I would like to set up a TLS connection between a host and a Thales payShield HSM. On the HSM I have generated the RSA key pair, but I can only get the CSR.
Can't I generate a self-signed certificate? Are there alternative methods?
First of all, you need to create your own ROOT CA, use it to sign the CRT of the payShield, then create a client certificate using your ROOT CA.
The certificates you generate need to be version v3!
Then you can finally upload them to your payShield using the payShield Manager or through a USB stick (I tried on the 10k).
You need to upload three certificates to the payShield:
the CRT of your CA
the CRT of your payShield, obtained by signing its certificate request
the CRT of your client.
Kind regards,
Marco - StockTrader
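The procedure in the answer above, as an added example that is not part of the original post: OpenSSL commands that create a root CA, sign the payShield CSR and a client CSR with v3 extensions, and verify the chain before upload. All file names, subject names, lifetimes and extension choices are assumptions, and hsm.csr is generated locally here only as a stand-in for the CSR exported by the HSM.

```shell
# Added example: every name, path, lifetime and extension set is an assumption.
build_pki() (
  mkdir -p "$1" && cd "$1" || exit 1
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[hsm]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
  # 1. Self-signed root CA; the v3_ca section makes it a version 3 certificate.
  openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -keyout ca.key -out ca.crt 2>/dev/null || exit 1
  # Stand-in for the CSR exported by the payShield. On a real unit the private
  # key stays inside the HSM and only hsm.csr exists on the host.
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=payshield.example.internal" \
    -keyout hsm.key -out hsm.csr 2>/dev/null || exit 1
  # Key and CSR for the host that will connect as TLS client.
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=host-client" -keyout client.key -out client.csr 2>/dev/null || exit 1
  # 2. Sign both CSRs with the CA. -extfile/-extensions adds the v3 extensions;
  #    without any extensions OpenSSL may emit a version 1 certificate.
  for n in hsm client; do
    openssl x509 -req -in "$n.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
      -sha256 -days 365 -extfile pki.cnf -extensions "$n" \
      -out "$n.crt" 2>/dev/null || exit 1
  done
  # 3. Confirm both leaf certificates chain to the CA before uploading them.
  openssl verify -CAfile ca.crt hsm.crt client.crt >/dev/null || exit 1
)

cert_version() {  # prints the X.509 version number of a PEM certificate
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]*\).*/\1/p'
}
```

The three files to upload are then ca.crt, hsm.crt and client.crt; ca.key and client.key never go to the HSM.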
Related
I am using fabric-sdk-nodejs to enroll the user. It works fine, but all the private keys and MSP will be created using Fabric CA.
My questions:
How can I generate a keypair for an offline user and then generate the certificate using Fabric CA for a particular organisation?
Is it possible to create a keypair offline? Which keypair generation is supported, or does Fabric have its own offline keypair generation?
In a production environment we cannot keep the user keypair, so how does the keypair generation flow work?
The way you are trying to do it is wrong.
Generation of a private key and certificate is a multi-step procedure.
When you try to create a keypair (private key & certificate), a root CA or intermediate CA has to sign it; only then will it be valid. This is called signing, using the concept of PKI.
Fabric supports X.509 certificates & ECDSA private keys; you can generate a root CA certificate and sign certs outside.
Coming to your question about security of user credentials: you can always use fabric-ca to generate the sign certs, and you have three options:
store it on the server as file storage
store it in CouchDB as a key-value store
store it in hardware using an HSM or so
Wow, SSL authentication is overwhelming!
I am using a NodeMCU device (ESP8266) device to connect to a Microsoft Azure IoT Hub securely using the MQTT protocol.
Microsoft offers the ability to authorise clients using self-signed X.509 certificates.
This is explained in detail here: Using X.509 Certificates with IoT Hub
I have followed the example that Microsoft Azure gives, using OpenSSL to generate my self-signed X.509 certificates.
I tried the example Python script to test the connection as a client, using my new certs, and this works very well. So I know that the process has been a success, as it is tested and working and I am able to publish and subscribe to my IoT Hub.
In order to get the NodeMCU device connecting as a client to the IoT Hub, I need to load a certificate for authentication. NodeMCU provides the facility to load a single CA Certificate (in PEM format) into the operating system.
This is documented here: NodeMCU TLS Documentation
The question is, which certificate should I use?
I have tried a handful of combinations from the OpenSSL output, but none appear to result in a successful handshake. I am poking and hoping at this stage and could do with some input from someone who knows their stuff.
The encouraging news is that NodeMCU recognises the certificates as X.509 certs but fails on the verification. So this leads me to believe that I have the incorrect cert loaded...
-0x2700 MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
Certificate verification failed, e.g. CRL, CA or signature check failed.
You need to use an RSA client-side certificate & private key on the NodeMCU end to authenticate the client using X.509 authentication.
You can place the PEM-formatted certificate and private key in NodeMCU flash and load them into SRAM. It is a good idea to enclose the certificate and private key in "EOF(" ")EOF" tags.
Hopefully you are using the Arduino core for ESP8266; you can then make use of BearSSL to format the certificate files for the transport layer and associate them with a WiFiClientSecure object as follows:
BearSSL::WiFiClientSecure espClient;
BearSSL::X509List serverCertList(getCertificate());
BearSSL::PrivateKey serverPrivKey(getPrivateKey());
espClient.setClientRSACert(&serverCertList, &serverPrivKey);
where getCertificate() & getPrivateKey() are methods you should define to read the certificate from flash (or pass a character array containing the PEM-formatted certificate and private key here instead). After this, you will be able to authenticate the client with the server if your certificate and private key belong to a valid chain.
Let's assume we have 2 CAs, "ACA" using RSA and "BCA" using ECC, both issuing TLS certificates for the server. ACA is trusted by most clients while BCA is trusted by only a few.
While ACA is trusted, RSA always takes more time. So we'd want the cert signed by BCA to be preferred by all clients that trust BCA while the others would fall back to the ACA one.
As far as I know, configuring multiple certificates for a domain is possible, at least on nginx, but the client always uses the certificate I have put as the second certificate entry in the nginx.conf configuration file of nginx.
So is it possible that the server handles delivering the EC certificate if possible, but the RSA one if the client does not trust the certificate?
The client does not provide any information about which CA it trusts. This means that the server cannot decide which certificate to serve based on the client's trust settings. The only information the server has to decide which of these certificates to use is the ciphers offered by the client, i.e. use the ECC certificate if the client supports ECDSA ciphers and use the RSA certificate otherwise.
I configured an OpenSSL CA. I generated a CSR from another device's bash and signed it using my OpenSSL CA. I copied the signed cert to the device. Now I want to use this certificate while doing SSH to the device. How can I make use of this CA-signed cert instead of the default self-signed certificate?
What I understand so far:
1. The CA (Certificate Authority) has a key and builds a certificate using that key
2. The server has a key and builds a CSR (Certificate Signing Request) with that key
3. Then, using both the CA crt and key as well as the server CSR, the CA builds a server certificate
4. To authenticate a server the client uses the CA (its certificate) like this:
4.1. The client receives the server certificate
4.2. The client verifies that this certificate is authenticated by the certificate of the CA that it has (using the public key of the CA); it also verifies that the serial number of this certificate is not in the CRL (certificate revocation list)
4.3. The client generates a symmetric key, encrypts it using the public key given by the server and sends it to the server
4.4. All communication starting from now is then encrypted using this symmetric key
Here is where I am still a bit confused:
The client uses the CA public key to verify the server certificate in step 4.2 but how does a match occur since the client only has the certificate of the CA? I mean unless the server csr passed to the CA has the same information verified by the client as the crt of the CA that the client has, how can a match occur?
Since anyone can have the server certificate, I am assuming the only step that ensures that only the server can communicate with the client is step 4.3, where only the server can have the symmetric key because only the server has the private key, so only it can decrypt this encrypted symmetric key. Is this correct?
I am also not sure of all the steps or if I missed any steps.
I found an answer (How are ssl certificates verified?) that responds to the first part of my question then luckily someone posted a link in the comments that answers the rest: http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html