key 2048
$ openssl req -new -key server.key -out server.csr
$ openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
$ cp server.key server.key.secure
$ openssl rsa -in server.key.secure -out server.key
$ openssl dhparam -out dh512.pem 512
For my client program, I would like to create a certificate and sign it by my "server.key", because I think (and I could be wrong, please correct me if I'm) that's the way to do it. The client program requires a key using the command:
ctx.load_verify_file("../sslkeys/client.csr");
So I created a key, which I signed using the server key, with the following commands:
$ openssl genrsa -des3 -out client.key 2048
$ openssl req -new -key client.key -out client.csr
$ openssl x509 -req -days 3650 -in client.csr -signkey ../sslkeys/server.key -out client.crt
Now when I run my client and try to connect the server, I get the error: Handshake failed: certificate verify failed
What is wrong in what I'm doing? And how can I achieve the model I mentioned?
If you require any additional information, please ask.
Thanks for any efforts.
Your signing certificate has no rights to sign, because it has not the CA flag set. Signing will still work, but verification will fail. Since there are already lots of guides on the internet which will show in detail how to do it right so you might just look here or here for more details.
Also, using only a 512 bit Diffie-Hellman reduces the security of the key exchange to 512 bit, which is exploitable today (see also Logjam attack). The 2048 RSA key does not help here. And using 512 bit might not even work if you use the latest version of OpenSSL which just increased the minimal size to 768 bits for security reasons.
I've created an SSL server using the sample code from the Qt documentation. I then connect to it using QSslSocket::connectToHostEncrypted.
The server fails, however, and this is in QSslSocket::errorString()
Cannot provide a certificate with no key,
error:0907B068:PEM routines:PEM_READ_BIO_PRIVATEKEY:bad password read
I set the certificate and private keys with this code:
serverSocket->setLocalCertificate("/home/user/Workspace/openssl/cacert.pem");
serverSocket->setPrivateKey("/home/user/Workspace/openssl/privkey.pem");
I created the cacert.pem and privkey.pem using this command on Ubuntu:
openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 1825
The error was because I didn't specify the password for the private key (the one that openssl asked me for during the certificate creation). So instead of
serverSocket->setPrivateKey("/home/user/Workspace/openssl/privkey.pem");
I now call
serverSocket->setPrivateKey("/home/user/Workspace/openssl/privkey.pem", QSsl::Rsa, QSsl::Pem, "mypassword");
and this fixes the problem.