I am working with O'Reilly's book on SSL, which uses OpenSSL for its examples.
After creating a configuration file:
[ ca ]
default_ca = mobileCA

[ mobileCA ]
dir = /users/crodgers/src/sds2mobile/Server/CA
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/key.pem
serial = $dir/serial
default_crl_days = 7
default_days = 365
default_md = md5
# must name the [ mobileCA_policy ] section defined below
policy = mobileCA_policy
x509_extensions = certificate_extensions

[ mobileCA_policy ]
commonName = SDS/2 Mobile Certificate
stateOrProvinceName = Nebraska
countryName = US
emailAddress = designdatamobiledevelopment@gmail.com
organizationName = Design Data

[ certificate_extensions ]
basicConstraints = CA:false

[ req ]
default_bits = 2048
default_keyfile = /users/crodgers/src/sds2mobile/Server/CA/private/key.pem
default_md = md5
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
commonName = Root Certificate
stateOrProvinceName = Nebraska
countryName = US
emailAddress = designdatamobiledevelopment@gmail.com
organizationName = Design Data

[ root_ca_extensions ]
basicConstraints = CA:true
The user is instructed to enter the following command:
openssl req -x509 -newkey rsa -out cacert.pem -outform PEM
This is supposed to create a self-signed root certificate.
This command gives me the -help output. I'm assuming something in the command is incorrect, but have been unable to narrow down what.
Currently working on Ubuntu 10.04 with OpenSSL 0.9.8k.
You're missing the RSA key size, e.g. -newkey rsa:1024 for a 1024-bit key.
const fs = require("fs")
const rsaPemToJwk = require('rsa-pem-to-jwk')
const pem = fs.readFileSync('./certs/private.pem');
var jwk = rsaPemToJwk(pem, {use: 'sig'}, 'public');
console.log(jwk)
This is the result:
Node.js v18.12.1
PS D:\ppp\JWKS-tutorial\auth-server> node covermtion.js
undefined
I added the private key instead of asking for it, but it gave me the same result:
const fs = require("fs")// fs.readFileSync('./certs/private.pem');
const rsaPemToJwk = require('rsa-pem-to-jwk')
const pem =
"-----BEGIN RSA PRIVATE KEY-----\n\
MIIG4wIBAAKCAYEAxzZZa6MCLR/rYmQ9BRKK/tpJ736j8QFR3RrUC8TZKvhx6QIB\
CULWvehctkjxkqREmfPbtQ1EkeoAfT68AeRd5CYpeucQrL1auZa6A0Wfjn5kRLIf\
5U8e7G+0eOd93GZ7BOLV5OgfkgX5Q4RYxAiHKc6zKqmFIBgj57oM00TcHF0lw7rv\
wvLzF3lDpEkS9ib/XlqpyHBgKrcjdVhD5V6GAgEv6TJpd/HtrV4CKC3prZIIilAF\
IUvVkHKT/F91XE6zo7IAyoFB+z/bTut7RQ4Eg1U3CtFxTjnBYxmPMIrqoUJDSdGt\
hBoG1uprNzdSupY1dIwpVDEXWqaOnzePsOYQnLgnV5sPgZOC85UgszfUu+bHuFtb\
tc+WZ7zBYYJzHGwraW/Jq5r9QwJ+8pJTh7ksS2ugV86s6Jxdg0dk6wMSd0NwQqfO\
iehqNw7w/TbayrtXl7ZCtHCErtMsnJEwVFRYsW7XB85piRcOEih30Yrx40oLfYUD\
mpAfdrUSuaAN9AR3AgMBAAECggGBAJVDmtK0q//Fp+fsNXBkiXMVekqRuCLvmzgx\
TuqWjyXMTAWLs90NkLtwrG8EzsTSgnhcKKZLD7LJA57Ub6h3RQaatX/aPDtCEgV2\
819aPohVGaoDUTTPCNudgzsIMN0AiHKLyDqg1m7iPPei5aPUw/nGX6a6p/35OIX7\
\n -----END RSA PRIVATE KEY-----";
var jwk = rsaPemToJwk(pem, {use: 'sig'}, 'public');
console.log(jwk)
This is the result:
Node.js v18.12.1
PS D:\ppp\JWKS-tutorial\auth-server> node covermtion.js
undefined
I want to transfer the private key via rsa-pem-to-jwk, which gives me an unknown result.
Based on my code using a .pem SSL certificate and key, I would like to know how I can use a Sectigo SSL that has Root CA Certificate - AAACertificateServices.crt, Intermediate CA Certificate - USERTrustRSAAAACA.crt, Intermediate CA Certificate - SectigoRSADomainValidationSecureServerCA.crt and Your PositiveSSL Certificate - example_com.crt.
Here is my server source code portion
let conf = config::get_config_file_path();
let server_ip = conf.server_ip;
let port = conf.port;
let port_ssl = conf.port_ssl;
let cache = conf.cache;
let ssl_dir = conf.ssl_dir;
let server_url_ssl = format!("{}:{}", server_ip, port_ssl);
let server_url = format!("{}:{}", server_ip, port);
let mut builder = SslAcceptor::mozilla_intermediate(SslMethod::tls()).unwrap();
builder
    .set_private_key_file(format!("{}{}", &ssl_dir, "/key.pem").as_str(), SslFiletype::PEM)
    .unwrap();
builder
    .set_certificate_chain_file(format!("{}{}", &ssl_dir, "/cert.pem").as_str())
    .unwrap();
HttpServer::new(|| {
    let cors_ = Cors::permissive();
    App::new()
        .wrap(cors_)
        .service(method_1)
})
.bind(server_url.as_str())?
.bind_openssl(server_url_ssl.as_str(), builder)?
.run()
.await
Thank you.
I have created a Certificate with an inf-file and certreq with the following settings:
$InfFile = @"
[NewRequest]`r
FriendlyName = $FQDN
Subject = "CN=$FQDN,OU=$OrganizationalUnit,O=$Organisation,L=$Locality,S=$State,C=$CountryName,E=$Email"`r
KeySpec = 1
KeyLength = 2048
Exportable = TRUE`r
RequestType = PKCS10`r
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=$FQDN&"
_continue_ = "DNS=$SERVERNAME"
"@
If I run this in a Script, the certificate will be created. But I'm unable to export the private key even though I set the value of "Exportable" to true. It seems no key is associated with the certificate as shown in this picture:
Certificate without key
Here a Certificate with associated Key for reference:
Certificate with Key
I'm not quite sure what I am doing wrong, any ideas?
Cheers
Buffalosoldier
Just found the answer to my own question. I had to add the following to the inf file: MachineKeySet = TRUE
I need either the secret for HMAC algorithms, or the PEM-encoded private key for RSA and ECDSA, to use with JWT.sign().
Now I get the result from getSecret() and write it to a pfx file with writeStream, then I use openssl to get a private key.
const result = await client.getSecret(vaultUri, secretName, secretVersion);
let writeStream = fs.createWriteStream("1.pfx");
writeStream.write(result.value, 'base64');
openssl pkcs12 -in 1.pfx -nocerts -nodes -out 1.key
openssl rsa -in 1.key -out 1_pri.key
How can I get a private key from the result on the node server without openssl?
Any help is much appreciated.
If you want to extract the private key from a .pfx, try this:
const fs = require('fs');
const forge = require('node-forge');
const file = fs.readFileSync("<path of your .pfx file>");
const p12Der = forge.util.decode64(file.toString('base64'));
const pkcs12Asn1 = forge.asn1.fromDer(p12Der);
const pkcs12 = forge.pkcs12.pkcs12FromAsn1(pkcs12Asn1, '<your .pfx password>');
const { key } = pkcs12.getBags({ bagType: forge.pki.oids.pkcs8ShroudedKeyBag })[forge.pki.oids.pkcs8ShroudedKeyBag][0];
const pemPrivate = forge.pki.privateKeyToPem(key);
console.log(pemPrivate);
Result :
Update: I have rewritten the sample code and the CSR is very close to the actual openssl created CSR (only missing the CA:False extended attribute)
I have a CA already and would like to dynamically generate user certs for enrolling authorized devices with phpseclib.
I know the logic is a little cloudy, this code was pieced together from a variety of different examples:
<?php
$USERNAME = "tester";
$DEVICENAME = "command";
$PASSWORD = "test";
$ID = 123;
require_once("config.inc.php"); // Sets defined paths to CA cert and key
require_once("File/X509.php");
require_once("Crypt/RSA.php");
// Setup our CA
$CA = array(); // Store our certificate authority information
$CA["key" ] = new Crypt_RSA();
$CA["key" ]->loadKey( file_get_contents(CAKEY) ); // Load our CA key to sign with
$CA["asciicert" ] = file_get_contents(CACERT);
$CA["cert" ] = new File_X509();
$CA["cert" ]->loadX509( $CA["asciicert"] ); // Load our CA cert and public key
$CA["cert" ]->setPrivateKey($CA["key"]);
// Create a new keypair
$DEVICE = array();
$DEVICE["keys" ] = new Crypt_RSA();
$DEVICE["keypair" ] = $DEVICE["keys"]->createKey(2048);
// Save our private key
$DEVICE["privkey" ] = new Crypt_RSA();
$DEVICE["privkey" ]->loadKey($DEVICE["keypair"]["privatekey"]);
// Save our public key
$DEVICE["pubkey" ] = new Crypt_RSA();
$DEVICE["pubkey" ]->loadKey($DEVICE["keypair"]["publickey"]);
// Create a new CSR
$DEVICE["csr" ] = new File_X509();
$DEVICE["csr" ]->setPrivateKey($DEVICE["privkey"]);
$DEVICE["csr" ]->setPublicKey ($DEVICE["pubkey" ]);
$DEVICE["csr" ]->setDN("C=SS, ST=obscure, L=obscure, O=secure, OU=networksecurity, CN={$USERNAME}@{$DEVICENAME}/emailAddress={$USERNAME}@{$DEVICENAME}");
// Sign the CSR
$DEVICE["signedcsr" ] = $DEVICE["csr"]->signCSR("sha256WithRSAEncryption");
$DEVICE["asciicsr" ] = $DEVICE["csr"]->saveCSR($DEVICE["signedcsr"]);
// Update the CSR with attributes
$DEVICE["cert" ] = new File_X509();
$DEVICE["cert" ]->loadX509( $DEVICE["asciicsr"] ); // Now load it back up so we can set extended attributes
$DEVICE["cert" ]->setPublicKey ($DEVICE["pubkey" ]);
$DEVICE["cert" ]->setStartDate("-1 day"); // Make it valid from yesterday...
$DEVICE["cert" ]->setEndDate("+ 5 years"); // Set a 5 year expiration on all device certs
$DEVICE["cert" ]->setSerialNumber($ID, 10); // Use our ID number in the DB, base 10 (decimal) notation
// These won't work, I'll fix this later...
$DEVICE["cert" ]->setExtension("id-ce-basicConstraints", array("cA" => false ), 1 );
$DEVICE["cert" ]->setExtension("id-ce-keyUsage" , array("keyEncipherment" ,"nonRepudiation" ,"digitalSignature" ), 1 );
$DEVICE["cert" ]->setExtension("id-ce-extKeyUsage" , array("id-kp-emailProtection" ,"id-kp-clientAuth" ), 1 );
$DEVICE["cert" ]->setExtension("netscape-cert-type" , array("Email" ,"SSLClient" ), 1 );
// Finally have the CA sign the updated CSR
$DEVICE["signedcert"] = $DEVICE["cert"]->sign($CA["cert"], $DEVICE["cert"], "sha256WithRSAEncryption"); // Sign the new certificate with our CA
$DEVICE["asciicert" ] = $DEVICE["cert"]->saveX509($DEVICE["signedcert"]); // Ascii our certificate for presentation
print <<<END
User Public key:\n{$DEVICE["keypair"]["publickey"]}\n
User Private key:\n{$DEVICE["keypair"]["privatekey"]}\n
User CSR:\n{$DEVICE["asciicsr"]}\n
CA Cert:\n{$CA["asciicert"]}\n
User Certificate:\n{$DEVICE["asciicert"]}\n
END;
?>
Below is some sample output from this program:
...
User CSR:
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
CA Cert:
-----BEGIN CERTIFICATE-----
MIIDVTCCAj2gAwIBAgICEA8wDQYJKoZIhvcNAQELBQAwSTELMAkGA1UEBhMCU1Mx
EjAQBgNVBAgMCVNlY3VyZSBDQTESMBAGA1UEBwwJU2VjdXJlIENBMRIwEAYDVQQK
DAlTZWN1cmUgQ0EwHhcNMTUwMjAxMTkzNjA2WhcNMTYwMjAxMTkzNjA2WjBPMQsw
CQYDVQQGEwJTUzEPMA0GA1UECAwGU2VjdXJlMQ8wDQYDVQQKDAZTZWN1cmUxHjAc
BgNVBAMMFW5ldHdvcmtzZWN1cml0eS5uaW5qYTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAN7PJWsyd3Hn7q5/Y4N9Dcpvtip/hiSEFwrkl4UWd+bD7CGz
wQjyZziVAj7mXjgTrPCmMzwV/aRtT2WM7l1vI8WV0swsTEidvZF+EDEAujnadMxr
8JWVC+ljYvhy7nIDRYpPwkKSBWpIF1UFaG8MduHxBtqlRlOJoIDQmJkLQO5fV/kv
cujct4myMhar6TPx52xWX0FLt0B3Rn04Rb0InstyDY0NtrTMsgSq32rj3sijTCAG
WDsnxNO+jsC7uFAjjldcWnqBs7of+sVb7TPiEsq/5adE6G50ctqW8H7JpY+SFZzG
Y+wPRUxJZsYq4qt/rkEv7ldtsbhHD6wO4I61eksCAwEAAaNBMD8wDAYDVR0TBAUw
AwEB/zALBgNVHQ8EBAMCBeAwIgYDVR0RBBswGYIXKi5uZXR3b3Jrc2VjdXJpdHku
bmluamEwDQYJKoZIhvcNAQELBQADggEBAMsXyUX95AkQKadbaZ1XEWoayElWtKUc
dRB15XDJ7xoWGQo/fDYebXOJMPffIQoOGtRZcYtPaVjr3PMUCaxIAUvdmO3UMfLh
M8kQhYBzyEKw+SRwcUHmKbU8Tz5AolL1qjoNm5SWBV9RbFj2TRcR27v/apmhIR+K
6KKbcIXklKhhBPacJL7NwAgibb8Ip4OtxSuzarydddPryAwTwUSJNlmozRAx7dFk
xLkLMQMqEtW7BmJqU+YUczddYvbsxmYqfaChM/TBo7VZd84RlWoXOqqfon6JGLWN
5lN86iVnfXeGLbhLt5GKWB6e4rUbiMAqmGYO6Cd2BMFRtlp9IYZIBSY=
-----END CERTIFICATE-----
User Certificate:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
I find it really confusing that the signed certificate is blank. The error checking in place seems to make me think it would simply return FALSE if there was a problem, but getting blank output between the ----- lines makes me wonder what is going on.
From your code:
$DEVICE["cert" ]->loadX509( $DEVICE["asciicsr"] );
Try this:
$DEVICE["cert" ]->loadCSR( $DEVICE["asciicsr"] );