How to validate an SSL Certificate - regex

I have a form that users can enter in a copy of their SSL certificate. Users tend to just enter comments instead of the actual certificate. What would the regex syntax be that I can use to ensure they are entering a valid certificate?

The below regular expression will help you to validate a custom field in WHMCS that requires a valid certificate structure.
/^(?:(?!-{3,}(?:BEGIN|END) CERTIFICATE)[\s\S])*(-{3,}BEGIN CERTIFICATE(?:(?!-{3,}END CERTIFICATE)[\s\S])*?-{3,}END CERTIFICATE-{3,})(?![\s\S]*?-{3,}BEGIN CERTIFICATE[\s\S]+?-{3,}END CERTIFICATE[\s\S]*?$)/
Simply paste that into the Validation field.
I modified the regular expression found on the answer to this question.
The regular expression from that question can also be used if you have a custom field requiring a Certificate Signing Request:
/^(?:(?!-{3,}(?:BEGIN|END) NEW CERTIFICATE REQUEST)[\s\S])*(-{3,}BEGIN NEW CERTIFICATE REQUEST(?:(?!-{3,}END NEW CERTIFICATE REQUEST)[\s\S])*?-{3,}END NEW CERTIFICATE REQUEST-{3,})(?![\s\S]*?-{3,}BEGIN NEW CERTIFICATE REQUEST[\s\S]+?-{3,}END NEW CERTIFICATE REQUEST[\s\S]*?$)/

What would the regex syntax be that I can use to ensure they are entering a valid certificate?
There isn't one. Certificate validity depends on expiry date, the integrity of a digital signature, and the validity of the signer's own certificate. No regular expression can check all that.
If on the other hand you just want to reject outright garbage, see my comments under your question.
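Both answers above make the same point from different sides: a regular expression can only check that the text is shaped like a PEM block, never that the certificate is signed, unexpired or trusted. The following is an added example, not code from either answer or from WHMCS, that does the structural check a little more thoroughly than the regex alone: it requires exactly one PEM block (so a pasted chain or a comment-only submission is rejected), accepts either CSR label ("CERTIFICATE REQUEST" as well as the "NEW CERTIFICATE REQUEST" form the regex above expects), base64-decodes the body and confirms it frames a single complete DER SEQUENCE. The sample inputs are constructed: the DER body is a hand-built SEQUENCE wrapper, not a real certificate, and the function and label names are this example's own.

```python
import base64
import re

# Exactly five dashes, a label, and a matching END line. Text before or after
# the block is tolerated, as in the WHMCS regex; a second block is not.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    r"-----END (?P=label)-----"
)

CERT_LABELS = {"CERTIFICATE"}
# Both labels seen in the wild for PKCS#10 requests (assumption: accept either).
CSR_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}


def der_sequence_length(der: bytes):
    """Total encoded length of the outer DER SEQUENCE, or None if the bytes
    do not start with a SEQUENCE tag and a well-formed length octet."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short form: length in one octet
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def validate_pem(text: str, allowed_labels=CERT_LABELS):
    """Return (ok, reason). ok is True only for exactly one PEM block with an
    allowed label whose body is valid base64 framing one complete DER SEQUENCE.
    This is a structural check only; it says nothing about signature or expiry."""
    blocks = list(PEM_RE.finditer(text))
    if not blocks:
        return False, "no PEM block found"
    if len(blocks) > 1:
        return False, f"expected one block, found {len(blocks)}"
    m = blocks[0]
    if m.group("label") not in allowed_labels:
        return False, f"unexpected block type {m.group('label')!r}"
    try:
        der = base64.b64decode(re.sub(r"\s+", "", m.group("body")), validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return False, "body is not valid base64"
    total = der_sequence_length(der)
    if total is None:
        return False, "body does not start with a DER SEQUENCE"
    if total != len(der):
        return False, "DER length does not match body"
    return True, "structurally valid"


def make_sample_pem(label: str, payload: bytes) -> str:
    """Constructed test input: wrap arbitrary bytes in a long-form DER SEQUENCE
    and PEM-armor it. Not a real certificate or CSR."""
    der = b"\x30\x82" + len(payload).to_bytes(2, "big") + payload
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed samples (300-byte payloads so the long-form length is legitimate).
SAMPLE_CERT = make_sample_pem("CERTIFICATE", b"\x02\x01\x01" * 100)
SAMPLE_CSR = make_sample_pem("NEW CERTIFICATE REQUEST", b"\x05\x00" * 150)
GARBAGE_BODY = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, sample in [("cert", SAMPLE_CERT), ("comment", "see attached"),
                         ("two certs", SAMPLE_CERT + SAMPLE_CERT),
                         ("bad body", GARBAGE_BODY)]:
        print(name, validate_pem(sample))
```

For a real submission, the next step after this check is to hand the bytes to an X.509 parser (OpenSSL, or a library that wraps it) and verify signature, validity period and chain; nothing in the regex or in this function does that.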

Related

Ignore common name when verifying certificate in openssl

We are writing a new server/client app and need to verify self-signed certificates in OpenSSL 1.1.0 where the CN field isn't important.
I tried to do the following but it doesn't seem to have an effect:
X509_VERIFY_PARAM *param = NULL;
param = SSL_get0_param(sslo.ssl);
X509_VERIFY_PARAM_set1_host(param, nullptr, 0);
How can I effectively ignore all verification of this field?
Update after Shane's answer:
I tried setting verify_callback with SSL_CTX_set_verify.
In the callback I called X509_STORE_CTX_get_error_depth. The resulting error code was X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, which according to the documentation means "the passed certificate is self signed and the same certificate cannot be found in the list of trusted certificates."
This error is very generic and not related specifically to CN, if I only change the CN field in the cert to appropriate value it doesn't happen.
Use the SSL_CTX_set_verify call to specify your own verification callback function, where you can OK anything you wish about the certificate.
Read that page carefully and it should tell you everything you need to know; the page also includes an example you can base your handler on if you wish.

Upload correct certificate to AWS for https

I am new to AWS and have only a little knowledge of SSL. I have already bought a certificate for SSL and the files look like this. (file name). I bought it from sslcertificate.com
But in the AWS panel, I see something like this asking for a PEM value.
I am not sure which crt file I need to use. Do I need to use the CSR file as well? (the one I used to get the crt file).
To upload your own certificate to AWS Certificate Manager you need to provide three pieces.
Certificate Body
This is the certificate that was provided to you from your certificate authority that they have signed. This is the certificate that is unique to your website. This is what is returned to browsers when they make requests so this information is public.
In this case it is the www_test_io.crt file.
Certificate Private Key
The private key is something that you should have generated when you requested a certificate. This information must be kept secret. Keeping this secret is the key (pun intended) to how the connection is secured. Once you provide this to AWS they will never give it back to you, so you may want to keep this safe on your own.
Your private key may be password protected; if it is, you will have to use a command line tool to remove the password before you upload it here.
In this case the file that contains the private key was not listed, but this key is mandatory for you to be able to upload the certificate.
Certificate Chain
The certificate chain consists of the certificates that are "in-between" your certificate and the root certificate. All of this information is public, the same as your certificate. There may be zero, one, or multiple certificates in the chain. The chain is required so the clients can tie your certificate back to a root that it trusts. It is possible that not specifying a chain may work on some clients but not others so it is best to get this correct for compatibility reasons.
In this specific case you would want to put the content of the following two files in this order:
COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt
All you do is take the text content of the first, copy and paste it in, and then the text content of the second, and copy and paste it right below the first.
While it is possible to also include the root certificate as part of the chain and some people do include it, it does not need to be included and is considered best practice not to actually include the root itself.
Paste www_test_io.cert contents into Certificate body. Open the other 3 files and merge them into one (copy and paste them together) and paste that block into the Certificate chain.
You should have the private key, which was generated when you made the request. Paste it into Certificate private key.

How to validate ssl certificate on amazon ELB?

I'm writing a script that loads an IAM certificate to some ELB in order to check if it's valid.
When I tested it, I used an invalid private key on purpose to see if I could load it to the ELB.... and the problem - it gets loaded!
So my questions are:
How is this possible? I know for a fact that if you use AWS console you can't do something like that.
Is there a boto way to check if a cert is valid? (not using openssl, this is what I'm trying to avoid).
What exactly do you mean when you say "check if it's valid"? If you try to upload a malformed PEM file (the text of the cert isn't valid) then it will definitely throw an error since it can't decode the file. Also, if you try to upload a mismatched public & private key it will also throw an error. I just tested these sorts of cases myself and got the following error:
The private key did not match the public key provided. Please verify the key material and try again.
If you're referring to testing that a certificate is signed, authentic, and not expired, then the ELB isn't going to do any of that. According to the AWS documentation for ELBs it's perfectly fine to make use of self-signed certificates, and certs will also continue to work (whether CA signed or self-signed) even if expired. Both self-signed certs and expired certs are "valid" as far as operation of a secure SSL connection goes. Whether the cert is signed and unexpired or not is really just a means of providing authentication that it's a legitimate certificate.
If you are asking about testing if a certificate is properly signed and not expired then you would need to test for these sorts of things yourself, typically by leveraging something like openssl.

https security exception for amazon s3 bucket

I have two buckets, https://almaconnect.dev.s3.amazonaws.com/ and https://almaconnect.s3.amazonaws.com/
The first one, when I hit it, gives a non-secure result and asks me to add an exception in the browser. The 2nd one works fine.
I am wondering what issue there can be.
Please, help me guys....
Thanks,
Amit Chaudhary
The server sends a wildcard certificate for *.s3.amazonaws.com.
This certifies all subdomains of the domain s3.amazonaws.com.
The certificate is valid for your working example almaconnect.s3.amazonaws.com but not for your second example almaconnect.dev.s3.amazonaws.com.
Create a bucket called e.g. almaconnectdev to work around this problem.
With the distribution of Firefox 3.5, all major browsers allow only a single level of subdomain matching with certificate names that contain wildcards, in conformance with RFC 2818.
In other words the certificate *.mydomain.com will work for one.mydomain.com or two.mydomain.com but NOT one.two.mydomain.com.
Resources:
Wikipedia Wildcard Certificates
RFC 2818 on IETF.org
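The single-label wildcard rule the two answers above describe is easy to get wrong by hand, so here is an added example (not code from either answer, and not what any browser or OpenSSL actually runs) that implements the RFC 2818 / RFC 6125 matching rules in Python: a wildcard is honoured only when it is the entire leftmost label, it matches exactly one label, and a partial wildcard such as "al*.example.com" is rejected. The SAN list for the S3 certificate is a constructed sample reflecting what the answer says the server presents, not a dump of the real certificate; the refusal to honour a wildcard with fewer than two labels after it (so "*.com" never matches) is this example's own conservative choice.

```python
def _match_label(pattern_label: str, host_label: str) -> bool:
    """A label either matches literally or is the whole-label wildcard '*'."""
    if pattern_label == "*":
        return True
    return pattern_label == host_label


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName (possibly with a wildcard) against a host.

    Rules applied, following RFC 2818 / RFC 6125:
      * comparison is case-insensitive and ignores a trailing dot
      * the label counts must be equal, so '*' never spans 'a.b'
      * '*' is only accepted as the complete leftmost label
      * a wildcard needs at least two labels after it (example's own choice)
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if "*" in pattern:
        if p[0] != "*" or any("*" in lbl for lbl in p[1:]):
            return False          # 'al*.example.com' or 'a.*.example.com'
        if len(p) < 3:
            return False          # '*.com' would cover an entire TLD
    return all(_match_label(a, b) for a, b in zip(p, h))


def cert_covers_host(san_names, hostname: str) -> bool:
    """True if any dNSName in the certificate's SAN list matches the host."""
    return any(hostname_matches(n, hostname) for n in san_names)


# Constructed sample SAN list for the S3 endpoint, as the answer describes it.
S3_SANS = ["s3.amazonaws.com", "*.s3.amazonaws.com"]


def s3_virtual_host_ok(bucket: str) -> bool:
    """Virtual-hosted-style addressing (bucket.s3.amazonaws.com) only validates
    when the bucket name adds exactly one label, i.e. contains no dot."""
    return cert_covers_host(S3_SANS, f"{bucket}.s3.amazonaws.com")


if __name__ == "__main__":
    for bucket in ("almaconnect", "almaconnect.dev", "almaconnectdev"):
        print(f"{bucket:16} https ok: {s3_virtual_host_ok(bucket)}")
```

Running it shows the two buckets from the question on opposite sides of the rule: "almaconnect" adds one label under the wildcard and validates, "almaconnect.dev" adds two and does not, and the renamed "almaconnectdev" bucket from the answer validates again.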

Certificate error open ssl C

I am using openssl in C to verify a certificate. Is there any way I can skip the self signed certificate error? I am getting that error for all the sites that have invalid/expired/mismatched url certificates and I am unable to detect any of the other errors.
And I use the function
SSL_CTX_load_verify_locations(ctx, 0, CA_LIST) to load CA_LIST. What does it exactly do?
The error self-signed certificate in certificate chain comes when the root or self-signed certificate is present in the certificate list sent by the peer, but the same is not loaded in your Trust Store.
The SSL_CTX_load_verify_locations(ctx, 0, CA_LIST) call will try to load the CAs present in the path mentioned in CA_LIST.
The function prototype is int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath);
The OpenSSL Help Page Says:
"If CApath is not NULL, it points to a directory containing CA certificates in PEM format. The files each contain one CA certificate. The files are looked up by the CA subject name hash value, which must hence be available. If more than one CA certificate with the same name hash value exist, the extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in the ordering of the extension number, regardless of other properties of the certificates. Use the c_rehash utility to create the necessary links.
The certificates in CApath are only looked up when required, e.g. when building the certificate chain or when actually performing the verification of a peer certificate."
You can get more information from the OpenSSL Page here.