Which private key using for CSR generated by TPM2? - pkcs#11

I'm following guidline to generate CSR: https://github.com/irtimmer/tpm2-pk11/wiki
After get certificate which signed by server side, in my case, I have to use private key used for CSR generation to handshake with SSL connection with server. I tried to convert key.priv using base64 command but failed.
And my questions:
1) Can I use private key "key.priv" when created private key in TPM. If not which private key will be accepted?
tpm2_create -c po.ctx -g sha256 -G rsa -u key.pub -r key.priv
2) What are key.pub and key.priv used for?
Thank you very much.

Related

How to add a passphrase for ssh key after its been created?

Is generating a new one necessary, or is there a way to go back and add a passphrase?
I have generated an ssh key, but would like to go back and add a passphrase. I haven't linked it to my github yet. Is there any way to do this?
As explained here, you can add a passphrase to an existing private key with:
cd ~/.ssh
ssh-keygen -o -p -f keyfile
But you can also link that to GitHub immediately: adding a passphrase (encrypting the private key) does not change the public key you would register to your GitHub profile.
The public key will remain the same, before and after you add a passphrase to your local private key.

How do I know which ssh key is used in my github account?

When I go to the SSH keys page in my GitHub account, I see a key whose identity starts with "c5:42:08:9d:39:22..."
On my computer, in the ".ssh" folder, I have several files that look like public SSH keys, but none of them contains a string similar to the above. For example, one
of the files "id_rsa.pub" contains a string that starts with "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABA..." there are other similar files that probably represent different keys.
How can I identify which of the files, if any, represents the actual key that is in my github account?
"c5:42:08:9d:39:22..." isn't the key, but rather the key's fingerprint. You can see your key's fingerprint using ssh-keygen:
ssh-keygen -lf ~/.ssh/id_rsa
Where
-l means we want to see the key's fingerprint
-f ~/.ssh/id_rsa is a path to the key whose fingerprint we want to see
On older versions of OpenSSH, you may need to also specify that you want the SHA256 fingerprint rather than another hash like MD5, since SHA256 is what GitHub shows in its web interface:
ssh-keygen -lf ~/.ssh/id_rsa -E sha256
You should get the same fingerprint from the public part as from the private part of the keypair.

haproxy - unable to load SSL private key from PEM file

haproxy does not start anymore, it shows the error
bind <ip>:443' : unable to load SSL private key from PEM file ...
We did not change anything on the certificates or configuration. Since the last start we only made normal updates to the system.
To find the error, I generated a completely new certificate (self signed) but the error still exists.
This is the structure of the PEM file:
-----BEGIN CERTIFICATE-----
MIIDXjCCAkY...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpgIBAAKC....
-----END RSA PRIVATE KEY-----
I also tried to convert the private key with
openssl pkcs8 -topk8 -inform pem -in server.key -outform pem -nocrypt -out server_new.key
but haproxy still shows the same error.
I'm trying for hours now but I can not find the reason. Please help! Thank you!
Update:
The problem has something to do with file access. The PEM file was stored at /data/ssl/domainname/domainname.pem. File rights are ok. When I move the PEM file to /etc/haproxy then everything is ok.
The order in which the cert and key files appear in the pem is important. Use the following to create the pem file.
cat example.com.crt example.com.key > example.com.pem
The problem I was running into on CentOS was SELinux was getting in the way. To test if SELinux is the problem execute the following as root: setenforce 0, then try restarting the haproxy. If it works, there is an SELinux problem. (You can re-enable SELinux now and try to fix the underlying problem with the command setenforce 1).
Since I have the certificates in the folder /etc/haproxy/certificates, the following command worked to get the right permissions on the files restorecon -v -R /etc/haproxy (depending on your OS and SELinux config this may or may not work).
For me the problem was caused by this line in combined PEM file:
-----END CERTIFICATE----------BEGIN RSA PRIVATE KEY-----
After I split it I could start HaProxy and load it OK:
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
For the latest version of letsencrypt certbot,fullchain.pem and privkey.pem files will be generated for you in /etc/letsencrypt/live/example.com folder. They need to be combined in order to HAProxy to read it properly.
cat fullchain.pem privkey.pem > example.com.pem
In HAProxy configuraion /etc/haproxy/haproxy.cfg
bind *:443 ssl crt /etc/letsencrypt/live/example.com/example.com.pem
I also encountered this error. You might want to try to remove the passphrase from the private key before you begin ripping your hair out. It solved the problem for me. I think HAProxy is supposed to ask you for the password on restart, but it didn't in my case using 'sudo /etc/init.d/haproxy restart
To remove the password, try
'openssl rsa -in [PRIVATE_KEY_FILE] -out nopassphrase.key'
Is passphrase necesssary? There's a discussion in the link below.
https://security.stackexchange.com/questions/70495/ssl-certificate-is-passphrase-necessary-and-how-does-apache-know-it
Did you append your certificate's private key to the end of the file?
HAProxy requires a "full chain" - certificate, intermediate authority (if you have one), and then private key. E.g.:
cat cert.pem cert.key > /haproxy/certs/fullchain.pem
The problem for me was a strange character at the beginning of the key.
This character did not show up when I cated the file because the character was <feff> otherwise known as the UTF-8 BOM (Byte Order Mark). It only showed up when I opened the file in vim.
I wouldn't expect this to be very common, but hopefully it saves someone some headache.
Just for information, in my case I had space character in front of "-----BEGIN RSA PRIVATE KEY-----" sequence and that broke the pem file.
I'd like to add, for people which join here and have the same issue, that you have to keep your intermediate certificates in the chain as well...
So if you have a chain with some layers, don't only take the rootca but also the intermediate certificates into your pem file
SElinux was the problem for me as well. HAProxy reported it could not read the file due to permissions even though the permissions matched other pem files in the folder. Our process is automated which is likely why SELinux is involved. The solution that seems to work for me so far (leaving SELinux running) is:
#!/bin/sh
if [ "$2" == "add" ]; then
sudo touch /etc/haproxy/ssl/$1
sudo cat $1 > /etc/haproxy/ssl/$1
sudo chmod 644 /etc/haproxy/ssl/$1
fi
if [ "$2" == "delete" ]; then
sudo rm /etc/haproxy/ssl/$1
fi
echo "performed $2 on $1";

connecting to server through SSH using public key

I am working on one iPhone application on which we need to use SSH integration. I have demo that can connect server with password, but i can't get how to connect that using public key.
I can connect it via MAC terminal using below command.
ssh -i (KeyFilePath) username#(domainname or IP)
But unfortunately, I can't connect using Xcode.
Thanks,
You may want to consider first adding the private key (or keys) to the authentication agent. From that point and on, all ssh commands will re-use the cached key:
# Add a new key to the authentication agent
$ ssh-add <path to private key>
# List current keys
$ ssh-add -l
# Delete all loaded keys
$ ssh-add -D
# Add a new key and store the passphrase in your keychain
$ ssh-add -K <path to private key1>
$ ssh-add -K <path to private key2>
# After storing the private keys passphrase in the keychain,
# you can load them all, at any time
$ ssh-add -k
When the authentication agent has a private key loaded, you should be able to use Xcode to connect to (domainname or IP) with no problems.

Importing OpenSSH RSA Public / Private Key Pair into Apple's Keychain Access

As stated in the title, I would like to import a key pair into Keychain Access.
What I have done:
Obtaining an RSA public / private key pair by using OpenSSH
What I am going to do:
Importing the key pair into the "login" keychain of Keychain Access
Creating a CSR with OpenSSL
Send the CSR to Apple for obtaining a developer certificate
Any suggestions are welcomed.
Found the answer by myself:
Open Terminal.app:
$ security import developer_rsa_key -k login.keychain -t priv -f openssh2
1 key imported.
$ security import developer_rsa_key.pub -k login.keychain -t pub -f openssh2
1 key imported.