I am configuring the NTP with autokey to make NTP more secure.I don't want to use default certificate which can be generated using ntp-keygen command line tool. ntp-keygen generates one RSA key, one IFF Key and one md5withRSA signature certificate but i want to use my own certificate which is generated by using signature algorithm SHA1withRSA. but when i put my certificate and key in place of ntp deafault certificate and key. It showed me this Error on startup of ntpd.
Jan 19 20:52:22 GURNTP20150710 ntpd[21084]: crypto_key: no filestamp /etc/ntp/ntpkey_host_hostname
Jan 19 20:52:22 GURNTP20150710 ntpd[21084]: crypto_setup: host key file ntpkey_host_hostname not found or corrupt
Any one can help me here to secure my ntp server and client using autokey protocol while using my own certificate and key.
Thanks in advance. :)
I got the answer for the above problem.So the answer for can we use my own certificates generated by openssl for securing my ntp is YES.
I was facing a problem (above Error) after putting my openssl certificates on /etc/ntp/ path.
Answer: It was due to ntp on start up looks for the "ntpkey_" keyword in certificate's and key's name. So i had to rename my own certificate with this naming convention. but unfortunately i got again the same Error.
This time it was due to the file content of certificate file.I checked out the ntpkey-gen's code and figured out that ntp opens the certificate and key file on startup using the fopen C library function and looks for ".(dot)".
Actually when ntp_keygen generates the certificates and keys. It put a comment on the very first line of certificate and key with the file name of certificates which contains the file time stamp after the dot. That's why ntpd looks for dot in certificate file. So i added the file name of ntp Certificate and Key with file time stamp at first line of cert and key.
Its working fine now.
Thanks :)
Related
My immediate certificate on https://paper-shape.com got a weak signature algorithm SHA1: https://www.ssllabs.com/ssltest/analyze.html?d=paper-shape.com
I followed theses instructions. I created my pfx file both per OpenSSL and per certificate export wizard.
The CRT and pem (immediate certificate from startcom) seem to be ok, because the following command shows "Signature Algorithm: sha256WithRSAEncryption" on both (CRT and PEM):
$ openssl x509 -text -in paper-shape.com.crt
Either something went wrong during my pfx creation process or azure website overrules my immediate certificate.
Has anybody an idea?
Check your locally-installed certificates (on Windows, 'certmgr.msc'). You may have an old SHA-1-signed copy of the StartCom intermediate certificate which is still valid (say, to 2017) and being used in preference to that provided by the server.
You can find (and chain) the SHA-256 intermediate certificate for Class-1 in PEM format, here: https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
I have been facing this same problem, I was about to pull my hair out when the certificate seemed to be right in some browsers and OS and in others it claimed I was using SHA-1 and even https://shaaaaaaaaaaaaa.com was telling me that I had a SHA-2 signed crt.
So! Here is a huge thread in StartCom forum about this issue: https://forum.startcom.org/viewtopic.php?f=15&t=15929&st=0&sk=t&sd=a
The thing is that the browser is using an Intermediate crt that is SHA-1 signed.
The solution: you need to configurate the Intermadiate crt in your server!
You can see more details here:
https://sslmate.com/blog/post/chrome_cached_sha1_chains
I would like to be able to determine if a remote domain's TLS/SSL certificate is 'trusted' from the command line.
Here is an openssl example I was playing with a few weeks back, here I use openssl to acquire the certificate and then pipe it to openssl's 'verify' command. I assumed that the 'verify' command would verify the certificate, however, how I understand it now is that the 'verify' command just verifies the certificate chain (I think). (cdn.pubnub.com is just a domain I found from a quick Twitter search as an example to use)
echo "GET /" | openssl s_client -connect cdn.pubnub.com:443 | openssl x509 -text | openssl verify
As you can see from the cdn.pubnub.com domain (at the time of writing), the browser (Chrome at least) does not trust the certificate (because the certificate domain doesn't match), however, the openssl 'verify' command does not output 'trusted' or 'not trusted' or something else we can deduct that information from.
Another way I thought of doing this, is by using a headless browser (such as PhantomJS) and parsing any errors they return. It turns out that PhantomJS just errors but does not give any details, so this can not be used as the error could have been caused by something else.
I didn't think it would be this hard to find out that a certificate was trusted or not from the command line, without having to parse and check all the data that makes a certificate trusted myself which I don't think would be wise.
Is there a library or some other way I can tell if a remote domain's certificate is trusted from the command line?
curl (and libcurl) uses OpenSSL for https URLs, and checks certificate validity unless -k, --insecure option is enabled.
zsh 29354 % curl https://cdn.pubnub.com/
curl: (51) SSL peer certificate or SSH remote key was not OK
As you see, it doesn't give much details on why the certificate is invalid, but otherwise it should be as good as a headless browser, and much lighter.
It depends on what you consider "trusted". Beside the core cryptographic checks (e.g. checking the digital signature) the client usually does the following:
Check that the certificate chains to a trusted root
Verify that the current time is between the notValidBefore and not validAfter attributes.
The certificate is not revoked.
keyUsage and other certificate constraints match.
The entity we are communicating is somehow found in the subject of the certificate (for servers this usually means the hostname is listed as CN or subjectAlternativeName).
In your case the information to verify step 5 (namely the hostname) is missing, so it cannot be checked. You would have to do this step yourself.
Please note that different clients perform different checks to see if a certificate is trusted, so one answer may not apply to all possible clients. If you want to check your installation deeply, consider using the check from ssl labs https://www.ssllabs.com/ssltest /
Fatal error: Uncaught CurlException: 60: Peer certificate cannot be authenticated with known CA certificates thrown in /home/ldr/public_html/src/base_facebook.php on line 886
See: http://ldr.x10.bz/examples/with_js_sdk.php
I've been getting this error for 2 days now and can't find any information on where it has come from? Why is the certificate known and is there a way for it to be unknown again?
It had been working for months previously, so not sure if the API has just updated but I've deleted everything and just uploaded the PHP SDK 3.1.1 but still no luck :(
I've read about disabling the peer verification but sounds like a bad idea (plus I know it works with it enabled). Probably accidentally unchecked a box somewhere- any ideas on how to restore it back to normal would be very appreciated :)
Thanks!
Certificates are verified against a truststore somewhere on your system. This truststore should be updated once in a while; e.g. Firefox and Windows do this when updating the software. The error is a bit unclear; it actually means your curl client gets a certificate for which it does not have a trusted (root) certificate.
You may want to visit that site with your favorite up to date browser and save the root certificate somewhere, then create a CA store with that single certificate in it. Of course it will fail if that one gets replaced or if the server chooses another certificate authority.
Possibly updating curl or the OpenSSL library may do the trick, try that first :).
My company have code singing cert from Thawte to sing Windows applications. I need to sing my j2me jar file with this cert. I've used openssl to convert to pkcs12 format using this guide:
http://conshell.net/wiki/index.php/OpenSSL_to_Keytool_Conversion_tips
but I have one problem - I can't add full chain of certs. Just one, no intermediate and crossroot.
So when I signing there's only MIDlet-Certificate-1-1 param. No MIDlet-Certificate-1-2 and MIDlet-Certificate-1-3.
Is it possible to create a chain in keystore somehow?
At first you need another type of certificate - Sun Java certificate.
I don't exactly remember signing process but there are tutorials on this subject. Just try to google "midlet signing tutorial". Or read, for example, this one: http://www.forum.nokia.com/piazza/wiki/images/7/7e/MIDP_2_0_Tutorial_On_Signed_MIDlets_v1_1_en.pdf?20080603115110
The man page did not clearly specify this. But looking at openssl's apps implementations, SSL_CTX_use_PrivateKey* calls are usually made after SSL_CTX_use_certificate_file succeeded. I assume this is mostly used at the server side.
I recently confused the above function with SSL_CTX_load_verify_locations wherein you could specify a CA certificate file and path. It turned out that SSL_CTX_load_verify_locations is the one I needed to verify a server certificate which is signed by a Trusted Authority.
SSL_CTX_use_certificate_file() is used to load the certificates into the CTX object either in PEM or DER format. The certificates can be chained ultimately ending at the root certificates. SSL_CTX_use_certificate_file API loads the first certificate into the CTX context;not the entire chain of certificates. If you prefer that thorough check of certificates is needed then you need to opt for SSL_CTX_use_certificate_chain_file()
http://publib.boulder.ibm.com/infocenter/tpfhelp/current/index.jsp?topic=/com.ibm.ztpf-ztpfdf.doc_put.cur/gtpc2/cpp_ssl_ctx_use_certificate_file.html