I would like to use svn server to share source code in a repository among computers on a home network. I have svnserver and openssl installed on the computer with the repository. Can someone give me step by step instructions on generating a certificate, incorporating into svnserver, putting the certificate on the other computers, and accessing the repository from eclipse.
The computers are running versions of windows.
I'm following the steps at http://community.spiceworks.com/how_to/show/1469-how-to-become-your-own-certificate-authority-and-secure-spiceworks and have put the following commands into a script file for Cygwin:
# Generate CA root certificate
openssl req -new -x509 -extensions v3_ca \
-keyout cakey.pem -out cacert.pem -days 3650
# Move to /etc/ssl
mv cakey.pem /etc/ssl/private
mv cacert.pem /etc/ssl/certs
# Generate Secure and Insecure Keys
openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
At this point, I think I copy the contents of server.key and server.key.insecure into the file
C:\Program Files (x86)\VisualSVN Server\certs\server.pem
but, I'm not sure about that. Also, what file do I copy to the other computers and how to connect eclipse to the repository.
Also, is there an easier way to do this besides using svnserver, since all the machines are on the same home network, and they are running versions of windows?
After changing ssl = on in postgresql.conf, the postgresql server can't run anymore. What more settings are needed to enable SSL? I am using postgresql on Windows Server 2012.
Here is my research
https://www.postgresql.org/docs/current/static/ssl-tcp.html#SSL-FILE-USAGE
As in the link, you need to create a self-signed certificate first.
To do that you need OpenSSL. I use Apache 2.4.12 and it has OpenSSL 1.0.1m.
You can also download and install it easily from the internet.
Then, from cmd, go to the folder where OpenSSL is installed. In my case, "cd C:\Program Files\Apache Software Foundation\Apache 24\bin".
Then execute the commands as the link above says.
openssl req -new -text -out server.req
openssl rsa -in privkey.pem -out server.key
openssl req -x509 -in server.req -text -key server.key -out server.crt
(In Windows OS you can only do those steps.)
Then copy server.key and server.crt to C:\ (or anywhere you want):
copy server.key C:\
copy server.crt C:\
Look for the files you copied (server.key & server.crt) and copy them to the PostgreSQL data folder.
Then change ssl = on in postgresql.conf file.
Restart the postgresql service.
Done!!!
I want to create an MDM server to manage my iOS devices. I have enrolled in the iOS Enterprise Developer program and executed the following OpenSSL commands
"1. Creating Certificate Authority (CA)"
openssl req -new -x509 -extensions v3_ca -keyout cakey.key -out cacert.crt -days 365
"2. Creating the Web Server private key and certificate request"
openssl genrsa 2048 > server.key
openssl req -new -key server.key -out server.csr
"3. Signing the server key with the CA. You'll need the CA passphrase from step 1."
openssl x509 -req -days 365 -in server.csr -CA cacert.crt -CAkey cakey.key -CAcreateserial -out server.crt -extfile ./server.cnf -extensions ssl_server
"4. Creating the device Identity key and certificate request"
openssl genrsa 2048 > identity.key
openssl req -new -key identity.key -out identity.csr
"5. Signing the identity key with the CA. You'll need the CA passphrase from step 1."
openssl x509 -req -days 365 -in identity.csr -CA cacert.crt -CAkey cakey.key -CAcreateserial -out identity.crt
openssl pkcs12 -export -out identity.p12 -inkey identity.key -in identity.crt -certfile cacert.crt
"6. Generating keys and certs for plist generation"
openssl req -inform pem -outform der -in identity.csr -out customer.der
I uploaded the generated identity.csr and got an MDM certificate.
With customer.der, AppleWWDRCA.cer, AppleIncRootCertificate.cer, MDM.cer (obtained from iOS Enterprise Developer) and with identity.p12 I wrote Java code to generate the encoded plist file. I used this file and got APNSPushCert. It worked fine.
Now the problem is that the IP address of the computer got changed and I don't want to create the new MDM Vendor certificate.
As I understand it, the only place I mention the IP is server.cnf. I changed the IP in server.cnf and executed all the commands except 4. I placed the identity.key and identity.csr in the same folder before executing. Now everything works fine, but when I upload the encoded plist file for getting APNSPushCert the site says Certificate Signature Verification failed.
I really don't understand what went wrong.
This is something to do with the SSL certificate you are using. It always validates the common name on the device side. You have to use either your domain name or the IP address of your server under the common name of the SSL certificate. Make sure it doesn't change. If it changes, binding it to a DNS name will work.
I tried to copy the same .der (customer.der) file too and recompiled the program again. Now it is working fine. Also, I used a DNS-resolvable name as the URI. Now all these are working fine.
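An added example, not code from the question or the answers above, showing the point made in the answer: a server certificate issued with the server's address in its subjectAltName verifies for that address and fails for any other, so once the IP changes the server certificate has to be reissued (or carry a stable DNS name instead). It builds a throwaway CA with the openssl command line only; the address 192.0.2.10, the name mdm.example.test and the temp-dir file names are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the question or answers above): issue a server
# certificate from a throwaway local CA with the server's address in
# subjectAltName, then verify it the way a client does. The address
# 192.0.2.10 and the name mdm.example.test are placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {
  # -nodes leaves the CA key unencrypted so the script runs unattended;
  # a CA key you keep should be passphrase-protected as in the steps above.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Home Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a server certificate whose SAN lists the DNS name and the IP in $1.
# Mirrors the server.cnf / -extensions ssl_server step from the question.
issue_server_cert() {
  cat > "$WORK/server.cnf" <<EOF
[ ssl_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mdm.example.test, IP:$1
EOF
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mdm.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -sha256 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/server.cnf" -extensions ssl_server \
    -out "$WORK/server.crt" 2>/dev/null
}

# Chain and identity check, as a TLS client performs it: prints "ok" only when
# the certificate chains to the CA and covers the IP ($1) the client connected to.
check_ip() {
  if openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$1" "$WORK/server.crt" >/dev/null 2>&1
  then echo ok; else echo mismatch; fi
}

# Same check for a DNS name ($1).
check_host() {
  if openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
  then echo ok; else echo mismatch; fi
}

make_ca
issue_server_cert 192.0.2.10
check_ip 192.0.2.10          # ok
check_host mdm.example.test  # ok
check_ip 192.0.2.11          # mismatch: after the address changes the cert must be reissued
```

The verify step is the one a device performs after installing cacert.crt: the chain must end at the trusted CA and the name or IP it connected to must appear in the certificate. Putting only a DNS name in the SAN, and pointing the enrollment URL at that name, is what makes the certificate survive an IP change.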
Is there any way to make your own signing certificate in order to sign files such as installation packages?
Is the problem that the certificate supplier has to be a trusted source with Windows otherwise you will get warning messages?
If you have basic knowledge about PKI and X.509 you can do it with openssl.
OpenSSL has a preconfigured CA.pl or CA.sh script that may be used to set up your CA and generate certificates with minimal configuration.
The main commands are:
# generate CA (need to do it only once)
CA.sh -newca
# create certificate request
openssl req -new -keyout user.key -out user.req -config yourconf.cnf
# sign request by CA
openssl ca -policy policy_anything -config yourconf.cnf -out user.pem -infiles user.req
# convert it into a PKCS#12 (pfx) container, which can be used by various software
openssl pkcs12 -export -in user.pem -inkey user.key -out user.p12 -name user -caname your_ca_name -chain -CAfile ./demoCA/cacert.pem
yourconf.cnf is a main config file based on default openssl.cnf included with openssl.
To make your certificate suitable for code signing you should specify it in permitted key usage fields like this (it will limit your certificate to code-signing only):
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
[ v3_req ]
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
To use this certificate in Windows you should install your CA certificate into the Windows certificate store as a CA authority. You must do it on every workplace where you want to validate signatures on your files.
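As an added example (not the answer's own script), here is the same procedure run unattended with a minimal yourconf.cnf, followed by the checks you would run before installing the result: the extended key usage is codeSigning and nothing else, the certificate chains to the CA, and the PKCS#12 file contains the signer certificate. The temp-dir file names, the names "Home Code Signing CA" and "build-signer" and the password changeit are assumed placeholders.

```shell
#!/bin/sh
# Added example (not the answer's own script): what CA.sh -newca plus the three
# commands above amount to, in one unattended run. It sets up the files
# "openssl ca" expects, issues a certificate limited to code signing, packages
# it as PKCS#12 and checks the result. The names "Home Code Signing CA",
# "build-signer" and the password "changeit" are placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

setup_ca() {
  # The database files CA.sh -newca would create for you.
  mkdir -p "$WORK/newcerts"
  : > "$WORK/index.txt"
  echo 1000 > "$WORK/serial"
  # Minimal yourconf.cnf: CA settings, the lenient policy, the usr_cert
  # extensions from the answer, and a v3_ca section for the root itself.
  cat > "$WORK/yourconf.cnf" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
new_certs_dir    = $WORK/newcerts
database         = $WORK/index.txt
serial           = $WORK/serial
certificate      = $WORK/cacert.pem
private_key      = $WORK/cakey.pem
default_md       = sha256
default_days     = 365
policy           = policy_anything
x509_extensions  = usr_cert
[ policy_anything ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName       = Common Name
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = codeSigning
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
  # -nodes: unattended run; keep a real CA key passphrase-protected.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=Home Code Signing CA" \
    -config "$WORK/yourconf.cnf" -extensions v3_ca \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

issue_signer() {
  # create certificate request
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=build-signer" -config "$WORK/yourconf.cnf" \
    -keyout "$WORK/user.key" -out "$WORK/user.req" 2>/dev/null
  # sign request by CA (-batch answers the y/n prompts)
  openssl ca -batch -notext -policy policy_anything -config "$WORK/yourconf.cnf" \
    -out "$WORK/user.pem" -infiles "$WORK/user.req" 2>/dev/null
  # convert into PKCS#12; -certfile bundles the CA cert without a verify step
  openssl pkcs12 -export -in "$WORK/user.pem" -inkey "$WORK/user.key" -out "$WORK/user.p12" \
    -name build-signer -certfile "$WORK/cacert.pem" -passout pass:changeit
}

# Prints "codeSigning" when the certificate's Extended Key Usage lists
# Code Signing, else "other".
purpose_of() {
  if openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | grep -q 'Code Signing'
  then echo codeSigning; else echo other; fi
}

# Prints "ok" when the issued certificate chains to the CA.
chain_ok() {
  if openssl verify -CAfile "$WORK/cacert.pem" "$WORK/user.pem" >/dev/null 2>&1
  then echo ok; else echo bad; fi
}

# Prints "yes" when the PKCS#12 file carries the signer certificate.
p12_has_signer() {
  if openssl pkcs12 -in "$WORK/user.p12" -passin pass:changeit -nokeys -clcerts 2>/dev/null \
       | openssl x509 -noout -subject | grep -q build-signer
  then echo yes; else echo no; fi
}

setup_ca
issue_signer
purpose_of "$WORK/user.pem"     # codeSigning
purpose_of "$WORK/cacert.pem"   # other
chain_ok                        # ok
p12_has_signer                  # yes
```

-batch replaces the y/n prompts of an interactive openssl ca run and -nodes the key passphrases; drop both for a CA you intend to keep. The p12 file is what you import on the signing machine; cacert.pem is what goes into the Trusted Root store on every machine that must validate the signatures.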
After exporting to .p12 on Mac OS X, can I run the following 3 steps in Linux? Or must I do it on the same machine where I exported to .p12 before I upload to the Linux server to use with my PHP script?
openssl pkcs12 -clcerts -nokeys -out apns-dev-cert.pem -in apns-dev-cert.p12
openssl pkcs12 -nocerts -out apns-dev-key.pem -in apns-dev-key.p12
openssl rsa -in apns-dev-key.pem -out apns-dev-key-noenc.pem
I am not sure but this might be helpful:
1) CertificateCreation
2) apple-push-notification-service-tutorial
I think there is no problem in using openssl on a Linux machine. The algorithm is the same.
I used this tutorial and it works great: http://blog.boxedice.com/2009/07/10/how-to-build-an-apple-push-notification-provider-server-tutorial/
I have a GoDaddy-issued code signing certificate in a .spc file. Also, I have a private key in a .key file. The code signing certificate was issued some 13 months ago, then it expired and was renewed with GoDaddy. During the renewal process no private key was requested and just a new .spc file was issued.
Now I'm facing the problem of joining the original private key file with the issued certificate to form a .pfx (or .cer?) file suitable for installation into the Windows certificate store.
The command I'm trying is:
openssl.exe pkcs12 -inkey my.key -in my.spc -out my.pfx -export
However, I'm getting an error message that reads “No certificate matches private key”.
I've followed this answer on SO to verify the .key file is a valid private key. However, when I try to verify that .spc is a valid certificate, I just get
unable to load certificate
5436:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
What's the correct way of producing an .pfx file from my inputs? I'm using OpenSSL 0.9.8k.
In the end I managed to figure out a procedure that works. Here are the steps to generate a new PFX and CER code signing certificate from SPC and KEY files:
Obtain your new CodeSign.spc certificate from GoDaddy.
Export a PEM-formatted private key from the expired PFX:
openssl.exe pkcs12 -in CodeSign.pfx -nocerts -out CodeSign.pem
Convert the PEM-formatted private key into the PVK format:
pvk.exe -in CodeSign.pem -topvk -strong -out CodeSign.pvk
Combine the PVK and SPC into PFX:
pvk2pfx.exe -pvk CodeSign.pvk -pi <passphrase> -spc CodeSign.spc -pfx CodeSign.pfx -po <passphrase> -f
Import the resulting PFX file into Windows certificate store. Remember to make it exportable.
Export it from the certificate store into the binary CER format as CodeSign.cer.
Optionally delete the certificate from the Windows certificate store.
In case you are renewing your certificate periodically you can store the PVK file and skip steps (2) and (3).
UPDATE: In case you happen to have the certificate in CRT instead of SPC format, do the following to convert it into SPC:
openssl crl2pkcs7 -nocrl -certfile CodeSign.crt -outform DER -out CodeSign.spc
Sources:
http://www.tech-pro.net/export-to-pvk-spc.html
http://ellisweb.net/2008/08/signing-code-using-pvk-and-spc-files/
http://www.drh-consultancy.demon.co.uk/
https://www.sslshopper.com/ssl-converter.html
http://russenreaktor.wordpress.com/2010/06/10/solved-convert-signing-certificate-crt-to-spc/
The tools you will need:
OpenSSL
pvk.exe — see the download link at the bottom of that page (original location may not be accessible; in such a case see this article with a link to a mirror site or another direct download link here)
pvk2pfx.exe — part of Microsoft SDKs, installs with Visual Studio 2010
I had a similar issue and I spent at least a few hours searching around for a solution. GoDaddy provided me with .spc and .pem files and I couldn't create a .pfx file out of them using OpenSSL. Finally, I imported the .spc file on my local computer using MMC. Once the certificate was imported on my local machine, I noticed that it brought in GoDaddy's chain file along with the Code Sign Cert file itself.
Now, select both files and right click to export as a .pfx file. Supply a password to protect the file and you're done. By far, this is the simplest and most straightforward solution. Hope this post helps many people.
You can create PFX with openssl only.
Export a PEM-formatted private key from the expired PFX:
openssl pkcs12 -in CodeSign.pfx -nocerts -out CodeSign.pem
Create PFX
openssl pkcs7 -in CodeSign.spc -inform der -print_certs | openssl pkcs12 -export -inkey CodeSign.pem -out CodeSign.pfx
The current answer post was extremely helpful to me in the final steps of moving from an expired certificate file (.pfx or .p12) to a new one with GoDaddy, but I found it lacking information on the initial steps of how to generate a certificate signing request (CSR) from my original certificate file.
For anyone else looking for similar information, here is what I ended up using...
Get the private key:
openssl pkcs12 -in certs-and-key.p12 -nocerts -out privateKey.key
Get the certificate:
Beware: This can give you the CA cert
openssl pkcs12 -in certs-and-key.p12 -out certificate.crt -nokeys
Better: Use this command to print only the client cert
openssl pkcs12 -in certs-and-key.p12 -clcerts -nokeys
Then copy the output between:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Save it to a file named certificate.crt
Now check that the private key and certificate match with the commands:
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl x509 -noout -modulus -in certificate.crt | openssl md5
Then generate a new CSR:
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
Use the CSR to Re-Key the certificate.
Download the GoDaddy software publishing certificate (.spc) file.
Verify that the generated certificate matches the request private key:
openssl pkcs7 -inform DER -in certificate.spc -print_certs
Then copy the output between the following markers for your certificate (note: the output will also contain CA certs):
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Save to a file named certificate-new.crt
And run the command:
openssl x509 -noout -modulus -in certificate-new.crt | openssl md5
The output should match the previous call used with the private key and request certificate.
To finish the process, follow the steps outlined in the answer with pvk2pfx.
I also found the schematic diagram in this post quite helpful:
PVK2PFX Error 0x80070490 - Cannot find certificates that match the key
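The following is an added example that is not taken from any of the answers; it covers two of them at once: the openssl-only SPC to PFX conversion, and the key/certificate matching check, here comparing a SHA-256 hash of the public key rather than the RSA modulus so that it applies to EC keys as well. It generates its own key and certificate as constructed input (a self-signed stand-in for the GoDaddy-issued one), wraps the certificate into a DER PKCS#7 file the way an .spc is laid out, and reproduces the "No certificate matches private key" error from the question with an unrelated key. The temp-dir file names and the password changeit are assumed placeholders.

```shell
#!/bin/sh
# Added example (not code from any answer above): it reproduces the
# "No certificate matches private key" failure with an unrelated key, shows a
# public-key comparison that also works for EC keys (where the modulus trick
# does not apply), and performs the openssl-only SPC -> PFX step.
# The key/cert pair is generated here as constructed input; file names and the
# password "changeit" are placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_inputs() {
  # A self-signed stand-in for the GoDaddy-issued certificate and its key.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=CodeSign test" -keyout "$WORK/CodeSign.key" -out "$WORK/CodeSign.crt" 2>/dev/null
  # A second key that has nothing to do with the certificate.
  openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
  # An .spc is a DER PKCS#7 "certs only" bundle (normally leaf plus CA chain).
  openssl crl2pkcs7 -nocrl -certfile "$WORK/CodeSign.crt" -outform DER -out "$WORK/CodeSign.spc"
  # Unpack the bundle to PEM so the pkcs12 tool can read it.
  openssl pkcs7 -inform DER -in "$WORK/CodeSign.spc" -print_certs -out "$WORK/CodeSign-chain.pem"
}

# SHA-256 of the DER public key, taken from a private key or from a certificate.
key_fp()  { openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'; }
cert_fp() { openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'; }

# Prints "match" when private key $1 belongs to certificate $2, else "mismatch".
key_matches_cert() {
  if [ "$(key_fp "$1")" = "$(cert_fp "$2")" ]; then echo match; else echo mismatch; fi
}

# Builds the PFX from the unpacked SPC and private key $1.
# Prints "ok", or "no-match" when openssl reports "No certificate matches private key".
export_pfx() {
  if openssl pkcs12 -export -inkey "$1" -in "$WORK/CodeSign-chain.pem" \
       -out "$WORK/CodeSign.pfx" -passout pass:changeit 2>/dev/null; then
    echo ok
  else
    echo no-match
  fi
}

# Round trip: pull the key back out of the PFX and confirm it is the original.
pfx_key_matches() {
  openssl pkcs12 -in "$WORK/CodeSign.pfx" -passin pass:changeit -nocerts -nodes \
    -out "$WORK/from-pfx.key" 2>/dev/null
  key_matches_cert "$WORK/from-pfx.key" "$WORK/CodeSign.crt"
}

make_inputs
key_matches_cert "$WORK/CodeSign.key" "$WORK/CodeSign.crt"   # match
key_matches_cert "$WORK/other.key"    "$WORK/CodeSign.crt"   # mismatch
export_pfx "$WORK/other.key"                                 # no-match (the error from the question)
export_pfx "$WORK/CodeSign.key"                              # ok
pfx_key_matches                                              # match
```

With a real .spc the unpacked PEM also holds the GoDaddy intermediate and root; pkcs12 -export picks the certificate that matches -inkey as the leaf and carries the rest along as the chain, which is what the MMC export in the other answer does by hand.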
For anyone still looking for an answer on how to do this, I just spent a day figuring this out and had to do a mix of things listed in this post. If you are using git-bash on Windows, I had to add winpty to the beginning of all calls using openssl or else it would get stuck in the void. The pseudo steps were as follows:
Generate a private key and CSR using openssl
openssl req -newkey rsa:2048 -keyout private.key -out my.csr
Generate a PVK using the private key with openssl
openssl rsa -in private.key -outform PVK -pvk-strong -out codesign.pvk
Use the CSR in the generation of the code sign certificate on Godaddy
Download the Zip from Godaddy and extract the SPC file (as mentioned by OP)
Use pvk2pfx to combine the PVK and the SPC file into a code sign certificate. This was included in the same SDK (and directory) as signtool itself:
pvk2pfx.exe -pvk codesign.pvk -spc SPC_FILEPATH_HERE -pfx codesign.pfx -pi PVK_PASSWORD -po PFX_PASSWORD
If you generated your certificate request from IIS (I did this on IIS on Windows 2012 Server), follow these steps on the server/PC where you generated the request:
- Open IIS
- Click on the top level node (Server node)
- Open the Server Certificates settings
- Click on "Complete certificate request" under actions on the right
- Import your spc file to the server.
From here you can then export to a PFX file