Why does cryptogen not create the keystore folder? - hyperledger-fabric

I am using cryptogen version 1.4.0, and it does not create the keystore folder inside the MSP. Please suggest a solution for this. What I am trying to achieve here is to create the certificates with the cryptogen tool and run the Fabric CA server in Docker using those offline-generated certificates.

I think it makes more sense to use openssl for that purpose.
Write your suitable csr.cnf (change dn and alt_names values):
[req]
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = x509_ext
[dn]
CN = mydomain.com
C = US
ST = New York
L = New York
O = MyOrg
OU = MyDepartment
[x509_ext]
basicConstraints=critical, CA:TRUE, pathlen:2
keyUsage=critical, Certificate Sign, CRL Sign
subjectKeyIdentifier=hash
subjectAltName = @alt_names
[alt_names]
DNS.1 = mydomain.com
IP.1 = 127.0.0.1
And then generate the key and the certificate:
openssl ecparam -genkey -name prime256v1 -noout -out ca-key.pem
openssl req -new -x509 -key ca-key.pem -out ca-cert.pem -days 7300 -config csr.cnf
And then use ca-cert.pem and ca-key.pem in your CA.
Anyway, Fabric-CA itself generates the certificate according to your fabric-ca-server-config.yaml parameters on first run if it does not exist.
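As an added example (not part of the answer above), a shell script that writes this csr.cnf, generates the key and certificate with the two commands, and checks that the result is actually usable as a CA; it assumes the openssl CLI is installed and takes the output directory as its argument:

```shell
#!/bin/sh
# Added example, not part of the answer: write the answer's csr.cnf, create the
# CA key and certificate with the two openssl commands, then check the result
# is a usable CA before pointing fabric-ca-server at it. Assumes the openssl
# CLI is on PATH; all files are written under the directory given as $1.
make_ca() {
    dir="$1"
    mkdir -p "$dir"
    # The answer's csr.cnf; keyUsage uses openssl's documented short names.
    cat > "$dir/csr.cnf" <<'EOF'
[req]
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = x509_ext
[dn]
CN = mydomain.com
C = US
ST = New York
L = New York
O = MyOrg
OU = MyDepartment
[x509_ext]
basicConstraints = critical, CA:TRUE, pathlen:2
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
subjectAltName = @alt_names
[alt_names]
DNS.1 = mydomain.com
IP.1 = 127.0.0.1
EOF
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/ca-key.pem"
    openssl req -new -x509 -key "$dir/ca-key.pem" -out "$dir/ca-cert.pem" \
        -days 7300 -config "$dir/csr.cnf"
}

# Returns 0 only when the certificate is a CA (basicConstraints CA:TRUE), may
# sign certificates (keyCertSign) and verifies against itself as a trust root.
check_ca() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    echo "$text" | grep -q 'CA:TRUE' || return 1
    echo "$text" | grep -q 'Certificate Sign' || return 1
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage: make_ca ./ca && check_ca ./ca/ca-cert.pem && echo "CA certificate OK"
```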

Related

ERR_SSL_VERSION_OR_CIPHER_MISMATCH while trying to enable HTTPS on localhost using OpenSSL

I am trying to enable HTTPS on my pure Node.js server (no Express.js). To enable HTTPS I am using OpenSSL and generating keys and certificates which I can then load into the server file.
###################################
The problem:
###################################
I checked online, and most people were saying that the problem is occurring due to the common name of my CA certificate and Server certificate being the same. I did enter different values for both, and still the error persists.
######################################
Commands used to generate keys and certificates:
######################################
# Generating our private keys
openssl genpkey -algorithm ed25519 -outform pem -out ca_pvt_key.pem
openssl genpkey -algorithm ed25519 -outform pem -out server_pvt_key.pem
# Generating our certificate
openssl req -inform pem -key ca_pvt_key.pem -days 36000 -x509 -config openssl-ca.cnf -nodes -outform pem -out ca_cert.pem
openssl x509 -outform der -in ca_cert.pem -out ca_cert.crt
# Creating the CSR (Server Certificate Request)
openssl req -new -config openssl-server.cnf -key server_pvt_key.pem -nodes -outform pem -out server_certificate.csr
# Creating required index.txt and serial.txt files for openssl ca
touch index.txt
echo '01' > serial.txt
# Generating our final signed certificate
openssl ca -config openssl-ca.cnf -notext -policy signing_policy -extensions signing_req -out server_certificate.pem -infiles server_certificate.csr
openssl ca -config openssl-ca.cnf -notext -policy signing_policy -extensions signing_req -out server_certificate.crt -infiles server_certificate.csr
cat server_certificate.pem > cert_chain.pem
cat ca_cert.pem >> cert_chain.pem
##################################
Configuration file snippets for above commands
##################################
CA config file
[ ca_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
Server certificate config file
####################################################################
[ server_req_extensions ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
####################################################################
[ alternate_names ]
DNS.1 = localhost
# IPv4 localhost
IP.1 = 127.0.0.1
# IPv6 localhost
IP.2 = ::1
#################################
Server File snippet
#################################
const https = require("https");
const fs = require("fs");
const path = require("path");
const port = 3000;
const options = {
    host: "localhost",
    port: port,
    path: "/",
    rejectUnauthorized: false,
    requestCert: true,
    agent: false,
    key: fs.readFileSync(path.join(path.resolve(__dirname, "../../"), "/certs/server_pvt_key.pem")),
    cert: fs.readFileSync(path.join(path.resolve(__dirname, "../../"), "/certs/cert_chain.pem")),
};
const server = https.createServer(options, (req, res) => {
    // Pure node server
});
server.listen(port);
##################################
System details
##################################
I am running a podman container with OpenSUSE Tumbleweed. The host system is Ubuntu 22.04 LTS.
##################################
Extra details
##################################
I added the ca_cert.crt file to /usr/local/share/ca-certificates on Ubuntu. I also added the server_certificate.crt and server_pvt_key.pem into /etc/ssl/certs and /etc/ssl/private respectively.
##################################
Testssl Output
##################################
##################################
curl
##################################
curl does fetch me my site HTML. However, the moment I am in the browser, I get the cipher error.
##################################
Browser Trust Store
##################################
I am using Brave Browser. When I try to import my ca_cert.pem or ca_cert.crt file into the Authorities tab in Brave, it shows me the following:
Anyone have any idea why this is happening and how I could fix it?

How to get ca-bundle from openssl

I have generated the SSL certificate with openssl using the following commands, which produced the cert and key files, but where do I get the ca-bundle file? I need the ca-bundle file to include in my Node.js application, otherwise it shows a "not secure" warning.
openssl genrsa -out server-key.pem 1024
openssl req -new -key server-key.pem -out server-csr.pem
openssl x509 -req -in server-csr.pem -signkey server-key.pem -out server-cert.pem
my server's code
const options = {
    key: fs.readFileSync("path-to-key"),
    cert: fs.readFileSync("path-to-crt"),
    ca: [fs.readFileSync("path-to-ca-bundle"), fs.readFileSync("path-to-crt")],
    requestCert: false,
    rejectUnauthorized: false
};
const server = https.createServer(options, app);

Creating client certificate with certificate uploaded in Azure key vault

I have created a pfx file using the openssl commands below:
openssl genrsa -out private_key.pem 4096
openssl req -new -x509 -key private_key.pem -out public_key.cer -days 100 -sha512 -subj "/CN=self-signed"
openssl pkcs12 -export -out samplepkcs12.pfx -inkey private_key.pem -in public_key.cer
Then I have imported my pfx file to my Azure Key vault.
Now in my azure function, I need to download this certificate and create a client certificate.
I tried the code below:
DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder()
    .managedIdentityClientId("<MANAGED_IDENTITY_CLIENT_ID>")
    .build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
    .vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
    .credential(defaultCredential)
    .buildClient();
KeyVaultSecret certificateSecret = client.getSecret(<certificateName>);
IClientCertificate clientCertificate =
    ClientCredentialFactory.createFromCertificate(
        new ByteArrayInputStream(certificateSecret.getBytes()), "<password>");
But I am getting below exception
java.IO.Exception to DerInputStream rejects type 77
at java.base/sun.security.util.DerValue.toDerInputStream(DerValue.java:873)
at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCSKeyStore.java:1994)
Any suggestion on the right way of uploading (if my approach is wrong) or retrieving the certificate and creating a client certificate?
You are using the Secret library. Instead you should use the Certificate library described here:
https://azuresdkdocs.blob.core.windows.net/$web/java/azure-security-keyvault-certificates/4.3.2/index.html
CertificateClient certificateClient = new CertificateClientBuilder()
    .vaultUrl("<your-key-vault-url>")
    .credential(new DefaultAzureCredentialBuilder().build())
    .buildClient();
KeyVaultCertificate certificate = certificateClient.getCertificate("<certificate-name>");

Unable to extract certificate and key from p12 file from azure key vault

A brief description of what I've done and what I would like to achieve:
I was trying to add a certificate to Azure Key Vault via the UI:
I got the certificates as ca.crt (openssl req -new -x509 -days 1826 -key ca.key -out ca.crt) and ca.key (openssl genrsa -des3 -out ca.key 2048), but Azure Key Vault requires certificates in .pem or .pfx format.
I decided to move the cert and key into PEM format: key: openssl rsa -in ca.key -text > ca_key.pem
cert: openssl x509 -in ca.crt -out ca.pem, then copied ca_key.pem inside ca.pem.
I tried with only cert + key, and with key plus extra data (binaries or something).
I was getting an error from the UI: The specified PEM X.509 certificate content is in an unexpected format. Please check if certificate is in valid PEM format.
I decided to install the Azure CLI and pass those in pfx format: openssl pkcs12 -export -out ca.pfx -inkey ca.key -in ca.crt, and that works properly; I'm able to see the created cert in Key Vault certificates,
and there the problem begins. I would like to get the certificate with the Azure Node library and extract the separate key and cert to use them. What I've achieved so far:
const secretClient = new SecretClient(keyVaultUrl, credential);
const certificateSecret = await secretClient.getSecret(certificateName);
const PKCS12Certificate = certificateSecret.value!;
fs.writeFileSync("myCertificate.p12", PKCS12Certificate);
I got the file, and as the documentation says:
https://www.npmjs.com/package/@azure/keyvault-certificates#getting-the-full-information-of-a-certificate
I was trying to execute:
openssl pkcs12 -in myCertificate.p12 -out myCertificate.crt.pem -clcerts -nokeys
to extract the CA certificate from the p12, but I'm still getting an error:
34359836736:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149:
34359836736:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:309:Type=PKCS12
Any ideas what I'm doing wrong?
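Added example, not from the question: the secret behind a certificate imported into Key Vault carries the PFX as base64 text (content type application/x-pkcs12, no export password), so writing secretClient.getSecret(...).value straight to a .p12 file gives openssl a text file instead of DER, which is the ASN.1 "wrong tag" error shown above. This script reproduces that round trip locally and shows the missing decode step; it assumes openssl and GNU base64 are on PATH and uses a constructed self-signed certificate in place of ca.crt/ca.key.

```shell
#!/bin/sh
# Added example, not from the question: simulate the Key Vault secret locally.
# A PFX is built with openssl and base64-encoded the way the secret value
# carries it; writing that text as-is to a .p12 fails, decoding it first works.
# Assumes openssl and GNU base64 on PATH; files are written under $1.
build_pfx_secret() {
    dir="$1"
    mkdir -p "$dir"
    # Constructed stand-in for the question's ca.key/ca.crt (self-signed, 30 days).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=ca.example' \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Empty export password, matching the password-less PFX Key Vault hands back.
    openssl pkcs12 -export -out "$dir/ca.pfx" -inkey "$dir/ca.key" \
        -in "$dir/ca.crt" -passout pass:
    # What secretClient.getSecret(name).value looks like: the PFX on one base64 line.
    openssl base64 -A -in "$dir/ca.pfx" -out "$dir/secret.value"
}

# What the question does: write the secret value straight to a .p12 file.
# Returns non-zero because the content is base64 text, not DER ("wrong tag").
extract_raw() {
    cp "$1" "$2/raw.p12"
    openssl pkcs12 -in "$2/raw.p12" -clcerts -nokeys -passin pass: \
        -out "$2/raw.crt.pem" 2>/dev/null
}

# Decode first, then split the PKCS#12 into the certificate and the plain key.
# (GNU base64 -d; BSD/macOS base64 spells the same flag -D.)
extract_decoded() {
    base64 -d "$1" > "$2/cert.p12"
    openssl pkcs12 -in "$2/cert.p12" -clcerts -nokeys -passin pass: \
        -out "$2/cert.pem" 2>/dev/null &&
    openssl pkcs12 -in "$2/cert.p12" -nocerts -nodes -passin pass: \
        -out "$2/key.pem" 2>/dev/null
}
```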

Openssl certificate for Azure website

I am getting an error when I try to add a binding to an SSL certificate.
Error:
Failed to add SSL binding. The certificate with thumbprint '877EC1DA24CD9D4713FD4107A83AC0EE5A4654E4' is invalid for SSL. The Enhanced Key Usage must be present and must contain Server Authentication (1.3.6.1.5.5.7.3.1).
Below is the method used to generate the SSL certificate.
Step 1
Create file domain.rs.txt
Step 2
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=DK
ST=Jutland
L=Haderslev
O=Justlearn ApS
OU=Haderslev
emailAddress=team@justlearn.com
CN = www.justlearn.rs
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = justlearn.rs
DNS.2 = www.justlearn.rs
Step 3
openssl req -new -sha256 -nodes -out domain.rs.csr -newkey rsa:2048 -keyout domain.rs.key -config domain.rs.txt
Step 4
openssl x509 -req -days 365 -in domain.rs.csr -signkey domain.rs.key -out domain.rs.crt
Step 5
openssl pkcs12 -export -in domain.rs.crt -inkey domain.rs.key -out mycert.pfx
Create your certificate with XCA. Then, in the Key Usage tab, make sure you select the "TLS Web Server Authentication" option; also check "critical".
After that you need to export your certificate and key.
Then use OpenSSL to convert the .crt to PFX in case you need it; see the command below.
openssl pkcs12 -export -out C:\Certificate\BBBakingdecor.pfx -inkey C:\Certificate\bakingdecor.pem -in C:\Certificate\bakingdecor.crt
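Added example, not from the question or the answer: Steps 2 to 4 of the question redone with openssl alone, once exactly as posted and once with an -extfile that adds extendedKeyUsage = serverAuth (the EKU the Azure binding demands) and repeats the SAN, because openssl x509 -req -signkey does not carry a CSR's extensions into the certificate. It assumes the openssl CLI is on PATH and takes the output directory as its argument.

```shell
#!/bin/sh
# Added example (not from the question or the answer): Steps 2 to 4 of the
# question, once exactly as posted and once with an -extfile, so the EKU that
# the Azure binding checks can be compared. Assumes openssl; output dir is $1.
make_leaf_certs() {
    dir="$1"
    mkdir -p "$dir"
    # Constructed copy of the question's domain.rs.txt (section refs use @).
    cat > "$dir/domain.rs.txt" <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = DK
O = Justlearn ApS
CN = www.justlearn.rs
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = justlearn.rs
DNS.2 = www.justlearn.rs
EOF
    # "openssl x509 -req -signkey" does not copy the CSR's req_extensions, so
    # the SAN is repeated here and the missing serverAuth EKU is added.
    cat > "$dir/v3.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = justlearn.rs
DNS.2 = www.justlearn.rs
EOF
    openssl req -new -sha256 -nodes -out "$dir/domain.rs.csr" -newkey rsa:2048 \
        -keyout "$dir/domain.rs.key" -config "$dir/domain.rs.txt" 2>/dev/null
    # Step 4 exactly as posted: no serverAuth EKU (and, by default, no SAN).
    openssl x509 -req -days 365 -in "$dir/domain.rs.csr" -signkey "$dir/domain.rs.key" \
        -out "$dir/as-posted.crt" 2>/dev/null
    # Step 4 with the extension file: this one passes the Azure EKU check.
    openssl x509 -req -days 365 -in "$dir/domain.rs.csr" -signkey "$dir/domain.rs.key" \
        -extfile "$dir/v3.ext" -out "$dir/with-eku.crt" 2>/dev/null
}

# Returns 0 when the certificate carries serverAuth (OID 1.3.6.1.5.5.7.3.1).
has_server_auth() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}
```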
