How to automate checking when a code signing certificate expires

I have a desktop application created with signed binaries and a code signing certificate that expires in a year. Just as a reminder, I want to keep checking when the certificate expires. Is there a way I can automate this?

You can run the openssl command-line utility to print the expiration time of the certificate:
openssl x509 -enddate -noout -in <your certificate file>
The output is something like this:
notAfter=Feb 10 12:05:45 2023 GMT
Then you can create a script that will run periodically and will check this value.
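
One way to write that periodic check, as an added example (not code from the original answer): it parses the notAfter line printed by the openssl command above and exits non-zero when a certificate is inside a reminder window. The 30-day WARN_DAYS threshold, the function names and the exit codes are assumptions.

```python
import subprocess
import sys
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed reminder window, not a value from the original post
LEVELS = {"OK": 0, "WARNING": 1, "EXPIRED": 2}  # assumed exit codes


def parse_not_after(line):
    """Turn 'notAfter=Feb 10 12:05:45 2023 GMT' into an aware UTC datetime."""
    key, sep, value = line.strip().partition("=")
    if key != "notAfter" or not sep:
        raise ValueError(f"unexpected openssl output: {line!r}")
    # openssl pads single-digit days with a second space; strptime accepts it.
    stamp = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return stamp.replace(tzinfo=timezone.utc)


def status(line, now=None, warn_days=WARN_DAYS):
    """Return (state, whole days remaining) for one notAfter line."""
    now = now or datetime.now(timezone.utc)
    remaining = parse_not_after(line) - now
    if remaining.total_seconds() <= 0:
        return "EXPIRED", remaining.days
    if remaining.days < warn_days:
        return "WARNING", remaining.days
    return "OK", remaining.days


def read_enddate(cert_path):
    """Run the openssl command from the answer and return its output line."""
    result = subprocess.run(
        ["openssl", "x509", "-enddate", "-noout", "-in", cert_path],
        capture_output=True, text=True, check=True)
    return result.stdout.strip()


def main(paths):
    worst = 0
    for path in paths:
        state, days = status(read_enddate(path))
        print(f"{state}: {path} ({days} days left)")
        worst = max(worst, LEVELS[state])
    return worst  # 0 = fine, 1 = renew soon, 2 = already expired


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Schedule it with cron or Task Scheduler, passing the certificate file path(s) as arguments, and alert on a non-zero exit code. Month names are parsed with %b, so run it under an English or C locale.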

Related

How to find the keystore location and renew certificates using keytool

How to find the existing certificates on my computer using the keytool command?
I have to take a copy of the existing certificates for renewal and run the following commands on the certs:
keytool -list -alias <<your cert's alias>> -keystore <<your .jks file>> -storepass <>
I am not sure how to go about figuring out the certificates on my system. Are these certificates related to Java/Linux or something else?
Separately, where do I find the keystore? Once I have the keystore location I could use the keytool -list -v command on the keystore to get the serial number of the certificate.

Can't connect to Mongodb with SSL

Windows 10 Pro x64
Mongodb 4.4
Compass GUI
I set up Mongodb as normal (no security) and verified everything was working. Now trying to add TLS/SSL. I followed the instructions at:
https://docs.mongodb.com/manual/appendix/security/appendixA-openssl-ca/
https://docs.mongodb.com/manual/appendix/security/appendixB-openssl-server/
No errors. Everything succeeded. Verified the pems with:
openssl verify -CAfile mongodb.pem mongodb01.pem
mongodb01.pem: OK
Updated my config file with:
net:
  port: 27017
  bindIp: mongodb01.xxx.com
  tls:
    mode: requireTLS
    certificateKeyFile: C:\Program Files\MongoDB\Server\4.4\bin\mongodb01.pem
    CAFile: C:\Program Files\MongoDB\Server\4.4\bin\mongodb.pem
The CA cert was created for *.xxx.com and the server cert was created for mongodb01.xxx.com. NOTE: mongodb01.xxx.com is faked in my hosts file to 127.0.0.1. I've done this many times before and the fake DNS name trick does work when it's all on the same machine.
I then run mongodb with:
mongod --config "C:\Program Files\MongoDB\Server\4.4\bin\mongod.cfg"
But when I try:
openssl s_client -connect mongodb01.xxx.com:27017
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
EDIT:
So I made SOME progress. I don't think MongoDB is picking up the CAFile. When I added the root cert and the intermediate cert into the mongodb01.pem (and all 3 signed with the same key), then the cert chain passes, but it's returning a self-signed cert error (as expected).
I haven't tried calling it from Java yet; I was trying to get it to work in Compass first. However, Compass complains about the self-signed cert. I tried putting the certs in my trusted store, but Compass still refuses to connect.
You need to provide the CA certificate to s_client, unless the certificate was issued by a well-known CA and its CA cert is in the bundle that ships with openssl (assuming such a bundle even exists).
Use -CApath or -CAfile options to specify the CA certificate.
openssl does not usually have any default root certification authorities.
Try passing your CA with the -CAfile option, like
openssl s_client -CAfile mongodb.pem -connect mongodb01.orionsoftware.com:27017
Note that mongodb.pem should not contain the private key for this usage.

Free IPA - Replacing expired 3rd party domain certificate

I'm using FreeIPA version 4.5
My 3rd party domain certificate expired. Can I just copy the new crt & key files over the old ones (they have the same file names) and restart ipa?
Or do I need to use the ipa-server-certinstall command to install the new certificate?
The problem I ran into was that I could not start the ipa service because of an expired certificate. To get around this issue I completed the following steps:
Changed the server date to a date prior to the cert expiration date by executing: date -s "1 FEB 2019 00:00:00"
Started the ipa service by executing: systemctl start ipa
Changed the server date back to the current date by executing: date -s "17 FEB 2019 11:45:00"
After completing those steps I was then able to execute:
ipa-server-certinstall -p DMPassword -w -d /etc/pki/private/mycert.pem /etc/pki/public/mycert.crt
where the mycert.pem & mycert.crt files are the new key and cert.
Finally I restarted the ipa service by executing: systemctl restart ipa
IPA is now running as expected with the new certificates.

Postman app - 403 Invalid client certificate

I'm trying to test an API that requires a client certificate with Postman.
The Postman app that comes as a Google Chrome built-in app works fine as it loads the correct certificate from the user's local store.
But this built-in app will be deprecated soon. I'm trying to get the Postman standalone app. I keep getting
403 Invalid client certificate
It requires the certificate to be loaded manually:
Questions:
I only have a pfx certificate loaded on to my local certificate store.
How do I generate the CRT file and key file off the pfx?
How do I generate the passphrase?
Thanks.
You can convert a pfx certificate into cer and key files by using the OpenSSL application (a Windows installer can be found at https://slproweb.com/products/Win32OpenSSL.html).
Once OpenSSL is installed, run PowerShell and execute the following command.
openssl pkcs12 -in test.pfx -nocerts -out test.key
You will be asked to provide the password for the pfx certificate and to set a passphrase.
Then execute the following command and provide the password for the pfx certificate.
openssl pkcs12 -in test.pfx -clcerts -nokeys -out test.crt
In the case above, the cer and key files will be stored under the user's directory.

Creating certificate with certreq tool where I have csr generated using openssl

I have created a CSR using openssl and I want it to be signed by the Microsoft CA using the command line, with the template set to webServer.
This is the way to generate it. Got it! On a Microsoft CA server machine, issue the command below:
certreq.exe -submit -attrib "CertificateTemplate:WebServer" certifcatesigningrequest.csr