How do I get my certificate to self sign using CA - node.js

I'm new to the OpenSSL and Node community and could use some help on some commands.
I'm working on a node application where users can input their information and get a browser certificate to hit an application I have on my server. I want the user to be able to put in their information once, then have a browser cert download (in other words, all the commands need to run with no more user input).
I have the three commands using child processes in Node and OpenSSL and I'm trying to translate them over to node, but I'm having some issues.
My first command get variables from the users runs fine:
sudo openssl req -new -nodes -out /etc/pki/tls/request/bdd-req.pem -keyout /etc/pki/tls/private/bdd-key.pem -subj "/C='+country+'/ST='+state+'/L='+locality+'/O='+organization+'/CN='+name+'" -passout pass:'+password+' -x509 -days 365 -config /etc/pki/tls/openssl.cnf
However when the second command runs, I get an error:
sudo openssl ca -out /etc/pki/tls/cert-pem/bdd-cert.pem -days 365 -config /etc/pki/tls/openssl.cnf -passin pass:*PASSWORD* -keyfile /etc/pki/tls/private/cakey.pem -cert /etc/pki/tls/cacert.pem -selfsign -infiles /etc/pki/tls/request/bdd-req.pem
Error: Command failed: Using configuration from /etc/pki/tls/openssl.cnf
Error reading certificate request in /etc/pki/tls/mapedit-req-pem/bdd-req.pem
140052424636320:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: CERTIFICATE REQUEST
at ChildProcess.exithandler (child_process.js:658:15)
at ChildProcess.emit (events.js:98:17)
at maybeClose (child_process.js:766:16)
at Process.ChildProcess._handle.onexit (child_process.js:833:5)
What is the CERTIFICATE REQUEST it's asking for? Isn't that the cert flag?

Related

Pushing SocketClutser to Google K8S Engine, the Ingress service not working complaining SSL key is too large

I have created a socketcluster nodejs app. I followed their official docs to deploy the service to Google K8s Engine. However the ingress service is not running up and complains about :
Error:googleapi: Error 400: The SSL key is too large., sslCertificateKeyTooLarge
I tried following certificates:
4048 Key size certificate from Let'sEncrypt
2048 Key size using cert created using Open SSL.
Both of them result the the same error.
Do any one know how do I resolve this? And where do I get proper certificate for enabling TLS?
IIRC, only RSA-2048 and ECDSA P256 keys are supported:
openssl genrsa -out PRIVATE_KEY_FILE 2048
openssl ecparam -name prime256v1 -genkey -noout -out PRIVATE_KEY_FILE
I also struggled due to this error on using Letsencrypt certs with 4096bit private key to a GKE ingress - even creating the secret worked fine for [1].
Finally overcame with editing "/etc/letsencrypt/cli.ini"
rsa-key-size = 2048
issued new certificate, keyfile and put those into secret.
[1] https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl
On Cloud Shell, GCP with "openssl" and "gcloud", I tried to create a self-managed SSL certificate first running this command below to create "myCert.crt" and "myKey.key":
openssl req -new -newkey rsa:4096 -x509 -days 365 -nodes -out myCert.crt -keyout myKey.key
Then, ran this command below to create the self-managed SSL certificate "mycert" using "myCert.crt" and "myKey.key":
gcloud compute ssl-certificates create mycert --certificate=myCert.crt --private-key=myKey.key
But I got a similar error to yours:
ERROR: (gcloud.compute.ssl-certificates.create) Could not fetch
resource:
The SSL key is too large.
So I changed "rsa:4096" to "rsa:2048" then ran the first command again:
// "4096" is changed to "2048"
openssl req -new -newkey rsa:2048 -x509 -days 365 -nodes -out myCert.crt -keyout myKey.key
Then, ran the second command again:
gcloud compute ssl-certificates create mycert --certificate=myCert.crt --private-key=myKey.key
Finally, I could create the self-managed SSL certificate "mycert":
Created
[https://www.googleapis.com/compute/v1/projects/myproject-923743/global/sslCertificates/mycert].
NAME: mycert TYPE: SELF_MANAGED CREATION_TIMESTAMP:
2022-01-22T07:22:26.058-08:00 EXPIRE_TIME:
2023-01-22T07:22:08.000-08:00 MANAGED_STATUS:

npm start, use a valid SSL

I have an Outlook Web Add-In, running on node server, locally I need it to run with a valid ssl cert to debug in IE.
In Chrome it looks like this
I have built a cert using the following command line
C:\OpenSSL-Win32\bin\openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
I run the application using VS Code and the command line npm start
My env file is .env.development.local
it contains one line HTTPS = 'true'
I have looked at
https://www.npmjs.com/package/serve-https
It appears to look like that is not used for development
So inside scripts\start.js file what do I need to get it to respect the ssl cert.

openssl in RHEL - sign client cert with root without utilizing openssl.cnf?

Trying to achieve a sort of self-signed PKI setup utilizing openssl on RHEL, with a few caveats. I will attempt to provide as much information as possible here.
Versions: RHEL 6.7 | OpenSSL 1.0.1e-fips 11 Feb 2013
Caveats/constraints on the script: this script will be utilized to create multiple key sets - by default, one root keypair and cert and two client keypairs and certs per run. User input is asked for for file location, filename and passphrase on the client keys. All this was fairly straightforward, and I had a script that would run these commands on user request, and utilized the openssl.cnf file to point back to the root key to sign. I had used sed to change the location pointers in openssl.cnf based on filename originally, and was successfully able to sign the client cert.
However, there are two major caveats to this:
I was asked to change the script so that it is not dynamically the script or other files per each run, meaning openssl.cnf should not be edited on the fly if possinble. If this is needed to function however, then it should be fine.
The user needs to be able to run multiple sets of this script ad hoc, especially with regards to the client keypairs (I have the root script and the client generation script separate in a user selectable menu). That is to say, generating the client keypair is requisite on having a root key to associate with, but can be done multiple times, and the client key script should ask the user with which root key to associate and sign from?
Because of these constraints, it didn't seem that editing openssl.cnf was a prudent option, and not very scalable. So, given this info my question which I've been unable to figure out is simply:
Is there a way to point a client key to a variable which would be the root key cert to sign? (Rather than utilizing openssl.cnf for the 'certificate' and 'private_key' entries?)
As of now, I have:
root key & cert:
openssl req -config $dir/openssl.cnf -new -x509 -days 3652 -nodes -sha384 -newkey ec:ec-secp384r1.pem -keyout $userdir/${rootName}_private.key -out $userdir/${rootName}.crt -subj "stuff_here"
...
export rootName
client keys & certs:
read -p "Which root key do you want to associate this client keypair with? Please type absolute filepath and filename (ending in .key); rkAssoc #STILL NEED TO USE THIS VARIABLE
##KEY GENERATION
openssl req -newkey ec:ec-secp384rp1.pem -keyout $userdir/{$clientName}_privat.key -out $userdir/client/${clientName}.csr -subj "Stuff_here"
##SIGN CSR
openssl ca -config $dir/openssl.cnf -policy policy_anything -extensions usr_cert -days 730 -notext -md sha384 -in $userdir/client/${clientName}.csr -out $userdir/client/${clientName}_signedprivatekey.pem && echo "Client key created."
So I guess,
1) Did i do the client signing correctly (something seems off about it but not sure)
2) instead of referencing -req openssl.cnf I presume there is probably some kind of flag where you could do something more like
openssl ca ... -cert ${rkAssoc}
is this remotely correct or am I way off?
Thanks in advance for anyone who lends a hand.
OpenSSL has multiple ways of doing the same thing. You found one way of signing a CSR, with openssl ca. openssl x509 can act as a mini CA, so to eliminate the need for a config file, you could do something like:
openssl x509 -req -in /tmp/mykey.csr.pem -CA /path/to/ca/mycacert.pem -CAkey /path/to/ca/cakey engine -CAserial /path/to/ca/myca.srl -days 3600 -out /tmp/mykeypub.cert.pem
Where -CA points to your root CA cert, and -CAkey to your root CA key.

npm http-server with SSL

I'm using the npm package "http-server" (https://www.npmjs.com/package/http-server) to set up a simple webserver, but I cannot get it to use SSL. My command in package.json is
http-server -p 8000 -o -S
with a cert.pem and key.pem in my root directory (for now). The "-o" option opens a browser to the default page, but the page is served using HTTP and not even accessible through HTTPS. I don't get any errors or warnings. I've also tried adding the "-C" and "-K" options without luck. Has any one had any success with this package?
First, make sure that you have key.pem and cert.pem files. You can generate them using this command:
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
You will be prompted with a few questions after entering the command. Use 127.0.0.1 as value for "Common name" if you want to be able to install the certificate in your OS's root certificate store or browser so that it is trusted.
This generates a cert-key pair and it will be valid for roughly 10 years (3650 days to be exact).
Then you need to run the server with -S for enabling SSL and -C for your certificate file:
$ http-server -S -C cert.pem -o
Starting up http-server, serving ./ through https
Available on:
https:127.0.0.1:8080
https:192.168.1.101:8080
https:192.168.1.104:8080
Hit CTRL-C to stop the server
I installed mkcert:
brew install mkcert
brew install nss # if you use Firefox
mkcert -install
Then, in your project directory:
mkcert 0.0.0.0 localhost 127.0.0.1 ::1
Finally, I renamed generated files:
0.0.0.0+3-key.pem -> key.pem
0.0.0.0+3.pem -> cert.pem
And ran the following command:
http-server -S -C cert.pem -o
Then I got:
I referenced this blog: https://qiita.com/walkers/items/b90a97a99bbb27f6550f
(written in Japanese)
Just for future reference, my problem was solved by updating the package to the latest version in package.json. I copy-pasted an old example file without updating the version numbers.
EDIT: Since writing this answer there is a new tool mkcert that does this for you. See https://stackoverflow.com/a/61905546/9540493 instead. My original answer below for historical interest.
Firefox didn't accept self-signed certs, so a bit more effort was required. First create a CA:
openssl req -batch -new -newkey ec:(openssl ecparam -name prime256v1|psub) -nodes -keyout ca-key.pem -x509 -out ca.pem -days 3650 -subj "/CN=A localhost CA"
Add ca.pem (A localhost CA) to trusted certs of your OS and/or Firefox (other browsers use system CAs). Keep the ca* files in a secure location for future use, so you never have to do this again.
Then, for any site that you are running, and whenever you wish to change settings, create cert.pem and key.pem with:
openssl req -batch -new -newkey ec:(openssl ecparam -name prime256v1|psub) -nodes -keyout key.pem -subj /CN=localhost | openssl x509 -req -CAkey ca-key.pem -CA ca.pem -CAcreateserial -out cert.pem -days 365 -extfile (echo subjectAltName=DNS:localhost|psub)
The above should work on most systems. If not, you might want to create temporary files ecparam.tmp and ext.tmp. Commands functionally equivalent to the two oneliners:
# Output Elliptic Curve parameters to a temporary file
openssl ecparam -name prime256v1 -out ecparam.tmp
# Create CA
openssl req -batch -new -newkey ec:ecparam.tmp -nodes -keyout ca-key.pem \
-x509 -out ca.pem -days 3650 -subj "/CN=A localhost CA"
# Create a CSR for localhost, then sign it by CA
echo subjectAltName=DNS:localhost > ext.tmp
openssl req -batch -new -newkey ec:ecparam.tmp -nodes -keyout key.pem \
-subj /CN=localhost | openssl x509 -req -CAkey ca-key.pem -CA ca.pem \
-CAcreateserial -out cert.pem -days 365 -extfile ext.tmp

how to generate apns certificate in openshift server

I am trying to use push notifications through my nodejs server deployed in openshift rehat server. I could not find any documentation/discussion to generate apns certificate in openshift.
I tried generating a certificate, but getting an error while generating CSR using this command
openssl genrsa -out sz.key 2048
Error: unable to write 'random state'
e is 65537 (0x10001)
After some googling, I see one option is to use aerogear. But I want to use my own server to handle the notifications.
Is there any other option to generate a certificate in openshift server?
Thanks developercorey for your help. But i still see the error.
Finally generated certificate for my openshift server using this script
openssl x509 -in aps_production.cer -inform DER -out myProdCert.pem
The private key associated with the SSL certificate can be exported from the Keychain Access application on your Mac computer. - mykey.p12
openssl pkcs12 -in mykey.p12 -out myProdKey.pem -nodes -clcerts
openssl s_client -connect gateway.push.apple.com:2195 -cert myProdCert.pem -key myProdKey.pem
Hopefully this will help somebody.
Try this command:
HOME=~/app-root/data/ openssl genrsa -out sz.key 2048
Basically it is trying to write some temp data into your $HOME, but you can't write to that directory, so it won't work, but it does give somewhat of a cryptic error message.

Resources