I tried to use a client certificate for authentication using the Swift XMPP client but am not able to select a certificate, although I have already imported the certificate into the Windows client certificates.
I got the message below from the client; clicking OK to continue exits the Windows certificate dialog.
You need to install the certificate in the OS first; then the list will show the certificates installed in the system.
To install the certificate, create a certificate in PFX format and double-click it to install it.
To create the PFX:
openssl pkcs12 -export -out my_certs.pfx -inkey example.com.key -in example.bundle.pem -certfile ca.pem
I've faced the problem with SSL connection to MongoDB (SSLContextService processors).
I've generated all certificates (Root, Server and Client). I've signed the Server and Client certificates with my root certificate. Since my MongoDB server has more than one IP address, I've included all IP addresses in the server certificate.
MongoDB is also configured for SSL connections (TLS); the old versions of TLS (1.1, 1.2) are not disabled in MongoDB.
SSL-Connection with mongo-shell works without problems. I've also checked everything with openssl s_client and connection was there and also worked properly.
For Apache NiFi I've created a keystore (PKCS12)
openssl pkcs12 -export -name client -in client.crt -inkey client.key -certfile ca.crt -out client.p12
and also a truststore with the server certificate
openssl pkcs12 -export -name server -in server.crt -inkey server.key -out server.p12
and I've also tried
openssl pkcs12 -export -name server -in server.crt -inkey server.key -certfile ca.crt -out server.p12
ca.crt is my root certificate. client.crt and server.crt were signed with this ca.crt.
I've used both services in NiFi:
StandardSSLContextService and StandardRestrictedSSLContextService. In the Keystore parameter I've put client.p12 and in the truststore parameter server.p12. Both are of type PKCS12. The TLS protocol is just TLS.
But anyway I get an error "PKIX path building failed".
I'm not sure what I've missed, but maybe someone has had such a problem already.
Thanks in advance.
P.S. forgotten:
If I set in MongoDBControllerService parameter "Client Auth" to "NONE" then it works.
PKIX path building errors mean that NiFi cannot construct the trusted "path" between the certificate that is presented by the other endpoint (in this case MongoDB) and any of the certificates which are loaded in the respective truststore to identify trusted certificates.
If I am watching my niece and she tells me she's allowed to have all the candy she wants, I am not likely to agree. However, if she has a signed note from her parent confirming that, she gets candy. If she has a note signed by herself in crayon, not so much.
The likely solution is to concatenate the root public certificate and the node certificate into a single file (literally just cat server.pem ca.pem > combined_server.pem; make sure the node cert is first). That command assumes the certificate files are in PEM-encoded ASCII format (i.e. starts with -----BEGIN CERTIFICATE-----) and I prefer using .pem for the extension here, though .crt files can also contain this data. You can then verify that the chain is correct with
openssl verify -verbose -purpose sslserver -CAfile ca.pem combined_server.pem
For consistency, I'd repeat the process with the client cert and CA as well (use -purpose sslclient in the verification command). Then regenerate the PKCS12 keystore & truststore and load them into NiFi.
I am slightly confused by the fact that you say disabling client authentication in NiFi allows this to work, as NiFi should be acting as the client, and clients don't get to determine the client authentication level (the setting is literally ignored when acting as a client). It should only matter if NiFi is somehow acting as the server and MongoDB is the client. What version of NiFi and MongoDB are you using?
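The concatenate-and-verify step from the answer above, as an added example that is not part of the original post. It assumes the openssl CLI with its default configuration file is installed; the CA names, the mongo.example.test subject and all file names are constructed for the demo. It builds a throwaway root, signs a server certificate with it, and shows that the same combined file verifies against the signing root and is rejected against an unrelated one.

```shell
#!/bin/sh
# Added example; every name, subject and file here is constructed for the demo.

make_ca() {            # $1 = file prefix, $2 = subject CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

make_server_cert() {   # $1 = prefix of the CA that signs server.pem
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mongo.example.test" \
        -keyout server.key -out server.csr 2>/dev/null &&
    openssl x509 -req -in server.csr -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out server.pem 2>/dev/null
}

chain_verifies() {     # $1 = CA file, $2 = file whose first cert is checked
    openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

run_demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        make_ca ca "Demo Root CA" || exit 1
        make_ca other "Unrelated Root CA" || exit 1
        make_server_cert ca || exit 1
        # Node certificate first, then the root, as in the answer.
        cat server.pem ca.pem > combined_server.pem
        if chain_verifies ca.pem combined_server.pem; then right=ok; else right=rejected; fi
        if chain_verifies other.pem combined_server.pem; then wrong=ok; else wrong=rejected; fi
        echo "right-ca=$right wrong-ca=$wrong"
    )
    status=$?
    rm -rf "$dir"
    return $status
}

run_demo
```

openssl verify checks only the first certificate in the file it is given, which is why the node certificate has to come first in the combined file.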
NiFi uses its own truststore, which is in either jks or pfx (p12) format, not concatenated pem files and not system files under /etc/pki/ca-trust/. As far as I can tell, you are not allowed to pass the tlsCAFile URL parameter from a NiFi processor, which is confusing.
I am new to this concept of SAML certificates.
I am currently working on configuring SSO for a website and need to know how I can generate a SAML certificate. The setup I am using for this website is not via Azure, but directly from the vendor site, and they are requesting my SAML certificate. Do I need a special tool to do this? And does it need to be registered before sending it out?
Run the command below to create the certificate
e.g:
keytool -genkey -alias saml -dname "CN=mydomain.com, C=NO" -keystore saml-keystore -keyalg RSA -validity 730 -keysize 2048
Send the public certificate to the SAML Consumer party
The SAML Consumer needs to know the public part of your certificate. You may export the public part of the certificate and send this.
keytool -export -rfc -keystore saml-keystore -alias saml -file saml-cert.public
Here are the whole details. There are also other online tools that help create a certificate online, such as samltool.
There's no such thing as a SAML certificate. SAML uses self-signed X.509 certificates that can be generated manually using openssl. There are a number of tutorials on the web on how to create such a certificate.
Some identity providers will generate the public key and certificate for you.
Keycloak does this and will allow you to copy it in the Realms settings.
I have a CA pairkey and I need to sign a client pairkey for client authentication. I am using keytool for this. Based on this I have created a .p12 pairkey for my client. Then I create a CSR and then I sign it to have a .cer file.
My problem is that I want to "update" the cert in the p12 with this signed certificate. Basically, I need to import the keypair into the Personal Certificates for client authentication, but Windows will accept the p12 (which is not signed) and not the .cer (since it has no private key).
How can I update the p12 with the new signed public cert? Thanks.
NOTE: I prefer not to have any intermediate cert and I don't want to use OpenSSL, I need to use keytool
EDIT - By the way, when I try to import the signed certificate into the .p12 I get a keytool error: java.lang.Exception: Failed to establish chain from reply
EDIT - This link and this link seem to address my problem, but it is using OpenSSL and other tools, not keytool.
We are trying to install a third-party CA cert on our WSO2 ESB server (Linux). We are unable to install the CA certificate; it always falls back to the default certificate.
When the WSO2 service is started, it shows that the new cert is being referred to and loaded, but in the client browser it gives an error and shows the default built-in cert.
Can someone guide us to where we need to look for errors?
We followed the instructions from
http://wso2.org/library/knowledge-base/2011/08/adding-ca-certificate-authority-signed-certificate-wso2-products
All steps are followed correctly.
Sreejith, the document you're following is correct. I've used the same to configure our servers.
You can get the certificate being used by your server by executing this from a consumer host (client):
echo -n | openssl s_client -connect esb.yourdomain.co.nz:8243 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.cert
Then you can see if the certificate being used is the one you expect.
To replace the default certificate, you'll need to replace the $WSO2_HOME/repository/resources/security/wso2carbon.jks keystore and modify $WSO2_HOME/repository/conf/carbon.xml and $WSO2_HOME/repository/conf/axis2/axis2.xml with the new keystore (along with alias and passwords) wherever necessary.
In my experience the keystore needs to be replaced. You cannot simply add your certificate to the existing keystore; you need to force the WSO2 server to use your certificate by making it the only certificate in the keystore. Also, the certificate CN and alias must match your server hostname (as in the URL) for this to work.
Then add the certificate to the $WSO2_HOME/repository/resources/security/client-truststore.jks keystore.
And don't forget to restart the server after the changes.
Regards
Is there a way to create a self-signed certificate from your own iOS application?
Is this more what you're after?
How to use NSURLConnection to connect with SSL for an untrusted cert?
Certificate configuration:
You have to install the self-signed certificate or CA on the device in order for the device to trust it; only then does the device trust the SSL connection.
When installing a self-signed certificate, make sure the domain name of the URL is the same as the Common Name of the certificate.
If there is no domain name then the IP address is fine.
Certificate installation:
You can just host it on the web server and try to access it from Safari; iOS will then prompt for the certificate installation on the iOS device.
Certificate Creation:
Here is the way to create a self-signed certificate so that you can fill in all the details and host it on a web server.
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 1001 -nodes
(Pay attention while entering the value for Common Name)