I got pvt-key.txt, certificate.crt and bundle.crt files from godaddy.
I am setting ssl for node js backend using https options
var httpsoptions = {
key: fs.readFileSync("pvt-key.txt"),
cert: fs.readFileSync("certificate.crt")
};
but it is not working.
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
I also converted .txt to .pem but there is same error. if I generate key from this command
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey2.key -out certificate2.crt
then it works. I think there should be .key extension instead of .pem or .txt. Please help me to convert file into .key extension. Thank you in advance.
The extension of the file doesn't matter so much, but the contents of the file do. I suspect node wants a PEM encoded private key. You can convert a DER encoded private key to a PEM one like this:
openssl rsa -in pvt-key.txt -outform pem -out pvt-key.key
In order to accomplish this, #vcsjones provided the solution I was able to use.
openssl rsa -in pvt-key.txt -outform pem -out pvt-key.key
But, I got the same error as others:
Expecting: ANY PRIVATE KEY.
My fix was found in https://stackoverflow.com/a/54026652.
Open the key file in Notepad++ and verify the encoding. If it says UTF-8-BOM then change it to UTF-8. Save the file and try again.
Related
I have deployed an ASP.NET 6 solution based on the ASP.NET 6 ReactJS template into a Linux CentOS/Apache hosting environment.
According to the error message provided below, It seems I need to alter the algorithm for the signature provider, yet I am at a loss of how exactly to do this.
System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'RS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'xxxxxxxxxxxx', InternalId: 'xxxxxxx'.' is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
I have found several FAQs indicating to use ECDSA or similar instead, but no real examples of how exactly to implement this within my type of solution with examples of modifications in Program.cs or similar.
I would appreciate any tips of thoughts on this!
Thanks in advance!
You can use OpenSSL to create your own ECDSA key using:
#Create P256 ECDSA Private key
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -aes256 -out p256-private.pem
# Optionally, if you want to extract the public key:
openssl ec -in p256-private.pem -pubout -out p256-public.pe
# Create certificat file
openssl req -new -x509 -key p256-private-key.pem -days 365 -subj "/CN=MyP256Cert" -out p256-cert.crt
# Crete the PFX file
openssl req -new -x509 -key p256-private-key.pem -days 365 -subj "/CN=MyP256Cert" -out p256-cert.crt
Then you can load it in C# using:
var ecdsaCert = new X509Certificate2("es256.pfx", "password");
SecurityKey ecdsaPrivateKey = new ECDsaSecurityKey(ecdsaCert.GetECDsaPrivateKey());
You can add it to IdentityServer using something like this:
// Add ES256 (ECDSA using P-256 and SHA-256)
builder.AddSigningCredential(GetECDsaPrivateKey(p256Cert), IdentityServerConstants.ECDsaSigningAlgorithm.ES256);
I have a .key file with password and I need to get the .pem file with RSA PKCS8 method with NodeJS function.
The command I use to do it with OpenSSL is the following
How can I do this in NodeJS???
openssl pkcs8 -inform DER -in file.key -out file.pem -passin pass:passwordkey
Let's say for example you have a key.pem file in a https folder and you want it as a parameter for your server options. You can get it via fs.readFileSync. Hope this helps.
const path = require("path");
server.httpsServerOptions = {
key: fs.readFileSync(path.join(_dirName, "./../https/key.pem"))
};
I managed to generate my Enclave (https://github.com/pc-magas/myFirstEnclave) but as far as I know I need to generate an rsa key in order to sign it. So I run:
openssl genrsa -out $(KEY_FILE) 2048
And then I run the following command to sign it:
sgx_sign -key (^key_generated)above^ -enclave enclave.o -out enclave.so -config Enclave.config.xml
But I get the following error:
Key file format is not correct.
Edit 2:
I tried to generate the key via ssh_keygen but still the same error.
What kind of format is needed in order to sign an enclave?
Edit 3:
I also tried to generate the key with:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ~/.sgx/MyEnclave.pem
Still same result
IntelĀ® Software Guard Extensions Developer Reference specifies that SGX enclave signature key file should follow the PEM format which contains an unencrypted RSA 3072-bit key, the public exponent must be 3.
See page 20 (on version 2.0 November 2017) - OpenSSL Examples, for the following command line to generate the private key:
openssl genrsa -out private_key.pem -3 3072
I tried to create a self-signed certificate based on the instructions in the link in Security key and cert for mosca MQTT broker.
$ openssl genrsa -des3 -out tls-key.pem 1024 (works fine)
$ openssl req -new -key tlk-key -out server.csr (returns error)
The error looks like this on cygwin;
Error opening Private Key tlk-key 6870300:error:02001002:system
library:fopen:No such file or
directory:bss_file.c:391:fopen('tlk-key','rb')
6870300:error:20074002:BIO routines:FILE_CTRL:system
lib:bss_file.c:393: unable to load Private Key
On Ubuntu 16.04, the error looks like this;
Error opening Private Key tlk-key
140137729443480:error:02001002:system library:fopen:No such file or
directory:bss_file.c:398:fopen('tlk-key','r')
140137729443480:error:20074002:BIO routines:FILE_CTRL:system
lib:bss_file.c:400: unable to load Private Key
I tried with cygwin and Ubuntu. Can anyone advise what went wrong?
EDIT:
I tried the command below after getting the answer from Steffen Ullrich. It still returns an error.
$ openssl req -new -key tlk-key.pem -out server.csr
Error opening Private Key tlk-key.pem 6870300:error:02001002:system
library:fopen:No such file or
directory:bss_file.c:391:fopen('tlk-key.pem','rb')
6870300:error:20074002:BIO routines:FILE_CTRL:system
lib:bss_file.c:393: unable to load Private Key
You create the key file tls-key.pem but then try to use the non-existing file tlk-key instead of the file you've created:
$ openssl genrsa -des3 -out tls-key.pem 1024 (works fine)
^^^^^^^^^^^^
$ openssl req -new -key tlk-key -out server.csr (returns error)
^^^^^^^
I'm using the Express framework in Node.js to create a web server. I want to use ssl for the web server's connection.
The code to create the https web server is as below.
var app = express.createServer({
key: fs.readFileSync('./conf/key.pem'),
cert: fs.readFileSync('./conf/cert.pem')
});
module.exports = app;
Question: How to create the key.pem and cert.pem required by express?
The two files you need are a PEM encoded SSL certificate and private key. PEM encoded certs and keys are Base64 encoded text with start/end delimiters that look like -----BEGIN RSA PRIVATE KEY----- or similar.
To create an SSL certificate you first need to generate a private key and a certificate signing request, or CSR (which also contains your public key).You can do this in a variety of ways, but here's how in OpenSSL.
openssl req -newkey rsa:2048 -new -nodes -keyout key.pem -out csr.pem
This will cause you to enter an interactive prompt to generate a 2048-bit RSA private key and a CSR that has all the information you choose to enter at the prompts. (Common Name is a legacy location where domain names used to go, but modern browsers require an extension called SubjectAlternativeName now. However, when submitting to a CA they will put CN values in SAN) Once you've done this you would normally submit this CSR to a trusted certificate authority and once they've validated your request you would receive a certificate.
If you don't care about your certificate being trusted (usually the case for development purposes) you can just create a self-signed certificate. To do this, we can use almost the same line, but we'll pass some extra parameters. The interactive prompt doesn't support Subject Alternative Name (SAN), which is required in most modern clients, so we pass it on the CLI via the -addext flag. You'll need to change mydnsname.com to the right name for your uses. Be sure to keep DNS: though!
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem -addext "subjectAltName = DNS:mydnsname.com"
This will give you a cert (valid for 10 years) and key pair that you can use in the code snippet you posted.
Just follow this procedure :
create the folder where you want to store your key & certificate :
mkdir conf
go to that directory :
cd conf
grab this ca.cnf file to use as a configuration shortcut :
wget https://raw.githubusercontent.com/anders94/https-authorized-clients/master/keys/ca.cnf
create a new certificate authority using this configuration :
openssl req -new -x509 -days 9999 -config ca.cnf -keyout ca-key.pem -out ca-cert.pem
now that we have our certificate authority in ca-key.pem and ca-cert.pem, let's generate a private key for the server :
openssl genrsa -out key.pem 4096
grab this server.cnf file to use as a configuration shortcut :
wget https://raw.githubusercontent.com/anders94/https-authorized-clients/master/keys/server.cnf
generate the certificate signing request using this configuration :
openssl req -new -config server.cnf -key key.pem -out csr.pem
sign the request :
openssl x509 -req -extfile server.cnf -days 999 -passin "pass:password" -in csr.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem
I found this procedure here, along with more information on how to use these certificates.
An alternative is to generate the certificates with the pem library using the createCertificate method of the class.
The process would be as follows:
Install openssl in your system if not there already, for instance for windows 10 the a compiled version of the sources (seems like the most open one) can be found here: https://curl.se/windows/ the explanations of how it is compiled and safeguarded are here: https://wiki.openssl.org/index.php/Binaries. For the source https://www.openssl.org/community/binaries.html
For windows, you may want to add the diretory of the openssl.bin file to the system environment path variable (https://www.architectryan.com/2018/08/31/how-to-change-environment-variables-on-windows-10/) or pass the location of the file to the PEM library.
Instal pem using (documentation here: https://github.com/Dexus/pem
npm i pem
at the command line at the root of the server.
From the documentation you can see that a simple https server with the keys can be created simply by:
const https = require('https')
const pem = require('pem')
pem.createCertificate({ days: 1, selfSigned: true }, (err, keys) => {
if (err) {
throw err
}
https.createServer({ key: keys.clientKey, cert: keys.certificate }, (req, res) => {
res.end('o hai!')
}).listen(443)
})
or using express
npm i express
at the command line at the root of the server):
const https = require('https')
const pem = require('pem')
const express = require('express')
pem.createCertificate({ days: 1, selfSigned: true }, (err, keys) => {
if (err) {
throw err
}
const app = express()
app.get('/', (req, res) => {
res.send('o hai!')
})
https.createServer({ key: keys.clientKey, cert: keys.certificate }, app).listen(443)
})
Just changed the var for const as appropiate, and functions for arrow functions