I have a Python Flask app where I created a cert and key file using ssl and put that in the code as follows:
if __name__ == '__main__':
    context = ('cert.crt', 'keys.key')
    app.run('0.0.0.0', ssl_context=context, debug=True)
However, they are not valid. On the server where I have deployed the code there are two files, 'sslca-chain.der' and 'SSLCA-Chain.pem'. How do I use those in the code instead of the above?
The two files you have mentioned are the same thing (chain certificates) just in different formats.
It is best to configure a reverse proxy (like nginx) to handle the SSL stuff rather than include it in your flask application.
Python only handles PEM format files natively.
However, if you must, you need two files: the certificate file and the key file.
If you got your certificate from a third party CA, then they will provide you the certificate file.
The key file is always with you, and should be kept secret.
Since you have a certificate chain, you must provide a custom context to the application and include all the files in your chain, as the load_cert_chain method only takes one argument for the certificate file.
So, in short, what you have to do is:
Make sure your PEM file contains your server certificate.
Create a custom context with the PEM file and your key file.
Pass this custom context to Flask.
A PEM file is just a text file that contains all the certificates in a specific order; the order is:
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate)
-----END CERTIFICATE-----
The -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines are important and should be included.
Once you have verified that your PEM file contains your server certificate, here is how you would configure it for Flask:
import ssl
from flask import Flask

app = Flask(__name__)

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)  # use TLS to avoid POODLE (on current Pythons ssl.PROTOCOL_TLS_SERVER is the non-deprecated choice)
ctx.load_cert_chain('/path/to/sslca-chain.pem', '/path/to/server.key')  # the chain file (server cert first), then the private key
app.run('0.0.0.0', ssl_context=ctx, debug=True)  # debug=True enables the Werkzeug debugger; development only
A software system from a collaborating company needs to connect to one of our systems and authenticate against our Azure B2C directory. They would like to verify the signature of the JWT token that is returned.
I have created a RSA Public Key using the approach described in this topic:
Azure AD B2C - Token validation does not work
This has resulted in the following RSA Public Key:
-----BEGIN RSA PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA959e/O3gE574tAdjfjE6
+6OgTBsTGGbDTHBn/w137OTKoH3MnbOX16rrfumVZOr2GisCtIwxJM8ziiqvG1Fj
*more key*
-----END RSA PUBLIC KEY-----
I've used this RSA Public Key to verify the signature of my token in jwt.io, and it works.
The collaborating company however needs a PEM certificate like this:
-----BEGIN CERTIFICATE-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA959e/O3gE574tAdjfjE6
+6OgTBsTGGbDTHBn/w137OTKoH3MnbOX16rrfumVZOr2GisCtIwxJM8ziiqvG1Fj
*more key*
-----END CERTIFICATE-----
Modifying the PEM Header of my RSA Public Key does not work.
So now my question is: Is it possible to convert my RSA Public Key to the appropriate Certificate format? If yes, how?
I have a .crt file. Opening up that file, I see that it starts with
-----BEGIN CERTIFICATE-----
From this file, how do I generate these 2 files?:
Certificate request file that starts with -----BEGIN CERTIFICATE REQUEST-----
Key file that starts with -----BEGIN PRIVATE KEY-----
You cannot.
You have the process backwards.
The order is:
Generate a key, which is in fact a public and a private part. That creates the "PRIVATE KEY" file.
Generate a CSR, that is, a certificate signing request. This is computed using the private key, without including it, but it includes your public key and other metadata.
Give this CSR to a Certificate Authority, which will in turn give you back a certificate, that is, something that includes your public key but is also signed by the CA's private key.
After that the CSR can be discarded.
If anyone could derive the private key from the certificate (which is basically the public key), then X.509 certificates would provide no security through authentication, as anyone would be able to impersonate any host/user/application.
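The order the answer above insists on (key first, then CSR, then a CA-signed certificate), together with the leaf-first chain file that the Flask answer earlier on this page asks you to assemble and check, as one added example that belongs to neither post. It uses the openssl CLI (assumed to be 1.1.1 or newer) to build a throwaway root, intermediate and server certificate in a scratch directory from mktemp; "Demo Root CA", "Demo Intermediate CA" and www.example.com are made-up names.

```shell
#!/bin/sh
# Added example (not from either post): key -> CSR -> CA-signed certificate,
# then a leaf-first chain file of the kind Flask's load_cert_chain() expects.
# Assumes the openssl CLI, 1.1.1 or newer. Every name below is made up for the demo.
set -eu

# Step 1: generate a key pair and a CSR for it. The key file starts with
# "-----BEGIN PRIVATE KEY-----" and never leaves the server; the CSR carries only
# the public half plus the requested subject.
gen_key_and_csr() {   # gen_key_and_csr <basename> <subject>
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null
}

# Step 2: a CA signs the CSR with its own private key. The CSR is not needed afterwards.
sign_csr() {          # sign_csr <basename> <ca basename> <extension file>
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 1 -extfile "$3" -out "$1.crt" 2>/dev/null
}

# Build a throwaway root -> intermediate -> server hierarchy inside <dir>.
build_demo_pki() {    # build_demo_pki <dir>
  mkdir -p "$1"
  (
    cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > server.ext
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.com\n' >> server.ext
    gen_key_and_csr root "/CN=Demo Root CA"
    openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
      -out root.crt 2>/dev/null                      # the root signs itself
    gen_key_and_csr intermediate "/CN=Demo Intermediate CA"
    sign_csr intermediate root ca.ext
    gen_key_and_csr server "/CN=www.example.com"
    sign_csr server intermediate server.ext
    # Leaf first, then the intermediate(s), then (optionally) the root: the order
    # every TLS stack, Python's ssl module included, expects in one PEM file.
    cat server.crt intermediate.crt root.crt > fullchain.pem
  )
}

# "Make sure your PEM file contains your server certificate": the first block in
# the chain file must carry the public key that belongs to the private key.
key_matches_chain() { # key_matches_chain <fullchain.pem> <server.key>
  a=$(openssl x509 -in "$1" -noout -pubkey)  # x509 reads only the first certificate
  b=$(openssl pkey -in "$2" -pubout)
  [ "$a" = "$b" ]
}

# Does the server certificate chain up to the root through the intermediate?
chain_verifies() {    # chain_verifies <dir>
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" \
    "$1/server.crt" >/dev/null 2>&1
}

# Python's ssl module reads PEM only; a DER-encoded certificate converts losslessly.
der_to_pem() {        # der_to_pem <in.der> <out.pem>
  openssl x509 -inform DER -in "$1" -out "$2"
}

# Stand-alone run: build everything in a scratch directory and report.
WORK=$(mktemp -d)
build_demo_pki "$WORK"
head -n 1 "$WORK/server.key"   # -----BEGIN PRIVATE KEY-----
head -n 1 "$WORK/server.csr"   # -----BEGIN CERTIFICATE REQUEST-----
key_matches_chain "$WORK/fullchain.pem" "$WORK/server.key" && echo "key matches the leaf"
chain_verifies "$WORK" && echo "chain verifies"
# Flask then gets the pair: ctx.load_cert_chain(".../fullchain.pem", ".../server.key")
```

The two checks at the end are the ones worth running before pointing Flask (or any server) at a chain file: key_matches_chain fails when the first certificate in the file is an intermediate or somebody else's certificate, and chain_verifies fails when the intermediate does not actually link the server certificate to the root. der_to_pem is the openssl equivalent of what the question's sslca-chain.der needs if it is a single DER certificate; if the .der is a PKCS#7 bundle, openssl pkcs7 -inform DER -print_certs is the tool instead.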
I have found this related question:
Running SSL node.js server with godaddy gd_bundle.crt
which outlines the process of splitting the certificates, but uses three properties: certificate, ca, and key. I have only two files from my HTTPS registration with GoDaddy:
cert.crt (Not the name of the original but I'm fairly confident this is the certificate)
sf_bundle-g1-g2.crt (Is the actual name of the provided file)
Now the documents and file name seem to claim that the sf bundle is a combination of two certificates, but mine looks like this:
-----BEGIN CERTIFICATE-----
MIIFADCCA+igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEoDCCA4igAwIBAgIDORSEMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNVBAYTAlVT
MSUwIwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTIwMAYDVQQL
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
3QUmNUqMZbhSa4Hs0py1NBCXnD7GL+2OQkIkLulzmiX5EfHyI2nL5ZRpoNLcsPxE
iawXqMzVN3cWxYC5DI9XAlWZhXtJ8C5boMJXU12i6KY3wwH6
-----END CERTIFICATE-----
Again, I've combed the documentation and it seems I simply provide the locations of all 3 of these in the options.ca array property of Node.js' https module.
However, it seems like I am missing a file. I have a cert and 3 CAs, but no key. Is this an acceptable configuration? Or is some part of the sf_bundle supposed to be my key? It says -g1-g2 but contains 3 certificate sections.
I am entirely new to encryption, so please forgive my ignorance.
key is the private key you used to sign the CSR that you sent to GoDaddy.
The solution ended up being simply going back to GoDaddy and requesting the certificates in my desired format.
I attempted splitting it up and using the key we signed the certificates with, as suggested by mscdex. I could not get this to work.
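For a bundle like the one above with several certificates in it, this added example (not from the thread) splits it into one file per certificate, in order, and labels each as the server certificate, an intermediate or the root, which is the question the asker could not answer by looking at the base64. It assumes the openssl CLI and builds its own two-certificate bundle from throwaway keys; "Demo Root CA" and www.example.com are made-up names.

```shell
#!/bin/sh
# Added example (not part of the thread): split a PEM bundle such as GoDaddy's
# sf_bundle into one file per certificate and say what each one is.
# Assumes the openssl CLI; the bundle used here is built from throwaway certificates.
set -eu

# Split <bundle.pem> into <outdir>/cert-01.pem, cert-02.pem, ... in the order
# they appear; print how many certificates were found. Lines outside a
# BEGIN/END pair (blank lines, "Bag Attributes") are dropped.
split_bundle() {   # split_bundle <bundle.pem> <outdir>
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n); inblock = 1 }
    inblock                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); inblock = 0 }
    END                           { print n + 0 }' "$1"
}

# Classify one certificate: "root" if it signed itself, "intermediate" if it is
# a CA signed by someone else, otherwise "leaf" (the server certificate).
cert_role() {      # cert_role <cert.pem>
  s=$(openssl x509 -in "$1" -noout -subject); s=${s#subject=}
  i=$(openssl x509 -in "$1" -noout -issuer);  i=${i#issuer=}
  if [ "$s" = "$i" ]; then
    echo root
  elif openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'; then
    echo intermediate
  else
    echo leaf
  fi
}

# Stand-alone run on a constructed two-certificate bundle (server cert, then root).
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.crt" \
  -subj "/CN=Demo Root CA" -days 1 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/site.key" -out "$WORK/site.csr" \
  -subj "/CN=www.example.com" 2>/dev/null
openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1 -out "$WORK/site.crt" 2>/dev/null
cat "$WORK/site.crt" "$WORK/root.crt" > "$WORK/bundle.pem"
split_bundle "$WORK/bundle.pem" "$WORK/split"      # 2
for c in "$WORK"/split/cert-*.pem; do
  printf '%s: %s\n' "$(basename "$c")" "$(cert_role "$c")"
done
```

Run split_bundle sf_bundle-g1-g2.crt some-dir on the real file and it reports 3; cert_role on each piece then shows which block is which. Those pieces, plus cert.crt and the private key that was generated together with the CSR, are what the ca, cert and key options take. A quicker listing without splitting is openssl crl2pkcs7 -nocrl -certfile sf_bundle-g1-g2.crt | openssl pkcs7 -print_certs -noout, which prints subject and issuer for every certificate in the file.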
I have ordered an SSL certificate from RapidSSL and have used it in my current hosting environment. Now I am moving hosting to Azure and they require a .PFX file.
What I have is an email from Rapid SSL with a
and got an email with a web server certificate in text formatted like this:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
And I got a INTERMEDIATE CA that has the same format:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
I can find a lot of guides converting to .PFX but they ask for a key file (PEM) and such, and all I got is this email with text.
Can anyone point me to a guide or something? I don't really understand why this has to be so complicated. :(
Any help is much appreciated.
/Brian
You will need to use openssl.
openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt
The key file is just a text file with your private key in it.
It turned out I could get it through their support. They had an online service where I could get it.
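The openssl pkcs12 command from the answer above, extended so the .pfx also carries the intermediate CA certificate from the second email, with two checks on the result. This is an added example, not from the thread; it assumes the openssl CLI and uses throwaway self-signed stand-ins generated inline (www.example.com and "Stand-in Intermediate CA" are made up) in place of the RapidSSL files, and "changeit" as the export password.

```shell
#!/bin/sh
# Added example (not from the thread): pack key + server certificate + intermediate
# into one PKCS#12 (.pfx) file, then check what went in. Assumes the openssl CLI;
# the certificates are throwaway self-signed stand-ins, not the ones RapidSSL issued.
set -eu

# Build the .pfx. -certfile adds the intermediate so the server can send the
# full chain; leave it out and clients see an incomplete chain.
make_pfx() {        # make_pfx <server.key> <server.crt> <intermediate.crt> <out.pfx> <password>
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" -passout "pass:$5"
}

# Number of certificates inside the .pfx (server + intermediate = 2).
pfx_cert_count() {  # pfx_cert_count <file.pfx> <password>
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -nodes 2>/dev/null \
    | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Does the private key inside the .pfx belong to <cert.pem>? (Compares the
# public key derived from the key with the one in the certificate.)
pfx_key_matches_cert() {  # pfx_key_matches_cert <file.pfx> <password> <cert.pem>
  a=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout)
  b=$(openssl x509 -in "$3" -noout -pubkey)
  [ "$a" = "$b" ]
}

# Stand-alone run with constructed inputs.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/site.key" -out "$WORK/site.crt" \
  -subj "/CN=www.example.com" -days 1 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ica.key" -out "$WORK/ica.crt" \
  -subj "/CN=Stand-in Intermediate CA" -days 1 2>/dev/null
make_pfx "$WORK/site.key" "$WORK/site.crt" "$WORK/ica.crt" "$WORK/site.pfx" changeit
pfx_cert_count "$WORK/site.pfx" changeit                           # 2
pfx_key_matches_cert "$WORK/site.pfx" changeit "$WORK/site.crt" && echo "key matches"
```

With the real files the call is make_pfx domain.name.key domain.name.crt intermediate.crt domain.name.pfx 'a strong password', where domain.name.key is the private key that was generated when the CSR sent to RapidSSL was made; the email never contains it, and without it no .pfx can be built, which is why every guide asks for it. OpenSSL 3 encrypts the .pfx with AES-256 and PBKDF2 by default; if an importer rejects the file, add -legacy to the export command.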
I have SSL CERTIFICATE, PRIVATE KEY and SSLCertificateChain CERTIFICATE as follows:
SSL CERTIFICATE:
-----BEGIN CERTIFICATE-----
certificate here
-----END CERTIFICATE-----
PRIVATE KEY:
-----BEGIN RSA PRIVATE KEY-----
key here
-----END RSA PRIVATE KEY-----
SSLCertificateChain CERTIFICATE:
-----BEGIN CERTIFICATE-----
SSLCertificateChain here
-----END CERTIFICATE-----
I have saved the certificate in SSLCertificateFile.crt, the key in SSLCertificateKeyFile.key and the SSLCertificateChain certificate in SSLCertificateChainFile.crt. All three files are saved at /opt/tomcat/conf/.
In /opt/tomcat/conf/server.xml modified the connector as:
<Connector executor="tomcatThreadPool" scheme="https" secure="true"
           port="443" protocol="HTTP/1.1"
           connectionTimeout="20000" redirectPort="8443" acceptCount="100" SSLEnabled="true"
           maxConnections="100000" SSLCertificateFile="/opt/tomcat/conf/SSLCertificateFile.cert"
           SSLCertificatKeyFile="/opt/tomcat/conf/SSLCertificateKeyFile.key"
           SSLCertificateChainFile="/opt/tomcat/conf/SSLCertificateChainFile.cert"
           SSLProtocol="TLSv1"/>
I've restarted the Tomcat server; http://www.digicert.com/help/ shows the error "SSL Certificate is not trusted" as shown in the image.
Is there anything wrong with the file extensions or the connector?
You've blanked out the information that would be required to give you the definitive answer:
"Certificate does not match name" means that you have a certificate for one server name but access it under another; this could be as simple as accessing "www.example.com" as "example.com" if the certificate is only valid for "www.example.com".
The "not trusted" points either again to the mismatch, or, more likely, you have a self-signed certificate? You don't mention where you got the certificate from, only that you have it. By going directly to your server (not to DigiCert) you will probably get the same mismatch.
Even if you got the certificate from a certification authority, make sure that it is indeed trusted. I've seen "demo" certificates (or "class 0" certificates) which were issued free of charge to demonstrate the ease of certification, but without any identity check. Those class 0 certificates are not trusted. Typically you'll need to pay some money to a certification authority for a trusted certificate.
I assume the server is visible on the internet (otherwise DigiCert won't see it), so if you would share the address, it would be easy to point you to the actual root cause. You can also inspect the certificate, e.g. with Firefox: this is offered through a dialog that opens from the button on the "not trusted" warning page.
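The two failure modes the answer above separates, name mismatch and not trusted, checked offline with the openssl CLI (assumed 1.1.1 or newer). This is an added example, not part of the thread; the certificate it uses is a throwaway self-signed one for www.example.com generated inline, not the asker's.

```shell
#!/bin/sh
# Added example (not part of the thread): tell "certificate does not match name"
# apart from "not trusted" without a browser. Assumes the openssl CLI, 1.1.1 or
# newer. The certificate is a throwaway self-signed one for www.example.com made
# here, not the asker's.
set -eu

# Name check: is <host> covered by the certificate's subjectAltName (or, if it
# has none, its CN)? This is what the "does not match name" complaint tests.
cert_matches_host() {   # cert_matches_host <cert.pem> <host>
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Trust check: would a client whose only trust anchor is <cafile> accept the cert?
cert_is_trusted() {     # cert_is_trusted <cert.pem> <cafile>
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Trust check against the local OpenSSL trust store: a self-signed or "class 0"
# certificate fails here just as it fails in an online checker.
cert_is_trusted_by_system() {  # cert_is_trusted_by_system <cert.pem>
  openssl verify "$1" >/dev/null 2>&1
}

# Stand-alone run.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/site.key" -out "$WORK/site.crt" \
  -subj "/CN=www.example.com" -addext "subjectAltName=DNS:www.example.com" -days 1 2>/dev/null
cert_matches_host "$WORK/site.crt" www.example.com && echo "www.example.com: name matches"
cert_matches_host "$WORK/site.crt" example.com     || echo "example.com: name mismatch"
cert_is_trusted "$WORK/site.crt" "$WORK/site.crt"   && echo "trusted when the cert itself is the anchor"
cert_is_trusted_by_system "$WORK/site.crt"          || echo "not trusted by the system store"
# For a live host, see what is really sent (first cert = server, then the chain):
#   openssl s_client -connect www.example.com:443 -servername www.example.com -showcerts </dev/null
```

Against the real server, the s_client command in the last comment shows what Tomcat actually sends: the first certificate must be the server's own and the ones after it the chain. A bought certificate that still comes up "not trusted" usually means the intermediate is missing from that output, which for the connector above points at SSLCertificateChainFile (and at whether the attribute names and file extensions in it actually match the files on disk).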