Error connecting to Azure Virtual Network - Point to Site - azure

I followed this tutorial to create a point-to-site connection:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal
Now, when I try to connect the VPN I get this error:
A certificate could not be found that can be used with this Extensible Authentication Protocol. (Error 798)
It doesn't even work on the computer where I generated the self-signed cert. Nor does it work on another client where I installed the pfx private key; both fail with the same error.
Any ideas?

Ok, turns out the document on creating the certs is not complete: it doesn't mention anything about the client cert and only says how to create a root cert:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
Here is what I had to do to make it work:
Create root cert:
makecert -sky exchange -r -n "CN=AzureRootCert" -pe -a sha1 -len 2048 -ss My "AzureRootCert.cer"
Create client cert:
makecert.exe -n "CN=AzureClientCert" -pe -sky exchange -m 96 -ss My -in "AzureRootCert" -is my -a sha1
Then the rest is documented: export the root cert, upload it to Azure and then download the VPN tool.

Related

How to request host/service certificate when authenticated as Certificate Admin - FreeIPA?

Note: I've tried to keep things as simple as possible in this question as that is as far as my knowledge goes. Any form of help is appreciated
I'm new to FreeIPA and I struggle to request a SSL certificate and key file from FreeIPA as Certificate Authority.
I verify I get a krbtgt using klist using the credentials of Certificate Admin.
$ klist
Valid starting Expires Service principal
01/05/2022 5:35:35 01/06/2022 5:35:35 krbtgt/MYDOM@MYDOM
renew until 01/12/2022 5:35:35
sudo /usr/bin/ipa-getcert request -r -w -k /tmp/test.key \
-f /tmp/test.cert.pem \
-g 4096 \
-K HTTP/service.mydom \
-T caIPAserviceCert \
-D test.myDom -N CN=test.myDom,O=MYDOM
New signing request "20220105093346" added.
Only thing being created is the private key:
$ ls /tmp
test.key
Why isn't the certificate being created? Insufficient privileges.
Error:
$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20220105093346':
status: CA_REJECTED
ca-error: Server at https://idm.myDom/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/service.mydom@MYDOM,cn=services,cn=accounts,dc=mydom'.).
stuck: yes
key pair storage: type=FILE,location='/tmp/test.key'
certificate: type=FILE,location='/tmp/test.cert.pem'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Though I am able to run
$ ipa service-mod HTTP/service.mydom --certificate=
Possible duplicate: freeipa-request-certificate-with-cname
Any ideas?
Turns out the machine I am requesting the certificate from needs to be allowed to manage the web service for web host.
Only the target machine can create a certificate (IPA uses the host
kerberos ticket) by default, so to be able to create the certificate
on your IPA server you need to allow it to manage the web service for
the www host.
[root@ipa-server ~]# ipa service-add-host --hosts=ipa-server.test.lan HTTP/www.test.lan
Source:
Creating certs and keys for services using freeipadogtag/

Azure Linux web app: change OpenSSL default security level?

In my Azure Linux web app, I'm trying to perform an API call to an external provider, with a certificate. That call fails, while it's working fine when deploying the same code on a Windows app service plan. The equivalent cURL command line is:
curl --cert-type p12 --cert /var/ssl/private/THUMBPRINT.p12 -X POST https://www.example.com
The call fails with the following error:
curl: (58) could not load PKCS12 client certificate, OpenSSL error error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
The issue is caused by OpenSSL 1.1.1d, which by defaults requires a security level of 2, and my certificate is signed with SHA1 with RSA encryption:
openssl pkcs12 -in THUMBPRINT.p12 -nodes | openssl x509 -noout -text | grep 'Signature Algorithm'
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha1WithRSAEncryption
On a normal Linux VM, I could edit /etc/ssl/openssl.cnf to change
CipherString = DEFAULT@SECLEVEL=2
to security level 1, but on an Azure Linux web app, the changes I make to that file are not persisted.
So my question is: how do I change the OpenSSL security level on an Azure web app? Or is there a better way to allow the use of my weak certificate?
Note: I'm not the issuer of the certificate, so I can't regenerate it myself. I'll check with the issuer if they can regenerate it, but in the meantime I'd like to proceed if possible :)
A call with Microsoft support led me to a solution. It's possible to run a script whenever the web app container starts, which means it's possible to edit the openssl.cnf file before the dotnet app is launched.
To do this, navigate to the Configuration blade of your Linux web app, then General settings, then Startup command:
The Startup command is a command that's run when the container starts. You can do what you want, but it HAS to launch your app, because that's no longer done automatically.
You can SSH to your Linux web app, and edit that custom_startup.sh file:
#!/bin/sh
# allow weak certificates (certificate signed with SHA1)
# by downgrading OpenSSL security level from 2 to 1
sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf
# run the dotnet website
cd /home/site/wwwroot
dotnet APPLICATION_DLL_NAME.dll
The relevant doc can be found here: https://learn.microsoft.com/en-us/azure/app-service/containers/app-service-linux-faq#built-in-images
Note however that the Startup command is not working for Azure Functions (at the time of writing May 19th, 2020). I've opened an issue on Github.
To work around this, I ended up creating custom Docker images:
Dockerfile for a webapp:
FROM mcr.microsoft.com/appsvc/dotnetcore:3.1-latest_20200502.1
# allow weak certificates (certificate signed with SHA1)
# by downgrading OpenSSL security level from 2 to 1
RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf
Dockerfile for an Azure function:
FROM mcr.microsoft.com/azure-functions/dotnet:3.0.13614-appservice
# allow weak certificates (certificate signed with SHA1)
# by downgrading OpenSSL security level from 2 to 1
RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf
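The startup script and Dockerfiles above rewrite the container-wide /etc/ssl/openssl.cnf, so every TLS connection the container makes drops to security level 1, and the unconditional sed -i silently does nothing if a newer base image lays the file out differently. As an added example (not the answer's own script), the same downgrade can be handed to just the app process through the OPENSSL_CONF environment variable, with a check that the edit actually produced the requested level. The sample config is constructed to mirror the Debian/Ubuntu layout; the /home/site paths follow the answer, and start_app assumes the app lets libssl load its default config on initialisation.

```shell
#!/bin/sh
# Added example, not the answer's own script: keep /etc/ssl/openssl.cnf as
# shipped and give the app a private copy with SECLEVEL=1 via OPENSSL_CONF,
# verifying that the edit took effect instead of trusting a blind sed -i.
# The sample config below is constructed to mirror the Debian/Ubuntu layout.
set -eu

write_sample_conf() {  # $1 = path; constructed stand-in for /etc/ssl/openssl.cnf
  cat > "$1" <<'EOF'
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
EOF
}

# Print the SECLEVEL a config sets (prints nothing if it has no such line).
get_seclevel() {       # $1 = config file
  sed -n 's/^[[:space:]]*CipherString[[:space:]]*=[[:space:]]*DEFAULT@SECLEVEL=\([0-9]\).*/\1/p' "$1"
}

# Write an app-scoped copy of $1 to $2 with SECLEVEL set to $3. Unlike a bare
# `sed -i` it fails loudly when the source has no SECLEVEL line (a different
# base image, say) or when the rewrite did not yield the requested level.
make_scoped_conf() {   # $1 = system config, $2 = output file, $3 = level
  if [ -z "$(get_seclevel "$1")" ]; then
    echo "no DEFAULT@SECLEVEL line in $1; nothing to override" >&2
    return 1
  fi
  sed "s/DEFAULT@SECLEVEL=[0-9]/DEFAULT@SECLEVEL=$3/" "$1" > "$2"
  [ "$(get_seclevel "$2")" = "$3" ]
}

# Startup-command shape: build the override once, then launch the app with it.
# /home/site persists across container restarts on App Service, so the copy
# survives; the system file is never touched.
start_app() {          # $1 = app dll; assumes the app lets libssl load its config
  make_scoped_conf /etc/ssl/openssl.cnf /home/site/openssl-seclevel1.cnf 1
  cd /home/site/wwwroot
  OPENSSL_CONF=/home/site/openssl-seclevel1.cnf exec dotnet "$1"
}
```

Used as the Startup command, the script ends with `start_app APPLICATION_DLL_NAME.dll`; because the downgrade travels in the environment of that one process, other tooling in the container (and any sidecar that shares the image) keeps the default level 2, and the startup fails visibly rather than booting an app whose weak-certificate call is still going to break.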

How to Create Root Certificate for Azure VPN using MakeCert command specific to Azure VPN Requirements

1) Please mention specific command which could generate the certificate according to Azure VPN requirements
and
2) How to get the string value of the certificate to put it on Azure?
The question has two parts: first the command, and second how to get the string value.
1)
You can use the command below; you can also change the CN= parameter to your own naming if required.
Server:
makecert -sky exchange -r -n "CN=AzureVPNRootCert" -pe -a sha1 -len 2048 -ss My "AzureVPNRootCert.cer"
You need to install the certificate locally and then export it in base 64 encoded format to see the signature string of the certificate to put it on Azure.
2)
Use certlm.msc -> Certificate Local computer -> trusted Root Certificate -> certificates -> choose your certificate -> right click export -> choose base 64 encoded format -> save
Open the saved certificate in notepad and copy only the Certificate string to Azure.
Bonus: if you need to create a client certificate to connect to Azure VPN from more than one point.
Client:
makecert.exe -n "CN=AzureVpnClientCert" -pe -sky exchange -m 96 -ss My -in "AzureVPNRootCert" -is my -a sha1
For official Docs
Original Post

Azure management certificate is not working

We created an Azure management certificate both using "makecert" and using IIS7, and uploaded it to the Azure site as well. But nothing seems to be working. Is there any other reason behind this?
The API throws 403 errors. PowerShell cmdlets throw an "Authentication failed" error.
Working with different certificate file types and the various parameters to makecert can be a bit confusing. Ultimately, you need to upload a CER file (does not contain private key) to the management portal for management API authentication, and use a PFX (contains private key) for signing requests.
When you need to use SSL, you need to upload a PFX file to your hosted service via the management portal, the management API, or you can use a tool like one of Cerebrata's.
We use the following batch file to create our certificate files (replace CAPS_HERE text):
makecert -r -pe -a sha1 -n "CN=CERTIFICATE_NAME_HERE" -ss My -len 2048 -sp "Microsoft Enhanced RSA and AES Cryptographic Provider" -sy 24 CER_FILE_NAME_HERE.cer
makecert -r -pe -n "CN=CERTIFICATE_NAME_HERE" -sky exchange "CER_FILE_NAME_HERE.cer" -sv "PVK_FILE_NAME_HERE.pvk"
pvk2pfx -pvk "PVK_FILE_NAME_HERE.pvk" -spc "CER_FILE_NAME_HERE.cer" -pfx "PVK_FILE_NAME_HERE.pfx" -pi PASSWORD_HERE
Additionally, some links:
http://blogs.msdn.com/b/kaushal/archive/2010/11/05/ssl-certificates.aspx
http://www.lombard.me/2008/03/summary-of-x509-certificate-file-types.html
http://technet.microsoft.com/en-us/library/cc770735.aspx
Another alternative is to download a publishsettings file - this automatically configures a certificate public key in your azure subscription and downloads the cert to your machine.
You can use Get-AzurePublishSettingsFile to download a publishsettings file, or log in at:
https://manage.windowsazure.com/publishsettings/index?client=powershell

Using makecert for Development SSL

Here's my situation:
I'm trying to create an SSL certificate that will be installed on all developers' machines, along with two internal servers (everything is non-production).
What do I need to do to create a certificate that can be installed in all of these places?
Right now I've got something along these lines, using the makecert application in Microsoft Visual Studio 8\SDK\v2.0\Bin:
makecert -r -pe -n "CN=MySite.com Dev" -b 01/01/2000 -e 01/01/2033 -eku 1.3.6.1.5.5.7.3.1 -ss Root -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 mycert.cer
However, I'm not sure how to place this .cer file on the other computers, and when I install it in my local IIS, every time I visit a page via https: I get the security prompt (even after I've installed the certificate). Has anyone done this before?
Here are my scripts for doing this:
Create Certificate Authority
Create a self-signed certificate (-r), with an exportable private key (-pe), using SHA1 (-r), for signing (-sky signature).
The private key is written to a file (-sv).
makecert -r -pe -n "CN=My Root Authority" -ss CA -sr CurrentUser ^
-a sha1 -sky signature -cy authority -sv CA.pvk CA.cer
(^= allow batch command-line to wrap line)
Create Server Certificate
Create a server certificate, with an exportable private key (-pe), using SHA1 (-a) for key exchange (-sky exchange).
It can be used as an SSL server certificate (-eku 1.3.6.1.5.5.7.3.1).
The issuing certificate is in a file (-ic), as is the key (-iv).
Use a particular crypto provider (-sp, -sy).
makecert -pe -n "CN=fqdn.of.server" -a sha1 -sky Exchange ^
-eku 1.3.6.1.5.5.7.3.1 -ic CA.cer -iv CA.pvk ^
-sp "Microsoft RSA SChannel Cryptographic Provider" ^
-sy 12 -sv server.pvk server.cer
pvk2pfx -pvk server.pvk -spc server.cer -pfx server.pfx
You then use the .PFX file in your server app (or install it in IIS). Note that, by default, pvk2pfx doesn't apply a password to the output PFX file. You need to use the -po switch for that.
To make all of your client machines trust it, install CA.cer in their certificate stores (in the Trusted Root Authorities store). If you're on a domain, you can use Windows Group Policy to do this globally. If not, you can use the certmgr.msc MMC snapin, or the certutil command-line utility:
certutil -user -addstore Root CA.cer
To programmatically install the certificate in IIS 6.0, look at this Microsoft KB article. For IIS 7.0, I don't know.
You should add -cy authority to the switches when creating the cert authority, otherwise some cert stores won't see it as a proper CA.
