VSTO ClickOnce self signed certificate and Trusted Publisher - certificate

I have two certificates which look the same to me but apparently not to the ClickOnce deployment process. Both certificates are self-signed and both are in the Trusted Root zone on the machine where the application will be installed (thus neither has an issuer; they are roots).
One of those certificates is generated using the Visual Studio publish tab's "Create Test Certificate" button, and the other one is generated by me using the openssl CLI.
Here's how they look in cert preview:
[image: certificate created with VS]
[image: certificate created with openssl]
Now, the one generated with Visual Studio appears as a Trusted Publisher when I install the app, whereas my certificate is shown as Untrusted (however, when I check the certificate manually, it appears as trusted in Windows).
Here are the CLI commands I'm using to create the certificate with openssl. Note that I'm using the default openssl config (version 1.0.2h):
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 999 -key ca.key -out ca.crt
openssl pkcs12 -export -in ca.crt -inkey ca.key -out ca.p12
I can't figure out why my certificate appears as untrusted, that is, what the VS cert generator does that I don't do in openssl. How can I see and compare the properties of both certificates to find the difference that matters to the ClickOnce installer?
I also tried to explicitly specify that the certificate is for Code Signing (in the Extended Key Usage) -- the result was still the same.
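As an added example (not from the question or any answer), a shell script that builds two constructed self-signed certificates with the default openssl.cnf, one made exactly as above and one that additionally declares the code-signing purpose, and prints the properties of each so the two can be diffed instead of compared by eye; the -addext flag it uses needs OpenSSL 1.1.1 or newer, so it would not run on the 1.0.2h mentioned.

```shell
# Added example, not from the question. Two constructed self-signed certificates are
# built with the default openssl.cnf (as in the question); cert_props prints the
# fields a signing tool looks at, so the two can be diffed instead of eyeballed.
set -e
cd "$(mktemp -d)"

# Print the comparable properties of one certificate: names, validity, signature
# and key algorithm, and the extension values (the value follows the name line).
cert_props() {
  openssl x509 -in "$1" -noout -subject -issuer -dates
  openssl x509 -in "$1" -noout -text | sed 's/^ *//' | grep -E -m2 'Signature Algorithm|Public-Key'
  openssl x509 -in "$1" -noout -text | sed 's/^ *//' | grep -E -A1 \
    'X509v3 (Basic Constraints|Key Usage|Extended Key Usage|Subject Key Identifier)'
}

# Exit 0 when the two certificates carry the same properties; otherwise print the diff.
cert_diff() {
  cert_props "$1" > props_a.txt
  cert_props "$2" > props_b.txt
  diff props_a.txt props_b.txt
}

# Certificate made the way the question does it (default config, no extra extensions).
openssl genrsa -out plain.key 2048 2>/dev/null
openssl req -new -x509 -days 999 -key plain.key -out plain.crt -subj '/CN=Demo Publisher' 2>/dev/null
# Same, but stating the code-signing purpose explicitly (-addext needs OpenSSL 1.1.1+).
openssl genrsa -out cs.key 2048 2>/dev/null
openssl req -new -x509 -days 999 -key cs.key -out cs.crt -subj '/CN=Demo Publisher' \
  -addext 'keyUsage=critical,digitalSignature' -addext 'extendedKeyUsage=codeSigning' 2>/dev/null

cert_diff plain.crt cs.crt || echo "the certificates differ in the properties listed above"
```

Run it with two real certificate files in place of plain.crt and cs.crt to get the same diff for the VS-generated and openssl-generated certificates.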

Sign Powershell Script with Cert from easy-rsa

I apologize if this has been answered elsewhere, but I couldn't find anything that quite fit what I'm trying to do here.
I have a CA set up already on a Linux server, and I use it for creating OpenVPN certs. I want to utilize this existing infrastructure if I can.
What I intend to do, is create the signing certificate on my Linux server using easy-rsa, import that into a Server 2012 R2 environment, and sign it from there. After that, I'd import the necessary certs on the servers I'm deploying my scripts to.
Is this possible? Are there limits to the key size? What algorithms can I use? Is EC supported? If so, which curves?
All the literature I've come across talks about creating the CA on a Windows Server, so I'm at a bit of a loss here.
It took 3 years and I asked the same question, and the answer is - Yes!
Requirements: easy-rsa, openssl
Step 1: Generate RSA private key.
openssl genrsa -out MySPC.key
Step 2: Make certificate request.
openssl req -new -key MySPC.key -out MySPC.req
Step 3: Import certificate request to easyrsa.
easyrsa import-req MySPC.req MySPC
Step 4: Sign certificate request, and make SPC certificate.
easyrsa sign-req code-signing MySPC
Step 5: Make PFX.
openssl pkcs12 -export -out MySPC.pfx -inkey MySPC.key -in MySPC.crt -certfile MyCA.crt
Last step: Import PFX file to Windows Keystore.
Import PFX file to Trusted Publishers Certificate Store.
Now you can use this certificate to sign your PowerShell scripts and other executables!

How can I introduce a cross signing certificate into a chain?

I maintain a java applet that is locally deployed. I recently purchased a code signing certificate from Go Daddy (it was inexpensive, and they already host our site). My certificate chain is as follows (all files are available at https://certs.godaddy.com/anonymous/repository.pki):
my company
gdig2.cer
gdroot-g2.crt
Unfortunately, this root is not installed by default on Windows 7 (used by IE) or the Windows JRE (used by other browsers, I think). Manually installing the root certificate is doable, but it requires my users to have administrator access or run unfamiliar commands (it also doesn't make much sense from a security standpoint to say "you can trust my applet, and to prove it, run this command on your computer").
I would like to change my certificate chain to
my company
gdig2.cer
gdroot-g2_cross.crt
gd-class2-root.crt
which seems to be more prevalent (for example, it is the one in the Windows JRE, and is used to validate https://www.godaddy.com, which gets it into Windows 7). Go Daddy is not able to do this for me ("our support for using one of our Code Signing Certificates is limited"), so I'm left doing this on my own.
Following this answer, my most promising approach has been the following (on Mac OS X 10.6):
Convert my certificate into pem format:
$ openssl pkcs12 -in myCert.p12 -out myCert.pem -nodes
Use a text editor to open myCert.pem, delete gdroot-g2.crt, and paste in gdroot-g2_cross.crt and gd-class2-root.crt (openssl appears not to care about the order of the certificates, but I put them in the order shown above)
Convert the certificates back to p12 format:
$ openssl pkcs12 -export -in myCert.pem -out combined.p12
Unfortunately, this doesn't quite work. Calling
$ keytool -list -storetype pkcs12 -keystore combined.p12 -v
shows that my certificate chain extends through gdig2.cer, and stops. The problem appears to be that gdroot-g2_cross.cer doesn't certify gdig2.cer:
$ openssl verify -CAfile gd-class2-root.cer gdroot-g2_cross.cer
gdroot-g2_cross.cer: OK
$ cat gd-class2-root gdroot-g2_cross.cer > gdRootCross.pem
$ openssl verify -CAfile gdRootCross.pem gdig2.cer
gdig2.cer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
error 20 at 0 depth lookup:unable to get local issuer certificate
But everything looks ok to me:
$ openssl x509 -in gdig2.cer -text -noout
. . .
Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2
X509v3 Authority Key Identifier:
keyid:3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE
. . .
$ openssl x509 -in gdroot-g2_cross.cer -text -noout
. . .
Subject: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=https://certs.godaddy.com/repository/, CN=Go Daddy Root Certificate Authority - G2
X509v3 Subject Key Identifier:
3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE
. . .
This leads me to think that I'm not using the cross certificate correctly, but I don't know what I'm doing wrong. (I've also tried appending the two new certificates to my original chain, to which openssl verify says error 18 at 0 depth lookup:self signed certificate.) I'm almost willing to believe that it's not possible to change the root certificate, but that seems to be the entire point of cross certificates. How can I introduce a cross certificate into my certificate chain in order to be verified by a different root certificate authority?
You don't. You just have one certificate signed by the first authority and one certificate signed by the second authority; both have the same public key / fingerprint and subject line. That's it.
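The dumps in the question show gdig2.cer's Issuer DN without the OU=https://certs.godaddy.com/repository/ that the cross certificate's Subject DN carries; OpenSSL, following RFC 5280 path building, matches an issuer by exact subject name before it consults the key identifiers, so matching SKI/AKI values alone do not make the chain build. The script below is an added example, not part of the question or the answer, that reproduces this with constructed certificates (all names and files are placeholders) and shows the same leaf verifying once the cross certificate's subject matches exactly.

```shell
# Added example (not from the question or answer): constructed demo certificates and
# the openssl CLI only. OpenSSL looks an issuer up by exact Subject DN match before
# it checks key identifiers, which is what the gdig2/cross-certificate dumps show.
set -e
cd "$(mktemp -d)"
# Minimal config so the demo does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
[ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[leaf]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
extendedKeyUsage = codeSigning
EOF
build_demo_pki() {
  # Old root (stand-in for gd-class2-root) and newer root G2 (stand-in for gdroot-g2).
  openssl req -x509 -new -config demo.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj '/CN=Demo Old Root' -keyout old.key -out old.crt 2>/dev/null
  openssl genrsa -out g2.key 2048 2>/dev/null
  openssl req -x509 -new -config demo.cnf -key g2.key -days 30 \
    -subj '/CN=Demo Root G2' -out g2.crt 2>/dev/null
  # Code-signing leaf issued by G2: its Issuer DN is exactly "CN=Demo Root G2".
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
    -subj '/CN=Demo Signer' -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA g2.crt -CAkey g2.key -CAcreateserial \
    -days 30 -extfile demo.cnf -extensions leaf -out leaf.crt 2>/dev/null
  # Two cross certificates for the same G2 key, both signed by the old root:
  # "bad" adds an OU to the Subject (as in the question's dump), "ok" matches exactly.
  for variant in bad ok; do
    [ "$variant" = bad ] && subj='/OU=repository/CN=Demo Root G2' || subj='/CN=Demo Root G2'
    openssl req -new -config demo.cnf -key g2.key -subj "$subj" -out cross_$variant.csr 2>/dev/null
    openssl x509 -req -in cross_$variant.csr -CA old.crt -CAkey old.key -CAcreateserial \
      -days 30 -extfile demo.cnf -extensions ca -out cross_$variant.crt 2>/dev/null
  done
}
# Subject Key Identifier (hex) of a certificate; identical for both cross variants.
ski() { openssl x509 -in "$1" -noout -ext subjectKeyIdentifier | tail -n1 | tr -d ' '; }
# Returns 0 when leaf.crt chains to the old root through the given cross certificate.
verify_with_cross() { openssl verify -CAfile old.crt -untrusted "$1" leaf.crt >/dev/null 2>&1; }
build_demo_pki
verify_with_cross cross_bad.crt || echo "cross_bad (extra OU): unable to get local issuer certificate"
verify_with_cross cross_ok.crt && echo "cross_ok (exact Subject match): leaf.crt OK"
```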

Certificate issue: KEY or PFX from P7B and CRT

I'm new to certificates, and this is the first time I've bought one.
I generated a CSR file (in IIS) and bought a certificate using the GoDaddy web site. They sent me two files: P7B and CRT. Since I will use the certificate for an Azure Web role, I need a PFX. How can I create it using only the CSR, P7B, and CRT?
Finally I managed to do that. In IIS I selected Complete Certificate Request, installed the CRT certificate, and then used Export option to save it as PFX.
Since I will use the certificate for Azure Web role, I need PFX
Although my target server is Nancy, I'm posting the answer because it's relevant to the process of generating a PFX cert.
A Nancy-based project required a trusted cert. I found procedures to set up a self-signed certificate using a PFX cert, Enabling SSL for Self Hosted Nancy, but it wasn't obvious how to proceed with GoDaddy certs. Digging around, I found an answer at a commercial SSL site.
So I created the CSR using OpenSSL, ordered and fetched my cert package from GoDaddy, and then managed to generate a PFX also using OpenSSL as described below.
As a side note for Nancy, I installed the PFX locally using the following:
c:> certutil -importPFX certname.pfx
described here: https://stackoverflow.com/a/33351095/241296
Maybe it's possible to completely bypass local IIS for the Azure PFX requirements.
Create a .pfx/.p12 certificate file using OpenSSL (ssl.com):
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt
Breaking down the command:
openssl – the command for executing OpenSSL
pkcs12 – the file utility for PKCS#12 files in OpenSSL
-export -out certificate.pfx – export and save the PFX file as certificate.pfx
-inkey privateKey.key – use the private key file privateKey.key as the private key to combine with the certificate.
-in certificate.crt – use certificate.crt as the certificate the private key will be combined with.
-certfile more.crt – This is optional, this is if you have any additional certificates you would like to include in the PFX file.
I used the -certfile option to specify the GoDaddy bundle:
openssl pkcs12 -export -out my.pfx -inkey my.key -in my.crt -certfile gd_bundle-g2-g1.crt
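An added example, not from the answer above: it reproduces the -certfile export with a constructed CA and leaf (stand-ins for gd_bundle-g2-g1.crt and my.crt, built with the default openssl.cnf) and then checks that the PFX really contains the bundle certificate and that the leaf inside it verifies against that bundle, which is worth doing before the file is uploaded anywhere.

```shell
# Added example, not from the answer: builds a constructed CA and leaf with the default
# openssl.cnf, exports the PFX the way the answer does (chain via -certfile), and checks
# that the PFX really carries the chain and that the leaf verifies against it.
set -e
cd "$(mktemp -d)"
PFX_PASS=pass:demo-only   # constructed password for the demo only

# Stand-ins for the CA bundle (gd_bundle-g2-g1.crt) and the issued certificate (my.crt).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Demo Bundle CA' \
  -keyout bundle.key -out bundle.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=demo.example' -keyout my.key -out my.csr 2>/dev/null
openssl x509 -req -in my.csr -CA bundle.crt -CAkey bundle.key -CAcreateserial -days 30 -out my.crt 2>/dev/null

# The answer's command, with a non-interactive password.
make_pfx() {
  openssl pkcs12 -export -out my.pfx -inkey my.key -in my.crt -certfile bundle.crt -passout "$PFX_PASS"
}

# Number of certificates inside the PFX (leaf plus every certificate given via -certfile).
pfx_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "$PFX_PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# 0 when the leaf extracted from the PFX chains to the bundle it was packed with.
pfx_leaf_verifies() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "$PFX_PASS" 2>/dev/null > leaf_from_pfx.pem
  openssl verify -CAfile bundle.crt leaf_from_pfx.pem >/dev/null 2>&1
}

make_pfx
echo "certificates in my.pfx: $(pfx_cert_count my.pfx)"
pfx_leaf_verifies my.pfx && echo "leaf in my.pfx verifies against bundle.crt"
```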
You can follow the steps provided in the support article for installing an SSL certificate.
Extracts from the above link:
Important Note: To export the certificate in .pfx format you need to follow the steps on the same machine from which you have requested the certificate.

How to change the expiration date for a self created Certificate Authority in keychain

I'm trying to create a Certificate Authority in Keychain on Mac using stored public & private keys. The output CA has an expiration date of a year from the creation date.
I would like to increase the duration of the certificate validity.
I can do it on Linux with this tutorial by the following command:
openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 1825
The command will create a certificate authority that expires in 5 years.
Is it possible to do that using Keychain or another method (changing some configuration files)? And how?
I found it on the first screen on the Certificate Assistant "Create Your Certificate Authority". Just click the "Let me override defaults". Click "Continue" and the next screen has a box to fill in the validity duration.
There you go.

How to convert .csr to .cer (or whatever is usable on Windows)

I'm trying to figure out how to install a .csr certificate under Windows, but probably the only way is to convert it to some other format (maybe with openssl), and I have no idea how.
Do you have any suggestion?
A CSR file is a Certificate Signing Request. It contains the information needed to generate a certificate based on your private key and information about the website.
A CER is the certificate itself (which you install into your web browser). There is basically no way to convert directly from one to the other, as you need a key to sign the certificate, but what you can do is generate a self-signed certificate (i.e. a certificate signed by the same key that was used to generate the request):
openssl x509 -req -in server.csr -signkey server.key -out server.crt