How do I specify intermediate certs in concourse ATC? - concourse

I have an arbitrary long cert chain that I want to use to verify my ATC, how do I do this?

In your cert file you can append your certs together to make a chain.
Example:
-----BEGIN CERTIFICATE-----
MIIDrTCCAxagAwIBAgIBADANBgkqhkiG9w0BAQQFADCBnDEbMBkGA1UEChMSVGhl
IFNhbXBsZSBDb21wYW55MRQwEgYDVQQLEwtDQSBEaXZpc2lvbjEcMBoGCSqGSIb3
................................................................
<More of cert 1>
................................................................
FS5G13pW2ZnAlSdTkSTKkE5wGZ1RYSfyiEKXb+uOKhDN9LnajDzaMPkNDU2NDXDz
SqHk9ZiE1boQaMzjNLu+KabTLpmL9uXvFA/i+gdenFHv
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDrTCCAxagAwIBAgIBADANBgkqhkiG9w0BAQQFADCBnDEbMBkGA1UEChMSVGhl
IFNhbXBsZSBDb21wYW55MRQwEgYDVQQLEwtDQSBEaXZpc2lvbjEcMBoGCSqGSIb3
................................................................
<More of cert 2>
................................................................
FS5G13pW2ZnAlSdTkSTKkE5wGZ1RYSfyiEKXb+uOKhDN9LnajDzaMPkNDU2NDXDz
SqHk9ZiE1boQaMzjNLu+KabTLpmL9uXvFA/i+gdenFHv
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDrTCCAxagAwIBAgIBADANBgkqhkiG9w0BAQQFADCBnDEbMBkGA1UEChMSVGhl
IFNhbXBsZSBDb21wYW55MRQwEgYDVQQLEwtDQSBEaXZpc2lvbjEcMBoGCSqGSIb3
................................................................
<More of cert n>
................................................................
FS5G13pW2ZnAlSdTkSTKkE5wGZ1RYSfyiEKXb+uOKhDN9LnajDzaMPkNDU2NDXDz
SqHk9ZiE1boQaMzjNLu+KabTLpmL9uXvFA/i+gdenFHv
-----END CERTIFICATE-----

Related

Error while decoding an ecdsa (secp256k1) private key

I created a private key (pem) file using the following command:
openssl ecparam -name secp256k1 -genkey -noout -out ec-secp256k1-priv-key.pem
Here is the file content:
-----BEGIN EC PRIVATE KEY-----
MHQCAQEEINpbPusf6E6YXk6E8Y0o56T35Pmyv4F6pIdjuxOsBeu/oAcGBSuBBAAK
oUQDQgAEHir/UGtp0N4xD5gKiMlgVS7infNl4fpq+CDPSRasA8jHSfACho5asgwv
0gZ4K9WMXPSGtI7Yflz5YXSYgAoUwQ==
-----END EC PRIVATE KEY-----
I tried to decode the above string using this website (https://redkestrel.co.uk/products/decoder/).
But getting an error:
Sorry, we were unable to fully decode the data provided

No certificate matches private key

I am trying to convert a .crt file to a .pfx file.
openssl pkcs12 -export -inkey privkey.pem -out my.pfx -in my.crt
The privkey.pem file is what I got when I created the .csr file.
When I execute the above openssl command I get this error:
No certificate matches private key
The interesting thing is that for another CSR for which I requested a certificate, I could export the PFX.
But for this second certificate it's not possible.
Of course I created both CSRs in separate folders...
my.crt:
-----BEGIN CERTIFICATE-----
stuff
-----END CERTIFICATE-----
privkey.pem:
-----BEGIN PRIVATE KEY-----
stuff
-----END PRIVATE KEY-----
What is wrong?

Is there any way we can convert RSA private key to x509 format?

I have created a private key and public key using the commands below:
openssl genrsa -out privatekey.pem 1024
openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 1825
It seems like both are in different formats.
I need to convert the RSA privatekey.pem to x509 format.
Is there any way I can do that?
Probably, you meant a conversion of the RSA private key to the PKCS8 format.
From starting with:
-----BEGIN RSA PRIVATE KEY-----
To:
-----BEGIN PRIVATE KEY-----
If so, use the following command:
openssl pkcs8 -topk8 -in rsa.private.key -out pkcs8.private.key -nocrypt

SSL Chain certificate: PEM_read_bio:no start line

How can I configure Jupyterhub to work with chain certificates? I have my certs from Entrust:
my_name.txt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Entrust_Root.txt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Entrust_L1Kroot.txt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
When I try to start Jupyterhub I get the following error:
crypto.js:131
c.context.setKey(options.key);
^
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
at Object.exports.createCredentials (crypto.js:131:17)
at Server (tls.js:1128:28)
at new Server (https.js:35:14)
at Object.exports.createServer (https.js:54:10)
at new ConfigurableProxy (/usr/lib/node_modules/configurable-http-proxy/lib/configproxy.js:158:35)
at Object.<anonymous> (/usr/lib/node_modules/configurable-http-proxy/bin/configurable-http-proxy:171:13)
at Module._compile (module.js:456:26)
at Object.Module._extensions..js (module.js:474:10)
at Module.load (module.js:356:32)
at Function.Module._load (module.js:312:12)
[C 2016-05-13 15:44:24.633 JupyterHub app:1119] Failed to start proxy
Traceback (most recent call last):
File "/usr/local/lib/python3.5/site-packages/jupyterhub/app.py", line 1117, in start
yield self.start_proxy()
File "/usr/local/lib/python3.5/site-packages/jupyterhub/app.py", line 881, in start_proxy
_check()
File "/usr/local/lib/python3.5/site-packages/jupyterhub/app.py", line 877, in _check
raise e
RuntimeError: Proxy failed to start with exit code 8
My configuration file:
c.JupyterHub.ssl_cert = u'/path/to/Entrust_L1Kroot.txt'
c.JupyterHub.ssl_key = u'/path/to/my_name.txt'
I have tried other assignments to ssl_cert and ssl_key but they did not work either.
To prepare the full chain of certificates you need to concatenate all of them into a single file:
cat your_name.txt Entrust_L1Kroot.txt Entrust_Root.txt > your_name-chained.crt
Then configure JupyterHUB:
c.JupyterHub.ssl_cert = '/path/to/your_name-chained.crt'
c.JupyterHub.ssl_key = '/path/to/my_name.key'
You can generate your own self-signed SSL certificate for jupyterhub, e.g. if you are using localhost (or without a real domain):
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout jupyterhub.key -out jupyterhub.crt
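The check a practitioner wants after building a bundle like the Concourse answer at the top of the page or the JupyterHub `cat` command above is that the blocks are in leaf-first order, each certificate issued by the one that follows it. The stdlib-only Python below is an added example, not code from the original posts or from Concourse or JupyterHub: it splits a PEM bundle into blocks, walks the DER just far enough to extract each certificate's Issuer and Subject, and reports any adjacent pair that does not chain; `fake_cert_pem` is an assumed helper that produces constructed, unsigned certificate skeletons so the checker can be exercised without real certificates.

```python
import base64
import re
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Split a PEM bundle into (label, DER bytes) in file order; the backreference rejects mismatched BEGIN/END."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_RE.finditer(text)]

def tlv(buf, off):  # one DER tag-length-value at off -> (tag, content_start, end)
    tag, n = buf[off], buf[off + 1]
    off += 2
    if n & 0x80:                      # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, off, off + n

def issuer_subject(der):
    """Return the raw DER Name encodings of Issuer and Subject from an X.509 certificate."""
    _, off, _ = tlv(der, 0)           # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, off, _ = tlv(der, off)         # TBSCertificate ::= SEQUENCE { ... }
    if der[off] == 0xA0:              # optional [0] EXPLICIT version (present on v3 certs)
        off = tlv(der, off)[2]
    off = tlv(der, tlv(der, off)[2])[2]   # skip serialNumber, then signature AlgorithmIdentifier
    _, _, end = tlv(der, off)
    issuer, off = der[off:end], end
    off = tlv(der, off)[2]            # skip validity
    _, _, end = tlv(der, off)
    return issuer, der[off:end]

def check_chain(text):
    """Leaf-first chain check: cert i must be issued by cert i+1. Returns the problems found."""
    certs = [der for label, der in pem_blocks(text) if label == "CERTIFICATE"]
    if not certs:
        return ["no CERTIFICATE block found (the condition behind PEM_read_bio:no start line)"]
    return [f"cert {i} is not issued by cert {i + 1}"
            for i in range(len(certs) - 1)
            if issuer_subject(certs[i])[0] != issuer_subject(certs[i + 1])[1]]

def _der(tag, content):               # minimal DER encoder for the constructed test input
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + content

def fake_cert_pem(subject, issuer):
    """CONSTRUCTED input: an unsigned skeleton with the X.509 field order, not a real cert."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + name(issuer) + _der(0x30, b"") + name(subject))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(der).decode()}-----END CERTIFICATE-----\n"
```

Run `check_chain` on the file you point `ssl_cert` (or the ATC certificate option) at; an empty list means every certificate is issued by the one after it.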

How to decode a self-signed certificate

When creating a public-private key pair and certificate, we usually see that the certificate looks like this:
-----BEGIN CERTIFICATE-----
XXX
XXX
...
XXX
-----END CERTIFICATE-----
If I understand correctly, the certificate should contain a lot of information like issuer, time, algorithm, public key, etc.
Can anybody tell me how a browser can decode this certificate?
Most programming languages will have functions to do this, or you can use the OpenSSL command line utility.
For example, in PHP, you could use the openssl_x509_parse() function.
Here's a list of OpenSSL commands for getting certificate info. Most programming languages let you call system commands like openssl.
Here's the linked info in case the page is removed:
# Using the -text option will give you the full breadth of information.
openssl x509 -text -in cert.pem
# who issued the cert?
openssl x509 -noout -in cert.pem -issuer
# to whom was it issued?
openssl x509 -noout -in cert.pem -subject
# for what dates is it valid?
openssl x509 -noout -in cert.pem -dates
# the above, all at once
openssl x509 -noout -in cert.pem -issuer -subject -dates
# what is its hash value?
openssl x509 -noout -in cert.pem -hash
# what is its MD5 fingerprint?
openssl x509 -noout -in cert.pem -fingerprint
And here is the output of the -text full info option when run on the PayPal API public key:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CA, L=Mountain View, O=PayPal Inc., OU=live_certs, CN=live_api/emailAddress=re#paypal.com
Validity
Not Before: Feb 13 10:13:15 2004 GMT
Not After : Feb 13 10:13:15 2035 GMT
Subject: C=US, ST=CA, L=Mountain View, O=PayPal Inc., OU=live_certs, CN=live_api/emailAddress=re#paypal.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c1:47:4e:dd:fc:44:cc:4b:5c:9c:8e:d9:29:92:
f8:d7:65:ef:64:fb:a0:a2:78:bb:8b:b0:fb:a6:b0:
9e:d0:0b:5a:1d:37:3d:ec:26:20:9b:b3:6c:02:d2:
72:c4:d2:e2:c6:68:4b:57:ca:72:20:46:a2:1d:75:
80:87:c7:cf:29:6f:91:d3:5e:fe:12:65:eb:af:d1:
1a:aa:e3:e6:b1:5b:d3:cb:00:00:13:53:cc:34:e2:
aa:a3:69:25:e0:6c:62:cf:dc:d9:a8:86:a3:3a:6d:
5f:64:65:9c:19:2d:1f:e4:94:36:90:1a:8d:6e:f6:
e0:db:f6:5a:f8:62:7f:ab:05
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
96:9F:7C:BB:C6:6F:17:BD:59:3F:52:D7:0A:1B:EC:10:D6:64:94:6B
X509v3 Authority Key Identifier:
keyid:96:9F:7C:BB:C6:6F:17:BD:59:3F:52:D7:0A:1B:EC:10:D6:64:94:6B
DirName:/C=US/ST=CA/L=Mountain View/O=PayPal Inc./OU=live_certs/CN=live_api/emailAddress=re#paypal.com
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
81:5f:3a:56:9a:80:5a:e5:ef:5f:a3:ab:a3:8a:89:d6:d6:15:
21:3e:43:81:6a:44:eb:dd:80:83:8d:b6:1f:bc:91:22:bf:fd:
8f:f8:8a:1b:84:e1:89:af:ce:7e:5c:78:4d:d2:fe:20:52:41:
03:23:ca:f6:fe:b3:64:d6:6d:06:03:c1:ca:75:db:d3:8f:21:
b0:fd:7a:97:6b:e2:d2:4e:50:d8:92:a2:3c:3b:04:7c:18:46:
23:e1:e7:c4:b5:c4:69:45:80:71:57:c2:b1:01:6f:77:60:35:
b3:14:6b:eb:b8:a9:e7:2d:b0:c0:17:a5:51:e7:0f:dc:08:c9:
f9:87
To answer my own question: It is just a Base64 encoding.