We are trying to update an SSL certificate in our Azure Web App. Accordingly to the Private Certificate Requirements we need to use triple DES for a private key now. Here's are steps that I'm doing:
Generate private key on my PC using triple DES:
openssl genrsa -des3 -out privatekey.key 2048
Generate csr:
openssl req -new -key privatekey.key -out mycsr.csr
Re-key certificate on Godaddy Portal.
Using new crt-file generate a pfx:
openssl pkcs12 -export -out cert.pfx -inkey privatekey.key -in mycert.crt
Unfortunately, generated certificate is not accepted by Azure portal. I'm getting an error message "The password is incorrect, or the certificate is not valid".
Ubuntu 22.04 uses a yescrypt hashing algorythm. Try to generate the pfx on
1: Created private key and certificate by using following command
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout private.key -out certificate.crt
2: Have simple text file to sign
$ cat message.txt
this is a test file.
3: Signed it with
openssl cms -sign -in message.txt -text -out OutMessage.txt -inkey private.key -signer certificate.crt
4: for verification
openssl cms -verify -in OutMessage.txt -signer user.pem -out signedtext.txt
I am not sure why I am getting following error while verification step is performed, Please some one can help me out.
$ openssl cms -verify -in OutMessage.txt -signer user.pem -out signedtext.txt
Verification failure
140539655524800:error:2E099064:CMS routines:cms_signerinfo_verify_cert:certificate verify
error:../crypto/cms/cms_smime.c:253:Verify error:self signed certificate
You're getting an error as you're using a self signed certificate, at least that's what the error is telling you. You can either add the certificate to your trust, or disable the certificate verify check when executing the command with the -no_signer_cert_verify option.
How to create valid certificate using OpenSSL for using HTTPS binding in IIS ??
It must work in Firefox and all other browsers as well
I am using IIS 10 server. And Firefox v70, Firefox Dev edition v72b5, Chrome v79, Edge v44. I want the HTTPS binding to work in all of these browsers.
Ok. I think, I found out the answer,
A certification authourity have to be created to use HTTPS binding and hereby all our certificates will be signed from it. For that download a suitable version of OpenSSL from here: Win32/Win64 OpenSSL Installer for Windows And Install it. Then, for fast and easier working a few script file can be made,
In the folder (in which the script is running) add a folder named #. All the certicate files will be stored there.
for making Root Certificate's create RootCA.bat,
openssl genrsa -des3 -out #/RootCA.key 4096
openssl req -x509 -new -nodes -sha256 -days 730 -key #/RootCA.key -out #/RootCA.crt -config rootca.csr
openssl pkcs12 -export -out #/RootCA.p12 -inkey #/RootCA.key -in #/RootCA.crt
openssl pkcs12 -export -out #/RootCA.pem -inkey #/RootCA.key -in #/RootCA.crt
openssl pkcs12 -export -out #/RootCA.pfx -inkey #/RootCA.key -in #/RootCA.crt
And, For RootCA's details create RootCa.csr,
[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=US
ST=New York
L=Rochester
O=Developer
OU=CodeSigner
CN=*.codesigning.in
[ req_ext ]
subjectAltName = #alt_names
[ alt_names ]
DNS.1 = *.codesigning.in
When you Run RootCA.bat it will create a certificate using RootCa.csr's details and Export a .pem, .pfx and .p12 along with certificate file (a RootCA.csr and 'RootCA.key' is also created).
Now, for servers certificate create server.bat,
openssl req -new -sha256 -nodes -out #/server.csr -newkey rsa:2048 -keyout #/server.key -config server.csr
openssl x509 -req -in #/server.csr -CA #/RootCA.crt -CAkey #/RootCA.key -CAcreateserial -out #/server.crt -days 365 -sha256 -extfile v3.ext
openssl pkcs12 -export -out #/server.p12 -inkey #/server.key -in #/server.crt -chain -CAfile #/RootCA.crt
openssl pkcs12 -export -out #/server.pem -inkey #/server.key -in #/server.crt -chain -CAfile #/RootCA.crt
openssl pkcs12 -export -out #/server.pfx -inkey #/server.key -in #/server.crt -chain -CAfile #/RootCA.crt
And, Of course for details create a server.csr file,
[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=US
ST=New York
L=Rochester
O=Developer
OU=Test & Learn
CN=*.localhost.in
[ req_ext ]
subjectAltName = #alt_names
[ alt_names ]
DNS.1 = *.localhost.in
And, Another file named v3.ext (I don't quite know about it),
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = #alt_names
[ alt_names ]
DNS.1 = *.localhost.in
Again When you Run server.bat it will create a certificate using server.csr's details and Export a .pem, .pfx and .p12 along with certificate file (a server.csr and server.key is also created).
Note: You will have to modify the server.csr for your custom domains (default by, its gonna create for dev.localhost.in domain).
!!! Warning: You Have to remember the passwords you enter. And You might modify the RootCA.csr and RootCA.bat as your need. (to increase expiration, modify deatails etc.)
Adding to Windows,
As i use windows i only know about importing to windows. To add in windows simply click on the RootCA.p12 file and import it. Remember, you have to trust the RootCA in Trusted Root Certification Authourity And in Intermediate Certification Authourity.
All the browsers Except for firefox will trust the site. WORK Done (Partially)!!
You can check it using mmc in the run. And then snap-in certificates using Ctrl + M.
Adding to FireFox,
Because FireFox uses it own Certificate Managers and doesn't pay any heed to systems certificates. So, You will have to manually have to import the RootCA.crt for trust And all the inheriting certificates will be trusted. As Follows,
NOW, Import the certificate and simply add HTTPS binding with the certificate And Host the website using any server (even IIS etc).
when a created the certificate it's ok..but when add to windows, this error occur..This certificate has an invalid digital signature.
I have a node.js application heberged in heroku, as you know heroku generate free certificate SSL automatically, but when I generate the pem file (I use openssl for this) from this certificate to include it in a terminal to let him communicate with server, the error 403 forbidden goes, and know I have 401 which is Unauthorized, can anyone help me how to access to the server from my terminal?
Here are the command that I use to generate file.key, file.crt and file.pem.
openssl genrsa -des3 -out server.pass.key 2048
openssl rsa -in server.pass.key -out server.key
openssl req -nodes -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
bash -c 'cat server.key server.crt server.pem
I'm trying to start a https server using this code in Pharo3.0 on ubuntu 14.04 32bit (but I've also tried on 64bit):
(ZnSecureServer on: 8343 )
certificate: '/home/monty/monty-cert.pem';
logToTranscript;
start;
yourself.
I get this error:
SSL Exception: accept failed [code:-5]
Has anyone gotten this to work on Pharo3.0 on linux? If so, how?
Thanks in advance for any suggestions!
It works on my 3.0
(ZnSecureServer on: 1235)
certificate: '/home/philippeback/.ssh/server.pem';
logToTranscript;
start;
yourself.
Certificate created with:
openssl genrsa -out privkey.pem 1024
openssl req -new -key privkey.pem -out certreq.csr
# makes certreq.csr privkey.pem
openssl x509 -req -days 3650 -in certreq.csr -signkey privkey.pem -out newcert.pem
# should say Signature ok / Getting Private key
( openssl x509 -in newcert.pem; cat privkey.pem ) > server.pem
Some screenshots