I'm very sorry for my language, but I don't speak English.
I'm trying to implement SSL in my app, but I only have a valid p7b created from a CSR file. I'm using Express.js and Node.js on a Linux server. I know how to implement a PEM certificate:
var https = require('https');
var fs = require('fs');

var options = {
    key: fs.readFileSync('./private.pem'),
    cert: fs.readFileSync('./' + config.ssl[config.mode].cert)
};
server = https.createServer(options, app).listen(3000);
but I don't know how to implement a p7b certificate. Kindly help me.
First you have to convert your p7b to PEM format:
openssl pkcs7 -in public.p7b -inform DER -out public.pem -print_certs
Create a PKCS#12 file containing your private key and the public certificate:
openssl pkcs12 -export -inkey private.key -in public.pem -name my_name -out result.pfx
To use the pfx file with Node.js, use:
const fs = require('fs');

const cert = fs.readFileSync("result.pfx");
const request = require('request').defaults({
    agentOptions: {
        pfx: cert,
        passphrase: password   // the export password chosen for `openssl pkcs12 -export`
    }
});
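An added example (mine, not part of the question or the answer above) that runs the same two conversion steps end to end. It generates a throwaway CA, leaf certificate and p7b locally so it can be executed offline; the names (demo CA, demo.example, my_name, the changeit export password) are constructed. The parts worth copying are the header sniff before choosing -inform, the key/certificate match check, and the count of what actually landed in the PFX.

```shell
#!/bin/sh
# Added example, not from the original question or answer: p7b -> PEM -> PFX
# with OpenSSL, checking each step. All material is generated locally.
set -eu

# Build a throwaway CA and a leaf cert so the pipeline has real input (constructed names).
make_demo_material() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj "/CN=demo CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/private.pem" -out "$dir/leaf.csr" -subj "/CN=demo.example" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -set_serial 1 -days 1 -out "$dir/leaf.pem" 2>/dev/null
    # A p7b as a CA would hand it back: leaf plus issuing CA, DER-encoded.
    openssl crl2pkcs7 -nocrl -certfile "$dir/leaf.pem" -certfile "$dir/ca.pem" \
        -outform DER -out "$dir/public.p7b"
}

# p7b files come as DER or PEM; the wrong -inform fails with an ASN.1 error,
# so look at the header instead of assuming.
p7b_inform() {
    if grep -q 'BEGIN PKCS7' "$1" 2>/dev/null; then echo PEM; else echo DER; fi
}

# Step 1 of the answer: unpack the PKCS#7 bundle into PEM certificates.
p7b_to_pem() {
    openssl pkcs7 -in "$1" -inform "$(p7b_inform "$1")" -print_certs -out "$2"
}

# Does this private key belong to this certificate? Compare public keys instead
# of trusting file names; a mismatch here is a clearer error than pkcs12's.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Step 2 of the answer: key + leaf + chain into one PFX. pkcs12 picks the cert
# matching the key as the main entry and carries the rest as extra certs.
pem_to_pfx() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -name my_name \
        -passout "pass:$4" -out "$3"
}

# How many certificates ended up inside the PFX (leaf + CA here = 2).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

convert_p7b_to_pfx() {
    dir="$1"
    make_demo_material "$dir"
    p7b_to_pem "$dir/public.p7b" "$dir/public.pem"
    key_matches_cert "$dir/private.pem" "$dir/leaf.pem"
    pem_to_pfx "$dir/private.pem" "$dir/public.pem" "$dir/result.pfx" "changeit"
    pfx_cert_count "$dir/result.pfx" "changeit"
}

demo_dir=$(mktemp -d)
convert_p7b_to_pfx "$demo_dir"   # prints 2
```

The answer's `request` snippet is the client side; for the server in the question the same pair goes into `https.createServer({ pfx: fs.readFileSync('result.pfx'), passphrase: 'changeit' }, app)`, since Node's TLS options accept `pfx` and `passphrase` in place of `key` and `cert`.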
Related
I am trying to enable HTTPS on my pure Node.js server (no Express.js). To enable HTTPS I am using OpenSSL to generate keys and certificates, which I can then load into the server file.
###################################
The problem:
###################################
I checked online, and most people were saying that the problem occurs because the common name of the CA certificate and the server certificate are the same. I did enter different values for both, and still the error persists.
######################################
Commands used to generate keys and certificates:
######################################
# Generating our private keys
openssl genpkey -algorithm ed25519 -outform pem -out ca_pvt_key.pem
openssl genpkey -algorithm ed25519 -outform pem -out server_pvt_key.pem
# Generating our certificate
openssl req -inform pem -key ca_pvt_key.pem -days 36000 -x509 -config openssl-ca.cnf -nodes -outform pem -out ca_cert.pem
openssl x509 -outform der -in ca_cert.pem -out ca_cert.crt
# Creating the CSR (Certificate Signing Request) for the server
openssl req -new -config openssl-server.cnf -key server_pvt_key.pem -nodes -outform pem -out server_certificate.csr
# Creating required index.txt and serial.txt files for openssl ca
touch index.txt
echo '01' > serial.txt
# Generating our final signed certificate
openssl ca -config openssl-ca.cnf -notext -policy signing_policy -extensions signing_req -out server_certificate.pem -infiles server_certificate.csr
openssl ca -config openssl-ca.cnf -notext -policy signing_policy -extensions signing_req -out server_certificate.crt -infiles server_certificate.csr
cat server_certificate.pem > cert_chain.pem
cat ca_cert.pem >> cert_chain.pem
##################################
Configuration file snippets for above commands
##################################
CA config file
[ ca_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
Server certificate config file
####################################################################
[ server_req_extensions ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
####################################################################
[ alternate_names ]
DNS.1 = localhost
# IPv4 localhost
IP.1 = 127.0.0.1
# IPv6 localhost
IP.2 = ::1
#################################
Server File snippet
#################################
const https = require('https');
const fs = require('fs');
const path = require('path');

const port = 3000;
const options = {
    host: "localhost",
    port: port,
    path: "/",
    rejectUnauthorized: false,
    requestCert: true,
    agent: false,
    key: fs.readFileSync(path.join(path.resolve(__dirname, "../../"), "/certs/server_pvt_key.pem")),
    cert: fs.readFileSync(path.join(path.resolve(__dirname, "../../"), "/certs/cert_chain.pem")),
};
const server = https.createServer(options, (req, res) => {
    // Pure node server
});
##################################
System details
##################################
I am running a podman container with openSUSE Tumbleweed. The host system is Ubuntu 22.04 LTS.
##################################
Extra details
##################################
I added the ca_cert.crt file to /usr/local/share/ca-certificates on Ubuntu. I also added the server_certificate.crt and server_pvt_key.pem into /etc/ssl/certs and /etc/ssl/private respectively.
##################################
Testssl Output
##################################
##################################
curl
##################################
curl does fetch me my site HTML. However, the moment I am in the browser, I get the cipher error.
##################################
Browser Trust Store
##################################
I am using Brave Browser. When I try to import my ca_cert.pem or ca_cert.crt file into the Authorities tab in Brave, it shows me the following:
Anyone have any idea why this is happening and how I could fix it?
I have generated the SSL certificate with OpenSSL using the following commands, which produced the cert and key files. But where do I get the ca-bundle file? I need the ca-bundle file to include in the Node.js application; otherwise it shows a "not secure" warning.
openssl genrsa -out server-key.pem 1024
openssl req -new -key server-key.pem -out server-csr.pem
openssl x509 -req -in server-csr.pem -signkey server-key.pem -out server-cert.pem
my server's code:
const https = require('https');
const fs = require('fs');

const options = {
    key: fs.readFileSync("path-to-key"),
    cert: fs.readFileSync("path-to-crt"),
    ca: [fs.readFileSync("path-to-ca-bundle"), fs.readFileSync("path-to-crt")],
    requestCert: false,
    rejectUnauthorized: false
};
const server = https.createServer(options, app);
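Here is an added example (mine, not from either of the two posters above) that does what both questions are reaching for: a private CA signs a server certificate that carries a subjectAltName, the leaf and CA are concatenated into the chain file Node's `cert:` option loads, and the "ca-bundle" turns out to be nothing more than the CA certificate itself. It checks the result with `openssl verify` before any browser gets involved. The names (Demo Private CA, localhost) and file names are constructed, and it signs with `openssl x509 -req -extfile` rather than the `openssl ca` database setup of the first question, so no index.txt or serial file is needed.

```shell
#!/bin/sh
# Added example, not from either question: minimal private CA, SAN-bearing
# server cert, chain file and ca bundle, verified with openssl. Names are constructed.
set -eu

# Extensions for the leaf. Browsers match the hostname against SAN, not CN,
# so a certificate without it is rejected however cleanly the chain verifies.
write_server_ext() {
    cat > "$1" <<'EOF'
[ server_req_extensions ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alternate_names

[ alternate_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1
IP.2 = ::1
EOF
}

make_ca() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj "/CN=Demo Private CA" 2>/dev/null
}

issue_server_cert() {
    dir="$1"
    write_server_ext "$dir/server_ext.cnf"
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.csr" -subj "/CN=localhost" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -set_serial 1 -days 1 -extfile "$dir/server_ext.cnf" \
        -extensions server_req_extensions -out "$dir/server.pem" 2>/dev/null
    # cert_chain.pem is what `cert:` should load: leaf first, then the issuing CA.
    cat "$dir/server.pem" "$dir/ca.pem" > "$dir/cert_chain.pem"
    # The "ca-bundle" for a self-run CA is simply its own CA certificate(s).
    cp "$dir/ca.pem" "$dir/ca-bundle.pem"
}

# The same checks a client performs: chain validity against the bundle.
verify_chain() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Is a given SAN entry present in the certificate?
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# OpenSSL treats a leaf whose subject equals its issuer as self-signed;
# confirm the two DNs differ.
subject_differs_from_issuer() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" != "${iss#issuer=}" ]
}

build_and_check() {
    dir="$1"
    make_ca "$dir"
    issue_server_cert "$dir"
    verify_chain "$dir/ca-bundle.pem" "$dir/server.pem"
    cert_has_san "$dir/server.pem" 'DNS:localhost'
    subject_differs_from_issuer "$dir/server.pem"
    echo "chain OK: $dir/cert_chain.pem, ca bundle: $dir/ca-bundle.pem"
}

demo_dir=$(mktemp -d)
build_and_check "$demo_dir"
```

With these files, `cert:` takes cert_chain.pem, `key:` takes server.key, and the browser or OS trust store needs only ca-bundle.pem imported; nothing signed by a CA the client does not trust will lose the "not secure" warning, whatever `ca:` is set to on the server.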
I have created a pfx file using OpenSSL commands as below:
openssl genrsa -out private_key.pem 4096
openssl req -new -x509 -key private_key.pem -out public_key.cer -days 100 -sha512 -subj "/CN=self-signed"
openssl pkcs12 -export -out samplepkcs12.pfx -inkey private_key.pem -in public_key.cer
Then I imported my pfx file into my Azure Key Vault.
Now in my Azure Function, I need to download this certificate and create a client certificate.
I tried the code below:
import java.io.ByteArrayInputStream;

import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
import com.microsoft.aad.msal4j.ClientCredentialFactory;
import com.microsoft.aad.msal4j.IClientCertificate;

DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder()
        .managedIdentityClientId("<MANAGED_IDENTITY_CLIENT_ID>")
        .build();

// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
        .vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
        .credential(defaultCredential)
        .buildClient();

KeyVaultSecret certificateSecret = client.getSecret(<certificateName>);
IClientCertificate clientCertificate =
        ClientCredentialFactory.createFromCertificate(
                new ByteArrayInputStream(certificateSecret.getBytes()), "<password>");
But I am getting the exception below:
java.IO.Exception to DerInputStream rejects type 77
at java.base/sun.security.util.DerValue.toDerInputStream(DerValue.java:873)
at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCSKeyStore.java:1994)
Any suggestion on the right way of uploading (if my approach is wrong) or retrieving the certificate and creating a client certificate?
You are using the Secret library. Instead, you should use the Certificate library described here:
https://azuresdkdocs.blob.core.windows.net/$web/java/azure-security-keyvault-certificates/4.3.2/index.html
CertificateClient certificateClient = new CertificateClientBuilder()
        .vaultUrl("<your-key-vault-url>")
        .credential(new DefaultAzureCredentialBuilder().build())
        .buildClient();

KeyVaultCertificate certificate = certificateClient.getCertificate("<certificate-name>");
A brief description of what I've done and what I would like to achieve:
I was trying to add a certificate to Azure Key Vault via the UI:
I got those certificates as ca.crt (openssl req -new -x509 -days 1826 -key ca.key -out ca.crt) and ca.key (openssl genrsa -des3 -out ca.key 2048), but Azure Key Vault requires certificates in .pem or .pfx format.
I decided to convert the cert and key into PEM format: key: openssl rsa -in ca.key -text > ca_key.pem
cert: openssl x509 -in ca.crt -out ca.pem, then copied ca_key.pem inside ca.pem
I tried with only cert + key, and with the key's extra data (binaries or something)
I was getting this error from the UI: The specified PEM X.509 certificate content is in an unexpected format. Please check if certificate is in valid PEM format.
I decided to install the Azure CLI and pass them in pfx format: openssl pkcs12 -export -out ca.pfx -inkey ca.key -in ca.crt, and that works properly; I'm able to see the created cert in Key Vault certificates
and there the problem begins. I would like to get the certificate with the Azure Node library and extract the separate key and cert to use them. What I've achieved so far:
import * as fs from "fs";
import { SecretClient } from "@azure/keyvault-secrets";

const secretClient = new SecretClient(keyVaultUrl, credential);
const certificateSecret = await secretClient.getSecret(certificateName);
const PKCS12Certificate = certificateSecret.value!;
fs.writeFileSync("myCertificate.p12", PKCS12Certificate);
I got the file, and as the documentation says:
https://www.npmjs.com/package/@azure/keyvault-certificates#getting-the-full-information-of-a-certificate
I was trying to execute:
openssl pkcs12 -in myCertificate.p12 -out myCertificate.crt.pem -clcerts -nokeys
to extract the CA certificate from the p12, but I'm still getting this error:
34359836736:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149:
34359836736:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:309:Type=PKCS12
Any ideas what I'm doing wrong?
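An added example, not from either Key Vault question. What Key Vault hands back through the secrets API (`certificateSecret.value` in Node, `getValue()` in Java) is the PKCS#12 file encoded as one base64 string, so writing it to disk unchanged gives openssl ASCII where it expects DER and produces the `wrong tag` ASN.1 error above, and handing the same bytes to Java's PKCS12KeyStore fails the same way (the rejected type 77 in the Java question is the ASCII code of 'M', the first character of a base64-encoded DER SEQUENCE). The script constructs a password-less PFX locally, base64-encodes it to stand in for the secret value, reproduces the failure, then decodes and splits it. `fake_keyvault_secret_value` and the kv-demo name are constructed; the empty export password mirrors how Key Vault exposes the secret form of an imported certificate.

```shell
#!/bin/sh
# Added example, not from the original questions: the Key Vault secret for a
# certificate is base64 PKCS#12 and must be decoded before openssl can read it.
set -eu

# Stand-in for what the Key Vault SDK returns: a base64 string of a password-less PFX.
fake_keyvault_secret_value() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$dir/key.pem" \
        -out "$dir/cert.pem" -subj "/CN=kv-demo" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -passout pass: -out "$dir/orig.pfx"
    openssl base64 -A -in "$dir/orig.pfx"
}

# Can openssl parse this file as PKCS#12? (openssl pkcs12 -in always expects DER.)
pkcs12_parses() {
    openssl pkcs12 -in "$1" -passin pass: -nokeys -out /dev/null 2>/dev/null
}

# Decode the secret value first; a real DER PKCS#12 starts with a SEQUENCE tag (0x30).
decode_secret_to_p12() {
    printf '%s' "$1" | openssl base64 -d -A > "$2"
    [ "$(head -c1 "$2" | od -An -tx1 | tr -d ' \n')" = "30" ]
}

# Split the decoded PFX into what the poster wanted: separate cert and key PEM files.
split_p12() {
    openssl pkcs12 -in "$1" -passin pass: -clcerts -nokeys -out "$2" 2>/dev/null
    openssl pkcs12 -in "$1" -passin pass: -nocerts -nodes -out "$3" 2>/dev/null
}

demo_dir=$(mktemp -d)
secret_value=$(fake_keyvault_secret_value "$demo_dir")

# The route taken in the question: the string written as-is is not a PKCS#12 file.
printf '%s' "$secret_value" > "$demo_dir/raw.p12"
if pkcs12_parses "$demo_dir/raw.p12"; then
    echo "unexpected: base64 text parsed as PKCS#12"; exit 1
fi

# Decode, then extract.
decode_secret_to_p12 "$secret_value" "$demo_dir/myCertificate.p12"
split_p12 "$demo_dir/myCertificate.p12" "$demo_dir/myCertificate.crt.pem" "$demo_dir/extracted.key.pem"
openssl x509 -in "$demo_dir/myCertificate.crt.pem" -noout -subject
```

In code the decode is `Buffer.from(certificateSecret.value, 'base64')` before `fs.writeFileSync`, and in Java `Base64.getDecoder().decode(certificateSecret.getValue())` before wrapping the bytes in a `ByteArrayInputStream`. The certificates client suggested in the Java answer returns the public certificate only; the private key is only reachable through the secret, which is why this decode step matters whenever the key is needed.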
The issue
I wrote a minimal server that requires a client certificate, but it always rejects connections with the following authorizationError: DEPTH_ZERO_SELF_SIGNED_CERT. I put the steps I followed below; they are quite simple, so you should be able to reproduce this in minutes, should you want to "try this at home". This is with Node.js 0.10.24. Am I doing something wrong?
What I did
First, I generated self-signed client and server certs as follows (instructions from the Client Side Certificate Auth in Nginx post); this is in an ssl subdirectory.
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
Then, I run the following program with Node.js (i.e. put it in server.js and run node server.js).
var https = require('https');
var fs = require('fs');

var options = {
    key: fs.readFileSync('ssl/server.key'),
    cert: fs.readFileSync('ssl/server.crt'),
    ca: fs.readFileSync('ssl/ca.crt'),
    requestCert: true,
    rejectUnauthorized: false
};

https.createServer(options, function (req, res) {
    if (req.client.authorized) {
        res.writeHead(200, {"Content-Type": "application/json"});
        res.end('{"status":"approved"}');
        console.log("Approved Client ", req.client.socket.remoteAddress);
    } else {
        res.writeHead(401, {"Content-Type": "application/json"});
        res.end('{"status":"denied"}');
        console.log('authorizationError:', req.client.authorizationError);
        console.log("Denied Client ", req.client.socket.remoteAddress);
    }
}).listen(5678);
Finally, I try to connect with curl:
curl -v -s -k --key ssl/client.key --cert ssl/client.crt https://localhost:5678
This is where it fails with an authorizationError: DEPTH_ZERO_SELF_SIGNED_CERT. I've read folks are having more luck setting process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; rather than using rejectUnauthorized: false, but that doesn't seem to make a difference in my case.
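An added example (mine, not from the question) showing one way the exact DEPTH_ZERO_SELF_SIGNED_CERT result falls out of the question's own openssl commands, plus a check to run on a client certificate before touching rejectUnauthorized. `openssl x509 -req` without an extension file adds no subjectKeyIdentifier or authorityKeyIdentifier, and without those OpenSSL decides a certificate is self-signed purely by comparing its subject DN with its issuer DN. A client CSR whose prompts were answered with the same values as the CA therefore yields a certificate that the CA really did sign but that verification reports as self-signed at depth 0; Node's TLS layer runs the same OpenSSL verification and reports the OpenSSL error name as authorizationError. The CA and client names are constructed, and keys are generated with -nodes instead of -des3 so the script runs without prompts.

```shell
#!/bin/sh
# Added example, not from the question: reproduce OpenSSL's depth-0 self-signed
# verdict and the subject/issuer check that explains it. Names are constructed.
set -eu

make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1/ca.key" \
        -out "$1/ca.crt" -subj "$2" 2>/dev/null
}

# Same shape as the question: CSR signed by the CA with x509 -req, no extensions.
issue_client_cert() {
    dir="$1"; name="$2"; subj="$3"; serial="$4"
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
        -out "$dir/$name.csr" -subj "$subj" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -set_serial "$serial" -out "$dir/$name.crt" 2>/dev/null
}

# What Node does for requestCert: verify the presented cert against `ca`.
# Maps OpenSSL's verify output onto the name Node reports in authorizationError.
verify_status() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
    case "$out" in
        *": OK"*)      echo OK ;;
        *"error 18"*)  echo DEPTH_ZERO_SELF_SIGNED_CERT ;;   # X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
        *)             echo FAILED ;;
    esac
}

# With no SKID/AKID, subject DN == issuer DN is all it takes for OpenSSL to
# flag a certificate as self-signed, even though the CA signed it.
looks_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

demo_dir=$(mktemp -d)
make_ca "$demo_dir" "/O=Demo/CN=Demo CA"
issue_client_cert "$demo_dir" "good_client" "/O=Demo/CN=alice"   1
issue_client_cert "$demo_dir" "bad_client"  "/O=Demo/CN=Demo CA" 2   # reuses the CA's DN

verify_status "$demo_dir/ca.crt" "$demo_dir/good_client.crt"   # OK
verify_status "$demo_dir/ca.crt" "$demo_dir/bad_client.crt"    # DEPTH_ZERO_SELF_SIGNED_CERT
```

Running `openssl verify -CAfile ssl/ca.crt ssl/client.crt` against the question's own files shows immediately whether the rejection comes from the certificate material rather than from the Node options; if it does, `openssl x509 -noout -subject -issuer -in ssl/client.crt` shows the two DNs side by side.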