no data found in PEM block - hashicorp-vault

Hashi Vault: Attempting to set a PEM-encoded certificate and private key bundle, using the pki/config/ca endpoint. The bundle.pem is a concatenation of the ca and private key. The following is the command and output
vault write pki2/config/ca pem_bundle=@bundle.pem
What is the proper format for the pem_bundle?
Resolution attempted
1. Removed all blank lines in the bundle.pem
2. Also tried to convert pem files to a string that can be passed in json
awk 'NF {sub(/\r/, ""); printf "%s\n",$0;}' cert-name.pem
3. Also tried the UI as well as the api interface.
4. Reviewed similar items on github regarding 'no data found in PEM block'; did not resolve issue.
vault write pki2/config/ca pem_bundle=@bundle.pem
I expect the output to be:
Success! Data written to: pki/config/ca
The actual results are
PUT http://127.0.0.1:8200/v1/pki2/config/ca
Code: 400. Errors: * no data found in PEM block

After further research, there is an issue with the private key formatting.
The private key needs to be changed from pkcs8 to pkcs1
openssl rsa -in pkcs8.key -out pkcs1.key -outform pem
Then recreate bundle using the pkcs1 formatted private key.
Then the following command is successful.
vault write pki2/config/ca pem_bundle=@bundle.pem

Related

Where do I get PEM encoded Private Keys and DER encoded Certificate paths on Mac?

I am trying to use the new SPM Collection signing utility found at https://github.com/apple/swift-package-collection-generator/tree/main/Sources/PackageCollectionSigner
But I honestly don't know how to get the necessary files.
Here is the definition:
USAGE: package-collection-sign <input-path> <output-path> <private-key-path> [<cert-chain-paths> ...] [--verbose]
ARGUMENTS:
<input-path> The path to the package collection file to be signed
<output-path> The path to write the signed package collection to
<private-key-path> The path to certificate's private key (PEM encoded)
<cert-chain-paths> Paths to all certificates (DER encoded) in the chain. The certificate used for signing must be first and the root
certificate last.
I understand the input-path and output-paths arguments but where do I get the PEM encoded private key and the DER encoded path chains?
Sorry if I am being naive, but this is just an area I have no experience with.
Any help about how I get/generate these files would be helpful.
thank you.
The private key you can generate yourself on the command line
openssl genrsa -out private.pem 2048
chmod 600 private.pem
Once you have the key, you will need to request a certificate that uses it. This can also be done on the command line:
openssl req -new -key private.pem -out signing.csr
Once you have that, you can go to developer.apple.com and click on the "Certificates, Identifiers and Profiles" section, then click on the "Certificates" tab. Click the blue plus button, choose the "Swift Package Collection Certificate" option and click Continue.
It will ask you to upload a CSR, so click Choose File and select the signing.csr file you just created. Download the generated certificate and rename it to signing.cer and you should be ready to go.
Once you're done with this, you can delete the signing.csr file.

AWS Pinpoint - How to update APNs channel? How to convert a p12-certificate to String?

I want to update the APNs channel of an AWS Pinpoint application. For that I have to create an APNSChannelRequest with the SSL certificate and the certificate password. The type of both elements must be a string.
How can I convert the .p12 file to a string, or how can I export the right key out of the .p12 file? (This step can be done manually and doesn't have to be done at runtime.)
Here is the (slightly extended) example of the developer guide from AWS SDK for Java:
APNSChannelRequest request = new APNSChannelRequest()
        .withEnabled(enabled);
UpdateApnsChannelRequest updateRequest = new UpdateApnsChannelRequest()
        .withCertificate("here comes the ssl-certificate string")
        .withPrivateKey("pw123")
        .withAPNSChannelRequest(request)
        .withApplicationId("placeholder-for-the-appId");
UpdateApnsChannelResult result = client.updateApnsChannel(updateRequest);
I can't find anything in the documentation.
Thanks for your help.
This will require converting the contents of the p12 file to PEM format. This can be achieved via the command line using openssl as follows:
openssl pkcs12 -in certificate.p12 -nodes -clcerts
This will result in the CERTIFICATE and PRIVATE KEY values being emitted in base64 format. Supply the string beginning with "-----BEGIN CERTIFICATE-----" and ending with "-----END CERTIFICATE-----" as the Certificate value in the UpdateApnsChannelRequest. Supply the string beginning with "-----BEGIN PRIVATE KEY-----" and ending with "-----END PRIVATE KEY-----" as the PrivateKey value in the UpdateApnsChannelRequest.

Unable to determine DKIM key length

I created a public and private key running ssh-keygen -t rsa -b 4096.
I then created a DNS entry dkim._domainkey of type TXT with this value:
v=dkim1; p=AAAAB3NzaC1yc2EAAAABIwAAAgEAvQ1GCaGx9CRKqW4wJUalTb6lGb6C1vm5iTUaus7b8EfurN8JWQouVa+n7V1YbbtAk14om7k+24i5ApbaULv8bhH5fGyano91ZQ4UpXTNxo9TrpgLntRCVQf0GlB1JNADiFMHetepf49xMDh5+NhPvgxzDBwGNqa2e4dR+SiruFKUNr5kBeLCzB9mcpzgI0jLj3PVfiB0c+SfeCcQUcGteWplurl3KLWdFAEAkTlMHPd61adt//mGRy9+XbKnVUVUNK6bn5k5pV+CSmx31pSbbFbUUjtmS4gUzPuqFDsJlVv0Sz5THNMgNiei4dSX3EqvJUmE13m+sKhImyqLoIFMTxD2Z2PxOVVqE2IqnEi9Hn+QluEiczi/g9/thWz8AnodDLlDv884LSQK7Dedie35ueyzUwgkeUsnebzSdqk1A0AqF/IcEBFiAyQyjepJ03Svv04job4cMjX90L4WoeznyCu2KTo9mTcoRRZJhLlDu0afcKavLOr6ydpJyaEsxgRzZURxFbPXUq8FGR3MbuOLszToHd6+CAOH5exRRll+Bs8O8I/dQsvJA6NqCQpynjXpNRwZ5e3RqshOR8RlZsNB4fuTk0SN2rNiozxAwQWoCl4dg+u/jfyki1GPD86qo1U1NWWXKIpXHZqYSx4FXI/CVkQ3KLI9LW1U1GxPwGVpqkU
Now when I test it using https://protodave.com/tools/dkim-key-checker/ it says:
Unable to properly parse the public key string and determine key length or the key is invalid. Tip: Make sure there aren't any special charaters or newlines pasted into your key in the TXT record.
I just copy pasted the complete key out of the file that was generated by ssh-keygen. Any tips on how I can figure out what went wrong?
I used openssl genrsa -out openssl.priv 1024 and openssl rsa -in openssl.priv -pubout >openssl.pub to generate the keys and now it works just fine.
You can and maybe should use a key length of 2048; it's in the DKIM spec.
That said, I heard of problems with mail servers hosted by AWS, insisting on 1024, but that was a few years back.
Create private key:
$ openssl genrsa -out dkim_private.pem 2048
Pull out public key in DER form, for encoding without LFs subsequently:
$ openssl rsa -in dkim_private.pem -pubout -outform der -out dkim_public.key
Convert public key to the base64 representation required:
$ openssl base64 -A <dkim_public.key >p_equals
After this, the base64 encoded string in file p_equals is the string needed in your DNS TXT record (p=MI......AB ).
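An added example, not code from any of the posts on this page: a stdlib-only Python checker for the two mistakes that recur here, the Vault pem_bundle question above (a PKCS#1 "RSA PRIVATE KEY" block versus a PKCS#8 "PRIVATE KEY" block, decided by DER shape rather than by the label) and this DKIM thread (a p= value that decodes to the OpenSSH wire format ssh-keygen writes, instead of the DER SubjectPublicKeyInfo that openssl rsa -pubout emits, plus the modulus length). The sample keys at the bottom are constructed toy structures, not real keys, and all function names are my own.

```python
import base64
import re

def tlv(buf, off=0):  # minimal DER reader: (tag, value, offset just past this element)
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long form: the low 7 bits count the length bytes that follow
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln
def der(tag, value):  # minimal DER writer, used only to build the constructed samples below
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (lb if len(value) < 0x80 else bytes([0x80 | len(lb)]) + lb) + value
def classify(blob):  # name the container by its outer shape, i.e. which tool or flag wrote it
    if blob.startswith(b"\x00\x00\x00\x07ssh-rsa"):
        return "openssh-wire"  # ssh-keygen .pub payload: length-prefixed strings, not DER
    tag, body, _ = tlv(blob) if len(blob) > 1 else (0, b"", 0)
    if tag != 0x30 or not body:
        return "unknown"
    t1, v1, nxt = tlv(body)
    if t1 == 0x30:  # nested SEQUENCE first: AlgorithmIdentifier (an OID) or tbsCertificate
        return "spki-public" if v1[:1] == b"\x06" else "x509-certificate"
    if t1 == 0x02:  # INTEGER version first; the tag after it identifies the private-key wrapper
        return {b"\x30": "pkcs8-private", b"\x02": "pkcs1-rsa-private",
                b"\x04": "sec1-ec-private"}.get(body[nxt:nxt + 1], "unknown")
    return "unknown"
def rsa_bits(spki):  # modulus size of an rsaEncryption SubjectPublicKeyInfo (the DKIM key length)
    _, body, _ = tlv(spki)
    _, _, off = tlv(body)  # skip AlgorithmIdentifier
    _, bits, _ = tlv(body, off)  # BIT STRING: one unused-bits byte, then RSAPublicKey SEQUENCE
    _, pub, _ = tlv(bits[1:])
    return int.from_bytes(tlv(pub)[1], "big").bit_length()
def dkim_check(txt):  # p= tag of a DKIM TXT record -> (detected format, modulus bits or None)
    m = re.search(r"\bp=([A-Za-z0-9+/=]+)", txt)
    kind = classify(base64.b64decode(m[1])) if m else "missing"
    return kind, (rsa_bits(base64.b64decode(m[1])) if kind == "spki-public" else None)
def bundle_report(text):  # what a Vault pem_bundle carries: [(PEM label, detected shape)]
    pat = re.compile(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", re.S)
    return [(m[1], classify(base64.b64decode("".join(m[2].split())))) for m in pat.finditer(text)]
def pem(label, d): return f"-----BEGIN {label}-----\n{base64.b64encode(d).decode()}\n-----END {label}-----\n"
def dkim_txt(d): return "v=dkim1; p=" + base64.b64encode(d).decode()

# Constructed samples (NOT real keys): toy fields behind a 2048-bit-wide modulus, same shape as openssl output.
_int = lambda v: der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
N, E = (1 << 2047) | 1, 65537
ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))  # rsaEncryption, NULL
PKCS1 = der(0x30, _int(0) + _int(N) + _int(E) + _int(3))  # RSAPrivateKey (CRT fields omitted)
PKCS8 = der(0x30, _int(0) + ALG + der(0x04, PKCS1))  # PrivateKeyInfo wrapping the same key
SPKI = der(0x30, ALG + der(0x03, b"\x00" + der(0x30, _int(N) + _int(E))))  # openssl rsa -pubout
SSH_PUB = b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x03\x01\x00\x01"  # what an ssh-keygen .pub decodes to
```

The same PKCS#1-versus-PKCS#8 distinction is what the jose4j question further down runs into when PKCS8EncodedKeySpec rejects a key.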

Sign a JWT with a SHA cert using jose4j

New to using jose4j. I have found examples like this to set private key from cert:
JsonWebSignature jws = new JsonWebSignature();
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(keyBytes);
KeyFactory kf = KeyFactory.getInstance("RSA");
PrivateKey pk = kf.generatePrivate(spec);
jws.setKey(pk);
But I get this error message
java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: invalid key format
I think it is because the cert was created as SHA256 instead of RSA. Here is how I was told the cert was created:
openssl req -x509 -sha256 -nodes -days 730 -newkey rsa:2048 -keyout private.key -out certificate_pub.crt
Does anyone have any examples of how I could sign JWT with a SHA256 cert?
With additional info, that private key file is PEM but NOT PKCS#8, as a modern version of OpenSSL should have created for req -newkey. And the difference between PEM and "DER" (binary) which standard Java requires is not just removing (and adding) the BEGIN and END lines.
Your simplest solution if OpenSSL is available is to convert both of these, without encrypting:
openssl pkcs8 -topk8 -nocrypt -outform der -in private.pem -out good.der
Then read good.der (use better name if you like) as bytes, and put that in PKCS8EncodedKeySpec and use it as you posted. Aside: you don't need to fiddle with DataInputStream, which isn't really intended for "plain old" bytes; java.nio.file.Files.readAllBytes can open, allocate, and read for you.
The next more complicated alternative is to convert to PKCS#8 but still PEM: same as above but omit -outform der (and use a file name that indicates PEM, to avoid confusion). Then in Java read that file as characters (with a Reader, usually BufferedReader, not a Stream), discard the BEGIN and END lines, concatenate all the lines between, and convert them from base64 to byte[]: in Java 8 you have java.util.Base64, before that you can use javax.xml.bind.DatatypeConverter.
To read the file you have in standard Java is harder. You could read the PEM-armored PKCS#1 and convert to binary PKCS#1, then "wrap" the PKCS#1 into PKCS#8 by building the DER encoding, but that's a good bit more complicated than what you've demonstrated familiarity with. Or you could parse the PKCS#1 and use the components to construct your own implementation of RSAPrivateCrtKey and use that directly (no factory), ditto.
The other alternative is to use the third-party library from http://www.BouncyCastle.org which has more flexible features for handling PEM files than standard Java. But you need to learn their API as well as the standard one, and if your program will run anywhere else you need to ensure BC is deployed with or as part of your program.

Importing .pfx within BouncyCastle-Keystore

I've a problem concerning the import of a .pfx certificate into a BouncyCastle keystore. The error message says "...tampered keystore file or incorrect PKCS12 Password...". I've exported the certificates with Windows' CertMgr.
The certificates are exported as .pfx files. I want to import the certificates with their private keys in order to use them in combination with TLS client authentication.
I would appreciate any help.
Windows' PFX files are just renamed PKCS#12 files, and you don't even need BouncyCastle to import them: you can use Java's built-in KeyStore API (which has no limitations on password length or composition -- if you want "no password" you can use the empty string).
Usually, PKCS12 / PFX import code looks something like this:
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

// PKCS#12 / PFX import with the built-in KeyStore API; no BouncyCastle needed.
FileInputStream fis = new FileInputStream("your.pfx");
String password = "your-password";
KeyStore ks = KeyStore.getInstance("pkcs12");
ks.load(fis, password.toCharArray());   // the password is checked here, so a wrong one fails at load()
String alias = ks.aliases().nextElement();
PrivateKey pKey = (PrivateKey) ks.getKey(alias, password.toCharArray());
X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
Not sure about your case - but a lot of tools have implied assumptions about having a password on the private key and/or the same on the PKCS#12 enclosure; it being the same and being 4 or 6 chars. I found that using something like 'abcd1234' is a fairly safe one to use across vendors (or a real one of course).