I am trying to create the kubernetes secret using PFX certificate that are stored in the keyvalut
I have download the secrets and the certificates to store the secrets
I have followed the below steps to store the secrets but i am getting the below error
#To get the password of the certificate
az keyvault secret show --name $secret_name --vault-name $keyvault_name -o tsv --query value)
#download the certificate
az keyvault certificate download --file $cert_pfx --name $cert_name --vault-name $keyvault_name
#convert pfx to key
Error:
0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1239:
#140546015532944:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:405:Type=PKCS12
Any idea? Thanks for the help :)
I tried to reproduce the same in my work environment and got the expected results as shown in below
I have the keyvault with newly created secrets and set the polices to access the secrets
az keyvault set-policy -n "keyvault-name" --spn "service-principal-id" --secret-permissions get
I have created the certificate with the name "policycert"
az keyvault certificate create --vault-name newcertkv --name policycert -p "$(az keyvault certificate get-default-policy -o json)"
Added the polices to access the certificate
az keyvault set-policy -n newcertkv --spn "spn-id" --certificate-permissions get
Generated the private keyvault and certificate
openssl genrsa 2048 > pkeys123.key
openssl req -new -x509 -nodes -sha256 -days 365 -key pkeys123.key -out newcert123.cert
After enter the command it will ask the name and cert related documents
I generated the password using below command
openssl pkcs12 -export -out certificate.pfx -inkey pkeys123.key -in newcert123.cert
I have conerted this into pfx
$fileContentBytes = get-content ‘newcert123.pfx' -AsByteStream
[System.Convert]::ToBase64String($fileContentBytes) | Out-File ‘pfx-encoded-bytes.pem
The secrets need to be set to PKCS file format
az keyvault secret set --vault-name newcertkv --name newcertsecret --file pfx-encoded-bytes.pem --description "application/x-pkcs12"
I have downloaded the certificate and converted the pfx to pem and then PFX to key
az keyvault certificate download --file newcert123.pem --name my-certificate --vault-name newcertkv
openssl pkcs12 -in newcert123.pfx -clcerts -nokeys -out newcert123.pem -password pass:0000
openssl pkcs12 -in newcert123.pfx -nocerts -out newcert123.key -password pass:XXXX
Related
I bought a (E-mail ID Business (S/MIME)) certificate from certum, hoping to use to sign pdf files more affordable.
They have send me the files in plain(pem) and in binary(cer).
Here is the file list I downloaded:
Certificate chain Certum Digital Identification CA SHA2.cer
Certificate chain Certum Digital Identification CA SHA2.pem
Certificate chain Certum Trusted Network CA.cer
Certificate chain Certum Trusted Network CA.pem
Certificate.cer
Certificate.pem
I tried to use below command to create p12 file.
"openssl.exe" pkcs12 -export -in D:\xampp_data\MIME\Certificate.cer -inkey D:\xampp_data\MIME\Certificate.cer -out Certificate.p12 -name "MyCert" -password pass:MyCert
When using the command with D:\xampp\php\extras\openssl\openssl.exe, windows 11 console does not gives any error. And there is no output file too.
When using the command with C:\Program Files\OpenSSL-Win64\bin\openssl.exe, windows 11 console gives below error. Win64 OpenSSL v3.0.5 Light
D:\xampp_data\MIME>"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -export -in D:\xampp_data\MIME\Certificate.cer -out Certificate.p12 -name "MyCert" -password pass:MyCert
Could not read private key from -in file from D:\xampp_data\MIME\Certificate.cer
We are trying to update an SSL certificate in our Azure Web App. Accordingly to the Private Certificate Requirements we need to use triple DES for a private key now. Here's are steps that I'm doing:
Generate private key on my PC using triple DES:
openssl genrsa -des3 -out privatekey.key 2048
Generate csr:
openssl req -new -key privatekey.key -out mycsr.csr
Re-key certificate on Godaddy Portal.
Using new crt-file generate a pfx:
openssl pkcs12 -export -out cert.pfx -inkey privatekey.key -in mycert.crt
Unfortunately, generated certificate is not accepted by Azure portal. I'm getting an error message "The password is incorrect, or the certificate is not valid".
Ubuntu 22.04 uses a yescrypt hashing algorythm. Try to generate the pfx on
I'm looking for some CLI commands or a script of some sort that I can execute to do the following in one step
create a self-signed certificate
upload it to my Azure App Service
create an app setting param with the certificate thumbprint as value
Has anyone done this before?
1. Create a self-signed certificate
If you want to create a self-signed certificate, we can use OpenSSL to implement it. For more details, please refer to here and here
a. Create the certificate key and the signing (csr).
openssl req -new -x509 \
-newkey rsa:2048 \
-sha256 \
-days 3650 \
-nodes \
-out example.crt \
-keyout example.key \
-subj "/C=SI/ST=Ljubljana/L=Ljubljana/O=Security/OU=IT Department/CN=www.example.com"
The fields, specified in -subj line are listed below:
C= - Country name. The two-letter ISO abbreviation.
ST= - State or Province name.
L= - Locality Name. The name of the city where you are located.
O= - The full name of your organization.
OU= - Organizational Unit.
CN= - The fully qualified domain name
b. Generate the certificate
openssl pkcs12 \
-inkey example.key \
-in example.crt \
-export -out example.pfx \
-password pass:<your password>
2. Upload it to my Azure App Service and save the certificate thumbprint in Azure App service app settings
Regarding the issue, please refer to the following code
az login
# Upload the SSL certificate and get the thumbprint.
thumbprint=$(az webapp config ssl upload --certificate-file $pfxPath \
--certificate-password $pfxPassword --name $webappname --resource-group $resourceGroup \
--query thumbprint --output tsv)
# save thumbprint
az webapp config appsettings set --name $appName --resource-group myResourceGroup \
--settings "Certificate _Thumbprint=$thumbprint"
I am trying to integrate with a 3rd party API using two way SSL authentication. The documention provided by them is for JAVA and I am using NodeJS. I am new to this and really grasping at straw here. In document it is mentioned to generate a self signed certificate and use private key of that certificate with the public cetificate from them to create a PKCS 12 file and use it to call the API.
Below is the excerpt from the documentation to
Create a self signed certificate
keytool -genkey -keyalg RSA -alias <aliasName>-keystore selfsigned.jks -validity <days> -keysize 2048
Import JKS to key store
KeyDBs could be any format PFX, JKS or P12. Listing the certificates from > the Keystores, Go to bin directory of Java library, It should have a Private-> Cert entry in the List of the certificates.
Keytool -list -v -keystore <Keystore Name>
If the KeyDB is not present create a Keydb using the Private key and Public Certificate provided through openSSL.
Create P12 from key
openssl pkcs12 -export -in mycert.crt -inkey <mykey.key> -out mycert.p12 -name tomcat -CAfile <myCA.crt> -caname root –chain
Create JKS from P12
keytool -v -importkeystore -srckeystore <key.p12> -srcstoretype PKCS12 -destkeystore <key.jks> -deststoretype JKS
To Verify: KeyDBs could be any format PFX, JKS or P12. Listing the certificates from the Keystores, Go to bin directory of Java library, It should have a Private-Cert entry in the List of the certificates.
Keytool -list -v -keystore <Keystore Name>
I am facing problem in creating the PKCS 12 file. I created self signed certificate using openssl (provided with git) via below mentioned commmands
Creating request and private key
openssl req -new -newkey rsa:2048 -nodes -keyout privatekey.key -out certificatereq.cer
Creating Certificate using the request and key
openssl x509 -req -days 365 -in certificatereq.cer -signkey privatekey.key -out selfsigned.crt
Upon creation of certificate I used it to create PKCS 12 file as mentioned in documentation above via below mentioned command
openssl pkcs12 -export -in selfsigned.crt -inkey privatekey.key -out outpkcs12file.p12 -name myname -CAfile thirdpartypublic.crt -caname mycaname -chain
but getting the error Error self signed certificate getting chain. I tried by installing the self signed certificate in my system also and getting the same error. If I remove the -chain (not sure what it does, but found few commands without -chain) agrument there is no output in terminal. The third party's certificate is CA signed.
I'm trying to automate my infrastructure using puppet with Azure.
I've created my puppet master using puppet enterprise VM from gallery on Azure. After that, I've generated a certificate running the following commands:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout cert.pem -out cert.pem
sudo openssl x509 -inform PEM -in cert.pem -outform DER -out cert.cer
Then, I've uploaded my cert file to Azure Management Portal and finally, I've create a VM with the following command:
puppet azure_vm create --management-certificate /tmp/cert.pem --azure-subscription-id=xxxxxx --image 0b11de9248dd4d87b18621318e037d37__RightImage-Ubuntu-12.04-x64-v13.4 --location 'west us' --vm-name puppetslave --vm-user xxxx --password xxxxx --puppet-master-ip 23.102.xxx.xxx
Finally, I've exported my private key using PuttyGen and I'm using it to connect to my new linux vm. Unfortunately, I'm getting the following error:
server refused out key
And I don't know why. I'm stuck at this point and don't know how to proceed.