I'm facing an issue in installing SSL certificate in IIS and below are the step before I got the certificate from my CA.
Generated a private key file using OpenSSL with: "openssl genrsa -out key_name.key 2048" command.
Generated .csr file with: "openssl req -out CSR.csr -key key_name.key -new -sha256" command.
Once I generated the CSR file, I provided the same CSR file to CA to get me certificate.
I got the certificate in .p7b format, which I converted to .cer format.
Installed certificate using "Complete certificate request" option in IIS.
Now the problem is that newly installed certificate vanishes from IIS after a refresh. I Googled this issue and understood that, it's happening so because there is no private key associated with certificate. My question is where the private key has gone?? I had created the CSR using the private key in step 1. Secondly, how do I over come this issue, I have to install the certificate anyhow. Please help.
You did not generate the certificate request via IIS Manager. Thus, you should not use IIS to complete the request.
Instead, you need to use OpenSSL to generate a PFX file,
create a pfx file from a .cer and a .pem file
Then you can import it to IIS.
You might read this post for more details,
https://blog.lextudio.com/2015/06/the-whole-story-of-server-certificate-disappears-in-iis-77-588-510-0-after-installing-it-why/
Related
I received .crt .pem and .p7b file from GoDaddy to setup SSL. How can I generate a .pfx file from them using openssl
It appears you are after a PKCS#12 file. In this case you should be able to do something like so:
openssl pkcs12 -export -in your.crt -inkey your.pem -out resulting.pfx
options are pretty self-explanatory. Depending on whether your source key is password-protected you might also need to supply that via -passin/-passout values
I am trying to establish node to node encryption. I am following datastax online guidance available for ssl encryption on below link- https://docs.datastax.com/en/security/5.1/security/secSetUpSSLCert.html
as per the documentation i have skipped first two steps and followed from step-3.
so, I have created the keystore, using below command-
keytool -genkeypair -keyalg RSA -alias node1 -keystore cassandra.jks -storepass cass123 -keypass cass123 -validity 365 -keysize 2048 -dname "CN=host1, OU=cluster1, O=org, C=US"
after creating the keystore, here the public certificate authority have two level of encryption or certs. first is root.cert and another is intermediate.cert.
when i have checked through below command, intermediate.cert is signed or verifyed by root.cert.
openssl verify -CAfile root.cert intermediate.cert , Got OK in Response.
after than with keystore(cassandra.jks), i have raise the certificate signed request (CSR):
keytool -keystore cassandra.jks -alias node1 -certreq -file cassandra.csr -keypass cass123 -storepass cass123 -dname "CN=host1, OU=cluster1, O=org, C=US"
then after uploading this CSR file (cassandra.csr) to public certificate authority i got in response one Cert.cer file.
so, then i checked whether the Cert.cer file get signed by root.cert or not.
openssl verify -CAfile root.cert Cert.cer
Got unable to load certificate in Response, with error message-
140044398696338:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c707:Expecting TRUSTED CERTIFICATE
Even I have Checked the Cert.cer with intermediate.cert-- got the same above error message.
Is this mean the Cert.cer which i got in response to csr request in not properly signed by certificate authority.
So i have stopped further steps here, which needed for cassandra ssl implementation.
Please, let me know, if i miss something or doing in wrong manner. much appreciated all help and suggestions
This issue is resolved, due to platform issue certs generated have extras carriage characters ^M. after removing this and merging root and intermediate certs together it works fine.
I have the working GoDaddy SSL certificate for Java/Tomcat server, consisting of 3 files:
a6d8a8b6f1b7d24b.crt
gdig2.crt.pem
gd_bundle-g2-g1.crt
All three are the base64 encoded text files and the contents look like
-----BEGIN CERTIFICATE-----
MIIFNjCCBB6gAwIBAgIJAKbYqLbxt9JLMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
...
MLLO84KBeOlWOD9ShSj2OqPQiozGPPjqzuIyyWJF37s0Y/BpgJPfqHgE
-----END CERTIFICATE-----
gd_bundle-g2-g1.crt contains multiple such entries inside.
Now, Hyperledger instructions here explain:
composer-rest-server -t -c /tmp/cert.pem -k /tmp/key.pem -p hlfv1 -n my-network -i alice1 -s suchs3cret
Which one in my case is expected to be the cert.pem and which one the key.pem? Do they need any conversion, and if they do, how? These certificates work fine for Java frameworks that use jks keystore. Hyperledger uses node.js and produces errors like
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
at Error (native)
at Object.createSecureContext (_tls_common.js:85:17)
at Server (_tls_wrap.js:776:25)
at new Server (https.js:26:14)
at Object.exports.createServer (https.js:47:10)
at Promise.then (/home/hla/.nvm/versions/node/v6.11.2/lib/node_modules/composer-rest-server/server/server.js:148:28)
at process._tickCallback (internal/process/next_tick.js:109:7)
I tried to substitute the files in various combinations but only get error messages so far. I think I actually tried all possible combinations already, so very likely the format is wrong.
GoDaddy allows to export certificates also in various popular formats (Apache, Exchange, IIS, MacOS X and Tomcat to be precise), but Hyperledger is obviously not between them.
It may also be problematic that when I generate the certificate with
openssl req -newkey rsa:2048 -new -nodes -keyout key.pem -out csr.pem
(where obviously key.pem should probably be the key), I also get the same error:
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
OpenSSL version OpenSSL 1.0.2g 1 Mar 2016. node --version. node --version. node --version 5.4.0.
The rest server is expecting 2 things in order to be able to enable tls. It requires a private key and a public certificate associated with that private key. They both need to be in .pem format. The public certificate will have text that starts with -----BEGIN CERTIFICATE----- whilst the private key will have text that starts with -----BEGIN PRIVATE KEY-----
The openssl command can be used to generate a self signed certificate for example which would be usable by the rest server. In the example you gave above, you actually generated a CSR (certificate request) which is a request to create a certificate for you based on the private key it has generated and so the csr.pem file it created isn't a usable certificate. A CSR is something you send to a certificate authority to request the creation of a certificate.
Use gdig2.crt.pem as your certificate (-c). You need to specify the file to your private key (-k) which you used to generate the CSR. If your private key is password protected, you need to provide the passphrase in composer-rest-server/server.js (look for the line https.createServer({cert, key}, app);). Good luck.
I am trying to use push notifications through my nodejs server deployed in openshift rehat server. I could not find any documentation/discussion to generate apns certificate in openshift.
I tried generating a certificate, but getting an error while generating CSR using this command
openssl genrsa -out sz.key 2048
Error: unable to write 'random state'
e is 65537 (0x10001)
After some googling, I see one option is to use aerogear. But I want to use my own server to handle the notifications.
Is there any other option to generate a certificate in openshift server?
Thanks developercorey for your help. But i still see the error.
Finally generated certificate for my openshift server using this script
openssl x509 -in aps_production.cer -inform DER -out myProdCert.pem
The private key associated with the SSL certificate can be exported from the Keychain Access application on your Mac computer. - mykey.p12
openssl pkcs12 -in mykey.p12 -out myProdKey.pem -nodes -clcerts
openssl s_client -connect gateway.push.apple.com:2195 -cert myProdCert.pem -key myProdKey.pem
Hopefully this will help somebody.
Try this command:
HOME=~/app-root/data/ openssl genrsa -out sz.key 2048
Basically it is trying to write some temp data into your $HOME, but you can't write to that directory, so it won't work, but it does give somewhat of a cryptic error message.
I'm using OpenSSL to avoid pay for it. In my server is runing IIS 8 and Windows Server 2012.
I created my certificate this way:
Used IIS to create a certificate request
Used the following command to create a RSA private key
openssl genrsa -des3 -out cakey.pem 2048
After that I used this command to generate a certificate
openssl req -new -key cakey.pem -x509 -days 1825 -extensions v3_ca -out ca.crt
Finally I signed the certificate request using this:
openssl x509 -req -days 365 -in certreq.txt -CA ca.crt -CAkey cakey.pem -CAcreateserial -out iis.cer
But when I navigate to the website I get an "error" telling me that this is an "Untrusted certificate": The security certificate presented by this website was not issued by a trusted certificate authority.
What you get from OpenSSL tool is a self signed certificate. Of course it is not trusted by any browser, as who can say you are worth the trust.
Please buy a certificate if you want to set up a public web site. That's something you must pay, just like the public domain name.
Instead, if you are hosting an internal web site for your company, there are ways to set up your own CA, such as using Microsoft Active Directory Certificate Services.
Updated in 2018: Today there are more options to get free certificates, such as Let's Encrypt. Check them out and make good use of them.
Did you install your CA certificate into your browser before trying to visit the IIS server running the certificate you generated under the CA hierarchy? Here's some information about that step.