We Keep Coding

Revoke PEM certificate

For testing purposes, I need a revoked PEM certificate.
So I created a certificate:
Generate CSR & KEY: openssl req -new -newkey rsa:4096 -nodes -keyout test.key -out test.csr
Generate PEM and self-sign with KEY: openssl x509 -req -sha256 -days 365 -in test.csr -signkey test.key -out test.pem
When I try to revoke with openssl -revoke a get an error variable lookup failed
How can I revoke this certificate?

Powershell convert PFX to PEM programmatically [duplicate]

I am building a command line script to create a client certificate using OpenSSL "mini CA" feature.
I have a CA certificate and CA private key encrypted with a password. With those things I am trying to create the client certificate and stumbled upon the command line syntax. How do I specify the password for the CA's private key?
So far, I have ...
openssl x509
-req
-in client.csr
-signkey client.key
-passin pass:clientPK
-CA client-ca.crt
-CAkey client-ca.key
-CAkeypassin pass:client-caPK <-- does not work
-CAcreateserial
-out client.crt
-days 365
See the highlighted parameter. I expect something like this, but I cannot find it anywhere in the docs.
Corrected
Just for the records. The -signkey parameter is used for self signed certificates. CA's don't have access to the client's private key and so will not use this. Instead the -passin parameter refers to the CA's private key.
openssl x509
-req
-in client.csr
-CA client-ca.crt
-CAkey client-ca.key
-passin pass:CAPKPassword
-CAcreateserial
-out client.crt
-days 365

Use -passin pass as shown below.
openssl x509
-req
-in client.csr
-signkey client.key
-passin pass:clientPK
-CA client-ca.crt
-CAkey client-ca.key
-passin pass:secret <-- try this
-CAcreateserial
-out client.crt
-days 365

Running dev env with mongo + ssl

Background
I'm trying to run mongo locally in the same way that production will run, with full ssl verification enabled. Mongo is complaining about the certs being self-signed, but I'm specifying a ca.crt file, that I think should be treated as a root cert to validate against. If that's reasonable, then I think either my mongo config, or the cert generation is not correct.
SSL keys/certs/pem
To create the ssl stuff I'm running the following
#!/bin/sh
# Generate self signed root CA cert
openssl req -nodes -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "/emailAddress=dev#gmail.com"
# Generate server cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "/emailAddress=dev#gmail.com"
# Sign the server cert
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
# Create server PEM file
cat server.key server.crt > server.pem
# Generate client cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr -subj "/emailAddress=dev#gmail.com"
# Sign the client cert
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl -out client.crt
# Create client PEM file
cat client.key client.crt > client.pem
Mongo DB config
The mongo config I'm then running with (inside docker), is the following. (Where /data/mongo is the location generated to above).
net:
port: 27017
ssl:
mode: requireSSL
CAFile: /data/mongo/ca.crt
PEMKeyFile: /data/mongo/server.pem
allowInvalidHostnames: true
setParameter:
enableLocalhostAuthBypass: true
and running via
mongo --config config/location
Connecting to mongo
I then try to connect to the server using the mongo command line as follows.
mongo --ssl --sslPEMKeyFile /data/mongo/client.pem --sslCAFile /data/mongo/ca.crt
And get the following output
MongoDB shell version: 3.2.14
connecting to: test
2017-07-19T20:12:31.456+0000 I NETWORK [initandlisten] connection accepted from 127.0.0.1:60516 #1 (1 connection now open)
2017-07-19T20:12:31.461+0000 E NETWORK [conn1] SSL peer certificate validation failed: self signed certificate
2017-07-19T20:12:31.461+0000 I NETWORK [conn1] end connection 127.0.0.1:60516 (0 connections now open)
2017-07-19T20:12:31.461+0000 E NETWORK [thread1] SSL peer certificate validation failed: self signed certificate
2017-07-19T20:12:31.461+0000 E QUERY [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: self signed certificate :
connect#src/mongo/shell/mongo.js:229:14
#(connect):1:6
exception: connect failed

Got it! Basically it needed more data in the subject line, or CN needed to be ROOTCA for the CA. Anyone that could comment on why would be appreciated.
#!/bin/sh
prefix="/C=CN/ST=GD/L=city/O=company"
# Generate self signed root CA cert
openssl req -nodes -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "${prefix}/CN=ROOTCA"
# Generate server cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "${prefix}/CN=127.0.0.1"
# Sign the server cert
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
# Create server PEM file
cat server.key server.crt > server.pem
# Generate client cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr -subj "${prefix}/CN=127.0.0.1"
# Sign the client cert
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl -out client.crt
# Create client PEM file
cat client.key client.crt > client.pem
Some related resources if anyone is having similar troubles
Answer was found/taken from
https://www.mongodb.com/blog/post/secure-mongodb-with-x-509-authentication
https://raw.githubusercontent.com/tjworks/mongoscripts/master/x509/setup-x509.sh
An stack exchange ticket almost identical to mine can also be found at
https://dba.stackexchange.com/questions/151251/mongodb-error-self-signed-certificate-in-certificate-chain?newreg=20bca440682842c085a8764dd7c91e96

Encoding of output artifacts from 'openssl req' command?

My question is simply: What is the encoding of the .pem and .csr file created by openssl using this command:
openssl req -nodes -newkey rsa:2048 -keyout key.pem -out some.csr \
-subj "/C=XY/ST=UVW/L=SOMETOWN/O=STH/OU=STHELSE/CN=my.cert.test"
I do past some information from which i do not know if they are of importance for the answer of this question:
I am working on a xterm under x11. I have a up to date linux distribution (opensuse leap 42.2) and use openssl in my shell to create a csr file. I have a setting in my env XTERM_LOCALE=de_DE.UTF-8.

You can set encoding by passing -outform DER or -outform PEM where der is binary file and pem is in base64.

How to specify CA private key password for client certificate creation using OpenSSL

I am building a command line script to create a client certificate using OpenSSL "mini CA" feature.
I have a CA certificate and CA private key encrypted with a password. With those things I am trying to create the client certificate and stumbled upon the command line syntax. How do I specify the password for the CA's private key?
So far, I have ...
openssl x509
-req
-in client.csr
-signkey client.key
-passin pass:clientPK
-CA client-ca.crt
-CAkey client-ca.key
-CAkeypassin pass:client-caPK <-- does not work
-CAcreateserial
-out client.crt
-days 365
See the highlighted parameter. I expect something like this, but I cannot find it anywhere in the docs.
Corrected
Just for the records. The -signkey parameter is used for self signed certificates. CA's don't have access to the client's private key and so will not use this. Instead the -passin parameter refers to the CA's private key.
openssl x509
-req
-in client.csr
-CA client-ca.crt
-CAkey client-ca.key
-passin pass:CAPKPassword
-CAcreateserial
-out client.crt
-days 365

Use -passin pass as shown below.
openssl x509
-req
-in client.csr
-signkey client.key
-passin pass:clientPK
-CA client-ca.crt
-CAkey client-ca.key
-passin pass:secret <-- try this
-CAcreateserial
-out client.crt
-days 365