I am trying to access a webservice.
Before when I was trying to run that webservice in my Chrome web browser, I was getting 403 error but when I imported Private.pfx file into chrome certificates, I could easily access the webservice.
Now with curl I am getting 403 forbidden error.
I followed this link
using-certificates-with-curl
1) Convert it into PEM format (X.509 certificate) using openssl.
openssl pkcs12 -in abcd.pfx -out abcd.pem
Enter a passphrase and a password.
2) Still you cannot use this with curl because you’d get a few errors.
3) Convert this PEM certificate into three different certificates for the client, the private key and the certification authority certificate.
openssl pkcs12 -in abcd.pfx -out ca.pem -cacerts -nokeys
openssl pkcs12 -in abcd.pfx -out client.pem -clcerts -nokeys
openssl pkcs12 -in abcd.pfx -out key.pem -nocerts
4) Use the following command:
curl -k https://www.thesitetoauthenticate.com/test -v –key key.pem –cacert ca.pem –cert client.pem:
and made 3 certificates out of my Private.pfx file and try to run the command but I still get 403 error
Also webservice is accessible via this example link:
https://example:10443/soaplistener/eurisczech.asmx
This is my curl request:
curl -key key.pem -cacert ca.pem -cert client.pem -v -H "Content-Type: text/xml; charset=utf-8" -d #completeRequest.xml https://example:10443/soaplistener/eurisczech.asmx -ik
Related
1)I created myfile.csr using the below command
req -out myfile.csr -new -newkey rsa:2048 -nodes -keyout myfile-pr.key
I sent myfile.csr to 3rd party to have it signed
3rd party application signed and sent me serverfile.pem
Using these files would i be able to invoke a REST webservice using curl command. I tried the below command but it returned unauthorized error
curl --cacert ./serverfile.pem --key ./myfile-pr.key --cert ./myfile.csr --pass <password> https://serverpost:port/getEmployeeInfo
The --cacert is used to specify the file with the public certificate of the Certification Authority (CA). If you installed 3rd party CA certificate on your system, this option is not needed.
With the --cert you specify the signed client certificate which was issued to you based on your CSR. From man curl:
-E, --cert <certificate[:password]>
Tells curl to use the specified client certificate file when getting a file with HTTPS, FTPS or another SSL-based protocol. The certificate must be in PKCS#12 format if using Secure Transport, or PEM format if
using any other engine. If the optional password isn't specified, it will be queried for on the terminal. Note that this option assumes a "certificate" file that is the private key and the client certificate concate‐
nated! See -E, --cert and --key to specify them independently.
Currently, you are passing CSR (certificate signing request) via --cert parameter. Your command should look something like this:
curl --cacert ./3rd-party-ca-cert.pem --key ./myfile-pr.key --cert ./serverfile.pem --pass <password> https://serverpost:port/getEmployeeInfo
As I mentioned, the --cacert might not be needed if you already added this CA (e.g. on ubuntu https://superuser.com/a/719047).
Check serverfile.pem to make sure it contains only client certificate, and not 3rd party CA certificate chain as well.
... schannel: sending initial handshake data: sending ....
curl does not support client certificates on the command line with SChannel. See this bug report and this todo.
#SteffenUllrich: Sorry i should have formatted better.
Issue was i was trying curl in windows(curl 7.55.1). Not sure if it's version issue. Did the following command in Linux and it works
openssl pkcs12 -export -out combine.p12 -inkey client-cert-pr.key -in serverSelfSigned-cert.pem
openssl pkcs12 -in combine.p12 -out ile.key.pem -nocerts -nodes
openssl pkcs12 -in combine.p12 -out file.crt.pem -clcerts -nokeys
curl -E ./file.crt.pem --key ./file.key.pem https://thirdpartyserver.com/employee
Notes:
client-cert-pr.key: client private key
serverselfsigned-cert.pem: self signed certificate sent by 3rd party
The below other 2 options also works. Thanks #bagljas
curl --cacert ./serverfile.pem --key ./myfile-pr.key --cert ./serverfile.pem --pass <passwrod> https://serverpost:port/getEmployeeInfo
curl --key ./myfile-pr.key --cert ./serverfile.pem --pass <passwrod> https://serverpost:port/getEmployeeInfo
Same command doesn't work in windows
I'm setting up an c++ class for handling tls connections (client and server).
It works except for the tls handshake :
I have generated my self signed root certificate and signed the rsa server key with it.
but i get a client error which is unknown CA
script to generate self signed CA (CA file and CA.pem file)
openssl req -x509 -sha256 -days 3650 -newkey rsa:4096 -keyout CA -out CA.pem
script to generate and sign the server key (key file and key.pem file)
read -p "key and cert name :" x
openssl genrsa -out $(echo $x) 2048
openssl req -new -key $(echo $x) -out $(echo $x).csr
openssl x509 -req -in $(echo $x).csr -CA CA/CA.pem -CAkey CA/CA -CAcreateserial -out $(echo $x).pem -days 3650 -sha256
then I pass CA.pem to client using SSL_CTX_use_certificate_file, key to server using SSL_CTX_use_PrivateKey_file and key.pem using SSL_CTX_use_certificate_file
client is in mode SSL_VERIFY_PEER and server is in mode SSL_VERIFY_NONE so only client checks server certificate.
As the server key is signed using CA and client trust CA.pem it should be working but when handshake is negociated, i get this in wireshark (a message from client to server) :
Alert level Fatal, Description : Unknown CA
If you read OpenSSL's documentation, for a client SSL_CTX_use_certificate_file installs a client certificate. It does not specify the list of trusted CAs that may be used to verify a cert.
For that, on the client side, you want to use SSL_CTX_load_verify_locations:
SSL_CTX_load_verify_locations() specifies the locations for ctx, at
which CA certificates for verification purposes are located.
I have cert.pfx file, I need to install to be used in Amazon Elastic Load Balancer.
How can I do it?
Extract private key without password. First command will request pfx password and prompt for a password for key.pem; a password for key.pem must be provided. Second command asks for key.pem password provided for 1st command.
openssl pkcs12 -in cert.pfx -nocerts -out key.pem
openssl rsa -in key.pem -out server.key
Extract certificate:
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem
Extract certificate chain:
openssl pkcs12 -in cert.pfx -nodes -nokeys -out chain.pem
Certificate chain contains several items. You may need to remove item that refers to your certificate, it's on top and it's not needed. Give a try with/without removing top item.
After that the other items should be placed in reverse order.
server.key is private key in ELB, cert.pem is certificate in ELB, output #4 is certificate chain.
Good luck!
you can easily convert the format of the certificate using the OpenSSL suite.
The process is very easy and a good guide is here: http://www.petefreitag.com/item/16.cfm.
About the different steps (taken from the link I reported above):
# Export the private key file from the pfx file
openssl pkcs12 -in filename.pfx -nocerts -out key.pem
# Export the certificate file from the pfx file
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
# This removes the passphrase from the private key so Apache won't
# prompt you for your passphase when it starts
openssl rsa -in key.pem -out server.key
Now, if you have a linux distro, it is straight forward to install openSSL (yum install openssl on an rpm based distro).
If you don't have a linux distro installed, then the quickest would be to go for a live distribution (I personally love fedora https://getfedora.org/)
I hope this helps
First go to Certificate Manager and import your certificate [cert, key, chain], then create AWS LB with existing certificate.
I am using gsoap and openssl under Visual Studio C++, I created a client and a server on localhost (port 443).
I have a non explicit error without any description when using (from client side) the option:
soap_ssl_client_context(&soap, "SOAP_SSL_DEFAULT"...
but if I use it with the option:
soap_ssl_client_context(&soap, SOAP_SSL_DEFAULT | SOAP_SSL_SKIP_HOST_CHECK, ...
it is working correctly (but insecurely I gess).
So I decided to check what is the error by checking packets on localhost (with raw capture), and I see that the communication ends by an Encrypted Alert (21) after terminating the handshake.
And I Wonder what I need to do, to get this application working properly and securely on localhost (for testing purpose).
More Info:
I have generated ssl certificates for server side with a batch:
echo CREATE SERVER CA and CA CERT
echo Generate Private Key (passwd protected)
openssl genrsa -des3 -out .\private\CA_key.pem 2048
pause
echo Generate server CA
echo use your server name for the 'common name' field!
openssl req -out ca.pem -new -x509 -key .\private\CA_key.pem
pause
echo Create certificate signing request for CA pub Key
openssl req -new -key .\private\CA_key.pem -out CA_csr.pem
pause
echo Sign it
openssl req -in CA_csr.pem -out CA_crt.pem -key .\private\CA_key.pem -x509 -days 3020
pause
echo FOR C++ SERVER ONLY
type .\private\CA_key.pem CA_crt.pem > server.pem
pause
And also for client side:
echo CREATE PUB/PRIV key pair and cert for client
echo Generate key pair
openssl genrsa -des3 -out client_key.pem 2048
pause
echo Create CSR for client pub key
openssl req -new -key client_key.pem -out client_csr.pem
pause
echo User ca to sign the request (need serial file with '01')
echo make sure your openssl.cnf is correct (path and right CA certificate file)
openssl ca -in client_csr.pem -out client_crt.pem -config openssl.cfg -days 1825
pause
echo CLIENT SPECIFIC FORMATING (optional)
echo for C++ clients ONLY
type client_key.pem client_crt.pem > LCC.pem
I used:
CA_crt.pem as "cacert file" in both soap_ssl_server_context and soap_ssl_client_context.
LCC.pem as client key, and server.pem as server key.
I am not sure if all certificate generation steps are correct but it is working with the option (SOAP_SSL_DEFAULT | SOAP_SSL_SKIP_HOST_CHECK).
Can you help me please to find out what is missing to get it working with SOAP_SSL_DEFAULT only ?
Thank you
I am not sure if all certificate generation steps are correct but it is working with the option (SOAP_SSL_DEFAULT | SOAP_SSL_SKIP_HOST_CHECK).
If the certificate works with gSoap with SOAP_SSL_SKIP_HOST_CHECK and does not work without it, then the CommonName for your certificate is not a hostname or IP address. Depending on the purpose for your certificate, you may not want your certificate CommonName to be the host ip/name and so using SOAP_SSL_SKIP_HOST_CHECK is fine.
If you want to quit using the SOAP_SSL_SKIP_HOST_CHECK flag, then regenerate your certificate to have the CommonName be the host name or ip address. (Note: You may run into conflicts with other certificates installed on your system - if one of them has an identical CommonName.)
I've created an SSL server using the sample code from the Qt documentation. I then connect to it using QSslSocket::connectToHostEncrypted.
The server fails, however, and this is in QSslSocket::errorString()
Cannot provide a certificate with no key,
error:0907B068:PEM routines:PEM_READ_BIO_PRIVATEKEY:bad password read
I set the certificate and private keys with this code:
serverSocket->setLocalCertificate("/home/user/Workspace/openssl/cacert.pem");
serverSocket->setPrivateKey("/home/user/Workspace/openssl/privkey.pem");
I created the cacert.pem and privkey.pem using this command on Ubuntu:
openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 1825
The error was because I didn't specify the password for the private key (the one that openssl asked me for during the certificate creation). So instead of
serverSocket->setPrivateKey("/home/user/Workspace/openssl/privkey.pem");
I now call
serverSocket->setPrivateKey("/home/user/Workspace/openssl/privkey.pem", QSsl::Rsa, QSsl::Pem, "mypassword");
and this fixes the problem.