I am working on a project to automate extracting a public key DER encoded certificate from a users smart card, and convert it to ssh-rsa public key form. The ssh-rsa public key would then be published as a user attribute in AD. From there puppet would grab the ssh public key using an ldap query and place it in the authorized_keys file for the user in question.
The problem I am running into is that in Windows there doesn't seem to be a way to make the conversion from DER encoded .cer file to a ssh-rsa key. If the certificate is moved to the users home directory then it is possible to run:
openssl x509 -inform pem -in username.cer -noout -pubkey > username.pub
Then ssh-keygen can create the ssh-rsa public key using:
ssh-keygen -f username.pub -i -m PKCS8
So does anyone know of a way for windows to make this conversion? If you need more information please let me know.
You need to convert the DER encoded file to PEM first. Here is what you would need to do:
openssl x509 -in <your DER encoded File> -inform DER -out username.crt -outform PEM
There is a way, you need to use:
Import-Certificate
To import the certificate into the users/local machine store. You can then get the public key like so (well this gets the public key for every cert that has one, so change it to suite your needs):
((get-childitem cert:\LocalMachine -Recurse) | Where-Object{$_.PublicKey}).GetPublicKey()
This is using PowerShell 3.
Related
I need to get the public keys of a secured website programmatically with swift
In openssl i can get public key with this command:
openssl s_client -connect the.host.name:443 | openssl x509 -pubkey -noout
How can do this in swift code?
ps: I need .der file
I am currently working on converting CER to PEM.
I am working on building a script to convert multiple certs into a different format using Openssl. I am running PowerShell 7 and Openssl 1.1.1e. When I run my script, I get some Openssl errors, however it does still seem to convert the certificate as I still get a .pem file afterwards. Below are the errors:
Can't open Folder\Path for reading, Permission denied
17956:error:02001005:system library:fopen:Input/output error:..\crypto\bio\bss_file.c:69:fopen('C:\Users\localadmin\Desktop\PowerShell\Testing Environment\Folder\Path','r')
17956:error:2006D002:BIO routines:BIO_new_file:system lib:..\crypto\bio\bss_file.c:78:
unable to load certificate
Can't open Folder\Path for reading, Permission denied
19560:error:02001005:system library:fopen:Input/output error:..\crypto\bio\bss_file.c:69:fopen('C:\Users\localadmin\Desktop\PowerShell\Testing Environment\Folder\Path','r')
19560:error:2006D002:BIO routines:BIO_new_file:system lib:..\crypto\bio\bss_file.c:78:
unable to load certificate
unable to load certificate
17960:error:0909006C:PEM routines:get_name:no start line:..\crypto\pem\pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
unable to load certificate
16568:error:0909006C:PEM routines:get_name:no start line:..\crypto\pem\pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
unable to load certificate
21500:error:0909006C:PEM routines:get_name:no start line:..\crypto\pem\pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
unable to load certificate
15500:error:0909006C:PEM routines:get_name:no start line:..\crypto\pem\pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
I don't have any errors using Openssl to make the CSR or private key. Below is the code I'm using for the conversion:
if($CertType -eq "PEM") {
Get-ChildItem $ScriptPath\$Kit -Recurse -Force | ForEach-Object {
$OutFile = $_.FullName.ToString().Replace(".cer",".pem")
openssl x509 -in $_.FullName -outform PEM -out "$Outfile"}
}
The default openssl x509 command format is pem, so your command line is converting from pem to pem.
So the errors are that openssl does not understand the file format, as it's expecting a pem formatted file.
I assume you want to convert DER format to PEM format.
So what you want to do is:
openssl x509 -in {infilename} -inform der -out {outfilename}
That will expect a DER formatted file on input and output as a PEM formatted file.
or you can explicitly specify both sides like:
openssl x509 -in {infilename} -inform der -out {outfilename} -outform pem
From the manual:
-inform DER|PEM
This specifies the input format normally the command will expect an
X509 certificate but this can change if other options such as -req are
present. The DER format is the DER encoding of the certificate and PEM
is the base64 encoding of the DER encoding with header and footer
lines added. The default format is PEM.
-outform DER|PEM
This specifies the output format, the options have the same meaning
and default as the -inform option.
Was able to figure it out. In my code for converting the CER file to PEM, When recursing through my folders I added the line to include only the CER files and not the Key files in there as well. Below is the edited code.
if($CertType -eq "PEM") {
Get-ChildItem $ScriptPath\$Kit -Recurse -include "*.cer" | ForEach-Object {
$OutFile = $_.FullName.ToString().Replace(".cer",".pem")
openssl x509 -in $_.FullName -outform PEM -out "$Outfile"}
}
I have an X509 certificate (chain) and private key in PEM format. I need to convert them to GPG format so I can use them for signing. How can I do that?
I tried gpgsm, but the keys still don't appear on gpg list of keys.
Please, advise.
From my article
Steps
Break the pfx (p12) into pem files that can be used. For some reason, GPG can't handle standard encoding.
openssl pkcs12 -in sectigo.pfx -nokeys -out gpg-certs.pem
openssl pkcs12 -in sectigo.pfx -nocerts -out gpg-key.pem
Combine the keys into something GPG recognizes
openssl pkcs12 -export -in gpg-certs.pem -inkey gpg-key.pem -out gpg-key.p12
Import into GPG
gpgsm --import gpg-key.p12
At this point we have the p12 imported, and we can see it in Kleopatra, but we can’t use it for PGP operations.
cat gpg-key.pem | PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "Your Name <your#email.address>" > key.pgp
Now!!!! We have a pgp key, and when you import the key.pgp into GPG it will absolutely have the same key as your certificate.
gpg --import key.pgp
It’s separate key storage: gpg has ~/.gnupg/pubring.gpg, gpgsm has ~/.gnupg/pubring.kbx
So keys added with gpgsm aren’t usable with gpg; gpg doesn’t read ~/.gnupg/pubring.kbx.
To see they keys you added with gpgsm, use gpgsm --list-keys. And to create ciphertext from those gpgsm keys, use gpgsm --encrypt. And so on. It’s a completely separate tool from gpg.
As far as importing X.509 stuff for use by gpg, GnuPG doesn’t provide a way to do that. There’s nothing in the OpenPGP standard about it, so there’s no interoperable way to do it.
But the commercial (Symantec) PGP Desktop tool has some way of doing it, so if you can get ahold of a copy of PGP Desktop, I guess you could use that to import your X.509 stuff into PGP Desktop’s key storage, then export it as a .gpg/.asc file, then run gpg --import on that.
Which is the terminal command line equivalent for installing the development certificate (.cer file) without having access to Keychain Access utility?
I have an cloud rented MAC which doesn't offeer me access to the Keychain utility, but I'm allowed to use the terminal.
The key is to use OpenSSL in order to convert the iOS developer certificate file into a PEM certificate file and then to generate a P12 file based on the PEM certificate and the certificate key earlier generated. source
openssl x509 -in developer_identity.cer -inform DER -out developer_identity.pem -outform PEM
openssl pkcs12 -export -inkey mykey.key -in developer_identity.pem -out iOS_dev.p12
Try to see if this works for you :
http://lists.apple.com/archives/apple-cdsa/2010/Mar/msg00021.html
I have a GoDaddy-issued code signing certificate in a .spc file. Also, I have a private key in .key file. The code signing has been issued some 13 months ago, then it expired and was renewed with GoDaddy. During the renewal process no private key was requested and just a new .spc file was issues.
Now I'm facing the problem of joining the original private key file with the issues certificate to form a .pfx (or .cer?) file suitable for installation into the Windows certificate store.
The command I'm trying is:
openssl.exe pkcs12 -inkey my.key -in my.spc -out my.pfx -export
However, I'm getting an error message that reads “No certificate matches private key”.
I've followed this answer on SO to verify the .key file is a valid private key. However, when I try to verify that .spc is a valid certificate, I just get
unable to load certificate
5436:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
What's the correct way of producing an .pfx file from my inputs? I'm using OpenSSL 0.9.8k.
In the end I managed to figure out a procedure that works. Here are the steps to generate a new PFX and CER code signing certificate from SPC and KEY files:
Obtain your new CodeSign.spc certificate from GoDaddy.
Export a PEM-formatted private key from the expired PFX:
openssl.exe pkcs12 -in CodeSign.pfx -nocerts -out CodeSign.pem
Convert the PEM-formatted private key into the PVK format:
pvk.exe -in CodeSign.pem -topvk -strong -out CodeSign.pvk
Combine the PVK and SPC into PFX:
pvk2pfx.exe -pvk CodeSign.pvk -pi <passphrase> -spc CodeSign.spc -pfx CodeSign.pfx -po <passphrase> -f
Import the resulting PFX file into Windows certificate store. Remember to make it exportable.
Export it from the certificate store into the binary CER format as CodeSign.cer.
Optionally delete the certificate from the Windows certificate store.
In case you are renewing your certificate periodically you can store the PVK file and skip steps (2) and (3).
UPDATE: In case you happen to have the certificate in CRT instead of SPC format, do the following to covert it into SPC:
openssl crl2pkcs7 -nocrl -certfile CodeSign.crt -outform DER -out CodeSign.spc
Sources:
http://www.tech-pro.net/export-to-pvk-spc.html
http://ellisweb.net/2008/08/signing-code-using-pvk-and-spc-files/
http://www.drh-consultancy.demon.co.uk/
https://www.sslshopper.com/ssl-converter.html
http://russenreaktor.wordpress.com/2010/06/10/solved-convert-signing-certificate-crt-to-spc/
The tools you will need:
OpenSSL
pvk.exe — see the download link at the bottom of that page (original location may not be accessible; in such a case see this article with a link to a mirror site or another direct download link here)
pvk2pfx.exe — part of Microsoft SDKs, installs with Visual Studio 2010
I had the similar issue and I spent at least few hours searching around for a solution. GoDaddy provided me with .spc and .pem file and I couldn't create .pfx file out if it using OpenSSL. Finally, I imported .spc file within my local computer using MMC. Once the certificate was imported in my local machine, I noticed that it brought in GoDaddy's chain file along with the Code Sign Cert file itself. MMC View
Now, select both files and right click to export as .pfx file. Supply a password to protect the file and you're done. By far, this is the simplest and straight forward solution. Hope this post helps many people.
You can create PFX with openssl only.
Export a PEM-formatted private key from the expired PFX:
openssl pkcs12 -in CodeSign.pfx -nocerts -out CodeSign.pem
Create PFX
openssl pkcs7 -in CodeSign.spc -inform der -print_certs | openssl pkcs12 -export -inkey CodeSign.pem -out CodeSign.pfx
The current answer post was extremely helpful to me in the final steps of moving from an expired certificate file (.pfx or .p12) to a new one with GoDaddy, but I found it lacking information on the initial steps of how to generate a certificate signing request (CSR) from my original certificate file.
For anyone else looking for similar information, here is what I ended up using...
Get the private key:
openssl pkcs12 -in certs-and-key.p12 -out privateKey.key
Get the certificatate:
Beware: This can give you the CA cert
openssl pkcs12 -in certs-and-key.p12 -out certificate.crt -nokeys
Better: Use this command to print only the client cert
openssl pkcs12 -in MacCossLabUW.p12 -clcerts
Then copy the output between:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Save it to a file named certificate.crt
Now check that the private key and certificate match with the commands:
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl x509 -noout -modulus -in certificate.crt | openssl md5
Then generate a new CSR:
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
Use the CSR to Re-Key the certificate.
Download the GoDaddy software publishing certificate (.spc) file.
Verify that the generated certificate matches the request private key:
openssl pkcs7 -inform DER -in certificate.spc -print_certs
Then copy the output between for your certificate (Note: the output will also contain CA certs):
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Save to a file named certificate-new.crt
And run the command:
openssl x509 -noout -modulus -in certificate-new.crt | openssl md5
The output should match the previous call used with the private key and request certificate.
To finish the process, follow the steps outlined in the answer with pvk2pfx.
I also found the schematic diagram in this post quite helpful:
PVK2PFX Error 0x80070490 - Cannot find certificates that match the key
For anyone still looking for an answer on how to do this, I just spent a day figuring this out and had to do a mix of things listed in this post. If you are using git-bash on windows, I had to add winpty to the beginning of all calls using openssl or else it would get stuck in the void. The pseudo steps were as follows:
Generate a private key and CSR using openssl
openssl req -newkey rsa:2048 -keyout private.key -out my.csr
Generate a PVK using the private key with openssl
openssl rsa -in private.key -outform PVK -pvk-strong -out codesign.pvk
Use the CSR in the generation of the code sign certificate on Godaddy
Download the Zip from Godaddy and extract the SPC file (as mentioned by OP)
Use pvk2pfx to combine the PVK and the SPC file into a code sign certificate. This was included in the same SDK (and directory) as signtool itself:
pvk2pfx.exe -pvk codesign.pvk -spc SPC_FILEPATH_HERE -pfx codesign.pfx -pi PVK_PASSWORD -po PFX_PASSWORD
If you generated your certificate request from IIS (I did this on IIS on windows 2012 Server) follow these steps on the server/pc where you generated the request
- Open IIS
- Click on the top level node (Server node)
- Open the Server Certificates settings
- Click on "Complete certificate request" under actions on the right
- Import your spc file to the server.
From here you can then export to a PFX file