Unable to Generate .pfx File For Azure App - azure

We are trying to update an SSL certificate in our Azure Web App. Accordingly to the Private Certificate Requirements we need to use triple DES for a private key now. Here's are steps that I'm doing:
Generate private key on my PC using triple DES:
openssl genrsa -des3 -out privatekey.key 2048
Generate csr:
openssl req -new -key privatekey.key -out mycsr.csr
Re-key certificate on Godaddy Portal.
Using new crt-file generate a pfx:
openssl pkcs12 -export -out cert.pfx -inkey privatekey.key -in mycert.crt
Unfortunately, generated certificate is not accepted by Azure portal. I'm getting an error message "The password is incorrect, or the certificate is not valid".

Ubuntu 22.04 uses a yescrypt hashing algorythm. Try to generate the pfx on

Related

Fail to merge/extract OpenSSL certificates

I have 4 certificates with the following extensions
_com-bundle.pem
_com.der
_com.p7b
_com.pem
In my internal tool i need to add the SSL Cert and SSL key.
How can i merge/extract the correct cert and key from the above extensions?
i've tried the bellow command
openssl x509 -inform DER -in *_com.pem -outform PEM -out cert.pem
but i've received and error that the key file is incorrect

Two Way SSL Authentication in NodeJS

I am trying to integrate with a 3rd party API using two way SSL authentication. The documention provided by them is for JAVA and I am using NodeJS. I am new to this and really grasping at straw here. In document it is mentioned to generate a self signed certificate and use private key of that certificate with the public cetificate from them to create a PKCS 12 file and use it to call the API.
Below is the excerpt from the documentation to
Create a self signed certificate
keytool -genkey -keyalg RSA -alias <aliasName>-keystore selfsigned.jks -validity <days> -keysize 2048
Import JKS to key store
KeyDBs could be any format PFX, JKS or P12. Listing the certificates from > the Keystores, Go to bin directory of Java library, It should have a Private-> Cert entry in the List of the certificates.
Keytool -list -v -keystore <Keystore Name>
If the KeyDB is not present create a Keydb using the Private key and Public Certificate provided through openSSL.
Create P12 from key
openssl pkcs12 -export -in mycert.crt -inkey <mykey.key> -out mycert.p12 -name tomcat -CAfile <myCA.crt> -caname root –chain
Create JKS from P12
keytool -v -importkeystore -srckeystore <key.p12> -srcstoretype PKCS12 -destkeystore <key.jks> -deststoretype JKS
To Verify: KeyDBs could be any format PFX, JKS or P12. Listing the certificates from the Keystores, Go to bin directory of Java library, It should have a Private-Cert entry in the List of the certificates.
Keytool -list -v -keystore <Keystore Name>
I am facing problem in creating the PKCS 12 file. I created self signed certificate using openssl (provided with git) via below mentioned commmands
Creating request and private key
openssl req -new -newkey rsa:2048 -nodes -keyout privatekey.key -out certificatereq.cer
Creating Certificate using the request and key
openssl x509 -req -days 365 -in certificatereq.cer -signkey privatekey.key -out selfsigned.crt
Upon creation of certificate I used it to create PKCS 12 file as mentioned in documentation above via below mentioned command
openssl pkcs12 -export -in selfsigned.crt -inkey privatekey.key -out outpkcs12file.p12 -name myname -CAfile thirdpartypublic.crt -caname mycaname -chain
but getting the error Error self signed certificate getting chain. I tried by installing the self signed certificate in my system also and getting the same error. If I remove the -chain (not sure what it does, but found few commands without -chain) agrument there is no output in terminal. The third party's certificate is CA signed.

Security key and cert for mosca MQTT broker

I am trying to set up Mosca MQTT broker which is based on node.js
From the documentation below,
https://github.com/mcollina/mosca/wiki/TLS-SSL-Configuration
var mosca = require('mosca')
var SECURE_KEY = __dirname + '/../../test/secure/tls-key.pem';
var SECURE_CERT = __dirname + '/../../test/secure/tls-cert.pem';
Where do I get tls-key.pem and tls-cert.pem?
From the link https://github.com/mcollina/mosca/wiki/TLS-SSL-Configuration in your question, you are directed to another link https://nodejs.org/api/tls.html#tls_tls_ssl
Now, follow the instructions in this link.
$ openssl genrsa -out tls-key.pem 2048
$ openssl req -new -sha256 -key tls-key.pem -out ryans-csr.pem
$ openssl x509 -req -in ryans-csr.pem -signkey tls-key.pem -out tls-cert.pem
There you go. You should have your pem files.
It all depends on what you want to use the broker for.
If it's for simple private playing then you can create your own self signed certificate with openssl (details here)
openssl genrsa -des3 -out tls-key.pem 1024
openssl req -new -key tlk-key.pem -out server.csr
cp tlk-key.pem tls-key.pem.org
openssl rsa -in tls-key.pem.org -out tls-key.pem
openssl x509 -req -days 365 -in server.csr -signkey tls-key.pem -out tls-cert.pem
or if you are planning to do client authentication using certificates as well then can create your own Certificate CA and create a certificate signed by this. This is a longer process, details can be found here
Or finally if you want to make a service available publicly then you probably should really get a certificate signed by a real CA. Normally these would cost money, but the Let's Encrypt group will issue certificates with 90days of life for free and have an API which lets you renew the certificate before it expires. Details here

how to generate apns certificate in openshift server

I am trying to use push notifications through my nodejs server deployed in openshift rehat server. I could not find any documentation/discussion to generate apns certificate in openshift.
I tried generating a certificate, but getting an error while generating CSR using this command
openssl genrsa -out sz.key 2048
Error: unable to write 'random state'
e is 65537 (0x10001)
After some googling, I see one option is to use aerogear. But I want to use my own server to handle the notifications.
Is there any other option to generate a certificate in openshift server?
Thanks developercorey for your help. But i still see the error.
Finally generated certificate for my openshift server using this script
openssl x509 -in aps_production.cer -inform DER -out myProdCert.pem
The private key associated with the SSL certificate can be exported from the Keychain Access application on your Mac computer. - mykey.p12
openssl pkcs12 -in mykey.p12 -out myProdKey.pem -nodes -clcerts
openssl s_client -connect gateway.push.apple.com:2195 -cert myProdCert.pem -key myProdKey.pem
Hopefully this will help somebody.
Try this command:
HOME=~/app-root/data/ openssl genrsa -out sz.key 2048
Basically it is trying to write some temp data into your $HOME, but you can't write to that directory, so it won't work, but it does give somewhat of a cryptic error message.

Untrusted certificate on IIS using OpenSSL

I'm using OpenSSL to avoid pay for it. In my server is runing IIS 8 and Windows Server 2012.
I created my certificate this way:
Used IIS to create a certificate request
Used the following command to create a RSA private key
openssl genrsa -des3 -out cakey.pem 2048
After that I used this command to generate a certificate
openssl req -new -key cakey.pem -x509 -days 1825 -extensions v3_ca -out ca.crt
Finally I signed the certificate request using this:
openssl x509 -req -days 365 -in certreq.txt -CA ca.crt -CAkey cakey.pem -CAcreateserial -out iis.cer
But when I navigate to the website I get an "error" telling me that this is an "Untrusted certificate": The security certificate presented by this website was not issued by a trusted certificate authority.
What you get from OpenSSL tool is a self signed certificate. Of course it is not trusted by any browser, as who can say you are worth the trust.
Please buy a certificate if you want to set up a public web site. That's something you must pay, just like the public domain name.
Instead, if you are hosting an internal web site for your company, there are ways to set up your own CA, such as using Microsoft Active Directory Certificate Services.
Updated in 2018: Today there are more options to get free certificates, such as Let's Encrypt. Check them out and make good use of them.
Did you install your CA certificate into your browser before trying to visit the IIS server running the certificate you generated under the CA hierarchy? Here's some information about that step.

Resources