I'm using a script that generates a private/public key pair using the openssl command. It uses the following line:
$ openssl req -x509 -nodes -newkey rsa:2048 \
-subj '/O=Weaveworks, Inc./L=London/C=GB/CN=weave.works' \
-keyout ./ssh.key -out ./ssh.pem
The issue is, when I try to use the generated key, it's asking me for a passphrase. My understanding is that if I don't specify a passphrase, none will be set. But when I try to add it, I get asked for one:
$ ssh-add ssh.key
Is there a default passphrase that's set up when openssl is used?
Thanks!
I am new to Linux and I am currently trying to create server certificates from CA.crt.
The certificate parameters to be used are CN (common name) = ipaddress and 1 year validity. I know how to use the validity parameter but don't know what the importance of CN is and how I can use it while creating a server certificate. See the command I am using below:
# create a certificate request (.csr) from the existing server key
openssl req -new -out server.csr -key server.key
# use the CA key to verify and sign the server certificate (valid 1 year)
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365
Some common information
'CN(Common Name)' is one of the parameters in the 'Subject' of the certificate.
Others are C (Country), ST (State), OU (Organizational Unit), etc.
'Subject' usually includes the information about the entity to which the certificate has been issued.
To specify CN for a certificate, you can specify it while generating the CSR.
Answer to your question
Assuming you have to generate server.crt with CN=<ip_address>, you will have to generate the CSR as follows (change the IP as needed):
openssl req -new -out server2.csr -key server.key -subj "/CN=255.255.255.255"
Alternatively, if the -subj option is not provided, an interactive prompt opens where you can specify the desired CN in the 'Common Name' field. If you wish to skip other parameters like ST or OU in the subject, enter '.' to skip them in interactive mode.
Hope this helps.
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -in server.csr -out server.crt -signkey server.key -days 3650
This is a popular command for generating self-signed SSL certificates using OpenSSL.
What confuses me is the -signkey parameter in the third command line: what is the use of this option? I don't see it in openssl req -help.
Can anyone answer it please? Thanks in advance!
Why are you looking at req's help? The third line is using x509 command:
$ openssl x509 -help
...
-signkey infile Self sign cert with arg
So it is the key with which you self-sign the certificate.
Which programme or command do you use to extract the public key from a p12 protected with a password? I am trying with the command hydra, but I think it only works over networks.
You can use openssl to check, convert etc. a p12 file.
E.g.:
openssl pkcs12 -info -in example.p12
or
openssl pkcs12 -in example.p12 -out example.pem -nodes
etc.
You can make openssl read the password from a file or stdin. E.g.:
openssl [...] -pass stdin
See the man page for openssl for more ideas.
I would like to use the Mobile Push Gateway to send push messages when my app is in the background. I followed this tutorial and have almost done it, but I can't convert the .p12 file to .pem. I could successfully export the .p12 certificate, but can't finish the next steps; maybe I missed something, but I can't figure it out.
It's clear that I need to run an openssl command in the Terminal like this:
openssl pkcs12 -in <EXPORTED_CERT_NAME.p12> -out <PEM_CERT_NAME.pem> -nodes
This is my version:
openssl pkcs12 -in <cert.p12> -out <newCert.pem> -nodes
cert.p12 is the exported certificate from the keychain, newCert.pem is the new file's name. I've pasted it into the terminal and pressed enter, but nothing happens. I just get this message: cert2.pem: No such file or directory.
When I try to check the cert with this command:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert server_certificates_bundle_sandbox.pem -key server_certificates_bundle_sandbox.pem
I get this error:
Error opening client certificate private key file server_certificates_bundle_sandbox.pem
2668:error:02001002:system library:fopen:No such file or directory:/SourceCache/OpenSSL098/OpenSSL098-50/src/crypto/bio/bss_file.c:356:fopen('server_certificates_bundle_sandbox.pem','r')
2668:error:20074002:BIO routines:FILE_CTRL:system lib:/SourceCache/OpenSSL098/OpenSSL098-50/src/crypto/bio/bss_file.c:358:
unable to load client certificate private key file
What did I do wrong? Is something wrong in my openssl command, or do I need to do something different in the terminal?
Update 3
Version a:
cd /tmp
openssl pkcs12 -in devKey.p12 -out newDevCert.pem -nodes
openssl pkcs12 -in devKey.p12 -out newDevCert.pem -nodes
Error opening input file devKey.p12
devKey.p12: No such file or directory
Version b:
In this case I don't have a chance to enter the password, because the error shows up right after the openssl command.
cd documents
openssl pkcs12 -in devKey.p12 -out samplePem.pem -nodes
Enter Import Password:
Mac verify error: invalid password?
Update 2
I tried it without the < > in the names:
openssl pkcs12 -in developerTest.p12 -out newDevCert.pem -node
And it seems something happened:
openssl pkcs12 -in developerTest.p12 -out newDevCert.pem -node
Usage: pkcs12 [options]
where options are
-export output PKCS12 file
-chain add certificate chain
-inkey file private key if not infile
-certfile f add all certs in f
-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's
-name "name" use name as friendly name
-caname "nm" use nm as CA friendly name (can be used more than once).
-in infile input filename
-out outfile output filename
....
-keysig set MS key signature type
-password p set import/export password source
-passin p input file pass phrase source
-passout p output file pass phrase source
-engine e use engine e, possibly a hardware device.
-rand file:file:...
load the file (or the files in the directory) into
the random number generator
-CSP name Microsoft CSP name
-LMK Add local machine keyset attribute to private key
But when I try to verify it, I still get an error:
Error opening client certificate private key file newDevCert.pem
850:error:02001002:system library:fopen:No such file or directory:/SourceCache/OpenSSL098/OpenSSL098-50/src/crypto/bio/bss_file.c:356:fopen('newDevCert.pem','r')
850:error:20074002:BIO routines:FILE_CTRL:system lib:/SourceCache/OpenSSL098/OpenSSL098-50/src/crypto/bio/bss_file.c:358:
unable to load client certificate private key file
Update (earlier)
I've exported a new .p12 certificate and tried it again. If I just open the terminal and run this command:
openssl pkcs12 -in <developerTest.p12> -out <newDevCert.pem> -node
I get this error:
-bash: developerTest.p12: No such file or directory
I saved developerTest.p12 into my Documents folder, so when I try
cd documents
openssl pkcs12 -in <developerTest.p12> -out <newDevCert.pem> -node
I get a different error:
-bash: newDevCert.pem: No such file or directory
In this case I think the answer is a little bit closer: when I run the command inside the Documents folder it finds the exported .p12, but something is still wrong.
Is it certain that PEM_CERT_NAME can be anything?
The /tmp version:
cd /tmp
openssl pkcs12 -in <developerTest.p12> -out <newDevCert.pem> -node
-bash: developerTest.p12: No such file or directory
-node should be -nodes (this means "no DES", i.e. do not encrypt the private key)
Never use the greater than / less than signs (< or >) in a filename. They have special meaning in Unix (redirects). When used in instructions, they basically mean "replace what's between the < and > with your own value, and omit the < and >".
For example, this should work fine:
cd /tmp
openssl pkcs12 -in developerTest.p12 -out newDevCert.pem -nodes
Let me know if the above works.
I need to generate new keys & CSRs for 17 different CNs, i.e. server1.com, server2.com ... server17.com, but they all have the same attributes:
i.e. C=US, ST=State, L=Town, O=Online Coputers, OU=Support Operations, CN=server1.com/emailAddress=certificates#support.com
I generated CSR and key for CN server1.com using:
openssl req -out server1.com.csr -new -newkey rsa:2048 -nodes -keyout server1.com.key
and it works fine.
Is it possible to feed the attributes as constants to openssl and just change the CN? Would openssl support this? In this way the command would generate keys and CSRs with the same attributes but different CNs.
Does that make any sense?
For example, you have a list file with the different CNs (CN.txt):
server1.com
server2.com
serverx.com
servery.com
Then you can run the loop below to generate the keys and CSRs (the -subj option supplies the shared attributes so openssl does not prompt, which matters because stdin is the CN list here):
# shared subject attributes from the question; only the CN changes per line
attrs="/C=US/ST=State/L=Town/O=Online Coputers/OU=Support Operations"
while read -r line
do
    openssl req -out "${line}.csr" -new -newkey rsa:2048 -nodes -keyout "${line}.key" \
        -subj "${attrs}/CN=${line}/emailAddress=certificates#support.com"
done < CN.txt
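A fuller version of the per-CN loop, as an added example that is not from either post: it applies the same -subj approach as the CN answer above with the shared attributes held in one variable, reads each generated CSR back with openssl req -noout -subject to confirm the CN really made it into the request, and skips blank or commented lines. The CN list is constructed here and the emailAddress value is a placeholder; the other attribute values are those from the question.

```shell
#!/bin/sh
# Added example, not from the original answers: one key + CSR per CN from a list,
# every other subject attribute held constant, then each CSR is read back so a
# typo in the list is caught before the request reaches the CA.
# Assumes: attribute values as in the question (constructed list of CNs below),
# emailAddress is a placeholder, openssl is on PATH.

ATTRS='/C=US/ST=State/L=Town/O=Online Coputers/OU=Support Operations'
EMAIL='certificates@example.com'   # placeholder, not the address from the question

# Full subject for one CN. Pure shell, so it can be checked without openssl.
cn_subject() {
    printf '%s/CN=%s/emailAddress=%s\n' "$ATTRS" "$1" "$EMAIL"
}

# Key + CSR for one CN in directory $2. Fails if openssl fails or if the CSR's
# encoded subject does not carry the CN we asked for.
gen_csr() {
    cn="$1"; dir="$2"
    # </dev/null: openssl must never read the CN list that feeds the loop
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$cn.key" -out "$dir/$cn.csr" \
        -subj "$(cn_subject "$cn")" </dev/null 2>/dev/null || return 1
    # openssl 1.0 prints CN=host, 1.1+/3.x prints CN = host; match both
    openssl req -in "$dir/$cn.csr" -noout -subject | grep -q "CN *= *$cn"
}

# Loop over a list file (one CN per line, blank lines and # comments skipped);
# returns the number of CNs whose CSR failed verification.
gen_all() {
    list="$1"; dir="$2"; fail=0
    while IFS= read -r cn || [ -n "$cn" ]; do
        case "$cn" in ''|'#'*) continue ;; esac
        if gen_csr "$cn" "$dir"; then
            echo "ok   $cn ($dir/$cn.csr)"
        else
            echo "FAIL $cn" >&2; fail=$((fail + 1))
        fi
    done < "$list"
    return "$fail"
}

# Constructed sample list standing in for the question's CN.txt
workdir=$(mktemp -d)
printf '%s\n' server1.com server2.com server17.com > "$workdir/CN.txt"
if command -v openssl >/dev/null 2>&1; then
    gen_all "$workdir/CN.txt" "$workdir" || echo "some CSRs failed" >&2
fi
```

Point the CA at the .csr files only; the matching .key files stay on the server that will use them.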