I have a key and csr generated and want to use the csr to generate certificates. GoDaddy has a provision wherein the csr can be uploaded for the cert to be generated, and I am wondering what the equivalent openssl command is to convert a csr to a cert?
The openssl command is:
openssl x509 -signkey GoDaddy.key -in domain.csr -req -days 365 -out domain.crt
Note that it is not a conversion of the csr into a certificate, it is a generation of a certificate from a csr and a private key. The key is always needed. You don't send your key to GoDaddy because it's YOUR private key (as pointed out in the comments) and because they sign your certificate with their own private key. That's what makes it special. That's what they are paid for.
In this link you can find some useful openssl commands that may help you in the future.
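As an added example (not the answer's own script), the following runs the answer's command on a freshly made key and CSR and then signs the same CSR with a separate CA key, which is what GoDaddy does with the uploaded CSR. Every file name, subject and the "Demo CA" are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not the answer's own script. Self-sign a CSR with its own
# key (the answer's command), then sign the same CSR with a separate CA key
# to show what a CA actually does. All file names are constructed.

WORK=$(mktemp -d)

# Stand-ins for the key and CSR the question already has.
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=example.test" \
        -keyout "$WORK/domain.key" -out "$WORK/domain.csr" >/dev/null 2>&1
}

# The answer's command: the CSR's own key signs the certificate, so the
# issuer equals the subject. No CA is involved.
self_sign_csr() {
    openssl x509 -req -in "$WORK/domain.csr" -signkey "$WORK/domain.key" \
        -days 365 -sha256 -out "$WORK/selfsigned.crt" >/dev/null 2>&1
}

# What the CA does with the uploaded CSR: it signs with ITS private key.
# domain.key is not used here at all, only the public key inside the CSR.
ca_sign_csr() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Demo CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/domain.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -sha256 -out "$WORK/casigned.crt" >/dev/null 2>&1
}

# Who signed a certificate.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# Both certificates carry the public key from the CSR; compare them.
pubkey_matches_csr() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl req -in "$WORK/domain.csr" -noout -pubkey)" ]
}

# Signature check against a trust anchor: the CA-signed certificate
# validates against ca.crt, the self-signed one does not.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_key_and_csr && self_sign_csr && ca_sign_csr
issuer_of "$WORK/selfsigned.crt"    # the subject itself
issuer_of "$WORK/casigned.crt"      # the CA
```

Both certificates contain the same public key taken from the CSR; the only difference is whose private key produced the signature, which is why a relying party with ca.crt in its trust store accepts one and rejects the other.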
We have an Azure Function (.NET 4.7.2) running for a year that sends messages to a webservice using a client certificate. This certificate has to be renewed, but now that we have done that we are getting this exception when sending a message:
System.Security.Cryptography.CryptographicException: Invalid provider type specified.
Azure has problems reading the private key and the problem seems to be exporting it from my local machine. Could this problem originate from the original CSR? The previous certificate still works fine, as long as it's valid. Note that I can send messages using the new certificate from my local machine.
Things I have tried:
Using all combinations of MMC settings to export the .pfx file
Using the answer in https://stackoverflow.com/a/34103154/6033193 to convert the cert key to the RSA format and upload the new resulting .pfx
Using CertUtil.exe -store -user my to compare the new and the old certificate. They both have Provider Microsoft Enhanced Cryptographic Provider v1.0 and, apart from the hashes and names, look the same.
Removing Azure Key Vault from the setup and uploading the pfx directly to the app service
Reading the .pfx from a local folder and using it like this: new X509Certificate2(certBytes, "password", X509KeyStorageFlags.PersistKeySet);. This works, so something seems to be going wrong when uploading the .pfx file to the Azure portal.
Any more things I can try?
The provider that worked for the previous certificate no longer works for the new certificate. I have a hunch something is wrong with the encryption because the Bag Attributes contained no LocalKeyID information, but I cannot say for sure.
Anyway, changing the provider to "Microsoft Platform Crypto Provider" made the private key accessible in Azure. Using OpenSSL:
First export the .key and the public .pem part from the .pfx file:
openssl pkcs12 -in cert.pfx -out cert_publicpart.pem -nokeys
openssl pkcs12 -in cert.pfx -out cert_privatekey.key -nocerts
If it's encrypted it will ask for your password after each command.
Then, convert it back to a .pfx specifying the provider:
openssl pkcs12 -export -in cert_publicpart.pem -inkey cert_privatekey.key -out cert_newCSP.pfx -CSP "Microsoft Platform Crypto Provider"
Again, specify a password and the new .pfx should be good to go!
Optionally, if you want to verify the CSP:
openssl pkcs12 -in "cert_newCSP.pfx" -out "cert_newCSP.pem"
Open the .pem file, find -----BEGIN ENCRYPTED PRIVATE KEY----- and look for Microsoft CSP Name: Microsoft Platform Crypto Provider right above that.
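The three steps above, scripted as an added example (not the answer's own script) so the CSP bag attribute can be checked without opening the .pem by hand. The starting .pfx is constructed here from a throwaway self-signed certificate, and the password is a constructed demo value; -passin/-passout stand in for the interactive prompts the answer mentions.

```shell
#!/usr/bin/env bash
# Added example, not the answer's own script: rebuild a PFX with the
# "Microsoft CSP Name" bag attribute and confirm the attribute is present.
# The input PFX, names and password are all constructed for the demo.

WORK=$(mktemp -d)
PASS=demo-password   # constructed; the real one comes from your secret store

# A starting .pfx, standing in for the one exported from MMC (no CSP set).
make_demo_pfx() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=client.example.test" \
        -keyout "$WORK/cert.key" -out "$WORK/cert.crt" >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -inkey "$WORK/cert.key" -in "$WORK/cert.crt" \
        -out "$WORK/cert.pfx" -passout "pass:$PASS"
}

# The answer's steps: split the PFX, then re-export naming the provider.
# -nodes keeps the intermediate key file unencrypted so no prompt appears;
# it lives only inside the temp directory.
rebuild_with_csp() {
    pfx_in=$1; pfx_out=$2; csp=$3
    openssl pkcs12 -in "$pfx_in" -nokeys -passin "pass:$PASS" \
        -out "$WORK/cert_publicpart.pem" || return 1
    openssl pkcs12 -in "$pfx_in" -nocerts -nodes -passin "pass:$PASS" \
        -out "$WORK/cert_privatekey.key" || return 1
    openssl pkcs12 -export -in "$WORK/cert_publicpart.pem" \
        -inkey "$WORK/cert_privatekey.key" -CSP "$csp" \
        -out "$pfx_out" -passout "pass:$PASS"
}

# Prints the "Microsoft CSP Name" bag attribute stored next to the key,
# or nothing when the PFX carries none (the verification step of the answer).
csp_name_of() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$PASS" 2>/dev/null \
        | sed -n 's/^ *Microsoft CSP Name: //p'
}

make_demo_pfx \
    && rebuild_with_csp "$WORK/cert.pfx" "$WORK/cert_newCSP.pfx" "Microsoft Platform Crypto Provider"
csp_name_of "$WORK/cert.pfx"          # empty
csp_name_of "$WORK/cert_newCSP.pfx"   # Microsoft Platform Crypto Provider
```

The attribute is just a hint inside the PKCS#12 key bag; OpenSSL neither validates nor uses it, so the check only confirms that the Windows-side importer will be told which provider to store the key under.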
I need to verify an X509 cert signature with a DSA public key. My cert file is x509.crt and my DSA public key is in a file named dsa_pub.key.
I am trying to use openssl for this purpose. I have read the openssl verify documentation but I can't find any reference to DSA within it.
When I run the following command, I can see my DSA Public Key within the cert:
openssl x509 -in cert.crt -text -noout
However, I am hitting a wall when it comes to verifying cert.crt using my DSA public key from the file dsa_pub.key
I would appreciate any advice.
To verify, use the command pkeyutl as well as the verify command. See the documentation here for details.
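Both routes the answer names, worked through as an added example (not the answer's own script). It builds a DSA-signed certificate, then verifies it once with openssl verify against the signer's certificate and once with pkeyutl against a bare DSA public key file like the question's dsa_pub.key. The signer, subjects and file names are constructed; the pkeyutl route assumes the certificate was signed with SHA-256 (replace -sha256 in the dgst step with whatever openssl x509 -text shows under Signature Algorithm).

```shell
#!/usr/bin/env bash
# Added example, not part of the original answer: verify a certificate's DSA
# signature (a) as a chain with `openssl verify` and (b) by hand with
# `openssl pkeyutl` and a bare public key. Everything here is constructed.

WORK=$(mktemp -d)

# A DSA signer and a certificate it signs. 2048-bit parameter generation
# can take several seconds.
make_dsa_signed_cert() {
    openssl dsaparam -out "$WORK/dsa.params" 2048 2>/dev/null || return 1
    openssl gendsa -out "$WORK/ca_dsa.key" "$WORK/dsa.params" 2>/dev/null || return 1
    openssl req -x509 -new -key "$WORK/ca_dsa.key" -sha256 -days 30 \
        -subj "/CN=DSA Signer" -out "$WORK/ca.crt" >/dev/null 2>&1 || return 1
    # The bare public key, as in the question's dsa_pub.key.
    openssl dsa -in "$WORK/ca_dsa.key" -pubout -out "$WORK/dsa_pub.key" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca_dsa.key" \
        -CAcreateserial -sha256 -days 30 -out "$WORK/x509.crt" >/dev/null 2>&1
}

# Route 1: chain verification, trust anchor = the DSA signer's certificate.
verify_with_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Route 2: raw signature check. A certificate is SEQUENCE { tbsCertificate,
# signatureAlgorithm, signatureValue BIT STRING }. Pull out tbsCertificate,
# hash it, pull the signature out of the BIT STRING, and let pkeyutl check
# hash against signature with the bare public key.
verify_with_pkeyutl() {
    cert=$1; pubkey=$2
    openssl x509 -in "$cert" -outform DER -out "$WORK/cert.der" || return 1
    # Offset 4 skips the outer SEQUENCE header (30 82 LL LL), which holds
    # for any certificate between 256 and 65535 bytes long.
    openssl asn1parse -in "$WORK/cert.der" -inform DER -strparse 4 -noout \
        -out "$WORK/tbs.der" || return 1
    openssl dgst -sha256 -binary -out "$WORK/tbs.sha256" "$WORK/tbs.der" || return 1
    # The signature BIT STRING is the last top-level element; its content is
    # the DER SEQUENCE { r, s } that pkeyutl expects for DSA.
    sig_off=$(openssl asn1parse -in "$WORK/cert.der" -inform DER \
        | grep 'BIT STRING' | tail -n 1 | cut -d: -f1 | tr -d ' ')
    openssl asn1parse -in "$WORK/cert.der" -inform DER -strparse "$sig_off" -noout \
        -out "$WORK/sig.der" || return 1
    openssl pkeyutl -verify -pubin -inkey "$pubkey" \
        -in "$WORK/tbs.sha256" -sigfile "$WORK/sig.der" >/dev/null 2>&1
}

make_dsa_signed_cert \
    && verify_with_chain "$WORK/x509.crt" && echo "chain: OK" \
    && verify_with_pkeyutl "$WORK/x509.crt" "$WORK/dsa_pub.key" && echo "pkeyutl: OK"
```

The chain route is what production code should use, because it also checks validity dates, name constraints and the CA flag; the pkeyutl route only answers the narrow question of whether this public key produced this signature over this certificate body.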
Background
We have MS Azure cloud hosting
Purchased a wildcard SSL certificate for my domain from a 3rd party (not Microsoft)
Created a CSR file + private key file
Used these & have been issued x509 and PKCS7 certs from SSL issuer
Azure requires a PFX file, so have been attempting to follow the ssl.com tutorial here: https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/
Issue
Running the openssl command in terminal on my local machine (breaks inserted for readability)
openssl pkcs12 -export -out certificate.pfx -password pass:somepassword
-inkey domain.key -in certificate.crt
I receive the following error:
140735704675208:error:0906D06C:PEM routines:PEM_read_bio:no start line
:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/pem/pem_lib.c:704:
Expecting: ANY PRIVATE KEY
But I've supplied the key? I'm confused. I'm an SSL beginner when it comes to Azure. What am I doing wrong?
Note, I included the -password parameter because MS Azure expects PFX files to be password protected. This is not optional: they HAVE to be protected.
EDIT
Having regenerated a CSR & Key using Openssl, I get a new error that the key file isn't valid. To ensure I'm not missing something obvious:
What do I do with the X509?
What do I do with the PKCS7?
Got bored messing about with openssl and terminal so found a GUI to do it. Steps:
Copy X509 contents, paste into code editor, save as cert.pem
Copy private key, paste into code editor, save as private.key
Go to https://help.configuressl.com/ssl-tools/ssl-converter/, upload both
Set password
Export as PFX
This generates a password protected PFX which can then be uploaded to Azure.
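For readers who would rather stay in the terminal, an added example (not from either post) that does the pre-flight the error message calls for: "PEM_read_bio:no start line ... Expecting: ANY PRIVATE KEY" is raised when OpenSSL reads the -inkey file and finds no "-----BEGIN ...-----" line in it, so the script classifies each input before running pkcs12 -export, converts a DER key to PEM, and unpacks the PKCS7 bundle, which is the certificate chain (leaf plus issuer). All input files, names and the password are constructed here.

```shell
#!/usr/bin/env bash
# Added example, not from the question or the answer: classify the inputs
# to `pkcs12 -export` before running it, convert a DER key, and unpack the
# PKCS7 chain bundle. All files and the password are constructed.

WORK=$(mktemp -d)
PASS=somepassword   # constructed, mirrors the question's -password pass:...

# Stand-ins for what the issuer returns (X509 leaf, PKCS7 bundle holding the
# issuer certificate) and for the CSR's key, once as PEM and once as DER.
make_demo_inputs() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Demo Issuer" \
        -keyout "$WORK/issuer.key" -out "$WORK/issuer.crt" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=*.example.test" \
        -keyout "$WORK/domain.key" -out "$WORK/domain.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/domain.csr" -CA "$WORK/issuer.crt" -CAkey "$WORK/issuer.key" \
        -CAcreateserial -sha256 -days 30 -out "$WORK/certificate.crt" >/dev/null 2>&1 || return 1
    openssl crl2pkcs7 -nocrl -certfile "$WORK/certificate.crt" -certfile "$WORK/issuer.crt" \
        -out "$WORK/certificate.p7b" || return 1
    # A DER-encoded key: reading it as PEM gives exactly "no start line".
    openssl pkey -in "$WORK/domain.key" -outform DER -out "$WORK/domain_der.key"
}

# Names what a file is by its PEM header. A DER file has none.
classify_file() {
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"; then echo pem-key
    elif grep -q -- '-----BEGIN .*CERTIFICATE REQUEST-----' "$1"; then echo pem-csr
    elif grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo pem-cert
    elif grep -q -- '-----BEGIN PKCS7-----' "$1"; then echo pem-pkcs7
    elif openssl asn1parse -inform DER -in "$1" >/dev/null 2>&1; then echo der
    else echo unknown
    fi
}

# Hands pkcs12 a PEM key: passes PEM through, converts DER, refuses anything
# else (a CSR or certificate in the -inkey slot is a common mix-up).
ensure_pem_key() {
    kind=$(classify_file "$1")
    case "$kind" in
        pem-key) cp "$1" "$2" ;;
        der)     openssl pkey -inform DER -in "$1" -out "$2" ;;
        *)       echo "$1 is $kind, not a private key" >&2; return 1 ;;
    esac
}

# The PKCS7 is the issued chain. Unpack it to plain PEM; pkcs12 picks the
# certificate that matches the key and stores the others as the chain.
build_pfx() {
    key=$1; p7=$2; out=$3
    ensure_pem_key "$key" "$WORK/key.pem" || return 1
    openssl pkcs7 -in "$p7" -print_certs -out "$WORK/chain.pem" || return 1
    openssl pkcs12 -export -out "$out" -passout "pass:$PASS" \
        -inkey "$WORK/key.pem" -in "$WORK/chain.pem"
}

# Number of certificates stored in the PFX (expect leaf plus issuer).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

make_demo_inputs
classify_file "$WORK/domain_der.key"   # der: the kind of key that triggers the error
build_pfx "$WORK/domain_der.key" "$WORK/certificate.p7b" "$WORK/certificate.pfx" \
    && pfx_cert_count "$WORK/certificate.pfx"
```

Running classify_file over the key file first turns a cryptic PEM error into a plain statement of what the file actually is; in the question's case the X509 file is the same leaf certificate that the PKCS7 bundle already contains, so the bundle alone supplies everything the PFX needs besides the key.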
I've built a LAMP solution that generates many powershell files that are automated to run on many Windows Servers.
I need to generate a public/private key pair within Linux, so that I can sign the powershell files and then verify their authenticity in Windows, via powershell's execution policy being set to "AllSigned"
I've tried PGP but have found that the public key it generates is not accepted by Windows Server's certificate manager.
I'd like to use private keys that are not backed by a Root Authority, and there are many different powershell scripts that need to be authenticated and run on many Windows servers.
My question is - How to generate x.509 keypair that windows certificate manager will accept, that will work with Powershell's "AllSigned" execution policy?
Any help is appreciated.
Have you tried using openssl command?
See http://www.ipsec-howto.org/x595.html
As #Peter suggested, OpenSSL was the answer!
Following instructions on this page, I was able to generate my own public/private key pair and import the public key into Windows Server Certificate Manager.
I used this command to generate the keys:
openssl req -nodes -x509 -sha256 -newkey rsa:4096 -keyout "PrivateKey.key" -out "PublicKey.crt" -days 99999
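An added example (not the answer's command) that extends the same self-signed generation with the extensions Windows checks: Set-AuthenticodeSignature only accepts a certificate carrying the codeSigning extended key usage, which a plain openssl req -x509 with the default config does not add. The config, subject, file names and password are constructed; the PFX is the form that carries the private key to the Linux or Windows host that signs, while the .crt alone goes to each server's Trusted Publishers (and, being self-signed, Trusted Root) store.

```shell
#!/usr/bin/env bash
# Added example, not the answer's own command: a self-signed certificate
# with the code-signing extended key usage, plus the PFX for the signing
# host. Config, names and password are constructed for the demo.

WORK=$(mktemp -d)
PASS=demo-password   # constructed

# Minimal req config. The [codesign] section is what makes this a
# code-signing certificate rather than a generic self-signed one.
write_config() {
    cat > "$WORK/codesign.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = codesign
prompt             = no

[ dn ]
CN = LAMP Script Signer

[ codesign ]
basicConstraints     = critical, CA:FALSE
keyUsage             = critical, digitalSignature
extendedKeyUsage     = critical, codeSigning
subjectKeyIdentifier = hash
EOF
}

# Same shape as the answer's command, with -config pulling in the extensions.
make_signing_cert() {
    write_config
    openssl req -nodes -x509 -sha256 -newkey rsa:4096 -days 3650 \
        -config "$WORK/codesign.cnf" \
        -keyout "$WORK/PrivateKey.key" -out "$WORK/PublicKey.crt" >/dev/null 2>&1
}

# Succeeds only if the certificate carries the Code Signing EKU.
has_codesigning_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'Code Signing'
}

# Key plus certificate for the host that signs the scripts; the servers
# that only run them never receive this file.
make_signer_pfx() {
    openssl pkcs12 -export -inkey "$WORK/PrivateKey.key" -in "$WORK/PublicKey.crt" \
        -out "$WORK/Signer.pfx" -passout "pass:$PASS"
}

make_signing_cert && has_codesigning_eku "$WORK/PublicKey.crt" && echo "EKU: Code Signing" \
    && make_signer_pfx
```

Keeping CA:FALSE on the certificate matters here because the same file is going to be placed in a trusted root store: it means the key can sign scripts but cannot issue further certificates that those servers would trust.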
I'm trying to create a CSR file on Ubuntu 13. How can I do it from the command line? I know how to do it on Mac OS in the Keychain, but I actually don't have one.
This is what I tried on Mac OS:
Within the Keychain Access drop down menu, select Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.
In the Certificate Information window, enter the following information:
In the User Email Address field, enter your email address.
In the Common Name field, create a name for your private key (e.g., John Doe Dev Key).
The CA Email Address field should be left empty.
In the "Request is" group, select the "Saved to disk" option.
Click Continue within Keychain Access to complete the CSR generating process.
You can use the following command to generate a CSR and private key:
openssl req -new -keyout server.key -out server.csr
You can follow the detailed documentation regarding CSRs below:
https://www.sslshopper.com/what-is-a-csr-certificate-signing-request.html
You can use the openssl req command; there are instructions here:
https://help.ubuntu.com/10.04/serverguide/certificates-and-security.html
It's a little bit of a process but it will boil down to something along the lines of:
openssl req -new -key server.key -out server.csr
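Both answers leave the subject fields to interactive prompts. As an added example (not from either answer), the same openssl req -new step done non-interactively, with a subjectAltName (which the prompts never ask for and which browsers require), followed by the checks worth running before handing the CSR to a CA. The host names, organisation and file names are constructed; -addext needs OpenSSL 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Added example, not part of either answer: non-interactive CSR with a SAN,
# then the sanity checks on the result. All names are constructed.

WORK=$(mktemp -d)

# -subj replaces the prompts; -addext requests the SAN extension.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/O=Example Org/CN=www.example.test" \
        -addext "subjectAltName=DNS:www.example.test,DNS:example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
}

# A CSR is self-signed with the requested key; a failed check means the file
# was corrupted, typically by copy-pasting it.
csr_is_valid() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# The subject exactly as the CA will see it.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# The DNS names requested in the SAN extension, one per line.
csr_san_names() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *DNS://'
}

# The key file and the CSR must belong together: compare public keys.
key_matches_csr() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}

make_csr && csr_is_valid "$WORK/server.csr" && echo "CSR self-signature OK"
csr_subject "$WORK/server.csr"
csr_san_names "$WORK/server.csr"
key_matches_csr "$WORK/server.key" "$WORK/server.csr" && echo "key matches CSR"
```

The CA only ever sees the CSR, so run csr_subject and csr_san_names on the file you are about to upload rather than on what you remember typing; key_matches_csr is the check to run before the certificate comes back, since a mismatched key is the usual cause of a "private key does not match" error at install time.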