Azure B2C RSA Public Key to PEM Certificate - azure

A software system from a collaborating company needs to connect to one of our systems and authenticate against our Azure B2C directory. They would like to verify the signature of the JWT token we return.
I have created an RSA Public Key using the approach described in this topic:
Azure AD B2C - Token validation does not work
This has resulted in the following RSA Public Key:
-----BEGIN RSA PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA959e/O3gE574tAdjfjE6
+6OgTBsTGGbDTHBn/w137OTKoH3MnbOX16rrfumVZOr2GisCtIwxJM8ziiqvG1Fj
*more key*
-----END RSA PUBLIC KEY-----
I've used this RSA Public Key to verify the signature of my token in jwt.io, and it works.
The collaborating company however needs a PEM certificate like this:
-----BEGIN CERTIFICATE-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA959e/O3gE574tAdjfjE6
+6OgTBsTGGbDTHBn/w137OTKoH3MnbOX16rrfumVZOr2GisCtIwxJM8ziiqvG1Fj
*more key*
-----END CERTIFICATE-----
Modifying the PEM Header of my RSA Public Key does not work.
So now my question is: Is it possible to convert my RSA Public Key to the appropriate Certificate format? If yes, how?
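Why relabelling the block does not work can be shown by looking at the bytes rather than the label. The following is an added example, not code from the question, from Azure or from jwt.io: a small pure-Python DER encoder and reader that builds the "PUBLIC KEY" PEM from a JWKS n/e pair the way the linked answer does, then inspects which ASN.1 structure a PEM body actually contains. The prefix MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A shown in the question decodes to the start of an RSA SubjectPublicKeyInfo, which is what OpenSSL labels BEGIN PUBLIC KEY; BEGIN RSA PUBLIC KEY denotes the PKCS#1 RSAPublicKey form, and BEGIN CERTIFICATE denotes an X.509 Certificate, a SEQUENCE of tbsCertificate, signatureAlgorithm and signatureValue. A certificate therefore carries a signature made with the issuer's private key (the key's own private half for a self-signed certificate), so it cannot be produced from the public key alone, and for a B2C token-signing key that private half is held by the service, not the tenant. The modulus used in demo() is a constructed toy value, not a real key, and all function names are this example's own.

```python
import base64
import re

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER value bytes
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")

def _der_len(n):
    # DER length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)

def rsa_pkcs1_der(n, e):
    # PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    return _tlv(0x30, _der_int(n) + _der_int(e))

def rsa_spki_der(n, e):
    # SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING(RSAPublicKey) }
    alg = _tlv(0x30, _tlv(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pkcs1_der(n, e)))

def b64url_to_int(s):
    # JWKS "n" and "e" are unpadded base64url big-endian integers
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")

def pem_wrap(label, der):
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"

def pem_unwrap(pem):
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM block")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def jwk_to_spki_pem(n_b64url, e_b64url):
    # JWKS modulus/exponent -> "PUBLIC KEY" PEM, the conversion the linked answer performs
    return pem_wrap("PUBLIC KEY", rsa_spki_der(b64url_to_int(n_b64url), b64url_to_int(e_b64url)))

def _parse_tlv(buf, pos=0):
    # Minimal DER reader (single-byte tags): returns (tag, value bytes, next offset)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _parse_tlv(body, pos)
        out.append((tag, value))
    return out

def der_structure(der):
    # Classify the outer SEQUENCE by the tags of its direct children
    tag, body, _ = _parse_tlv(der)
    if tag != 0x30:
        return "unknown"
    kids = _children(body)
    tags = [t for t, _ in kids]
    if tags == [0x02, 0x02]:
        return "PKCS1_RSA_PUBLIC_KEY"
    if tags == [0x30, 0x03]:
        alg = _children(kids[0][1])
        return "SPKI_RSA" if alg and alg[0] == (0x06, RSA_ENCRYPTION_OID) else "SPKI"
    if tags == [0x30, 0x30, 0x03]:
        return "X509_CERTIFICATE"  # tbsCertificate, signatureAlgorithm, signatureValue
    return "unknown"

EXPECTED_LABEL = {"PKCS1_RSA_PUBLIC_KEY": "RSA PUBLIC KEY", "SPKI_RSA": "PUBLIC KEY",
                  "SPKI": "PUBLIC KEY", "X509_CERTIFICATE": "CERTIFICATE"}

def check_pem(pem):
    # Returns (what the DER inside actually is, whether the PEM label agrees with it)
    label, der = pem_unwrap(pem)
    structure = der_structure(der)
    return structure, EXPECTED_LABEL.get(structure) == label

def demo():
    # Constructed toy modulus (not a real key) with the usual exponent 65537 ("AQAB" in a JWK)
    n_b64url = base64.urlsafe_b64encode((0xC0FFEE1234567890ABCDEF).to_bytes(12, "big")).decode().rstrip("=")
    spki_pem = jwk_to_spki_pem(n_b64url, "AQAB")
    return {
        "correct_label": check_pem(spki_pem),
        "relabelled_rsa": check_pem(spki_pem.replace("PUBLIC KEY", "RSA PUBLIC KEY")),
        "relabelled_cert": check_pem(spki_pem.replace("PUBLIC KEY", "CERTIFICATE")),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it shows the same SubjectPublicKeyInfo bytes judged consistent under PUBLIC KEY and mismatched under RSA PUBLIC KEY and CERTIFICATE, which is exactly what a verifier that parses the body sees when only the header is edited. The practical handover for the collaborating company is the PUBLIC KEY PEM (or the JWKS endpoint it was built from), not a certificate.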

Related

In Hyperledger Fabric, how to use a user's key pair for encryption and decryption?

Using the Hyperledger Fabric 1.4 SDK I have created one user, and a public/private key pair was generated for that user. Now I want to use this key pair for encrypting and decrypting data.
I am aware Hyperledger uses elliptic curve cryptography for signing data, but I don't know how they sign the data in the background. I tried several methods in Node.js but didn't succeed.
The following are my keys generated while registering the user.
public key:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBWLnhsBfNE+hF1uDuDb/Z87KAPvF
6RCQLtgZIxdU4x5qcTdEWQPOfF2fUSrecmHAfgMW1cMiun0B9KAaMY7dFg==
-----END PUBLIC KEY-----
private key:
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgmQndljBNeyPyvEDM
lPtXtibQ8yYwK05RfLhkl/sCJ5WhRANCAAQFYueGwF80T6EXW4O4Nv9nzsoA+8Xp
EJAu2BkjF1TjHmpxN0RZA858XZ9RKt5yYcB+AxbVwyK6fQH0oBoxjt0W
-----END PRIVATE KEY-----
Using the following method I'm able to sign using the public key, but when verifying I get an "Unknown point format" error.
var EC = require("elliptic").ec;
var ec = new EC("secp256k1");                   // curve selected for the signer
var mySign = ec.sign(msg, public_key);          // signing is attempted with the public key
var res = ec.verify(private_key, msg, mySign)   // verification is attempted with the private key -> "Unknown point format"
Can anyone suggest a suitable method for signing data using the Hyperledger key pair?

Azure key vault - downloaded certificate not same as imported certificate

I imported the following certificate into Azure keyvault
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgKlUqQnd/R70FJPSX
RLii3o7t0//f37fIVgU4fvI6SY6hRANCAAR5kpzf9KLuFMI1DYF+a/YXucDPdL+X
4zeflzyIDC0hjh149s+OUcRSfwoJbbvP/LgwZEPNdkzMGLOXnpoZ6JzO
-----END PRIVATE KEY-----
When I download the cert as PEM, the private key has changed:
az keyvault secret download --file "./text" --id https://myvault.vault.azure.net/secrets/sample/6d5505d2d0cd4d2285c80dc5a259c61c
I got a different private key.
-----BEGIN PRIVATE KEY-----
MIGiAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgKlUqQnd/R70FJPSX
RLii3o7t0//f37fIVgU4fvI6SY6gCgYIKoZIzj0DAQehRANCAAR5kpzf9KLuFMI1
DYF+a/YXucDPdL+X4zeflzyIDC0hjh149s+OUcRSfwoJbbvP/LgwZEPNdkzMGLOX
npoZ6JzOoA0wCwYDVR0PMQQDAgCA
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Why is the private key changing? How can I get the same private key that I had imported?
According to the az command you provided, you imported the certificate as an Azure Key Vault secret.
If so, the certificate content you sent will be the same as the secret value you get.
As I have tested, when I import a cert as a secret, I then retrieve the same secret value.
So, try to recreate a new secret and import it again.

How to generate certificate request and private key files (.pem extension) from a certificate file (.crt extension)

I have a .crt file. Opening up that file, I see that it starts with
-----BEGIN CERTIFICATE-----
From this file, how do I generate these two files:
Certificate request file that starts with -----BEGIN CERTIFICATE REQUEST-----
Key file that starts with -----BEGIN PRIVATE KEY-----
You cannot.
You have the process backwards.
The order is:
1. Generate a key, which in fact has a public and a private part. That would create the "PRIVATE KEY" file.
2. Generate a CSR, that is, a certificate signing request. This is computed based on the private key, without including it, but it includes your public key and other metadata.
3. Give this CSR to a Certificate Authority, which will in turn give you back a certificate, which is something that includes your public key but is also signed by the CA's private key.
After which the CSR could be discarded.
If anyone could derive the private key from the certificate (which is basically the public key), then X.509 certificates would create no security by authentication, as anyone would be able to impersonate any host/user/application.

Using GoDaddy's HTTPS certificates in nodejs: cert.crt and sf_bundle-g1-g2.crt

I have found this related question:
Running SSL node.js server with godaddy gd_bundle.crt
which outlines the process of splitting the certificates, but uses three properties: certificate, ca, and key. I have only two files from my HTTPS registration with GoDaddy:
cert.crt (Not the name of the original but I'm fairly confident this is the certificate)
sf_bundle-g1-g2.crt (Is the actual name of the provided file)
Now the documents and file name seem to claim that the sf bundle is a combination of two certificates, but mine looks like this:
-----BEGIN CERTIFICATE-----
MIIFADCCA+igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEoDCCA4igAwIBAgIDORSEMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNVBAYTAlVT
MSUwIwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTIwMAYDVQQL
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
3QUmNUqMZbhSa4Hs0py1NBCXnD7GL+2OQkIkLulzmiX5EfHyI2nL5ZRpoNLcsPxE
iawXqMzVN3cWxYC5DI9XAlWZhXtJ8C5boMJXU12i6KY3wwH6
-----END CERTIFICATE-----
Again, I've combed the documentation and it seems I simply provide the location of all 3 of these in the options.ca array property in nodeJS' https module.
However, it seems like I am missing a file. I have a cert and 3 CAs, but no key. Is this an acceptable configuration? Or is some part of the sf_bundle supposed to be my key? It says -g1-g2 but contains 3 certificate sections.
I am entirely new to encryption, so please forgive my ignorance.
key is the private key you used to sign the CSR that you sent to GoDaddy.
The solution ended up simply being going back to GoDaddy and requesting the certificates in my desired format.
I attempted splitting it up and using the key we signed the certificates with, as suggested by mscdex. I could not get this to work.

What's the purpose of a private key passphrase?

Sometimes, I see users use a private key and passphrase to log in.
So, does it mean the public key is stored on the login server?
What's the purpose of the passphrase?
Yes, the server stores the public key, and the client stores the private key. A security feature to prevent stolen private keys from being useful to the thief is to encrypt them. The passphrase allows you to decrypt the private key to use it. Without the passphrase, the key is useless.
You know whether a key is encrypted generally by looking at the PEM header surrounding it. For example, a DSA private key encrypted with 3DES in PEM format might look like this:
-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,BF6892D860EC969F
<encrypted key data here>
-----END DSA PRIVATE KEY-----
Whereas an unencrypted DSA private key in PEM format would not have a header saying it's encrypted:
-----BEGIN DSA PRIVATE KEY-----
<unencrypted key data here>
-----END DSA PRIVATE KEY-----
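As an added example (not code from the answer above), a small Python audit that applies the rule the answer gives: read the contents of a PEM file, find the private-key blocks and report which of them are encrypted. It recognises the legacy Proc-Type: 4,ENCRYPTED / DEK-Info headers shown above and, going beyond the answer, the PKCS#8 BEGIN ENCRYPTED PRIVATE KEY label, where the cipher parameters live inside the DER rather than in a text header. The sample file is constructed here, with placeholder base64 in place of real key material; function names are this example's own.

```python
import re

# One PEM block: label, then everything up to the matching END line
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def classify_private_key(label, body):
    """Return (encrypted, cipher) for a private-key block, or None if the block is not a private key."""
    if not label.endswith("PRIVATE KEY"):
        return None
    if label == "ENCRYPTED PRIVATE KEY":
        # PKCS#8 encrypted form: the algorithm is encoded in the DER, not in a header line
        return True, "PKCS#8"
    headers = {}
    for line in body.splitlines():
        if ":" not in line:
            break  # first non-header line (blank or base64) ends the header section
        key, value = line.split(":", 1)
        headers[key.strip()] = value.strip()
    if headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers:
        # DEK-Info carries "<cipher>,<iv in hex>"; only the cipher name is reported
        return True, headers["DEK-Info"].split(",")[0]
    return False, None

def audit_pem_text(text):
    """List (label, encrypted, cipher) for every private key found in the text of a PEM file."""
    findings = []
    for match in PEM_BLOCK.finditer(text):
        result = classify_private_key(match.group(1), match.group(2))
        if result is not None:
            findings.append((match.group(1),) + result)
    return findings

def unencrypted_private_keys(text):
    """The subset of findings a reviewer would flag: private keys stored without a passphrase."""
    return [f for f in audit_pem_text(text) if not f[1]]

# Constructed sample: the two shapes from the answer above plus a PKCS#8 block and a
# certificate; the base64 payload is placeholder text, not key material.
SAMPLE = """-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,BF6892D860EC969F

QUJDREVGR0hJSktMTU5PUA==
-----END DSA PRIVATE KEY-----
-----BEGIN DSA PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUA==
-----END DSA PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUA==
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUA==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for label, encrypted, cipher in audit_pem_text(SAMPLE):
        print(f"{label:25} encrypted={encrypted} cipher={cipher}")
    print("unencrypted:", unencrypted_private_keys(SAMPLE))
```

The header check is the same one the answer describes reading by eye; the audit only makes it repeatable over a directory of key files, for example to catch a key that was generated without a passphrase before it is copied onto a host.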
