I have a cert.pfx file and I need to install it to be used in an Amazon Elastic Load Balancer.
How can I do it?
Extract the private key without a password. The first command will request the pfx password and prompt for a password for key.pem; a password for key.pem must be provided. The second command asks for the key.pem password provided to the first command.
openssl pkcs12 -in cert.pfx -nocerts -out key.pem
openssl rsa -in key.pem -out server.key
Extract certificate:
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem
Extract certificate chain:
openssl pkcs12 -in cert.pfx -nodes -nokeys -out chain.pem
The certificate chain contains several items. You may need to remove the item that refers to your certificate; it's on top and it's not needed. Give it a try with/without removing the top item.
After that, the other items should be placed in reverse order.
server.key is the private key in ELB, cert.pem is the certificate in ELB, and the output of the fourth command (chain.pem) is the certificate chain.
Good luck!
You can easily convert the format of the certificate using the OpenSSL suite.
The process is very easy and a good guide is here: http://www.petefreitag.com/item/16.cfm.
About the different steps (taken from the link I reported above):
# Export the private key file from the pfx file
openssl pkcs12 -in filename.pfx -nocerts -out key.pem
# Export the certificate file from the pfx file
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
# This removes the passphrase from the private key so Apache won't
# prompt you for your passphrase when it starts
openssl rsa -in key.pem -out server.key
Now, if you have a Linux distro, it is straightforward to install OpenSSL (yum install openssl on an rpm-based distro).
If you don't have a Linux distro installed, then the quickest would be to go for a live distribution (I personally love Fedora: https://getfedora.org/).
I hope this helps
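A complete walk-through of the two answers above, written as an added example (it is not code from either answer, nor from AWS): it constructs a throw-away root > intermediate > leaf chain, packs it into a cert.pfx, then pulls out server.key, cert.pem and chain.pem with the same pkcs12/rsa commands. It uses -cacerts so the leaf certificate is left out of the chain automatically, and re-orders the CA certificates so that each one is followed by its issuer, which is the order the load balancer expects. The file names, subjects and passwords are constructed for the demo; an openssl binary on PATH is assumed.

```shell
#!/bin/sh
# Added example (not code from the answers above). Builds a throw-away
# root -> intermediate -> leaf chain, packs it into cert.pfx, then extracts
# what an ELB listener needs: server.key, cert.pem and a chain.pem ordered
# from the leaf's issuer up to the root, with the leaf left out.
# All file names, subjects and passwords here are constructed for the demo.
set -e

PFX_PASS=pfxpass   # constructed password protecting cert.pfx
KEY_PASS=keypass   # constructed temporary password for the exported key.pem

# Print a certificate's subject / issuer without the "subject=" / "issuer="
# prefix so the two can be compared (the DN format varies between OpenSSL
# versions, but subject and issuer are printed alike within one version).
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^[a-z]*= *//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^[a-z]*= *//'; }

# Create a key + CSR for subject $2 as $1/$3.key and $1/$3.csr.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
}

# Build the demo chain and cert.pfx inside directory $1.
make_demo_pfx() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$d/leaf.ext"
    new_csr "$d" "/CN=Demo Root CA" root
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    new_csr "$d" "/CN=Demo Intermediate CA" inter
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
    new_csr "$d" "/CN=www.example.test" leaf
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
    # Pack the CA certs root-first on purpose: the order inside a .pfx is not
    # something to rely on, which is why chain.pem is re-ordered below.
    cat "$d/root.crt" "$d/inter.crt" > "$d/extra.crt"
    openssl pkcs12 -export -in "$d/leaf.crt" -inkey "$d/leaf.key" \
        -certfile "$d/extra.crt" -passout "pass:$PFX_PASS" -out "$d/cert.pfx"
}

# Extract server.key, cert.pem and an ordered chain.pem from .pfx $1 into $2.
extract_for_elb() {
    pfx="$1"; out="$2"
    # Private key: export it under a temporary password, then strip it.
    openssl pkcs12 -in "$pfx" -nocerts -passin "pass:$PFX_PASS" \
        -passout "pass:$KEY_PASS" -out "$out/key.pem"
    openssl rsa -in "$out/key.pem" -passin "pass:$KEY_PASS" -out "$out/server.key" 2>/dev/null
    # -clcerts gives the leaf only; -cacerts gives the CA certs only, so the
    # leaf never has to be cut out of the chain by hand.
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$PFX_PASS" -out "$out/cert.pem"
    openssl pkcs12 -in "$pfx" -cacerts -nokeys -passin "pass:$PFX_PASS" -out "$out/cacerts.pem"
    # One file per CA cert; the "Bag Attributes" lines are dropped.
    awk -v dir="$out" '/BEGIN CERTIFICATE/ {n++; f=sprintf("%s/ca%02d.pem", dir, n)}
        f {print > f} /END CERTIFICATE/ {close(f); f=""}' "$out/cacerts.pem"
    # Walk upwards from the leaf's issuer: every cert is followed by its issuer.
    : > "$out/chain.pem"
    want=$(issuer_of "$out/cert.pem")
    for i in "$out"/ca*.pem; do            # bounded by the number of CA certs
        next=""
        for f in "$out"/ca*.pem; do
            [ "$(subject_of "$f")" = "$want" ] && { next="$f"; break; }
        done
        [ -n "$next" ] || break            # issuer missing from the bundle: stop
        cat "$next" >> "$out/chain.pem"
        [ "$(subject_of "$next")" = "$(issuer_of "$next")" ] && break   # self-signed root
        want=$(issuer_of "$next")
    done
}

# End-to-end run; prints "<certs in chain.pem> <first cert in it> <verify result>".
run_demo() {
    d=$(mktemp -d)
    make_demo_pfx "$d"
    mkdir "$d/elb"
    extract_for_elb "$d/cert.pfx" "$d/elb"
    n=$(grep -c 'BEGIN CERTIFICATE' "$d/elb/chain.pem")
    first=unexpected
    [ "$(openssl x509 -in "$d/elb/chain.pem" -noout -fingerprint)" = \
      "$(openssl x509 -in "$d/inter.crt" -noout -fingerprint)" ] && first=intermediate
    # The same check a TLS client makes: leaf, via chain.pem, up to the root.
    v=FAIL
    openssl verify -CAfile "$d/root.crt" -untrusted "$d/elb/chain.pem" \
        "$d/elb/cert.pem" 2>&1 | grep -q ': OK' && v=OK
    rm -rf "$d"
    echo "$n $first $v"
}

run_demo
```

The openssl verify call at the end is the check worth running before uploading anything: the leaf must chain through chain.pem to a root you trust. Anything other than OK means the bundle is missing an issuer or is in the wrong order, which is exactly what the load balancer would reject.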
First go to Certificate Manager and import your certificate [cert, key, chain], then create the AWS LB with the existing certificate.
I am following this blog:
Essentially, organizations which have very strict security requirements would like EMR nodes to communicate with each other following the TLS custom certificate provider.
Certs: I am more at a beginner/intermediate level. I can follow the instructions and modify them with some logic, but I am definitely not an expert.
Regarding this command
openssl req -x509 -newkey rsa:4096 -keyout inter-nodes.key -out inter-nodes.crt -days 365 -subj "/C=US/ST=MA/L=Boston/O=EMR/OU=EMR/CN=*.ec2.internal" -nodes
I cannot use self-signed certificates but have to use the certificates issued by the CA for our organization, which are a root cert and another cert: Organization_Corp_Root_CA.cer and Organization_Corp_Issuing_CA.cer.
How can I change the above command to generate inter-nodes.key and inter-nodes.crt in my situation?
I can substitute -subj "/C=US/ST=MA/L=Boston/O=EMR/OU=EMR/CN=*.ec2.internal" with -subj "/O=EMR/OU=EMR/CN=*.ec2.internal" or only this -subj "/O=EMR/OU=EMR/CN=*.ec2.internal"
and substitute for req
-in arg input file with one of the certs (I am assuming)
-key file use the private key contained in file
but it's not working and I am getting all kind of errors.
Also -days 365 can be something else based on security requirements.
Any help?
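An added example for the situation in this question (it is not taken from the blog being followed, and it is not the asker's commands): when the certificate has to come from the organisation's issuing CA, the req command produces a key plus a signing request instead of a self-signed certificate, and the wildcard name is carried in a subjectAltName as well as the CN. The subject values are the ones from the question; the config file, the check functions and the stand-in certificate used to exercise them are constructed for the demo. The CA's own signing step happens out of band and is not shown.

```shell
#!/bin/sh
# Added example, not the blog's or the asker's commands. Produces
# inter-nodes.key plus inter-nodes.csr for the organisation's issuing CA
# (instead of a self-signed inter-nodes.crt), then shows the checks to run
# before sending the CSR and after the issued certificate comes back.
# The config file, directory names and helper names are constructed.
set -e

# Write key + CSR into $1; the SAN is given through a config file so this
# also works on OpenSSL releases that predate "req -addext".
make_inter_nodes_csr() {
    d="$1"
    cat > "$d/csr.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = ext
prompt = no
[ dn ]
O = EMR
OU = EMR
CN = *.ec2.internal
[ ext ]
subjectAltName = DNS:*.ec2.internal
extendedKeyUsage = serverAuth, clientAuth
EOF
    # -new instead of -x509: the output is a request for the CA, not a certificate
    openssl req -new -newkey rsa:4096 -nodes -config "$d/csr.cnf" \
        -keyout "$d/inter-nodes.key" -out "$d/inter-nodes.csr" 2>/dev/null
}

# Checks before sending the CSR: its self-signature is valid and the SAN is present.
csr_summary() {
    d="$1"
    sig=bad
    openssl req -in "$d/inter-nodes.csr" -noout -verify 2>&1 | grep -qi 'verify OK' && sig=ok
    san=$(openssl req -in "$d/inter-nodes.csr" -noout -text | grep -o 'DNS:[^, ]*' | head -n 1)
    echo "sig=$sig san=$san"
}

# After the CA returns inter-nodes.crt: confirm it was issued for our key.
# Prints "match" or "mismatch" by comparing the two public keys.
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ "$a" = "$b" ] && echo match || echo mismatch
}

run_demo() {
    d=$(mktemp -d)
    make_inter_nodes_csr "$d"
    s=$(csr_summary "$d")
    # Stand-in for the CA-issued certificate: self-sign the CSR (demo only;
    # in the real flow the issuing CA produces inter-nodes.crt).
    openssl x509 -req -in "$d/inter-nodes.csr" -signkey "$d/inter-nodes.key" \
        -days 1 -out "$d/inter-nodes.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    m1=$(cert_matches_key "$d/inter-nodes.crt" "$d/inter-nodes.key")
    m2=$(cert_matches_key "$d/inter-nodes.crt" "$d/other.key")
    rm -rf "$d"
    echo "$s $m1 $m2"
}
run_demo
```

Once the issuing CA returns inter-nodes.crt, the certificate file the nodes present should be that certificate followed by Organization_Corp_Issuing_CA.cer, with Organization_Corp_Root_CA.cer as the trust anchor on the verifying side; cert_matches_key is the quick way to catch a certificate issued against the wrong key before it is deployed.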
On Ubuntu 14.04 with OpenSSL 1.0.1f I create a certificate with the public key only and put it into a PKCS#12 container.
In my C++ source I want to get the public key of the certificate and use the PKCS12_parse() function.
Unfortunately, the PKCS12_parse() function returns the certificate only if a private key is also in the p12 file.
Could someone please tell me how to get the public key in C++ source out of the certificate packet in a p12 file without transmitting the private key as well?
Create a certificate in the shell (password from stdin):
$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.crt -sha256 -subj '/C=XX/ST=XXX/L=XXXX/O=XX/OU=XX/CN=XX' -passout stdin -days 1 -set_serial 0x123
If I create a PKCS12 container with the private key as well, then it works:
$ openssl pkcs12 -export -in cert.crt -inkey key.pem -passin stdin -passout stdin -out cert.p12 -name "test"
If I create a PKCS12 container with the public key only (-nokeys):
$ openssl pkcs12 -nokeys -export -in cert.crt -inkey key.pem -passin stdin -passout stdin -out cert.p12 -name "test"
then it does not work. Here is the C++ source code to get the public key out of the certificate:
#include <openssl/pkcs12.h>
#include <openssl/x509.h>

X509 *cert = nullptr;
EVP_PKEY *privateKey = nullptr, *publicKey = nullptr;
// p12 and password were loaded earlier; as observed, cert is only filled in
// when the p12 also carries a private key
if (PKCS12_parse(p12, password, &privateKey, &cert, nullptr))
{
    if (cert)
    {
        publicKey = X509_get_pubkey(cert);
    }
}
If I look into FileViewer, I see the public key.
So what does FileViewer do to get the public key, and how can I do it with C++ and OpenSSL? Thanks.
I'm using Boost SSL for server and client, and I have a model for the server/client program in my mind, and I'm not sure it's gonna work.
The model I have in my mind is to be the only authority for certificates of my program. My main question is: How can I do that?
In my server program, I define keys as follows:
context_.use_certificate_chain_file("../sslkeys/server.crt");
context_.use_private_key_file("../sslkeys/server.key", boost::asio::ssl::context::pem);
context_.use_tmp_dh_file("../sslkeys/dh512.pem");
I create/sign those keys/certificates using:
$ openssl genrsa -des3 -out server.key 2048
$ openssl req -new -key server.key -out server.csr
$ openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
$ cp server.key server.key.secure
$ openssl rsa -in server.key.secure -out server.key
$ openssl dhparam -out dh512.pem 512
For my client program, I would like to create a certificate and sign it with my "server.key", because I think (and I could be wrong, please correct me if I am) that's the way to do it. The client program requires a key using the command:
ctx.load_verify_file("../sslkeys/client.csr");
So I created a key, which I signed using the server key, with the following commands:
$ openssl genrsa -des3 -out client.key 2048
$ openssl req -new -key client.key -out client.csr
$ openssl x509 -req -days 3650 -in client.csr -signkey ../sslkeys/server.key -out client.crt
Now when I run my client and try to connect to the server, I get the error: Handshake failed: certificate verify failed
What is wrong in what I'm doing? And how can I achieve the model I mentioned?
If you require any additional information, please ask.
Thanks for any efforts.
Your signing certificate has no right to sign, because it does not have the CA flag set. Signing will still work, but verification will fail. There are already lots of guides on the internet which show in detail how to do it right, so you might just look here or here for more details.
Also, using only 512-bit Diffie-Hellman reduces the security of the key exchange to 512 bits, which is exploitable today (see also the Logjam attack). The 2048-bit RSA key does not help here. And using 512 bits might not even work if you use the latest version of OpenSSL, which just increased the minimal size to 768 bits for security reasons.
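An added example of the point made in this answer (it is neither the asker's commands nor the answerer's code): the same "be my own CA" setup is built twice, once with a signer certificate that carries basicConstraints CA:TRUE and once with a plain certificate as the signer, and the client certificate is then verified the way a TLS peer would. Signing succeeds in both cases; only the verification differs. Names and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the asker's commands or the answerer's code. Builds the
# "own CA" setup once with a real CA certificate (CA:TRUE) and once with a
# plain certificate as the signer, then runs the verification a peer performs.
# All names and paths are constructed for the demo.
set -e

# $1 = working dir, $2 = "yes" or "no": whether the signer cert is a CA.
# Prints "OK" or "FAIL" for the verification of the client certificate.
verify_with_signer() {
    d="$1"
    if [ "$2" = yes ]; then
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/signer.ext"
    else
        printf 'basicConstraints=CA:FALSE\n' > "$d/signer.ext"   # a plain server-style cert
    fi
    # Signer key + self-signed certificate (the role of server.key/server.crt above).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=my-ca" \
        -keyout "$d/signer.key" -out "$d/signer.csr" 2>/dev/null
    openssl x509 -req -in "$d/signer.csr" -signkey "$d/signer.key" -days 2 \
        -extfile "$d/signer.ext" -out "$d/signer.crt" 2>/dev/null
    # Client key + CSR, issued by the signer with -CA/-CAkey rather than -signkey
    # (-signkey self-signs the CSR with the given key; it does not issue from a CA).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\n' > "$d/client.ext"
    openssl x509 -req -in "$d/client.csr" -CA "$d/signer.crt" -CAkey "$d/signer.key" \
        -CAcreateserial -days 2 -extfile "$d/client.ext" -out "$d/client.crt" 2>/dev/null
    # Signing always succeeds; verification is where a non-CA signer fails.
    if openssl verify -CAfile "$d/signer.crt" "$d/client.crt" 2>&1 | grep -q ': OK'; then
        echo OK
    else
        echo FAIL
    fi
}

demo_ca_flag() {
    d=$(mktemp -d)
    with_ca=$(verify_with_signer "$d" yes)
    without_ca=$(verify_with_signer "$d" no)
    rm -rf "$d"
    echo "ca=$with_ca plain=$without_ca"
}
demo_ca_flag
```

Two further things to check in the setup from the question: load_verify_file on the client side expects the CA certificate (the PEM certificate the server certificate chains to), not a CSR; and dhparam should be generated at 2048 bits or more for the reason given in the answer.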
I am using gSOAP and OpenSSL under Visual Studio C++; I created a client and a server on localhost (port 443).
I get a non-explicit error without any description when using (from the client side) the option:
soap_ssl_client_context(&soap, "SOAP_SSL_DEFAULT"...
but if I use it with the option:
soap_ssl_client_context(&soap, SOAP_SSL_DEFAULT | SOAP_SSL_SKIP_HOST_CHECK, ...
it is working correctly (but insecurely, I guess).
So I decided to check what the error is by checking packets on localhost (with raw capture), and I see that the communication ends with an Encrypted Alert (21) after the handshake completes.
And I wonder what I need to do to get this application working properly and securely on localhost (for testing purposes).
More Info:
I have generated SSL certificates for the server side with a batch file:
echo CREATE SERVER CA and CA CERT
echo Generate Private Key (passwd protected)
openssl genrsa -des3 -out .\private\CA_key.pem 2048
pause
echo Generate server CA
echo use your server name for the 'common name' field!
openssl req -out ca.pem -new -x509 -key .\private\CA_key.pem
pause
echo Create certificate signing request for CA pub Key
openssl req -new -key .\private\CA_key.pem -out CA_csr.pem
pause
echo Sign it
openssl req -in CA_csr.pem -out CA_crt.pem -key .\private\CA_key.pem -x509 -days 3020
pause
echo FOR C++ SERVER ONLY
type .\private\CA_key.pem CA_crt.pem > server.pem
pause
And also for client side:
echo CREATE PUB/PRIV key pair and cert for client
echo Generate key pair
openssl genrsa -des3 -out client_key.pem 2048
pause
echo Create CSR for client pub key
openssl req -new -key client_key.pem -out client_csr.pem
pause
echo Use ca to sign the request (need serial file with '01')
echo make sure your openssl.cnf is correct (path and right CA certificate file)
openssl ca -in client_csr.pem -out client_crt.pem -config openssl.cfg -days 1825
pause
echo CLIENT SPECIFIC FORMATTING (optional)
echo for C++ clients ONLY
type client_key.pem client_crt.pem > LCC.pem
I used:
CA_crt.pem as "cacert file" in both soap_ssl_server_context and soap_ssl_client_context.
LCC.pem as client key, and server.pem as server key.
I am not sure if all certificate generation steps are correct but it is working with the option (SOAP_SSL_DEFAULT | SOAP_SSL_SKIP_HOST_CHECK).
Can you please help me find out what is missing to get it working with SOAP_SSL_DEFAULT only?
Thank you
I am not sure if all certificate generation steps are correct but it is working with the option (SOAP_SSL_DEFAULT | SOAP_SSL_SKIP_HOST_CHECK).
If the certificate works with gSOAP with SOAP_SSL_SKIP_HOST_CHECK and does not work without it, then the CommonName for your certificate is not a hostname or IP address. Depending on the purpose of your certificate, you may not want your certificate CommonName to be the host IP/name, and so using SOAP_SSL_SKIP_HOST_CHECK is fine.
If you want to quit using the SOAP_SSL_SKIP_HOST_CHECK flag, then regenerate your certificate to have the CommonName be the host name or IP address. (Note: you may run into conflicts with other certificates installed on your system if one of them has an identical CommonName.)
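An added example of the host check this answer describes (not code from the question or the answer): three self-signed server certificates are generated, one whose CommonName is not a host name, one whose CommonName is localhost, and one whose subjectAltName carries localhost and 127.0.0.1, and each is put through the same name check a client performs, here with openssl verify -verify_hostname. The config file, names and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the question or the answer. Shows why
# SOAP_SSL_SKIP_HOST_CHECK makes the connection "work": the host check
# compares the name the client connected to against the certificate's DNS
# SAN entries, or, when there are none, against its CommonName.
# The names, paths and config file are constructed for the demo.
set -e

# Self-signed server certificate with CN=$2 and optional SAN list $3
# (for example "DNS:localhost,IP:127.0.0.1"), written to $1/server.crt.
make_server_cert() {
    d="$1"
    {
        printf '[ req ]\ndistinguished_name = dn\nprompt = no\nx509_extensions = ext\n'
        printf '[ dn ]\nCN = %s\n[ ext ]\nbasicConstraints = CA:FALSE\n' "$2"
        if [ -n "$3" ]; then printf 'subjectAltName = %s\n' "$3"; fi
    } > "$d/server.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/server.cnf" \
        -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null
}

# The check a client performs: "OK" if $2 is a valid name for certificate $1.
# The certificate is self-signed, so it serves as its own trust anchor here.
host_check() {
    if openssl verify -CAfile "$1" -verify_hostname "$2" "$1" 2>&1 | grep -q ': OK'; then
        echo OK
    else
        echo MISMATCH
    fi
}

demo_host_check() {
    d=$(mktemp -d)
    make_server_cert "$d" "my-soap-service" ""     # CN only, not a host name
    r1=$(host_check "$d/server.crt" localhost)
    make_server_cert "$d" "localhost" ""           # CN is the host name
    r2=$(host_check "$d/server.crt" localhost)
    make_server_cert "$d" "my-soap-service" "DNS:localhost,IP:127.0.0.1"   # names in the SAN
    r3=$(host_check "$d/server.crt" localhost)
    rm -rf "$d"
    echo "cn_other=$r1 cn_host=$r2 san=$r3"
}
demo_host_check
```

The third case is the one to aim for: keep whatever CommonName you like and put the host name and address the client actually uses into the subjectAltName, which is also what modern clients consult first.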
I've created an SSL server using the sample code from the Qt documentation. I then connect to it using QSslSocket::connectToHostEncrypted.
The server fails, however, and this is in QSslSocket::errorString():
Cannot provide a certificate with no key,
error:0907B068:PEM routines:PEM_READ_BIO_PRIVATEKEY:bad password read
I set the certificate and private keys with this code:
serverSocket->setLocalCertificate("/home/user/Workspace/openssl/cacert.pem");
serverSocket->setPrivateKey("/home/user/Workspace/openssl/privkey.pem");
I created the cacert.pem and privkey.pem using this command on Ubuntu:
openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 1825
The error was because I didn't specify the password for the private key (the one that OpenSSL asked me for during the certificate creation). So instead of
serverSocket->setPrivateKey("/home/user/Workspace/openssl/privkey.pem");
I now call
serverSocket->setPrivateKey("/home/user/Workspace/openssl/privkey.pem", QSsl::Rsa, QSsl::Pem, "mypassword");
and this fixes the problem.
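An added example around the cause identified in this answer (it is not the asker's code): the same openssl req command as in the question is run with the passphrase supplied on the command line, the resulting privkey.pem is inspected to tell from its PEM header that a passphrase will be needed, the passphrase is checked without any prompt (a prompt that cannot be answered is what produces "bad password read"), and an unencrypted copy is written as the alternative to passing the passphrase to setPrivateKey(). The paths and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the asker's code. Reproduces the key the question's
# openssl command produces (passphrase-protected; the passphrase is given on
# the command line instead of at the prompt), shows how to recognise such a
# key from the file itself, checks a passphrase without prompting, and writes
# an unencrypted copy. Paths and the passphrase are constructed for the demo.
set -e

# Same command as in the question, made non-interactive ($2 = passphrase).
make_cert_and_key() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -days 1825 -subj "/CN=qt-demo" \
        -keyout "$d/privkey.pem" -out "$d/cacert.pem" -outform PEM \
        -passout "pass:$2" 2>/dev/null
}

# "encrypted" or "plain", from the PEM header alone (covers the PKCS#8
# "ENCRYPTED PRIVATE KEY" form and the legacy "Proc-Type: 4,ENCRYPTED" form).
key_state() {
    if grep -q -e 'ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted
    else
        echo plain
    fi
}

# "ok" if $2 unlocks key $1, "bad" otherwise. Never prompts, because the
# passphrase comes from -passin; a missing passphrase is what made Qt fail.
key_password_ok() {
    if openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null; then
        echo ok
    else
        echo bad
    fi
}

# Alternative to passing the passphrase to setPrivateKey(): write an
# unencrypted copy $3, readable by the owner only.
strip_passphrase() {
    ( umask 077; openssl pkey -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null )
}

demo_private_key() {
    d=$(mktemp -d)
    make_cert_and_key "$d" mypassword
    s1=$(key_state "$d/privkey.pem")
    p1=$(key_password_ok "$d/privkey.pem" mypassword)
    p2=$(key_password_ok "$d/privkey.pem" wrongpassword)
    strip_passphrase "$d/privkey.pem" mypassword "$d/privkey-plain.pem"
    s2=$(key_state "$d/privkey-plain.pem")
    rm -rf "$d"
    echo "$s1 $p1 $p2 $s2"
}
demo_private_key
```

Either option works with the code in the answer: keep the encrypted key and pass "mypassword" to setPrivateKey(), or point setPrivateKey() at the unencrypted copy and protect that file with filesystem permissions instead.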