.KEY and .CSR files but no .CRT file - node.js

I'm working on migrating a Java app to NodeJS. They are using SSL and they gave me some files related to this:
www.domain.com.key
www.domain.com.csr
But I'm not an expert on this topic, and I'm trying to set up the SSL certificate with Express, but it seems a .CRT file is also required.
I asked them, but they told me that the .CRT is actually inside the .CSR file.
Not sure what I should do to make it work; I've been reading and trying lots of things without success. Any idea?
Thanks.

The .key file is probably your PRIVATE key.
The .csr file is a CERTIFICATE REQUEST, probably signed with your private key.
What you need is probably a .crt: a certificate corresponding to your CSR, signed by a certificate authority (or self-signed, depending on what you want to accomplish).
node (like any other web server) is supposed to ask you for 3 things:
- your private key
- the certificate
- the certificate chain, possibly, depending on the certificate
What you can do is open the different files with a text editor and see whether you see the certificate inside:
you should see things like -----BEGIN CERTIFICATE----- or -----BEGIN PRIVATE KEY----- or -----BEGIN CERTIFICATE REQUEST-----; that will tell you the exact content of the files.

Related

NodeJS 14: Using a SSL CA Bundle

I'm currently trying to use a CA Bundle with NodeJS 14.0. I've been using Namecheap's article as a guide to implement this feature. I'm currently stuck on a few things:
For the ca parameter for https.createServer(), what file formats are allowed to be passed in?
How do I check that a CA bundle is actually being used?
For the ca parameter for https.createServer(), what file formats are allowed to be passed in?
From NodeJS tls.createSecureContext:
Any string or Buffer can contain multiple PEM CAs concatenated together
Though, in general NodeJS uses PEM format.
How do I check that a CA bundle is actually being used?
You can use a certificate not signed by your CA, e.g. a self-signed certificate.
One point, possibly more subtle than you wanted: nodejs tls.createSecureContext internally calls OpenSSL PEM_read_bio_X509_AUX which actually accepts three PEM formats (or any sequence of those three formats, since nodejs loops). For two of them the base64/64cpl blob contains (exactly) an X.509 certificate, as respecified in rfc7468 sec 5, with either preferred label "CERTIFICATE" or deprecated label "X509 CERTIFICATE". In addition OpenSSL accepts a format of its own with label "TRUSTED CERTIFICATE" where the blob contains an X.509 certificate plus additional (ASN.1) data defined by OpenSSL; see e.g. the man page for d2i_X509_AUX online here. OpenSSL doesn't use this additional data for much, and of course nothing else uses it at all, so it's rare.
And to avoid confusion it might be worth noting that all OpenSSL PEM_read_ routines, including this one, skip any 'comment' data while searching for the PEM data, so actually a file/buffer that contains garbage, then a PEM cert, then more garbage, then another PEM cert, etc. will work the same as if it contained only the PEM certs.

How to configure NTP with autokey using our own Certificates

I am configuring NTP with autokey to make NTP more secure. I don't want to use the default certificate, which can be generated using the ntp-keygen command line tool. ntp-keygen generates one RSA key, one IFF key and one md5withRSA signature certificate, but I want to use my own certificate, which is generated using the signature algorithm SHA1withRSA. But when I put my certificate and key in place of the ntp default certificate and key, it showed me this error on startup of ntpd.
Jan 19 20:52:22 GURNTP20150710 ntpd[21084]: crypto_key: no filestamp /etc/ntp/ntpkey_host_hostname
Jan 19 20:52:22 GURNTP20150710 ntpd[21084]: crypto_setup: host key file ntpkey_host_hostname not found or corrupt
Can anyone help me secure my ntp server and client using the autokey protocol while using my own certificate and key?
Thanks in advance. :)
I got the answer for the above problem. So the answer to "can I use my own certificates generated by openssl to secure my ntp?" is YES.
I was facing a problem (the above error) after putting my openssl certificates on the /etc/ntp/ path.
Answer: It was because ntp, on startup, looks for the "ntpkey_" keyword in the certificate's and key's names. So I had to rename my own certificate to follow this naming convention, but unfortunately I got the same error again.
This time it was due to the content of the certificate file. I checked ntp-keygen's code and figured out that ntp opens the certificate and key files on startup using the fopen C library function and looks for a "." (dot).
Actually, when ntp-keygen generates the certificates and keys, it puts a comment on the very first line of the certificate and key with the file name, which contains the file time stamp after the dot. That's why ntpd looks for a dot in the certificate file. So I added the file name of the ntp certificate and key, with the file time stamp, as the first line of the cert and key.
It's working fine now.
Thanks :)

How to use an SSL certificate from wosign in node.js

I'm trying to use a free ssl certificate(s?) I got from wosign in node.js, but I'm having some issues.
I'm creating my server with:
var server = https.createServer({key: serviceKey, cert: certificate}, httpHandler).listen(port)
which works fine with my self-signed certificate. To allow wosign to generate a certificate, I gave them the CSR that was generated alongside my self-signed certificate. They gave me the following files:
root.crt
3_user_my.domain.crt
2_issuer_Intermediate.crt
1_cross_Intermediate.crt
I've also read through the following couple of sources to help me along:
https://www.ohling.org/blog/2015/02/wosign-free-2y-ssl-certificate.html
http://www.lowendtalk.com/discussion/41289/free-chinese-2-year-ssl-certificate-dv-kuaissl-by-wosign-com
Both mention that the "order" of the certificates is important, but I don't know what they mean there. I assumed that there would be a single certificate I could replace my self-signed certificate with. If there's an order, I assume it goes 1->2->3 as those numbers are in the filenames.
I replaced my certificate with the 3_user_my.domain.crt contents, and it works like my self-signed one: Chrome says it should only work on localhost.
So how do I "order" these certs and ultimately how do I use the files given to me so that browsers will recognize it correctly?
Ok, I got it working.
A. I learned that the "certificate" used actually can be multiple certificates (crt files that only have one -----BEGIN CERTIFICATE----- and one -----END CERTIFICATE-----). So in order to make it work right, I needed to create one certificate file/string that contained 3 of the 4 certificates I got, in the right order (apparently the root.crt isn't useful).
B1. The English set of certificates wosign gave me didn't match my private key, which I verified using the following:
openssl x509 -noout -modulus -in yourcertificate.crt | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5
# If both outputs match, the cert matches the key, otherwise they don't
B2. So I chose the Chinese certificate option, and there was a much different set of certs in the archive I got from that. I used the bundled cert for NGINX, and that works!

Why do I have a wrong (sha1) intermediate startcom certificate in my chain on azure website?

My intermediate certificate on https://paper-shape.com got a weak signature algorithm, SHA1: https://www.ssllabs.com/ssltest/analyze.html?d=paper-shape.com
I followed these instructions. I created my pfx file both per OpenSSL and per the certificate export wizard.
The CRT and pem (intermediate certificate from startcom) seem to be ok, because the following command shows "Signature Algorithm: sha256WithRSAEncryption" on both (CRT and PEM):
$ openssl x509 -text -in paper-shape.com.crt
Either something went wrong during my pfx creation process or azure website overrules my intermediate certificate.
Has anybody an idea?
Check your locally-installed certificates (on Windows, 'certmgr.msc'). You may have an old SHA-1-signed copy of the StartCom intermediate certificate which is still valid (say, to 2017) and being used in preference to that provided by the server.
You can find (and chain) the SHA-256 intermediate certificate for Class-1 in PEM format, here: https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
I have been facing this same problem. I was about to pull my hair out when the certificate seemed to be right in some browsers and OSes, and in others it claimed I was using SHA-1, and even https://shaaaaaaaaaaaaa.com was telling me that I had a SHA-2 signed crt.
So! Here is a huge thread in StartCom forum about this issue: https://forum.startcom.org/viewtopic.php?f=15&t=15929&st=0&sk=t&sd=a
The thing is that the browser is using an Intermediate crt that is SHA-1 signed.
The solution: you need to configure the intermediate crt in your server!
You can see more details here:
https://sslmate.com/blog/post/chrome_cached_sha1_chains

Setting https on expressjs PEM routines:PEM_read_bio:no start line

A few similar threads exist but none has a checked answer or much discussion. I'm trying to set up an https server on express js but I'm getting
crypto.js:100
c.context.setKey(options.key);
^
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
I generated my .csr and .key files with
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out myserver.csr
One suggestion was to convert the .csr to a .pem by following these instructions: http://silas.sewell.org/blog/2010/06/03/node-js-https-ssl-server-example/
That didn't work.
The express.js docs (http://nodejs.org/api/https.html) show both of these files as .pem, however. If that's the issue, how would you convert a .key file to a .pem? This thread is partially helpful: How to get .pem file from .key and .crt files? But if anyone knows what expressjs requires, I feel that's the missing component.
How would I check that the files are properly in ANSI, or convert them if not?
There is also some discussion on whether the file should begin with -----BEGIN ENCRYPTED PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY-----
Any help is greatly appreciated.
So I think there's at least a little bit of terminological confusion, and the node.js example you have there doesn't help by renaming everything to .pem.
Here's a general overview for how SSL works:
You generate a pair of public and private keys. For our purposes the former is your "certificate signing request" (CSR for short) and the latter is your private signing key (just "your key").
If you wanted to generate a self-signed certificate (this is useful for local testing purposes) you can turn around and use your key and your CSR to generate a certificate. This link http://www.akadia.com/services/ssh_test_certificate.html has a pretty clear rundown of how to do that on a *nix based system.
For the purposes of web browsers, SSL certificates need to be co-signed by a trusted authority, e.g. a Certificate Authority (CA). You pay a CA to co-sign your cert, and vouch for your authenticity with browser vendors (who will in turn display a green padlock for your site when your website presents its certificate to browsers).
The co-signing process starts with you uploading your CSR to your CA. They will then take that CSR and generate your certificate. They will then provide you with a couple of certificates, your certificate, their root certificate, and possibly some intermediate certificates.
You then need to form a combined certificate that proves a chain of authenticity back to browsers. You do this literally just by concatenating your certificate, followed by the intermediate certificates (in whatever order was specified) ending with the root certificate. This combined certificate is what you hand to your web server.
In order to enable your web server to serve over SSL, you need to hand it your (combined) certificate as its public encryption key (which it provides to web browsers upon request), and your private encryption key, so that it can decrypt the traffic sent to it by web browsers.
So. Now with all of that in mind, you should take that CSR that you have and provide it to your CA, and get the various certificates back, concatenate them, and then use that w/ your private key in your express server.
