How to create ssl certificate chain? - linux

I have a public key certificate and a private key, and I have uploaded both in the AWS CloudFront service.
I tried to configure CloudFront, selected a custom SSL certificate and clicked the "YES EDIT" button. I received the error message below:
"com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: The specified SSL certificate doesn't exist in the IAM certificate store, isn't valid, or doesn't include a valid certificate chain. (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: c169e804-ef21-11e4-a864-99c1866d5c97)"
Please advise on the above error.

You don't "create" it. The certificate chain is made up of one or more additional "intermediate" certificates provided by the certificate authority that generated your certificate.

Related

Setting a self-signed certificate into the list of Windows certificates does not resolve SEC_E_UNTRUSTED_ROOT

I set http.sslbackend=schannel and imported my self-signed certificate into the Windows 10 (Personal | Certificates) pane in MMC. Now I'm trying to clone a repository hosted on a server configured with the self-signed certificate.
As far as I understood, as long as the certificate is in Windows (explained above), git should not complain about the certificate. This is not the case. Whenever I try to clone I get:
unable to access https://server.com/project.git : schannel: SEC_E_UNTRUSTED_ROOT (0X80090325) - THE CERTIFICATE CHAIN WAS ISSUED BY AN AUTHORITY THAT IS NOT TRUSTED.
What am I missing here?

Valid CA certificates

I'm following this tutorial and the app works, but only certificates I created with my server key work.
I understand that I need to pass the ca option with the certificates my server accepts, but I don't know how to specify what I need.
I would like to accept certificates from other CAs, not only the ones signed with my server key.
[The peer's certificate must be chainable to a CA trusted by the server for the connection to be authenticated. When using certificates that are not chainable to a well-known CA, the certificate's CA must be explicitly specified as a trusted or the connection will fail to authenticate.][1]
const fs = require('fs');

const opts = {
  key: fs.readFileSync('server_key.pem'),
  cert: fs.readFileSync('server_cert.pem'),
  requestCert: true,
  // false: clients whose certificate does not chain to an entry in `ca` are
  // still connected; their socket just reports authorized === false
  rejectUnauthorized: false,
  // only the server's own certificate is trusted here, which is why only
  // client certificates signed with the server key are accepted
  ca: [ fs.readFileSync('server_cert.pem') ],
}
How can I do this?
It depends on how you're validating, but at the very least you would need to have a .CER copy of the other CA certs installed in your machine's certificate store in the Trusted Root Certification Authorities folder. After that it'd all fall down to validation. Some validation methods automatically query your machine's cert store for the certificate. Or you can program it to pull the CA from your certificate store and construct the chain yourself.
The .CER version of the certificate refers to the public copy that does not contain the private keys used for signing a certificate. This cert can validate other certificates that were issued by it, but it cannot sign a certificate.
If you're on a Windows machine, you can access your certificate store through the Microsoft Management Console. Open a cmd prompt and type MMC.
Go to File > Add or Remove Snap-in > Certificates and select Add. This will prompt you for the specific certificate store you want. If you click the drop-down, you'll see additional folders. This will show all trusted certificate authorities in the given store. You will need to add copies of the other CA signing certs here.

Custom domains/SSL binding in Microsoft Azure server

I have installed SSL successfully on my Azure server but it's not binding with the domain. I am getting the following error message.
It is not clear what certificate you are using. To use a certificate in App Service, the certificate must meet all of the following requirements:
Signed by a trusted certificate authority
Exported as a password-protected PFX file
Contains private key at least 2048 bits long
Contains all intermediate certificates in the certificate chain
As highlighted by Snobu, you may regenerate the certificate (for self-signed) with extendedKeyUsage = critical,codeSigning,1.3.6.1.5.5.7.3.1 in the x509_extensions section of the file. Refer to this document for step-by-step instructions on uploading a certificate.
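The two error cases above, the CloudFront "doesn't include a valid certificate chain" rejection and the App Service requirement that the PFX carry the intermediates, come down to the same thing: the leaf must be presented together with the intermediate CA certificate(s) that link it to a trusted root. The following added example (not code from any of the posts, and not AWS or Azure tooling) builds a throwaway root -> intermediate -> leaf PKI with OpenSSL, shows that the leaf verifies only when the intermediate is supplied, and exports a password-protected PFX that contains the chain. The file names, subjects and the "changeit" password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the posts above. Demo PKI: root -> intermediate -> leaf.
# Subjects, file names and the PFX password are constructed for this demo only.
set -eu

# make_demo_pki <dir>: writes root.pem/root.key, inter.pem/inter.key, leaf.pem/leaf.key
make_demo_pki() {
  cd "$1"
  # Root CA: self-signed; `req -x509` marks it CA:TRUE by default.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.pem 2>/dev/null
  # Intermediate CA: a CSR signed by the root, with CA:TRUE and keyCertSign.
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out inter.pem 2>/dev/null
  # Leaf (server) certificate: signed by the intermediate, not by the root.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null
}

# verify_leaf <trust-anchor.pem> <leaf.pem> [intermediates.pem]
# Succeeds only when the leaf chains to the anchor through the given intermediates;
# without them the verifier cannot find the leaf's issuer, which is the CloudFront case.
verify_leaf() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# export_pfx <leaf.key> <leaf.pem> <chain.pem> <out.pfx> <password>
# Bundles key, leaf and intermediates into one password-protected PKCS#12 file,
# which is the form App Service asks for.
export_pfx() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" -passout "pass:$5"
}

# pfx_cert_count <file.pfx> <password>: number of certificates stored in the PFX
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
```

For a real CloudFront or App Service upload the chain file is the intermediate certificate(s) your CA sent you (not the root), and the trust anchor check is done by the browser against its own root store.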

Creating a Digital Certificate without signing it

I have created a key pair and now I want to bind my public key with an email ID (create a digital certificate). I do not want to do the next step of signing the certificate.
Question: How can I create the digital certificate (and hence bind the public key with the identity) without actually signing it for now? (Using OpenSSL for this would be fine.)
My understanding:
A digital certificate is just packaging the public key with an identity.
A digital signature is a CA assuring/signing the certificate and embedding the signature in the certificate file.
Or is my understanding all wrong?
A signature is a required part of a certificate. You may instead create a so-called self-signed certificate, signed by your own key.
If I got your question right, you want to prepare a certificate and stop the process before the actual signing by a CA would happen ...
The thing you are looking for is a so-called certificate request ...
Have a look at the "openssl req" command ... for examples see http://www.openssl.org/docs/apps/req.html (the examples section shows generating a new request)
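A worked version of the certificate-request route from the answer above, as an added example that is not from either answer: the e-mail identity is bound to an existing key in a CSR with `openssl req`, and the CSR is inspected. Note that even a CSR is not signature-free: it is self-signed with the requester's own key as proof of possession, which `openssl req -verify` checks; only the CA signature is deferred. The key file name, subject and e-mail address are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the answers above. Key name, subject and e-mail are
# constructed for this demo only.
set -eu

# make_key <out.key>: a fresh 2048-bit RSA private key (stands in for the asker's key pair)
make_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# make_csr <key.pem> <out.csr> <email>: certificate request binding the e-mail to the key.
# No CA is involved; the request is signed with the key itself (proof of possession).
make_csr() {
  openssl req -new -key "$1" -subj "/CN=Demo User/emailAddress=$3" -out "$2" 2>/dev/null
}

# csr_email <file.csr>: the e-mail address carried in the request subject (empty if none)
csr_email() {
  openssl req -in "$1" -noout -subject | sed -n 's/.*emailAddress *= *\([^,/]*\).*/\1/p'
}

# csr_self_signature_ok <file.csr>: succeeds when the request's own signature verifies,
# i.e. the embedded public key matches the key that signed the request
csr_self_signature_ok() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}
```

Handing the resulting .csr to a CA (or signing it yourself with `openssl x509 -req`) is the step the asker wants to postpone.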

How to validate an X509Certificate chain using a given certificate

I have a trusted certificate given by a user (it may be self-signed). I want to use that certificate to validate an HTTPS server certificate chain.
I found there was a code example like:
Validate X.509 certificate against CA in Java
which only validates whether the last certificate certs[0] is signed by the given certificate.
The following link uses CertPathValidator to validate the certificate.
Java X509 Certificate parsing and validating
Which example should I follow? I suppose if any certificate in the certificate chain is signed by the given certificate, the validation passes. Is that right?
