Creating client certificate with certificate uploaded in Azure key vault - azure

I have created a pfx file using the openssl commands below
openssl genrsa -out private_key.pem 4096
openssl req -new -x509 -key private_key.pem -out public_key.cer -days 100 -sha512 -subj "/CN=self-signed"
openssl pkcs12 -export -out samplepkcs12.pfx -inkey private_key.pem -in public_key.cer
Then I imported my pfx file into my Azure Key Vault.
Now in my Azure function, I need to download this certificate and create a client certificate.
I tried the code below
DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder()
.managedIdentityClientId("<MANAGED_IDENTITY_CLIENT_ID>")
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(defaultCredential)
.buildClient();
// The certificate is fetched through its backing secret
KeyVaultSecret certificateSecret = client.getSecret("<certificateName>");
// The secret value is handed to MSAL as the PKCS#12 stream
IClientCertificate clientCertificate =
ClientCredentialFactory.createFromCertificate(
new ByteArrayInputStream(certificateSecret.getValue().getBytes()), "<password>");
But I am getting the exception below
java.io.IOException: toDerInputStream rejects tag type 77
at java.base/sun.security.util.DerValue.toDerInputStream(DerValue.java:873)
at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1994)
Any suggestion on the right way of uploading (if my approach is wrong) or retrieving the certificate and creating a clientCertificate?

You are using the Secret library. Instead you should use the Certificate library described here:
https://azuresdkdocs.blob.core.windows.net/$web/java/azure-security-keyvault-certificates/4.3.2/index.html
CertificateClient certificateClient = new CertificateClientBuilder()
.vaultUrl("<your-key-vault-url>")
.credential(new DefaultAzureCredentialBuilder().build())
.buildClient();
KeyVaultCertificate certificate = certificateClient.getCertificate("<certificate-name>");

Related

Unable to extract certificate and key from p12 file from azure key vault

Brief description of what I've done and what I would like to achieve:
I was trying to add a certificate to Azure Key Vault via the UI:
I got those certificates as ca.crt (openssl req -new -x509 -days 1826 -key ca.key -out ca.crt) and ca.key (openssl genrsa -des3 -out ca.key 2048), but Azure Key Vault requires certificates in .pem or .pfx format.
I decided to move the cert and key into PEM format: key: openssl rsa -in ca.key -text > ca_key.pem
cert: openssl x509 -in ca.crt -out ca.pem, then copied ca_key.pem inside ca.pem.
I was trying with only cert + key, and with key extra data (binaries or something).
I was getting this error from the UI: The specified PEM X.509 certificate content is in an unexpected format. Please check if certificate is in valid PEM format.
I decided to install the Azure CLI and pass those in pfx format: openssl pkcs12 -export -out ca.pfx -inkey ca.key -in ca.crt, and that works properly; I'm able to see the created cert in Key Vault certificates,
and there the problem begins. I would like to get the certificate with the Azure Node library and extract the separate key and cert to use them. What I've achieved so far:
const secretClient = new SecretClient(keyVaultUrl, credential);
const certificateSecret = await secretClient.getSecret(certificateName);
const PKCS12Certificate = certificateSecret.value!;
fs.writeFileSync("myCertificate.p12", PKCS12Certificate);
I got the file and, as the documentation says:
https://www.npmjs.com/package/@azure/keyvault-certificates#getting-the-full-information-of-a-certificate
I was trying to execute:
openssl pkcs12 -in myCertificate.p12 -out myCertificate.crt.pem -clcerts -nokeys
to extract the CA certificate from the p12, but I'm still getting this error:
34359836736:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149:
34359836736:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:309:Type=PKCS12
Any ideas what I'm doing wrong?
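Added example (not from either of the two posts above) that reproduces both errors with a locally generated PFX: Key Vault returns a certificate-backed secret as the PFX in base64, so writing that text straight to a .p12 produces OpenSSL's "wrong tag" and Java's "rejects tag type 77" (77 is ASCII 'M', the first character of base64-encoded DER), while decoding it first parses cleanly. Assumes openssl, base64 and od on PATH; the passphrase and subject are constructed values.

```shell
#!/bin/sh
# Added example: fake what Key Vault returns for a certificate-backed secret
# (contentType application/x-pkcs12): the PFX bytes, base64-encoded as text.
set -e
WORK=$(mktemp -d)
PASS='test-passphrase'   # constructed passphrase for the throwaway PFX only

# Build a throwaway self-signed cert + PFX, then base64-encode it as Key Vault would.
make_fake_vault_secret() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj '/CN=self-signed' \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -passout "pass:$PASS" -out "$WORK/real.pfx"
  base64 "$WORK/real.pfx" | tr -d '\n' > "$WORK/secret.txt"
}

# Both posts' mistake: treat the secret text itself as the PKCS#12 file.
# Fails: the file starts with "MII", and 'M' (0x4D = 77) is not a DER SEQUENCE tag,
# which is exactly what "rejects tag type 77" and "wrong tag" complain about.
parse_raw_secret() {
  cp "$WORK/secret.txt" "$WORK/raw.p12"
  openssl pkcs12 -in "$WORK/raw.p12" -passin "pass:$PASS" -nokeys -out /dev/null 2>/dev/null
}

# The fix: base64-decode first; the bytes then begin with 0x30 (SEQUENCE) and parse.
parse_decoded_secret() {
  base64 -d "$WORK/secret.txt" > "$WORK/decoded.p12"
  openssl pkcs12 -in "$WORK/decoded.p12" -passin "pass:$PASS" -clcerts -nokeys \
    -out "$WORK/cert-out.pem" 2>/dev/null
}

# Decimal value of a file's first byte: 77 ('M') for the text, 48 (0x30) for real DER.
first_byte_dec() {
  od -An -tu1 -N1 "$1" | tr -d ' '
}
```

The equivalent one-line fix in the posts' own languages is Base64.getDecoder().decode(certificateSecret.getValue()) in Java and Buffer.from(certificateSecret.value, "base64") in Node, applied before the bytes reach the PKCS#12 parser.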

Why does cryptogen not create the keystore folder?

I am using cryptogen version 1.4.0; it does not create the keystore folder inside the MSP. Please suggest a solution for this. What I am trying to achieve here is, using the cryptogen tool, to create the certificate and run the Fabric CA server using the offline-generated certificate with Docker.
I think it makes more sense to use openssl for that purpose.
Write your suitable csr.cnf (change dn and alt_names values):
[req]
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = x509_ext
[dn]
CN = mydomain.com
C = US
ST = New York
L = New York
O = MyOrg
OU = MyDepartment
[x509_ext]
basicConstraints=critical, CA:TRUE, pathlen:2
keyUsage=critical, Certificate Sign, CRL Sign
subjectKeyIdentifier=hash
subjectAltName = @alt_names
[alt_names]
DNS.1 = mydomain.com
IP.1 = 127.0.0.1
And then generate the key and the certificate:
openssl ecparam -genkey -name prime256v1 -noout -out ca-key.pem
openssl req -new -x509 -key ca-key.pem -out ca-cert.pem -days 7300 -config csr.cnf
And then use ca-cert.pem and ca-key.pem in your CA.
Anyway, Fabric-CA itself generates the certificate according to your fabric-ca-server-config.yaml parameters on first run if it does not exist.
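Added example (not the answer's own code) that runs the csr.cnf, ecparam and req steps above and then checks that the result really works as a CA: it verifies the CA extensions and issues and validates a leaf certificate, which is what fabric-ca-server will do with this key pair. Assumes openssl on PATH; DN and hostname values are the answer's placeholders, and keyUsage uses the short names keyCertSign/cRLSign for the answer's "Certificate Sign, CRL Sign".

```shell
#!/bin/sh
# Added example: build the CA from the answer's config and prove it can issue certificates.
set -e
WORK=$(mktemp -d)

write_ca_config() {
  cat > "$WORK/csr.cnf" <<'EOF'
[req]
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = x509_ext
[dn]
CN = mydomain.com
O = MyOrg
[x509_ext]
basicConstraints = critical, CA:TRUE, pathlen:2
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
subjectAltName = @alt_names
[alt_names]
DNS.1 = mydomain.com
EOF
}

# The two commands from the answer: P-256 key, then a self-signed CA cert with x509_ext applied.
make_ca() {
  openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/ca-key.pem"
  openssl req -new -x509 -key "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" -days 7300 \
    -config "$WORK/csr.cnf"
}

# The extensions Fabric-CA and every TLS peer will look at: CA:TRUE with pathlen, keyCertSign.
ca_extensions_ok() {
  openssl x509 -in "$WORK/ca-cert.pem" -noout -text > "$WORK/ca.txt"
  grep -q 'CA:TRUE, pathlen:2' "$WORK/ca.txt" && grep -q 'Certificate Sign' "$WORK/ca.txt"
}

# Issue a leaf certificate for a peer and verify that it chains to the CA.
issue_and_verify_leaf() {
  openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/peer-key.pem"
  openssl req -new -key "$WORK/peer-key.pem" -subj '/CN=peer0.mydomain.com' \
    -config "$WORK/csr.cnf" -out "$WORK/peer.csr"
  openssl x509 -req -in "$WORK/peer.csr" -CA "$WORK/ca-cert.pem" -CAkey "$WORK/ca-key.pem" \
    -CAcreateserial -days 365 -out "$WORK/peer-cert.pem" 2>/dev/null
  openssl verify -CAfile "$WORK/ca-cert.pem" "$WORK/peer-cert.pem" >/dev/null
}
```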

Openssl certificate for Azure website

I am getting an error when I try to add a binding to an SSL certificate.
Error:
Failed to add SSL binding. The certificate with thumbprint '877EC1DA24CD9D4713FD4107A83AC0EE5A4654E4' is invalid for SSL. The Enhanced Key Usage must be present and must contain Server Authentication (1.3.6.1.5.5.7.3.1).
Below is the method I used to generate the SSL certificate.
Step 1
Create file domain.rs.txt
Step 2
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=DK
ST=Jutland
L=Haderslev
O=Justlearn ApS
OU=Haderslev
emailAddress=team@justlearn.com
CN = www.justlearn.rs
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = justlearn.rs
DNS.2 = www.justlearn.rs
Step 3
openssl req -new -sha256 -nodes -out domain.rs.csr -newkey rsa:2048 -keyout domain.rs.key -config domain.rs.txt
Step 4
openssl x509 -req -days 365 -in domain.rs.csr -signkey domain.rs.key -out domain.rs.crt
Step 5
openssl pkcs12 -export -in domain.rs.crt -inkey domain.rs.key -out mycert.pfx
Create your certificate with XCA. Then in the Key Usage tab make sure you select the "TLS Web Server Authentication" option, and also check "critical".
After that you need to export your certificate and key.
Then use OpenSSL to convert the .crt to PFX in case you need it. See the command below.
openssl pkcs12 -export -out C:\Certificate\BBBakingdecor.pfx -inkey C:\Certificate\bakingdecor.pem -in C:\Certificate\bakingdecor.crt
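Added example (not from the question or the answer) that reproduces the failure: Step 4's openssl x509 -req -signkey is given no extension source, so the SAN carried in the CSR is dropped and no EKU is ever written, and the posted config never asks for serverAuth in the first place; the corrected run adds extendedKeyUsage = serverAuth and passes -extfile/-extensions, and a check function mirrors the EKU test in the error message. Assumes openssl on PATH; the DN values are constructed.

```shell
#!/bin/sh
# Added example: why Steps 1-5 yield a certificate without an EKU, and the corrected config.
set -e
WORK=$(mktemp -d)

# The posted config with one addition: extendedKeyUsage in req_ext (constructed DN values).
write_config() {
  cat > "$WORK/domain.cnf" <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = DK
O = Example Org
CN = www.example.com
[ req_ext ]
subjectAltName = @alt_names
extendedKeyUsage = serverAuth
[ alt_names ]
DNS.1 = example.com
DNS.2 = www.example.com
EOF
}

# Steps 3 and 4 as posted: "openssl x509 -req -signkey" is told nothing about extensions,
# so the SAN and EKU carried in the CSR are silently left out of the certificate.
sign_as_posted() {
  openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout "$WORK/domain.key" \
    -out "$WORK/domain.csr" -config "$WORK/domain.cnf" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/domain.csr" -signkey "$WORK/domain.key" \
    -out "$WORK/as-posted.crt" 2>/dev/null
}

# Corrected Step 4: point x509 at the config section that holds the extensions.
sign_with_extensions() {
  openssl x509 -req -days 365 -in "$WORK/domain.csr" -signkey "$WORK/domain.key" \
    -extfile "$WORK/domain.cnf" -extensions req_ext -out "$WORK/fixed.crt" 2>/dev/null
}

# The check Azure performs before binding: EKU present and containing
# serverAuth (1.3.6.1.5.5.7.3.1), which openssl prints as "TLS Web Server Authentication".
has_server_auth_eku() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' \
    | grep -q 'TLS Web Server Authentication'
}
```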

nodejs with expressjs and SSL p7b certificate

I'm very sorry for my language, but I don't speak English.
I'm trying to implement SSL in my app, but I only have a valid p7b created from a CSR file. I'm using Express.js and Node.js on a Linux server. I know how to implement a PEM certificate:
var fs = require('fs');
var https = require('https');
// PEM key and certificate read from disk; config and app are defined elsewhere in the app
var options = {
key: fs.readFileSync('./private.pem'),
cert: fs.readFileSync('./' + config.ssl[config.mode].cert)
};
server = https.createServer(options, app).listen(3000);
but I don't know how to implement a p7b certificate. Kindly help me.
First you have to convert your p7b to PEM format:
openssl pkcs7 -in public.p7b -inform DER -out public.pem -print_certs
Create a PKCS#12 file containing your private key and the public certificate:
openssl pkcs12 -export -inkey private.key -in public.pem -name my_name -out result.pfx
To use the pfx file with Node.js, use:
const fs = require("fs");
const cert = fs.readFileSync("result.pfx");
// HTTP client whose TLS identity is the PFX; the passphrase is the one given to -export
const request = require('request').defaults({
agentOptions: {
pfx: cert,
passphrase: "<pfx-password>"
}
});
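Added example (not the answer's own code) that walks the p7b to PEM to PFX conversion on a locally generated certificate standing in for the CA's reply, with the check a real p7b needs before the PFX is built: that the certificate inside matches your private key, since a p7b never carries a key. Assumes openssl on PATH; the subject and passphrase are constructed values.

```shell
#!/bin/sh
# Added example: p7b -> PEM -> PFX on a locally generated certificate, plus a key-match check.
set -e
WORK=$(mktemp -d)
PASS='changeit'   # constructed passphrase for the PFX; becomes the Node "passphrase" option

# Stand-in for the CA's reply: our own cert wrapped as DER PKCS#7, which is what a .p7b is.
make_test_p7b() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj '/CN=example.com' \
    -keyout "$WORK/private.key" -out "$WORK/issued.pem" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$WORK/issued.pem" -outform DER -out "$WORK/public.p7b"
}

# Step 1 of the answer: unwrap the PKCS#7 bundle into PEM certificate(s).
p7b_to_pem() {
  openssl pkcs7 -in "$WORK/public.p7b" -inform DER -print_certs -out "$WORK/public.pem"
}

# A p7b carries no private key, so confirm the certificate's public key is ours
# by comparing SubjectPublicKeyInfo digests before bundling.
cert_matches_key() {
  c=$(openssl x509 -in "$WORK/public.pem" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$WORK/private.key" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# Step 2 of the answer: bundle key + certificate into the PFX that Node's tls options accept.
pem_to_pfx() {
  cert_matches_key
  openssl pkcs12 -export -inkey "$WORK/private.key" -in "$WORK/public.pem" \
    -name my_name -passout "pass:$PASS" -out "$WORK/result.pfx"
}

# Number of certificates openssl reads back out of the PFX (1 for this self-signed case).
certs_in_pfx() {
  openssl pkcs12 -in "$WORK/result.pfx" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}
```

For an Express server the resulting file replaces the key/cert pair: https.createServer({ pfx: fs.readFileSync("result.pfx"), passphrase: "<pfx-password>" }, app).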

403 error when authenticating with Azure Management API - nodejs

I'm using the following npm package to try to create a cloud service using Node.js.
https://www.npmjs.com/package/azure-mgmt-compute
This is the code I'm using:
var fs = require('fs');
var computeManagement = require('azure-mgmt-compute');
// Management certificate (PEM with key and cert) used as the subscription credential
var file = __dirname + '/azure-cert.pem';
var computeManagementClient = computeManagement.createComputeManagementClient(computeManagement.createCertificateCloudCredentials({
subscriptionId: userCredentials.subscriptionId,
pem: fs.readFileSync(file, 'utf-8')
}));
I'm getting the error: "The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription".
Status code 403.
I've done what's written here:
https://msdn.microsoft.com/en-us/library/azure/gg551722.aspx
And converted to PEM using OpenSSL.
I also tried the following:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout azure-cert.pem -out azure-cert.pem
openssl pkcs12 -export -out azure-cert.pfx -in azure-cert.pem -name "My Self Signed Cert"
openssl x509 -outform der -in azure-cert.pem -out azure-cert.cer
Everything fails.
Any ideas?
I tried to follow the section "How to Use -> Authentication" of the page https://www.npmjs.com/package/azure-mgmt-compute to get the .pem file via the Azure Xplat-CLI and run the sample code. It works fine.
Firstly you need to install the Azure Xplat-CLI via the command npm install -g azure-cli; please refer to https://azure.microsoft.com/en-us/documentation/articles/xplat-cli-install/.
Secondly you need to connect to your Azure subscription via the command azure login -u <username>; please refer to https://azure.microsoft.com/en-us/documentation/articles/xplat-cli-connect/.
Then you can run the command azure account cert export to get the .pem file. The code works with the subscription id & pem file.
Best Regards!
