Where is the private key? - certificate

Two simple questions about makecert command,
Suppose I am using the following command:
makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine
Will the private key automatically registered somewhere in certificate manager or the private key will just be in file root.pvk?
Suppose I am using the following command:
makecert -r -pe -n "CN=XYZ Company" -ss my
After executing this command, where is the private key stored (since I did not specify -pe option, the private key is not embedded in the certificate, but where it is) ?

Even without the -pe (enable private key export) the private key should still be stored in the certificate store you have specified. In your example that store is the LocalMachine physical store and the TrustedRoot logical store. You can check by opening up mmc (start->run->mmc) and adding the Certificates snap in and selecting "Computer Account" as the store.
An even simpler test is:
makecert -sk myKey -n "CN=test" -ss my -pe
Then start->run->certmgr.msc (which opens the certificate manager for the local user store) and check the Personal certificate store. In there you should have a certificate called test with a private key attached.
You can then right click the certificate and export it to a .pfx file to get a single file that has the certifcate AND the private key embedded.
Edit:
The -pe option stands for private key exportable. If -pe is used you will have the option of exporting the key from certmgr with the private key. If you don't use -pe then you will not get the option of exporting the private key (my comment below should say "without -pe" not "with -pe").

Related

Why does creating my self signing certificate fail?

I am trying to generate a self signing certificate but am unable to accomplish it. I am using this command to create a self signing certificate authority:
makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine
Which by all accounts works, and I can view the new entry under the Trusted Root Certification Authorities.
Next I use the following command to create a signing certificate:
makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root1.cer
But the command fails with:
Error: Can't load the issuer certificate ('root1.cer')
Failed
I was of the impression that the -ic switch would create the root1.cer file, but the error seems to indicate that it can't load it? Where am I going wrong with this?
When attempting to creating a Self Signed Certificate it does not require another certificate to generate it. Because as the name states, it is Self Signed (it is signed by the private key that belongs to the public key it contains).
When creating a common certificate you should provide a parent to make use of it. When verifying authenticity of this child certificate you should also have the parent certificate installed on your machine. This is the concept of Chain Trust.
See in your 'Local Machine' store, under trusted root certificates, you should have .cer from many Authority Agencies, such as Verisign for instance.
-iv Stands for Issuer's Private Key. (Parent .pvk)
-ic Stands for Issuer's Certificate. (Parent .cer)
In your first command, you created root.cer.
makecert [...] -r -sv root.pvk root.cer -ss Root -sr localMachine
In your second command, you told it that the issuer certificate was in root1.cer (with the parameter "-ic root1.cer"). That is what led to the error message that it could not find root1.cer.
So, change the 'root1.cer' in the second command to 'root.cer'. It should look like this:
makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer -sv powershelluser.pvk powershelluser.cer
This does the following:
Generates a new key, placing it in powershelluser.pvk.
Uses the key in root.pvk to sign the new certificate, and uses the information in root.cer to set the Issuer of that new certificate.
Writes the new certificate to powershelluser.cer, and also writes it to the "Personal" certificates store in CurrentUser.

makecert requesting password

Given the following powershell function:
function CreateRootCertificate($certificateName, $path, $certificatePassword){
makecert -r -pe -n "CN=$certificateName" -sky exchange $path\$certificateName.cer -sv $path\$certificateName.pvk
pvk2pfx.exe -pvk $path\$certificateName.pvk -spc $path\$certificateName.cer -pfx $path\$certificateName.pfx -po $certificatePassword
}
makecert is prompting me to enter the certificate password. From what I understand it wont do this, if the *.pvk file already exists, and has a password set upon it.
SO my question is, how do I split my single makecert command in two separate commands, one to create the *.pvk and another to create the *.cer?
Many Thanks
“Makecert.exe” will always prompt for password when creating a private key.
One way around this prompt may be to write code/macro, to find the password input window and enter your password in it.
The other is to use OpenSSL. In OpenSSL use
openssl genrsa -aes128 -passout pass:password -out $certificateName.pvk 2048
to generate a private key with passphrase.
If you do work with certificates a lot, I would recomend to forget “makecert.exe” altogether and use OpenSSL instead.

Calculate RSA key fingerprint

I need to do the SSH key audit for GitHub, but I am not sure how do find my RSA key fingerprint. I originally followed a guide to generate an SSH key on Linux.
What is the command I need to enter to find my current RSA key fingerprint?
Run the following command to retrieve the SHA256 fingerprint of your SSH key (-l means "list" instead of create a new key, -f means "filename"):
$ ssh-keygen -lf /path/to/ssh/key
So for example, on my machine the command I ran was (using RSA public key):
$ ssh-keygen -lf ~/.ssh/id_rsa.pub
2048 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff /Users/username/.ssh/id_rsa.pub (RSA)
To get the GitHub (MD5) fingerprint format with newer versions of ssh-keygen, run:
$ ssh-keygen -E md5 -lf <fileName>
Bonus information:
ssh-keygen -lf also works on known_hosts and authorized_keys files.
To find most public keys on Linux/Unix/OS X systems, run
$ find /etc/ssh /home/*/.ssh /Users/*/.ssh -name '*.pub' -o -name 'authorized_keys' -o -name 'known_hosts'
(If you want to see inside other users' homedirs, you'll have to be root or sudo.)
The ssh-add -l is very similar, but lists the fingerprints of keys added to your agent. (OS X users take note that magic passwordless SSH via Keychain is not the same as using ssh-agent.)
The newer SSH commands will list fingerprints as a SHA256 Key.
For example:
ssh-keygen -lf ~/.ssh/id_dsa.pub
1024 SHA256:19n6fkdz0qqmowiBy6XEaA87EuG/jgWUr44ZSBhJl6Y (DSA)
If you need to compare it against an old fingerprint you also need to specify to use the MD5 fingerprint hashing function.
ssh-keygen -E md5 -lf ~/.ssh/id_dsa.pub
2048 MD5:4d:5b:97:19:8c:fe:06:f0:29:e7:f5:96:77:cb:3c:71 (DSA)
Also available: -E sha1
Update... YES...yes... I know... DSA keys for SSH should no longer be used, the older RSA key or newer ecliptic keys should be used instead.
To those 'admins' that keep editing the command I used in the above. STOP CHANGING IT! You make the command and resulting output mis-match!
To see your key on Ubuntu, just enter the following command on your terminal:
ssh-add -l
You will get an output like this:
2568 0j:20:4b:88:a7:9t:wd:19:f0:d4:4y:9g:27:cf:97:23 yourName#ubuntu (RSA)
If however you get an error like; Could not open a connection to your authentication agent.
Then it means that ssh-agent is not running. You can start/run it with:
ssh-agent bash (thanks to #Richard in the comments) and then re-run ssh-add -l
A key pair (the private and public keys) will have the same fingerprint; so in the case you can't remember which private key belong to which public key, find the match by comparing their fingerprints.
The most voted answer by Marvin Vinto provides the fingerprint of a public SSH key file. The fingerprint of the corresponding private SSH key can also be queried, but it requires a longer series of step, as shown below.
Load the SSH agent, if you haven't done so. The easiest way is to invoke
$ ssh-agent bash
or
$ ssh-agent tcsh
(or another shell you use).
Load the private key you want to test:
$ ssh-add /path/to/your-ssh-private-key
You will be asked to enter the passphrase if the key is password-protected.
Now, as others have said, type
$ ssh-add -l
1024 fd:bc:8a:81:58:8f:2c:78:86:a2:cf:02:40:7d:9d:3c you#yourhost (DSA)
fd:bc:... is the fingerprint you are after. If there are multiple keys, multiple lines will be printed, and the last line contains the fingerprint of the last loaded key.
If you want to stop the agent (i.e., if you invoked step 1 above), then simply type `exit' on the shell, and you'll be back on the shell prior to the loading of ssh agent.
I do not add new information, but hopefully this answer is clear to users of all levels.
Reproducing content from AWS forums here, because I found it useful to my use case - I wanted to check which of my keys matched ones I had imported into AWS
openssl pkey -in ~/.ssh/ec2/primary.pem -pubout -outform DER | openssl md5 -c
Where:
primary.pem is the private key to check
Note that this gives a different fingerprint from the one computed by ssh-keygen.
The fastest way if your keys are in an SSH agent:
$ ssh-add -L | ssh-keygen -E md5 -lf /dev/stdin
Each key in the agent will be printed as:
4096 MD5:8f:c9:dc:40:ec:9e:dc:65:74:f7:20:c1:29:d1:e8:5a /Users/cmcginty/.ssh/id_rsa (RSA)
$ ssh-add -l
will also work on Mac OS X v10.8 (Mountain Lion) - v10.10 (Yosemite).
It also supports the option -E to specify the fingerprint format so in case MD5 is needed (it's often used, e.g. by GitHub), just add -E md5 to the command.
On Windows, if you're running PuTTY/Pageant, the fingerprint is listed when you load your PuTTY (.ppk) key into Pageant. It is pretty useful in case you forget which one you're using.
This is the shell function I use to get my SSH key finger print for creating DigitalOcean droplets:
fingerprint() {
pubkeypath="$1"
ssh-keygen -E md5 -lf "$pubkeypath" | awk '{ print $2 }' | cut -c 5-
}
Put it in your ~/.bashrc, source it, and then you can get the finger print as so:
$ fingerprint ~/.ssh/id_rsa.pub
d2:47:0a:87:30:a0:c0:df:6b:42:19:55:b4:f3:09:b9
Sometimes you can have a bunch of keys in your ~/.ssh directory, and don't know which matches the fingerprint shown by GitHub/Gitlab/etc.
Here's how to show the key filenames and MD5 fingerprints of all the keys in your ~/.ssh directory:
cd ~/.ssh
find . -type f -exec printf "\n{}\n" \; -exec ssh-keygen -E md5 -lf {} \;
(For what the parameters mean, refer to this answer about the find command.
Note that the private/public files that belong to one key have the same fingerprint, so you'll see duplicates.
If your SSH agent is running, it is
ssh-add -l
to list RSA fingerprints of all identities, or -L for listing public keys.
If your agent is not running, try:
ssh-agent sh -c 'ssh-add; ssh-add -l'
And for your public keys:
ssh-agent sh -c 'ssh-add; ssh-add -L'
If you get the message: 'The agent has no identities.', then you have to generate your RSA key by ssh-keygen first.
Google Compute Engine shows the SSH host key fingerprint in the serial output of a Linux instance. The API can get that data from GCE, and there is no need to log in to the instance.
I didn't find it anywhere else but from the serial output. I think the fingerprint should be in some more programmer-friendly place.
However, it seems that it depends on the type of an instance. I am using instances of Debian 7 (Wheezy) f1-micro.
If you need to obtain that from the private key do it:
ssh-keygen -y -f key > key.pub && ssh-keygen -lf key.pub
To check a remote SSH server prior to the first connection, you can give a look at www.server-stats.net/ssh/ to see all SHH keys for the server, as well as from when the key is known.
That's not like an SSL certificate, but definitely a must-do before connecting to any SSH server for the first time.
On Fedora I do locate ~/.ssh which tells me keys are at
/root/.ssh
/root/.ssh/authorized_keys

How can use a X.509 certificate created on another computer?

I need to encrypt an XML file with a x509 certificate on one computer and be able to decrypt it with the same certificate on another computer. It doesn't seem to work for me like Microsoft suggests:
http://msdn.microsoft.com/en-us/library/ms229744.aspx
The decryption process always fails on another computer!
I create a certificate by using the following command:
makecert -r -pe -n "CN=DEEP_201X" -b 01/01/2011 -e 01/01/2014 -sky exchange -ss my deep.cer
Then I install it by using:
certmgr /add deep.cer /s root
And try to get its private key with the FindPrivateKey.exe utility:
FindPrivateKey My CurrentUser -n "CN=DEEP_201X"
Works great. However, when I perform all the same actions to install the certificate on another computer FindPrivateKey will fail with
No certificates with key 'CN=DEEP_201X' found in the store.
when I use
certmgr /add deep.cer /s my
the error message will be like this:
Unable to obtain private key file name
Could someone please give me a piece of advice on how to make it work?
I suspect that you only need the private key on the decrypting computer.
However...
If you really need the private key on both computers, be aware that The .cer file does not include the private key.
(I think) makecert adds it to the local machine when it generates the cert. You can write it out using the -sv option. Then build a pfx container for the certificate that contains it.
makecert -r -pe -sv myprivatekey.pvk -n "CN=DEEP_201X" -b 01/01/2011 -e 01/01/2014 -sky exchange -ss my deep.cer
pvk2pfx -pvk myprivatekey.pvk -spc deep.cr -pfx deep_private.pfx
I haven't been able to convince certmgr to import private keys from the commandline. Use it in gui mode or use the certmgr.msc snap-in.

certificates with SDK tools (makecert, pvk2pfx)

I need to make two certificates: CA sert and Server cert.
I use this commands.
makecert -r -pe -n "CN=CACert" -a sha1 -sky signature -cy authority -sv CACert.pvk CACert.cer
certutil -addstore Root TGCA.cer
makecert -pe -n "CN=ServerCert" -a sha1 -sky exchange -ic CACert.cer -iv CACert.pvk -sv ServerCert.pvk ServerCert.cer
pvk2pfx -pvk ServerCert.pvk -spc ServerCert.cer -pfx ServerCert.pfx
Then I import ServerCert.pfx to certificate storage.
Why they do not contain private key in storage?
Why don't you try to generate pfx file by passing the private key password as an argument?
Try it this way
pvk2pfx -pvk ServerCert.pvk -spc ServerCert.cer -pfx ServerCert.pfx -pi password
As the documentation says:
/pi pvkpassword
Specifies the password for the .pvk file.
Source: http://msdn.microsoft.com/en-us/library/windows/hardware/ff550672(v=vs.85).aspx
So, after a long dance with a tambourine I found a solution. Problem was in UI. My goal was to import pfx to localmachine storage. It's impossible to do by starting pxf file from folder.
When pxf imports wihout pvk pass, the internal private key do not imports. Password do not requests when importing to localmachine storage by MMC.
What I made:
Import pxf-file from file explorer to CurrentUser "My" strorage (entering pvk password).
Export certificate from storage to new pxf with password.
Import new pxf to localmachine "My" storage with MMC.
I don't know other ways.