Using the new kyrtool utility, I've been trying to create a keyring and import a particular domain certificate into it.
Certificate has been issued by RapidSSL. It's an SHA2 certificate issued for "*.domain.tld".
First of all I've created a new keyring file:
kyrtool create -k C:\path\keyring.kyr -p password
Then I've converted my pfx certificate to pem in openssl:
openssl pkcs12 -in certificate.pfx -out certificate.pem
Then I've tried to import my PEM into the new keyring:
kyrtool import all -i certificate.pem -k C:\path\keyring.kyr -v
And an error occurred:
Using keyring path 'C:\path\keyring.kyr'
No private key found in the input file
ReadPEMPrivateKey returned error 0x0495
Invalid arguments
My PEM certificate contains both -----BEGIN RSA PRIVATE KEY----- and -----BEGIN CERTIFICATE----- blocks.
Any idea?
Thanks, JiKra
OK, the problem was the wrong order of the certificate chain in the PEM file. There was a global CA (GeoTrust CA) certificate before the issuer certificate (RapidSSL 256 - G3).
We've resolved the problem by dividing the whole certificate into four separate PEM files and importing them in the proper order.
kyrtool import keys
kyrtool import certs
kyrtool import roots ...global
kyrtool import roots ...intermediate
JiKra
EDIT 1:
As we realized, the main problem could be with the intermediate certificate of RapidSSL 256 G3 where there were no paddings at the end. This certificate ends exactly with 7bit content:
I am new to SSL and trying to find some method or code which can convert .pem file to .crt using Python3 and OpenSSL.
I have searched through the OpenSSL docs; there is a resource for shell scripts, but I wasn't able to gain much for Python 3.
Also I tried with some shell script
import os
cmd = 'openssl x509 -outform der -in cert.pem -out cert.pem.crt'
os.system(cmd)
but when I open the newly converted .crt file I am getting some gibberish words instead of the words or encoding below:
-----BEGIN CERTIFICATE-----
... (certificate in base64 PEM encoding) ...
-----END CERTIFICATE-----
If anyone can share some idea or code, it will be helpful. Thanks in advance.
I have a PKCS12 file containing a certificate chain and a private key.
I would like to use BouncyCastle to create a CRT file with that cert chain, the same way we can do using OpenSSL command-line tool:
openssl pkcs12 -in [yourfilename.pfx] -clcerts -nokeys -out [certificatename.crt]
I was already able to load the pkcs12 Keystore and obtain the certificates:
Certificate[] certs = pKeyStore.getCertificateChain(pAlias);
But I wasn't able to find a store builder for a CRT file that could accept the array of certificates above...
The class you are looking for is org.bouncycastle.openssl.jcajce.JcaPEMWriter in bcpkix. You can use its write method to encode all sorts of JCE interfaces (X509Certificate, X509CRL, PublicKey, PrivateKey, KeyPair) to a PEM file.
In your case:
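// JcaPEMWriter wraps a java.io.Writer (needs java.io.OutputStreamWriter for System.out);
// writeObject() PEM-encodes each certificate, and closing the writer flushes the output.
try (JcaPEMWriter pemWriter = new JcaPEMWriter(new OutputStreamWriter(System.out))) {
    for (final Certificate cert : certs) {
        pemWriter.writeObject(cert);
    }
}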
I am trying to install Chrome native client.
I went to this https://developer.chrome.com/native-client/sdk/download page to download and install the sdk. I followed the instructions in this page however when I tried to execute the naclsdk list command or any naclsdk command I got an error:
third_party.fancy_urllib.InvalidCertificateException: Host storage.googleapis.com returned an invalid certificate ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)):
To learn more, see http://code.google.com/appengine/kb/general.html#rpcssl
Usage: sdk_update_main.py <command> [options]
What is the problem here? Is there a problem with a certificate?
Just comment out two lines of sdk_tools/download.py:
# ca_certs = os.path.join(SCRIPT_DIR, 'cacerts.txt')
# request.set_ssl_info(ca_certs=ca_certs)
When I tried applying the accepted answer, download.py was overwritten with the old version before it was executed.
Instead, I updated the certificates by replacing the contents of cacerts.txt with the certificate chain storage.googleapis.com is using today:
The problem is with an outdated sdk_tools/cacerts.txt file; Google has changed the CA they use, but the code tries to verify against a specific CA trust anchor.
As an aside, this highlights the difficulties with key pinning.
The minimum change you can do is to update the CA cert it expects by downloading a newer version. This still verifies that you're connected to a Google-controlled server.
The solution by sevenyearslater of ripping this custom check out works too, but makes it possible to spoof the download site in some scenarios.
I am having trouble getting my SSL server working with the certificates from GoDaddy.
Using Express: 3.1.0
The code below works with a key/crt that was generated locally and not signed by GoDaddy (the browser complains, but if you add an exception it works).
var http = require('https');
var privateKey = fs.readFileSync('/var/www/dev/ssl/server.key').toString();
var certificate = fs.readFileSync('/var/www/dev/ssl/server.crt').toString();
var credentials = {key: privateKey, cert: certificate};
var https = http.createServer(credentials, app);
With GoDaddy I am provided an extra file, gd_bundle.crt, which I believe you implement like this; however, I am getting an error:
var http = require('https');
var privateKey = fs.readFileSync('/var/www/prod/ssl/mysite.key').toString();
var certificate = fs.readFileSync('/var/www/prod/ssl/mysite.com.crt').toString();
var ca = fs.readFileSync('/var/www/prod/ssl/gd_bundle.crt').toString();
var credentials = {key: privateKey, cert: certificate, ca: ca};
var https = http.createServer(credentials, app);
With this configuration I get: Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
Truth be told, I am not creating the keys/certs; our devops guy does... I am not sure how I can troubleshoot whether I am implementing the GoDaddy ones incorrectly, or if there is a way to ensure he set up the key/crt files correctly....
Does anyone see anything blatantly obviously wrong?
Node requires each certificate in the CA chain to be passed separately in an array. gd_bundle.crt probably looks like this:
-----BEGIN CERTIFICATE-----
MIIE3jCCA...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEADCCA...
-----END CERTIFICATE-----
Each certificate needs to be put in its own file (i.e. gd1.crt and gd2.crt) and read separately.
https.createServer({
  key: fs.readFileSync('mysite.key'),
  // Node's TLS option is named `cert`, not `certificate`.
  cert: fs.readFileSync('mysite.crt'),
  ca: [fs.readFileSync('gd1.crt'), fs.readFileSync('gd2.crt')]
});
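One way to build the `ca` array described above without hand-splitting the bundle into files. This is an added example, not code from the answers; `splitPemBundle`, `caArrayFromBundle`, `fakePem` and the sample bundle are constructed for illustration, and the sample bytes are placeholders rather than real certificates.

```javascript
// Added example: split a concatenated PEM bundle into one entry per block.
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----\r?\n([\s\S]*?)\r?\n-----END \1-----/g;

function splitPemBundle(text) {
  const blocks = [];
  for (const m of text.matchAll(PEM_BLOCK)) {
    const label = m[1];
    const body = m[2].replace(/\s+/g, '');
    // Base64 comes in 4-character groups; '=' padding appears only when the
    // DER length is not a multiple of 3, so a body without '=' is still valid.
    if (body.length === 0 || body.length % 4 !== 0 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(body)) {
      throw new Error(`malformed base64 in ${label} block #${blocks.length + 1}`);
    }
    const der = Buffer.from(body, 'base64'); // the binary (DER) form of the same object
    // Re-emit with 64-character lines so every consumer sees the same layout.
    const lines = body.match(/.{1,64}/g).join('\n');
    const pem = `-----BEGIN ${label}-----\n${lines}\n-----END ${label}-----\n`;
    blocks.push({ label, der, pem });
  }
  return blocks;
}

// Build the `ca` array from a bundle. Anything that is not a certificate
// (for example a private key pasted into the bundle by mistake) is rejected.
function caArrayFromBundle(text) {
  const blocks = splitPemBundle(text);
  if (blocks.length === 0) throw new Error('no PEM blocks found');
  const stray = blocks.find((b) => b.label !== 'CERTIFICATE');
  if (stray) throw new Error(`unexpected ${stray.label} block in CA bundle`);
  return blocks.map((b) => b.pem);
}

// Constructed sample input: placeholder bytes, not real certificates.
function fakePem(label, bytes) {
  return `-----BEGIN ${label}-----\n${Buffer.from(bytes).toString('base64')}\n-----END ${label}-----\n`;
}
const SAMPLE_BUNDLE =
  fakePem('CERTIFICATE', [0x30, 0x03, 0x02, 0x01, 0x01]) +        // 5 bytes: '=' padding
  fakePem('CERTIFICATE', [0x30, 0x04, 0x02, 0x02, 0x01, 0x00]);   // 6 bytes: no padding

// Usage with a real bundle (path is a placeholder):
// ca: caArrayFromBundle(fs.readFileSync('gd_bundle.crt', 'utf8'))
```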
Ask GoDaddy for your ssl certificate in SHA-1 signature and break the bundle file into two files, this way...
FROM your gd_bundle.crt
-----BEGIN CERTIFICATE-----
MIIE3jCCA8agAwIBAgICAwEwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCVVMx
RE4+uXR21aITVSzGh6O1mawGhId/dQb8vxRMDsxuxN89txJx9OjxUUAiKEngHUuH
qDTMBqLdElrRhjZkAzVvb3du6/KFUJheqwNTrZEjYx8WnM25sgVjOuH0aBsXBTWV
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mERdEr/VxqHD3VILs9RaRegAhJhldX
RQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5CufReYNnyicsbkqWletNw+vHX/bvZ8
-----END CERTIFICATE-----
TO gd_bundle_01.crt
-----BEGIN CERTIFICATE-----
MIIE3jCCA8agAwIBAgICAwEwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCVVMx
RE4+uXR21aITVSzGh6O1mawGhId/dQb8vxRMDsxuxN89txJx9OjxUUAiKEngHUuH
qDTMBqLdElrRhjZkAzVvb3du6/KFUJheqwNTrZEjYx8WnM25sgVjOuH0aBsXBTWV
-----END CERTIFICATE-----
AND gd_bundle_02.crt
-----BEGIN CERTIFICATE-----
56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mERdEr/VxqHD3VILs9RaRegAhJhldX
RQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5CufReYNnyicsbkqWletNw+vHX/bvZ8
-----END CERTIFICATE-----
then on your server do this
var fs = require('fs'),
    https = require('https');
var ssl = {
  key: fs.readFileSync('./ssl/server.key', 'utf8'),
  cert: fs.readFileSync('./ssl/server.crt', 'utf8'),
  // The two files split out of gd_bundle.crt above
  ca: [fs.readFileSync('./ssl/gd_bundle_01.crt', 'utf8'),
       fs.readFileSync('./ssl/gd_bundle_02.crt', 'utf8')]
};
https.createServer(ssl, function(req, res) {
  //... your code here ...
}).listen(443);
Recently I had a similar problem with Godaddy's SSL certificates on one of our node.js servers. In my case the problem was with one of our servers validating the SSL using PHP's curl functions.
It turns out I had to choose SHA-1 signature algorithm when submitting the CSR to Godaddy. I guess it is more compatible with older systems.
Simpler
Why be so specific just for GoDaddy's CA bundle when you can keep the same approach for different environments? I only need two files for dev env for example but production is using GoDaddy certs and has many so what to do?
For GoDaddy, I take their bundle and append it into a single file and name the extension as PEM as well as the key file which gives a pretty standard approach for all types of certs.
Then you end up just doing this for all environments:
server = https.createServer({
key: fs.readFileSync(config.sslKey),
cert: fs.readFileSync(config.sslCert),
},app).listen(config.sslPort);
In your GoDaddy cert.pem file you just place your certificate and your bundle files from 1 to x (top to bottom) and you're done like so:
-----BEGIN CERTIFICATE-----
site certificate goes here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CA 1 goes here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CA 2 goes here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CA X goes here
-----END CERTIFICATE-----
Not necessarily better but I prefer it. I didn't encounter on Express 3.x that I had to do the CA array route but I could be wrong for the specific version.
I am trying to import Gmail's SMTP certificate for use with Jira, but I get this error when importing using Java's keytool.
I used openssl to get the certificate, everything between ----Begin Certificate---- and ----End Certificate---- (inclusive). I also attempted to create an x.509 certificate using Windows Certificate Manager, but still get this error. I have verified that there are no extra whitespaces in the file.
I have seen many people with this problem online, but none of the solutions seem to work for me. Any help would be appreciated.
Thanks
openssl x509 -outform der -in foo.pem -out foo.der
Then use the DER-encoded output certificate.
The answer is correct but be sure to INCLUDE the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- in the copy/paste.
This command will then work:
openssl x509 -outform der -in gmail.pem -out gmail.der
and then you do:
sudo keytool -import -file gmail.der -keystore $JAVA_HOME/jre/lib/security/cacerts -trustcacerts
Unfortunately, openssl didn't work for me.
unable to load certificate
2740:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:./crypto/asn1/tasn_dec.c:1294:
2740:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:./crypto/asn1/tasn_dec.c:380:Type=X509_CINF
2740:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:./crypto/asn1/tasn_dec.c:749:Field=cert_info, Type=X509
2740:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:./crypto/pem/pem_oth.c:83:
Used this knowledge base and success followed.
https://knowledge.verisign.ch/support/code-signing-support/index?page=content&id=SO18659&actp=search&viewlocale=en_US&searchid=1343045026667