Kotlin example with MQTT and AWS certs - amazon-web-services

I have been supplied 4 files from AWS IOT:
CA.pem
AWS-private.pem.crt
private.pem.key
public.pem.key
I have tried a multitude of methods to get these to work with Android Studio and Kotlin to connect to an MQTT service and have now lost direction.
Firstly, are there any command lines that I need to run on the certs and keys before I use them?
Do I need to use a keystore?
If so, should that keystore be bouncycastle or spongycastle?
I have tried to create a keystore by running the keytool and creating
openssl pkcs12 -export -out ks.p12 -inkey -in my.pem -name mykeystore
but when I try to import like so
keytool -importkeystore -srckeystore ks.p12 -srcstoretype pkcs12 -destkeystore ks.bks -deststoretype BKS --provider org.bouncycastle.jce.provider.BouncyCastleProvider --providerpath ~/Downloads/bcprov-jdk16-1.46.jar
I get this error
keytool error: java.security.KeyStoreException: Unrecognized keystore format: null
So I can't even get to testing my Kotlin to see if the BKS works.

Related

Invoking mutual 2 way SSL webservice using CURL

1) I created myfile.csr using the below command
openssl req -out myfile.csr -new -newkey rsa:2048 -nodes -keyout myfile-pr.key
I sent myfile.csr to 3rd party to have it signed
3rd party application signed and sent me serverfile.pem
Using these files would I be able to invoke a REST webservice using the curl command? I tried the below command but it returned an unauthorized error
curl --cacert ./serverfile.pem --key ./myfile-pr.key --cert ./myfile.csr --pass <password> https://serverpost:port/getEmployeeInfo
The --cacert is used to specify the file with the public certificate of the Certification Authority (CA). If you installed 3rd party CA certificate on your system, this option is not needed.
With the --cert you specify the signed client certificate which was issued to you based on your CSR. From man curl:
-E, --cert <certificate[:password]>
Tells curl to use the specified client certificate file when getting a file with HTTPS, FTPS or another SSL-based protocol. The certificate must be in PKCS#12 format if using Secure Transport, or PEM format if using any other engine. If the optional password isn't specified, it will be queried for on the terminal. Note that this option assumes a "certificate" file that is the private key and the client certificate concatenated! See -E, --cert and --key to specify them independently.
Currently, you are passing the CSR (certificate signing request) via the --cert parameter. Your command should look something like this:
curl --cacert ./3rd-party-ca-cert.pem --key ./myfile-pr.key --cert ./serverfile.pem --pass <password> https://serverpost:port/getEmployeeInfo
As I mentioned, the --cacert might not be needed if you already added this CA (e.g. on ubuntu https://superuser.com/a/719047).
Check serverfile.pem to make sure it contains only client certificate, and not 3rd party CA certificate chain as well.
... schannel: sending initial handshake data: sending ....
curl does not support client certificates on the command line with SChannel. See this bug report and this todo.
@SteffenUllrich: Sorry, I should have formatted better.
Issue was I was trying curl in Windows (curl 7.55.1). Not sure if it's a version issue. Did the following command in Linux and it works
openssl pkcs12 -export -out combine.p12 -inkey client-cert-pr.key -in serverSelfSigned-cert.pem
openssl pkcs12 -in combine.p12 -out file.key.pem -nocerts -nodes
openssl pkcs12 -in combine.p12 -out file.crt.pem -clcerts -nokeys
curl -E ./file.crt.pem --key ./file.key.pem https://thirdpartyserver.com/employee
Notes:
client-cert-pr.key: client private key
serverselfsigned-cert.pem: self signed certificate sent by 3rd party
The other 2 options below also work. Thanks @bagljas
curl --cacert ./serverfile.pem --key ./myfile-pr.key --cert ./serverfile.pem --pass <password> https://serverpost:port/getEmployeeInfo
curl --key ./myfile-pr.key --cert ./serverfile.pem --pass <password> https://serverpost:port/getEmployeeInfo
Same command doesn't work in Windows
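Added example, not code from anyone in this thread: a preflight check that the three files handed to curl --cacert, --cert and --key actually belong together (one certificate in the cert file, key matching that certificate, CA able to validate it). The CA and client certificate are constructed in a temp directory; the file names copy the thread's but are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): preflight check that the files given to
# curl --cacert / --cert / --key are consistent. Test material is constructed
# here; the file names copy the thread's but are assumptions.
set -eu
WORK="$(mktemp -d)"

make_test_material() {
  # constructed third-party CA and a client certificate it signs
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Third Party CA" \
    -keyout "$WORK/ca.key" -out "$WORK/3rd-party-ca-cert.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client" \
    -keyout "$WORK/myfile-pr.key" -out "$WORK/myfile.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/myfile.csr" -CA "$WORK/3rd-party-ca-cert.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 2 -out "$WORK/serverfile.pem" >/dev/null 2>&1
}

# Number of PEM certificates in the file handed to --cert (the answer asks for
# exactly one: the client cert, without the CA chain appended).
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# The public key inside the cert must equal the one derived from --key.
key_matches_cert() {
  c="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)"
  k="$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)"
  [ "$c" = "$k" ]
}

# --cacert must validate the client certificate.
ca_signs_cert() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# preflight CACERT CERT KEY: succeeds only when all three checks pass.
preflight() {
  [ "$(cert_count "$2")" = "1" ] && key_matches_cert "$2" "$3" && ca_signs_cert "$1" "$2"
}

make_test_material
if preflight "$WORK/3rd-party-ca-cert.pem" "$WORK/serverfile.pem" "$WORK/myfile-pr.key"; then
  echo "consistent: safe to run curl --cacert/--cert/--key with these files"
fi
# Handing the CSR to --cert, as the question did, fails this check.
if ! preflight "$WORK/3rd-party-ca-cert.pem" "$WORK/myfile.csr" "$WORK/myfile-pr.key"; then
  echo "rejected: myfile.csr is a signing request, not a certificate"
fi
```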

SSL Configuration for WSO2

I'm working on the SSL Configuration for WSO2 and currently following this article. Now I had a .pfx file which I converted to a .jks file using
keytool -importkeystore -srckeystore < pkcs12 file name >.pfx -srcstoretype pkcs12 -destkeystore < JKS name >.jks -deststoretype JKS
The next step was to extract a .csr (Certificate Request Signing) from the .jks using
keytool -certreq -alias certalias -file newcertreq.csr -keystore newkeystore.jks
After having the .csr file extracted, the article asked to provide that .CSR file to the CA. For testing purposes, they preferred this to have a free SSL Certificate for 90 days.
The site asks for the content of the CSR file and gave me the following error
Your Domain Name may not contain a * Please purchase a Wildcard
Certificate if you wish to use a * in your Domain Name
Please note that my certificate is for a domain: *.domain.com, it's pretty obvious that I'll have to purchase a wildcard certificate for this but I'm currently trying to set up a TESTING ENVIRONMENT just to be sure before purchasing a particular domain certificate AND for that, I'm looking for alternatives to get the following files:
The Root certificate of the CA i.e. AddTrustExternalCARoot.crt
Intermediate certificates i.e. COMODORSAAddTrustCA.crt, COMODORSADomainValidationSecureServerCA.crt
SSL Certificate signed by CA i.e. test_sampleapp_org.crt
I tried this and it gave me a domain.cer file which is not what I need. Any guesses? Thanks.
For development, you can export a self-signed certificate with this keytool command.
keytool -export -alias certalias -file test_sampleapp_org.crt -keystore newkeystore.jks

AWS Tomcat SSL browser errors - what have I missed?

I'm attempting to set up TLS (SSL) with my domain hosted on AWS Bitnami so that users can access it over HTTPS. It is running on Apache Tomcat standalone and is not fronted by a LB.
To generate the Certificate Signing Request (CSR) I have:
sudo openssl genrsa -out /opt/bitnami/apache-tomcat/conf/server.key 2048
And entered all the correct information i.e. hostname in www.hostname.com format, then:
sudo openssl req -new -key /opt/bitnami/apache-tomcat/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr
Following that I have copied the .csr file contents to the CA (ssl.comodo.com) & saved the resulting files: .ca-bundle and .crt file.
Following that I have uploaded the files to the Tomcat directory and loaded them into the Java keystore:
keytool -import -trustcacerts -alias root -file www_domainname_com.ca-bundle -keystore KeyStore.jks
and the .crt:
keytool -import -trustcacerts -alias tomcat -file www_domainname_com.crt -keystore KeyStore.jks
Tomcat is configured to use this keystore with the following config in server.xml:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" keystoreFile="/home/bitnami/KeyStore.jks" keystorePass="passwordhere" sslProtocol="TLS"/>
Then apache has been restarted. The browser errors that I receive are:
Chrome:
uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Firefox:
no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
My thoughts
Based on this Stack Overflow question here I think this may have something to do with RSA - when I generate a new keystore with the -keyalg RSA parameter:
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
and point the Tomcat server.xml SSL config to that, the site loads over HTTPS and I get warnings in the browser telling me that it is a self-signed certificate.
If you want to generate using OpenSSL, you must then convert the PRIVATE KEY AND certificate chain, not just the certificate(s) alone, to a Java-usable keystore, either PKCS12 or JKS.
If you want to generate using Java, you do use keytool -genkeypair -keyalg RSA (and before j7 add -keysize 2048), then you use Java keytool to generate the CSR which you give to the CA (Comodo), and you use Java keytool to import the new cert and its chain from the CA.
See the options at (my) https://stackoverflow.com/a/37423399/2868801 and several additional dupes linked there.
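Added example serving both the AWS IoT keystore question at the top of the page and this answer's point that the private key and the chain, not just the certificates, must go into the keystore (it is not code from either poster). It constructs a throwaway CA and leaf certificate, bundles key, certificate and CA into one PKCS12 file, and counts what landed inside; file names and the password are assumptions.

```shell
#!/bin/sh
# Added example, not code from either question: bundle PEM private key, device
# or server certificate and CA certificate into one PKCS12 keystore, then list
# what is inside. Test material is constructed here; names and the password are
# assumptions. A PKCS12 file loads directly as KeyStore type "PKCS12" on Android
# and as keystoreType="PKCS12" in a Tomcat connector.
set -eu
WORK="$(mktemp -d)"
P12_PASS="changeit"   # constructed password, example only

make_test_material() {
  # constructed CA (stands in for CA.pem) and a leaf it signs (device/server cert)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/CA.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=device-0001" \
    -keyout "$WORK/private.pem.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/CA.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -out "$WORK/leaf.pem.crt" >/dev/null 2>&1
}

# -inkey takes the private key, -in the end-entity certificate, -certfile the
# chain. The openssl command in the first question left -inkey without a file,
# and the Tomcat keystore above was built from certificates only, so neither
# keystore carried a private key.
build_p12() {
  openssl pkcs12 -export -name mykey -inkey "$WORK/private.pem.key" \
    -in "$WORK/leaf.pem.crt" -certfile "$WORK/CA.pem" \
    -out "$WORK/ks.p12" -passout "pass:$P12_PASS"
}

# Certificates stored in the keystore: expect 2 (leaf + CA).
p12_cert_count() {
  openssl pkcs12 -in "$WORK/ks.p12" -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Private keys stored in the keystore: expect 1.
p12_key_count() {
  openssl pkcs12 -in "$WORK/ks.p12" -nocerts -nodes -passin "pass:$P12_PASS" 2>/dev/null \
    | grep -c 'BEGIN.*PRIVATE KEY'
}

make_test_material
build_p12
echo "keystore holds $(p12_cert_count) certificate(s) and $(p12_key_count) private key(s)"
```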

Client calling Rest API's exposed through Tomcat deployed on AWS using https

I have my Java code deployed on Tomcat in AWS and in Tier 1, I have a load balancer configured with public and private key generated using following commands.
openssl genrsa -out server_privatekey.pem 1024
openssl req -new -key server_privatekey.pem -out server_certificate_csr.pem
openssl x509 -req -days 3650 -in server_certificate_csr.pem -signkey server_privatekey.pem -out server_certificate.pem
Now, the main difficulty I'm facing is as follows:
I have an Android app which calls these REST APIs, now I want to call the API from Android, but that would require me to pass some form of authentication to the server. I'm unable to understand what that would be. If anyone could point me to a specific resource that would be really helpful.
(Note: I have already posted this question on the AWS forum but there is no reply yet: https://forums.aws.amazon.com/thread.jspa?threadID=64432).
I was able to call the REST API using HTTPS. At client side, I downloaded the certificate and generated the trust store from it using following command
keytool -importcert -keystore secure.ts -storepass 12345678 -file <cert>
and then while calling my REST API using URL command, I used following property.
System.setProperty("javax.net.ssl.trustStore", "<trust store path eg: secure.ts from above command>");
System.setProperty("javax.net.ssl.trustStorePassword", "12345678");

How to use *.pfx certificate for Amazon ELB SSL

I have a cert.pfx file, I need to install it to be used in Amazon Elastic Load Balancer.
How can I do it?
Extract private key without password. The first command will request the pfx password and prompt for a password for key.pem; a password for key.pem must be provided. The second command asks for the key.pem password provided to the first command.
openssl pkcs12 -in cert.pfx -nocerts -out key.pem
openssl rsa -in key.pem -out server.key
Extract certificate:
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem
Extract certificate chain:
openssl pkcs12 -in cert.pfx -nodes -nokeys -out chain.pem
Certificate chain contains several items. You may need to remove the item that refers to your certificate; it's on top and it's not needed. Give it a try with/without removing the top item.
After that the other items should be placed in reverse order.
server.key is private key in ELB, cert.pem is certificate in ELB, output #4 is certificate chain.
Good luck!
You can easily convert the format of the certificate using the OpenSSL suite.
The process is very easy and a good guide is here: http://www.petefreitag.com/item/16.cfm.
About the different steps (taken from the link I reported above):
# Export the private key file from the pfx file
openssl pkcs12 -in filename.pfx -nocerts -out key.pem
# Export the certificate file from the pfx file
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
# This removes the passphrase from the private key so Apache won't
# prompt you for your passphrase when it starts
openssl rsa -in key.pem -out server.key
Now, if you have a linux distro, it is straight forward to install openSSL (yum install openssl on an rpm based distro).
If you don't have a linux distro installed, then the quickest would be to go for a live distribution (I personally love fedora https://getfedora.org/)
I hope this helps
First go to Certificate Manager and import your certificate [cert, key, chain], then create AWS LB with existing certificate.