SSL Certificate Generation from CSR and KEY file - security

My web host is shutting down - as they have been bought out. I am having difficulty getting my SSL certificate from them.. I am on my 3rd attempt and I have managed to get 2 files.. one I believe is the initial CSR, the Other is my Private Key .KEY file (although the Hosting Provider has been giving me them and claiming they are .crt - they are not) - that would be my actual Certificate!
I have my CSR file which is headed by -----BEGIN CERTIFICATE REQUEST-----, I have my Private KEY file which is headed by -----BEGIN RSA PRIVATE KEY-----
Is there any way fro me to use both of these components to produce my .crt file - I am not sure if my hosting provider (what is left of their support team ) knows the difference between these three files. Of course I am certainly learning myself. I had just purchased that cert from them about 4 months ago and I need it.
So is there any way I can use my two files .CSR and .KEY to generate
my .crt file ?

There is no way to re-create your certificate from the private key and certificate signing request (CSR), unless the certificate was self-signed. However, if the website is still up you can simply connect to the website with various tools and retrieve the certificate that way. Make sure you also retrieve any intermediate certificates as well, although these can almost certainly be obtained from your certificate authority (CA) website as well.

Related

Azure SSL Binding Issue- No match seleted hostname

I bougth a SSL certificate online from a seller today for my custom domain which redirected to the azure web application with cname.
I did created csr file with that domain let's call it app3.product.com by using IIS 8.And then created the .crt filel with that csr file.
After that i did found that i need the pfx file but i didn't have .key file so, i converted the .crt to .cer than uploaded it by azure portal.
The problem is Azure portal says,
No certificates match the selected hostname
Althogh my certificate issued as app3.product.com and the host name has the same domain name. It doesn't work.
I didn't include key file while i am creating the csr file also the subject of the certificate has some additional information by the issuer. The subject like app3.product.com, Certificate Issued By ... These may be the source of the issue.
Thank you in advance.
You need to include the private key. Otherwise your web server can not decrypt the data the clients (web browsers) are sending to it.
Explanation:
HTTPS/TLS/SSL are based on asymmetric cryptography which means that data gets encrypted with a so-called public key and can only be decrypted with the corresponding private key.
This means that your web server will send a certificate to the browsers which contains the domain name + the public key + a signature from a Certificate Authority (CA). The web browser then checks then if this certificate is valid (with a CA certificate) and uses the included public key to encrypt further data. Since your web server is the only one who knows the private key it can use it to decrypt the web browsers request. Actually the overall process is even a little bit more complex. You might want to have a look at the TLS handshake protocol to see how it works.

How to make you web application in Azure be accessible through https?

I applied for certificates for my domains. I received files with the following extensions:
ca-bundle
crt (multiple files)
p7b
I would like to upload SSL certificates to Azure by installing the certificate. For that I need to upload pfx file that is not included. I read that I need to create a private key and then merge the certificates somehow in order to create one. Unfortunately, as a programmer, I do not understand what and where should be done. Could someone help?
I think, this link here talks about the exact scenario you are talking about.
"The question is, how do I convert the CRT file into a PFX file so that I can upload it to my Azure Web App? Here are the steps I followed to convert a CRT into a PFX file:"
Open Certificate Manager for the Local Computer
Import the Intermediate Certificate (.P7B file)
Import the SSL certificate (.CRT file)
Export the SSL certificate and its dependencies as a .PFX file
https://blogs.msdn.microsoft.com/waws/2015/12/02/add-an-ssl-certificate-to-an-azure-web-app-crt-and-p7b/
You will need to convert it using a Windows system.
More info can be found here
In the end I managed to do it in the following way:
I downloaded openssl from here: https://indy.fulgan.com/SSL/
Two files are needed - the domain certificate and the private key. Once you have them you issue the following command:
openssl pkcs12 -export -out file.pfx -inkey private.key -in certificate.crt
You need to provide a password for the export. This will create a file.pfx file that you can upload to Azure using the same password. The next step is to add SSL bindings. For each domain you choose the certificate and create the binding. After ~2 minutes the https connection will be available for your domains.

SSL Certificate validation

I would like to know what are the exact steps of certificate authentication over HTTP.
I know this has been asked before, but from what I've read it's still unclear to me how it works.
When first contacting the secure site client will send its certificate
This will be his public key ( let's say a public_key.pem file begginging with ----BEGIN PUBLIC KEY---- )
Server will look whether this certificate has been signed by a trusted CA.
The server only has a list of certificates which it trusts (you configure this keystore when configuring SSL). That is where all private keys are stored. Is this equivalent to all the trusted CAs of the server?
The next step now is to take the public_key.pem and check whether any of the certificates in the keystore have signed it.
If the above process is accurate:
First question: A 'certificate' is a private key signed by another certificate ( or self-signed )
Second question: How exactly does a server validate that a public key was signed with a specific private key ( certificate ) ?
Third question: 'certificate' A can be used to sign another 'certificate' B, consequently 'certificate' B can be used to sign certificate C and so on. If my server has certificate A in its truststore, it means it will also trust public keys coming from certificate B and C ?
Edit based on answer below
My server has cert.pem and privkey.pem. The cert.pem ( x509 certificate ) has been signed by a trusted CA using its private key ( the 'signing' process involves the CA to do 'something' with its private key and sign my Certificate signing request ).
When SSL is negotiatied my server will send the cert.pem to the client ( in some form ). How does the client determine that my public cert was signed by a trusted CA. My truststore pb only contains other public certificates of trusted CAs, so it ends up checking whether my cert.pem was signed using only public certificates of trusted CAs.
This is is the part which is unclear - and I may be missunderstanding the whole process - can a client check if my x509 certificate is valid by just having an x509 list of certificates of trusted CAs?
When first contacting the secure site client will send its certificate
A client doesn't have to send a certificate. Judging from your question, it doesn't sound like you're asking specifically about client-cerificate authentication. In many sites, like if you go to google, stackoverflow, facebook, etc, the client / browser will not send a certificate.
A 'certificate' is a private key signed by another certificate ( or self-signed )
Not quite. A certificate contains a public key that is signed by the private key that corresponds to another certificate.
I think this is worth clearing up. A certificate itself will only ever contain the public key, or the "Subject Public Key Info" in x509 parlance. There is a corresponding private key to that public key that is stored separately from the x509 certificate.
There are some formats that "combine" the certificate and the private key in to a single file, but at this point it isn't a certificate anymore, it's a file containing a certificate - an example of this is PKCS#12. This is a format that can store as many certificates and private keys as needed.
A private key may not even necessarily be a file on disk - it could be in a Hardware Security Module, SmartCard, etc.
'certificate' A can be used to sign another 'certificate' B, consequently 'certificate' B can be used to sign certificate C and so on. If my server has certificate A in its truststore, it means it will also trust public keys coming from certificate B and C ?
Yes. This is called a certificate chain. A is the "root" certificate, B is an "intermediate", and C would be an "end-entity" or "leaf" certificate.
This is very common among HTTPS certificates by CAs. Certificates are never issued directly off the root, they're issued off the intermediate.
How exactly does a server validate that a public key was signed with a specific private key ( certificate ) ?
Well this makes the assumption that a certificate is a private key, which it isn't.
The server, as in the thing serving HTTPS, doesn't really care about the validity of the certificate. It's up to the client to decide if it should trust the certificate the server gives.
The server has the certificate and the corresponding private key. The server can validate that the public key and the private key belong together. How this is done depends on the key type, but the gist of it is, if you know the private key, you can fully reconstruct the public key from it. The server will validate that the private key's "public parts" match the certificate's public key.
The server will present the certificate to the client, like a browser. The browser will check many things, but at minimum it will check two important things:
Can the browser build a chain back to a certificate in the trust store. So the browser will look at the signer of the certificate, called the Issuer, and check if the issuer is in it's trust store. If yes, then the certificate is trusted. If no, it will see if that certificate has an Issuer, and loop all the way down the chain until it reaches the end of the chain, or when it finds something in the trust store. If it reaches the end, then the certificate was not issued by anyone it trusts.
That the certificate is valid for that domain. The certificate contains a Subject Alternative Name (SAN) which indicates what domains the certificate is valid for.
There are lots of other things that get checked, like expiration, revocation, Certificate Transparency, "strength" of the certificate - too many to list.
How does the client determine that my public cert was signed by a trusted CA.
Every client has its own trust store. Internet Explorer on Windows uses the Windows trust store, Google Chrome on macOS and Windows use the operating system trust store (Keychain, Windows Trust Store, etc).
The browser / client needs to build a trust path, as described above. How it does this is a bit complex, but it works out to the Authority Key ID attribute - if it exists, and the Issuer property of the certificate. It uses these values to find the certificate that issued it.
Once it finds the issuing certificate, it checks the signature on the certificate with the issuer's certificate public key.
That issuing certificate could be in the "root" trust store, and uses the public key in the issuing certificate to verify the signed certificate.
Your web server might (probably) send intermediate certificates along with the "main" (leaf) certificate. The client might use these intermediates to build a path back to a certificate that is in the root trust store. Intermediates can only be used as intermediates - you can't send an additional certificate saying "here's the root certificate, trust it".
can a client check if my x509 certificate is valid by just having an x509 list of certificates of trusted CAs?
Yes. That is the trust store. Every browser has / uses one. Firefox has their own trust store called NSS. Operating systems typically have their own trust store, too.

Authentication using digital signtures

I know a bit of authentication theory, but would like to know how is it really put in practice.
There are these software patches that must be distributed periodically. To ensure that only the genuine content reaches our users, we have been advised to sign our content before distribution.
The plan is to generate a Public-Private key pair. The patch would first be signed by our private key and recipients then authenticate the downloaded patch by using our public key. Our idea of signing is to generate a hash of the patch and encrypt the hash with our private key. The encrypted hash (signature) is to be bundled along with the patch before distribution.
We have been advised further that it is a good practice to get a digital certificate for our public key from a CA and post it on a certificate server in our premises. We are told that the CA would create this certificate using its private key. Our users are expected to download the public key certificate from our server and authenticate it using the public key of the CA. Thus our users would be confident that they have the right public key from us to authenticate the genuineness of the patch.
And finally the question:
How/where can the exact public key of the CA be downloaded for authentication of the public key certificate downloaded from our server?
In what formats are these certificates available? Are these plain text files or XMLs or ??
To answer your questions in order:
Using a browser and SSL. In that case you rely on the certificate store already in the browser. It may be a good idea to also publish the fingerprint of your own certificate. Note that you also distribute a certificate - or certificate chain - within your software. If the software download is trusted, then you may not even need an external Certificate Authority. But in that case you keep your private key of the CA very secure.
X5.09 certificates are created using ASN.1 DER encoding. DER is a binary encoding (and the textual ASN.1 definitions specifies the contents). Certificates are also often distributed in PEM format. This is a base 64 encoding of the binary certificate, with an additional header and footer.

Is there a way to form secure connections without trusted third parties?

I've just recently learned a bit about how encrypted messages are sent across the Internet, and it seems that it relies a lot on "trusted third parties" My problem is that I don't trust anyone, is there some way to form an encrypted connection between two computers without prior secrets or the need to trust anyone?
Yes, by creating a "Certificate Authority" (CA) and installing its certificates on the machines.
The third parties you're talking about issue certificates, and sign those certificates using a CA certificate that is included in popular operating systems and/or web browsers. You can create your own CA certificate and install it onto the machines in question alongside those third party certificates. Then you can issue your own SSL certificates which will be recognised by those machines without any third party involvement.
Note that the CA certificates aren't "prior secrets" - there's nothing secret about the certificate itself. It has a private key, which you use to sign your SSL certificates, but that key doesn't need to be on the machines in question (and shouldn't be).
There are plenty of sites that will walk you through the process - a quick Google turned up this one for example: Creating Your Own SSL Certificate Authority.

Resources