I have the working GoDaddy SSL certificate for Java/Tomcat server, consisting of 3 files:
a6d8a8b6f1b7d24b.crt
gdig2.crt.pem
gd_bundle-g2-g1.crt
All three are the base64 encoded text files and the contents look like
-----BEGIN CERTIFICATE-----
MIIFNjCCBB6gAwIBAgIJAKbYqLbxt9JLMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
...
MLLO84KBeOlWOD9ShSj2OqPQiozGPPjqzuIyyWJF37s0Y/BpgJPfqHgE
-----END CERTIFICATE-----
gd_bundle-g2-g1.crt contains multiple such entries inside.
Now, Hyperledger instructions here explain:
composer-rest-server -t -c /tmp/cert.pem -k /tmp/key.pem -p hlfv1 -n my-network -i alice1 -s suchs3cret
Which one in my case is expected to be the cert.pem and which one the key.pem? Do they need any conversion, and if they do, how? These certificates work fine for Java frameworks that use jks keystore. Hyperledger uses node.js and produces errors like
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
at Error (native)
at Object.createSecureContext (_tls_common.js:85:17)
at Server (_tls_wrap.js:776:25)
at new Server (https.js:26:14)
at Object.exports.createServer (https.js:47:10)
at Promise.then (/home/hla/.nvm/versions/node/v6.11.2/lib/node_modules/composer-rest-server/server/server.js:148:28)
at process._tickCallback (internal/process/next_tick.js:109:7)
I tried to substitute the files in various combinations but only get error messages so far. I think I actually tried all possible combinations already, so very likely the format is wrong.
GoDaddy allows to export certificates also in various popular formats (Apache, Exchange, IIS, MacOS X and Tomcat to be precise), but Hyperledger is obviously not between them.
It may also be problematic that when I generate the certificate with
openssl req -newkey rsa:2048 -new -nodes -keyout key.pem -out csr.pem
(where obviously key.pem should probably be the key), I also get the same error:
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
OpenSSL version OpenSSL 1.0.2g 1 Mar 2016. node --version. node --version. node --version 5.4.0.
The rest server is expecting 2 things in order to be able to enable tls. It requires a private key and a public certificate associated with that private key. They both need to be in .pem format. The public certificate will have text that starts with -----BEGIN CERTIFICATE----- whilst the private key will have text that starts with -----BEGIN PRIVATE KEY-----
The openssl command can be used to generate a self signed certificate for example which would be usable by the rest server. In the example you gave above, you actually generated a CSR (certificate request) which is a request to create a certificate for you based on the private key it has generated and so the csr.pem file it created isn't a usable certificate. A CSR is something you send to a certificate authority to request the creation of a certificate.
Use gdig2.crt.pem as your certificate (-c). You need to specify the file to your private key (-k) which you used to generate the CSR. If your private key is password protected, you need to provide the passphrase in composer-rest-server/server.js (look for the line https.createServer({cert, key}, app);). Good luck.
Related
I have a wildcard ssl certificate chain for *.mydomain.one.
The certificates are pem files and look like:
Thawte RSA CA 2018.pem
DigiCert Global Root CA.pem
mydomain.one.pem
With the following begin/ending:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
When I want to add a certificate to an Azure Gateway in the listener section it requires to be in pfx format.
So I tried to convert the files with openssl pkcs12.
openssl pkcs12 -export -nokeys -in mydomain.one.pem -certfile DigiCert_Global_Root_CA.pem -certfile Thawte\ RSA\ CA\ 2018.pem -out mydomain.pfx
When uploading to Azure it fails because the file has no private key.
I also tried using one of the pem files as private key which fails while the pfx creation.
So my question is if its even possible to create a valid pfx file from this pem files and if not where and how to get the private key?
I'm trying to generate a key to enable https on apache server under linux.
I took the certificat from godaddy that gave me .crt and .pem
I've tried to generate the key from the pem in many way:
openssl pkey -in foo.pem -out foo.key
openssl rsa -in foo.pem -out foo.key
Then I tried by an other way explain in some post I've found under stackoverflow
openssl rsa -in key.pem -out keyout.pem
and I always get this error message:
unable to load Private Key
139675415795008:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
Someone can explain to me what is my mistake and how to resolve it ?
Thanks a lot
I am trying to establish node to node encryption. I am following datastax online guidance available for ssl encryption on below link- https://docs.datastax.com/en/security/5.1/security/secSetUpSSLCert.html
as per the documentation i have skipped first two steps and followed from step-3.
so, I have created the keystore, using below command-
keytool -genkeypair -keyalg RSA -alias node1 -keystore cassandra.jks -storepass cass123 -keypass cass123 -validity 365 -keysize 2048 -dname "CN=host1, OU=cluster1, O=org, C=US"
after creating the keystore, here the public certificate authority have two level of encryption or certs. first is root.cert and another is intermediate.cert.
when i have checked through below command, intermediate.cert is signed or verifyed by root.cert.
openssl verify -CAfile root.cert intermediate.cert , Got OK in Response.
after than with keystore(cassandra.jks), i have raise the certificate signed request (CSR):
keytool -keystore cassandra.jks -alias node1 -certreq -file cassandra.csr -keypass cass123 -storepass cass123 -dname "CN=host1, OU=cluster1, O=org, C=US"
then after uploading this CSR file (cassandra.csr) to public certificate authority i got in response one Cert.cer file.
so, then i checked whether the Cert.cer file get signed by root.cert or not.
openssl verify -CAfile root.cert Cert.cer
Got unable to load certificate in Response, with error message-
140044398696338:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c707:Expecting TRUSTED CERTIFICATE
Even I have Checked the Cert.cer with intermediate.cert-- got the same above error message.
Is this mean the Cert.cer which i got in response to csr request in not properly signed by certificate authority.
So i have stopped further steps here, which needed for cassandra ssl implementation.
Please, let me know, if i miss something or doing in wrong manner. much appreciated all help and suggestions
This issue is resolved, due to platform issue certs generated have extras carriage characters ^M. after removing this and merging root and intermediate certs together it works fine.
I'm facing an issue in installing SSL certificate in IIS and below are the step before I got the certificate from my CA.
Generated a private key file using OpenSSL with: "openssl genrsa -out key_name.key 2048" command.
Generated .csr file with: "openssl req -out CSR.csr -key key_name.key -new -sha256" command.
Once I generated the CSR file, I provided the same CSR file to CA to get me certificate.
I got the certificate in .p7b format, which I converted to .cer format.
Installed certificate using "Complete certificate request" option in IIS.
Now the problem is that newly installed certificate vanishes from IIS after a refresh. I Googled this issue and understood that, it's happening so because there is no private key associated with certificate. My question is where the private key has gone?? I had created the CSR using the private key in step 1. Secondly, how do I over come this issue, I have to install the certificate anyhow. Please help.
You did not generate the certificate request via IIS Manager. Thus, you should not use IIS to complete the request.
Instead, you need to use OpenSSL to generate a PFX file,
create a pfx file from a .cer and a .pem file
Then you can import it to IIS.
You might read this post for more details,
https://blog.lextudio.com/2015/06/the-whole-story-of-server-certificate-disappears-in-iis-77-588-510-0-after-installing-it-why/
I am trying to use push notifications through my nodejs server deployed in openshift rehat server. I could not find any documentation/discussion to generate apns certificate in openshift.
I tried generating a certificate, but getting an error while generating CSR using this command
openssl genrsa -out sz.key 2048
Error: unable to write 'random state'
e is 65537 (0x10001)
After some googling, I see one option is to use aerogear. But I want to use my own server to handle the notifications.
Is there any other option to generate a certificate in openshift server?
Thanks developercorey for your help. But i still see the error.
Finally generated certificate for my openshift server using this script
openssl x509 -in aps_production.cer -inform DER -out myProdCert.pem
The private key associated with the SSL certificate can be exported from the Keychain Access application on your Mac computer. - mykey.p12
openssl pkcs12 -in mykey.p12 -out myProdKey.pem -nodes -clcerts
openssl s_client -connect gateway.push.apple.com:2195 -cert myProdCert.pem -key myProdKey.pem
Hopefully this will help somebody.
Try this command:
HOME=~/app-root/data/ openssl genrsa -out sz.key 2048
Basically it is trying to write some temp data into your $HOME, but you can't write to that directory, so it won't work, but it does give somewhat of a cryptic error message.