I'm trying to sign an XPI on linux (no gui) using the NSS cert db (cert8.db and key3.db) i copied from another server of mine, on which I can sign XPI's just fine.
On the new box I can sign with a brand new test certificate ok, but when i try to use the old cert db, it complains with:
signtool: PROBLEM signing data (Unknown issuer)
Certutil lists the cert im trying to use with a * and the CA is present in there as well.
Is this cert db transferable between computers like this? Or are there any other files I have to setup?
TIA
Mike
im not sure if this is what you need, but here it is: http://www.mercille.org/snippets/xpiSigning.php
If the certificate chain has an intermediate CA that also needs to be there.
NSS is rather picky when it comes to the chain and also needs the certs to have been marked as trusted.
Related
Like many I have received the MSB3325 strong naming error, I am targeting a pfx file and have tried to install the certificate directly to the CSP at the given container. The certificate is installed on the machine I am working on.
I generated the CSR through OpenSSL and received a p7b from a Certificate Authority, which I then converted to pfx with the key used in generating the CSR (I have also tried using online converters from different CAs to ensure I was not messing up the conversion through OpenSSL). I can confirm the pfx certificate contains the same key.
The sn -i cert.pfx VS_KEY_XXXXXXXXXXXXXXXX succeeds in pairing to the container but I get the exact same error and a failed build. I have tried many times to recreate the pfx and delete the container to pair to the new one. Initially I did not sign a password to the certificate (just pressed enter) but I have also tried giving it one, it made no difference.
I am trying to sign a WPF project and so far have been frustratingly unsuccessful.
Am I missing something? Many hours of research and all results come up to use the sn -i command to fix the problem.
I am learning how to install and use EJBCA to deploy an enterprise PKI. I know I can install EJBCA using a quick install configuring the script ejbca-setup like is explained here, and I also have tested a longer install process with WildFly 10 like explained here. In both variants I need to create a default ManagementCA and I can make some configuration changes related to the database I'm using and other things during the installation process. My problem is I need to install a CA of subCA type, and my subCA private key comes in a PKCS12 or PEM file from the root CA (I'm not completelly sure about the format yet).
Right now I know I can install EJBCA with the default CA and then create my subCA as a second one like is explained here, but I want to know if I can create this subCA as my first CA at the installation process, because I dont't need the default CA. Also if I have to create the default CA mandatorily I want to know if I can remove this default CA after I create my subCA without problems or if this first default CA is some kind of special CA for EJBCA.
The default ManagementCA is nothing special and can be deleted.
You can make the initial installation using an external CA for administrator certificates if you like. Documented here: https://doc.primekey.com/ejbca/ejbca-installation/installing-ejbca/install-ejbca-as-a-ca-without-a-management-ca
Note the "-superadmincn" argument which binds your externally issued certificate to the suprt administrator role during the installation.
I'm trying to renew a Puppet CA certificate and propagate it to the agents according to this https://github.com/puppetlabs/puppetlabs-certregen manual. While the first step of regenerating the CA certificate was easy to do, distributing the new CA to the clients does not work.
I created a file in the /manifests folder of the puppet repository called ca.pp with the content include certregen::client, but after a puppet update on the server and puppet agent -t -v on one of the clients nothing changes. I still get the warning Warning: Certificate 'Puppet CA: puppetmaster.domain.name' will expire on 2019-10-20T10:35:43UTC.
Unfortunately I don't have much knowledge about puppet since I inherited the setup from a former colleague who isn't available any more. So I don't even know where to start to debug this issue. Any help is very much appreciated.
The file named ca.pp containing the line include certregen::client has to be imported in the sites.pp file with import 'ca.pp' in the main manifests directory.
After that step, the CA certificate was successfully distributed among the clients.
I am trying to connect via SSL to a PostgreSQL using FireDac in Delphi. I have followed the instructions at the following site:
https://www.howtoforge.com/postgresql-ssl-certificates
I have created all the certificates. Configured the postgreql.conf as specified so it points to the required files. Copied the specified files to the client machine and installed the root.crt certificate.
Via FireDAC's connection params I have specified the following:
Params.values[SSL_ca']:=sslCertsPath+'root.crt';
Params.values['SSL_cert']:=sslCertsPath+'postgresql.crt.';
Params.values['SSL_key']:=sslCertsPath+'postgresql.key';
I am getting a connection error re invalid client certificate. I am not sure which certificate it is referring to and why it is invalid. Am I specifying the correct client certificates by way of the connection's params? If so, any suggestions as to why I may be getting the error please?
OpenSSL verify against the root.crt and postgresql.crt confirms the certificate is ok.
After over 3 weeks of frustration trying to set up PostgreSQL with SSL using FireDAC, I have finally figured out what the problem is and what the solution is.
For anyone wishing to connect using FireDAC, the howtoforge guide (see link in original post) works fine.
However, do not use the FireDAC parameters in my original post. PostgreSQL does not use them. You need to use the PGAdvanced parameter.
But even after figuring this out, I still could not get it to work for weeks until after testing I got an error message which finally made it clear what I was doing wrong. On Windows PostgreSQL strips out path delimiters unless you escape them (this is not mentioned in the PostgreSQL or FireDAC help files as far as I can see).
Below is an example of the correct way to connect using FireDac paramaters for ssl
Params.values['PGAdvanced']:='sslmode=verify-ca sslrootcert=C:\\ProgramData\\MWC\\Viewer\\Certs\\root.crt sslcert=C:\\ProgramData\\MWC\\Viewer\\Certs\\postgresql.crt sslkey=C:\\ProgramData\\MWC\\Viewer\\Certs\\postgresql.key';
If you don't wish to use a root certificate set sslmode to require.
I have a p12 file. This was generated from a DigiCert p7b.
When I import this into my personal store on one machine (windows server, using certificates mmc) it shows me one chain when I view the path.
Using the same file, I import into my personal store on a different machine (also windows, using certs mmc). On this one I see a different path (and in this case it has an expired hop)
Specifically, two hops above my cert the divergence occurs.
Why does this happen? Is there anything I can do to influence that chain (remember its the same p12 that is creating different paths)?
I should also say, I am no expert in this area. I'm a developer that muddles through these security issues when needed.
I had the same issue. Two different windows 2008 r2 servers, same certificate. After standard OS patching one of the servers was sending only the first layer of certificate trust chain (number 0), so the openssl client was failing with the message:
verify error:num=21:unable to verify the first certificate
No idea what was the root cause. I tried to
reassign certificate in IIS
reimport certificate
restart IIS
with no success. What finally helped to fix the issue was the server reboot...
Closing this out.
I'm still a little foggy on why things were working the way they did but some things made sense.
It seems the .p12 was created from a p7b that included some of the intermediate certs. One of the included intermediates was the bad one. This explains why the chain was bad on one machine.
Still not sure how I was able to see a good chain on different machine but I understand why I saw the bad one. It seems the good chain was the fluke and the bad chain should have been expected (I originally assumed the opposite).
I created a new .p12 without the intermediates. Cleaned up all the bad intermediates that were previously imported from the first .p12 in both service user and local machine stores. All seems to be working as expected now with same valid chain on all machines.