I've built a LAMP solution that generates many PowerShell files that are automated to run on many Windows Servers.
I need to generate a public/private key pair within Linux, so that I can sign the PowerShell files and then verify their authenticity in Windows, via PowerShell's execution policy being set to "AllSigned".
I've tried PGP but have found that the public key it generates is not accepted by Windows Server's certificate manager.
I'd like to use private keys that are not backed by a root authority, and there are many different PowerShell scripts that need to be authenticated and run on many Windows servers.
My question is: how do I generate an X.509 key pair that the Windows certificate manager will accept, and that will work with PowerShell's "AllSigned" execution policy?
Any help is appreciated.
Have you tried using the openssl command?
See http://www.ipsec-howto.org/x595.html
As #Peter suggested, OpenSSL was the answer!
Following instructions on this page, I was able to generate my own public/private key pair and import the public key into Windows Server Certificate Manager.
I used this command to generate the keys:
openssl req -nodes -x509 -sha256 -newkey rsa:4096 -keyout "PrivateKey.key" -out "PublicKey.crt" -days 99999
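An added example, not part of the answer above: a plain "openssl req -x509" certificate carries no Extended Key Usage, and PowerShell's AllSigned policy only trusts signatures made with a certificate whose EKU includes codeSigning (OID 1.3.6.1.5.5.7.3.3). The script below generates the key pair with that EKU declared in a small OpenSSL config, bundles key and certificate into a PFX for import on the signing machine, and checks the EKU before anything is shipped. The subject name "ScriptSigner", the output directory and the SIGNER_PFX_PASS variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: self-signed X.509 code-signing certificate for PowerShell
# AllSigned. Subject name, paths and SIGNER_PFX_PASS are assumptions.
set -eu

# Write a minimal OpenSSL config declaring the codeSigning EKU, which
# PowerShell requires on the signer certificate.
write_signing_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name   = dn
x509_extensions      = codesign
prompt               = no

[ dn ]
CN = ScriptSigner

[ codesign ]
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature
extendedKeyUsage     = codeSigning
subjectKeyIdentifier = hash
EOF
}

# Generate the key pair and self-signed certificate into directory $1.
generate_signing_cert() {
  dir=$1
  mkdir -p "$dir"
  write_signing_config "$dir/codesign.cnf"
  openssl req -x509 -nodes -sha256 -newkey rsa:4096 -days 3650 \
    -config "$dir/codesign.cnf" \
    -keyout "$dir/PrivateKey.key" -out "$dir/PublicKey.crt" 2>/dev/null
  # Bundle key + cert into a PFX so the private key can be imported on the
  # machine that signs; the password comes from SIGNER_PFX_PASS (assumed).
  openssl pkcs12 -export -inkey "$dir/PrivateKey.key" -in "$dir/PublicKey.crt" \
    -out "$dir/Signer.pfx" -passout "pass:${SIGNER_PFX_PASS:-changeit}"
}

# Return 0 if the certificate in $1 carries the Code Signing EKU.
has_codesigning_eku() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'Code Signing'
}

if [ "${1:-}" = "run" ]; then
  generate_signing_cert ./signer
  has_codesigning_eku ./signer/PublicKey.crt && echo "codeSigning EKU present"
fi
```

Only PublicKey.crt goes into the Windows Trusted Publishers (and Trusted Root, since it is self-signed) stores on the servers that run the scripts; the PFX stays on the signing host. With OpenSSL 3 the PFX is written with AES-256 and PBKDF2 by default, which older Windows versions cannot import; adding -legacy to the pkcs12 command produces the older encoding when that is the case.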
I have purchased an App Service Certificate from Azure, but I need to change the password of it to install it in an Application Gateway. What is the password of the certificate by default? How would I change it?
The default password of the App Service Certificate when exported as PFX is empty, but as you say you cannot import it to the Application Gateway as it needs a password (other services in Azure do too). In order to change it, you can run these commands with OpenSSL (download: https://wiki.openssl.org/index.php/Binaries):
Export the PFX and private key to .pem:
openssl pkcs12 -in .\old.pfx -out old.pem -nodes
Then create a new PFX:
openssl pkcs12 -export -out .\new.pfx -in old.pem
In Windows you can import it in your machine, mark the key as exportable when importing it (there is a menu for this), and then after installing it locally, export it. Make sure to click "export private key".
I currently have an application set up in my Azure Registered Apps, and I'm unable to add my public key under 'Certificates & Secrets'. I tried generating a key like this, and the resulting public (or private, for that matter) key (.pem) was unable to be added to the app. I'm using this key for some work with JWTs, so I thought that maybe I'd need a slightly different format, so I tried making a pair like this as well. Still no luck.
The only way I was able to get some form of credential added to the app was actually creating & self-signing a .crt with the previously generated keypair, that is the only case where Azure has not complained about me adding a credential.
Trying to add anything else, even the public .pem, which it says IS a supported filetype, gives this error:
Failed to add certificate. Error detail: Upload a certificate (public key) with one of the following file types: .cer, .pem, .crt [8jpdkHO8jJ6PaePjw7NvbJ]
Having the .crt uploaded simply won't suffice; the fingerprint of the private key that I'm using with jwt.decode() isn't matching what is registered on Azure, causing errors.
I don't use Stack Overflow often, so I'm not sure on etiquette and whether re-posting after your answer has been deleted is OK. Either way, I've fixed it up and added the actual steps, rather than just linking to them.
Following the certificate generation instructions here allowed me to upload the public key.
The steps are as follows:
Generate Certificate
openssl req -x509 -days 3650 -newkey rsa:2048 -keyout key.pem -out cert.pem
Grab Thumbprint
echo $(openssl x509 -in cert.pem -fingerprint -noout) | sed 's/SHA1 Fingerprint=//g' | sed 's/://g' | xxd -r -ps | base64
You should then have a certificate azure will allow you to upload, as well as the thumbprint to use in any requests.
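An added example, not from the answer above: the sed pipeline depends on the exact "SHA1 Fingerprint=" label, which newer OpenSSL releases print in lowercase, so a stricter way to get the same value is to hash the DER encoding directly. The functions below compute the thumbprint three ways (hex as the Azure portal shows it, base64 as in the answer, and the base64url "x5t" form a JWT header expects) and keep the fingerprint-text route only to show that both agree. The file name cert.pem is an assumption.

```shell
#!/bin/sh
# Added example: certificate thumbprint in the forms Azure and JWT use.
# Input path is a PEM certificate (assumed); output has no trailing newline.
set -eu

# SHA-1 over the DER encoding, base64 encoded. Does not depend on the label
# text that "openssl x509 -fingerprint" prints.
thumbprint_base64() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha1 -binary | base64 | tr -d '\n'
}

# Same value via the -fingerprint text output, stripping whatever label
# precedes "Fingerprint=" (works for "SHA1" and "sha1"). Needs xxd.
thumbprint_base64_from_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 \
    | sed 's/^.*Fingerprint=//' | tr -d ':\n' | xxd -r -p | base64 | tr -d '\n'
}

# base64url without padding, the encoding required for the JWT "x5t" header
# parameter (RFC 7515 section 4.1.7).
thumbprint_x5t() {
  thumbprint_base64 "$1" | tr '+/' '-_' | tr -d '='
}

# Upper-case hex without colons, as the Azure portal displays the thumbprint.
thumbprint_hex() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha1 | sed 's/^.*= //' | tr 'a-f' 'A-F' | tr -d '\n'
}
```

Compare thumbprint_hex against the value shown under "Certificates & Secrets" to confirm the uploaded .crt is the one whose private key signs the JWTs; a mismatch there is exactly the symptom described in the question.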
I am getting this error when I am trying to import a certificate from my machine provided by another CA (Honeywell CA).
CSR was created using the private key created by command - openssl ecparam -genkey -name prime256v1 | openssl ec -out webtls.key -aes128
For import, I tried the Azure UI, Azure PowerShell, and Azure CLI; nothing worked, I got the same error.
Any idea about this?
The ECC certificate needs to be created in a very specific manner. I spoke with the Key Vault product team about this specific issue and ended up with an ECC FAQ. It's a detailed operation that requires a special configuration file when the cert is being generated. I'm not going to go into the complete detail as I have it documented on my blog post:
https://azidentity.azurewebsites.net/post/2019/05/24/ecc-certificates-in-the-key-vault
Would I use the IIS Manager to create this CSR even though the web application is not hosted in IIS?
I have a .Net app using NancyFX that is self hosted using Microsoft.Owin.Hosting (so IIS is not used at all) and I need to create a CSR for the production server, but can't seem to find any details on how to do this.
I've tried creating the CSR using the Certificates MMC plugin, but it was rejected by the issuer due to missing Common name, Country, City/locality, Organization, State/province and an incorrect key size.
This is the first time that I need to create a CSR so I have no idea of how to do this.
To generate a CSR on Windows without IIS you can use OpenSSL. Download it for Windows from https://www.openssl.org/
Run the following openssl command (via run or cmd.exe)
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout private.key
And when you run the openssl req cmd, it will generate a CSR (with a public key embedded) and a private key.
I'm trying to create a CSR file in an Ubuntu 13. How can I do it from the command line? I know how to do it from MAC OS in the KeyChain, but I actually don't have one.
This is what I tried in MAC OS:
Within the Keychain Access drop down menu, select Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.
In the Certificate Information window, enter the following information:
In the User Email Address field, enter your email address.
In the Common Name field, create a name for your private key (e.g., John Doe Dev Key).
The CA Email Address field should be left empty.
In the "Request is" group, select the "Saved to disk" option.
Click Continue within Keychain Access to complete the CSR generating process.
You can use the following command to generate a CSR and private key:
openssl req -new -keyout server.key -out server.csr
You can follow the detail documentation regarding CSR below:
https://www.sslshopper.com/what-is-a-csr-certificate-signing-request.html
You can use the openssl req command, there are instructions here:
https://help.ubuntu.com/10.04/serverguide/certificates-and-security.html
It's a little bit of a process but it will boil down to something along the lines of:
openssl req -new -key server.key -out server.csr
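An added example that serves both the Windows-without-IIS question and this Ubuntu one, and is not code from either answer: the interactive "openssl req -new" prompts are where a CSR ends up missing the Common Name, Country, Locality, Organization and State the issuer rejected earlier, so the script below puts the full subject and a SAN in a config file with "prompt = no", generates a 2048-bit RSA key and CSR non-interactively, and verifies the key size and DN components before the request is submitted. The organisation values and host name are placeholders (assumptions).

```shell
#!/bin/sh
# Added example: scripted CSR with a complete subject and SAN. The DN values
# and api.example.com are placeholders (assumptions); replace with your own.
set -eu

# Request config with every DN attribute the issuer asked for; prompt = no
# makes openssl read them from here instead of asking interactively.
write_csr_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = ext
prompt             = no

[ dn ]
C  = US
ST = Example-State
L  = Example-City
O  = Example Org
CN = api.example.com

[ ext ]
subjectAltName = DNS:api.example.com
EOF
}

# Create a 2048-bit RSA private key and the CSR in directory $1.
generate_csr() {
  dir=$1
  mkdir -p "$dir"
  write_csr_config "$dir/csr.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$dir/csr.cnf" -keyout "$dir/private.key" -out "$dir/request.csr" 2>/dev/null
}

# Print the bit length of the public key embedded in the CSR.
csr_key_bits() {
  openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Return 0 if the CSR's self-signature verifies and C, ST, L, O and CN are
# all present and non-empty (RFC 2253 output keeps the format predictable).
csr_has_required_fields() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  subj=$(openssl req -in "$1" -noout -subject -nameopt RFC2253)
  for attr in C ST L O CN; do
    echo "$subj" | grep -Eq "(^|[,=])$attr=[^,]" || return 1
  done
}
```

For an ECC key instead of RSA, replace "-newkey rsa:2048" with "-newkey ec -pkeyopt ec_paramgen_curve:prime256v1"; the subject and extension handling is unchanged. The same script runs unmodified on Ubuntu and, with the Windows OpenSSL build, from a Git Bash or WSL shell.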