how to generate apns certificate in openshift server - node.js

I am trying to use push notifications through my nodejs server deployed in openshift rehat server. I could not find any documentation/discussion to generate apns certificate in openshift.
I tried generating a certificate, but getting an error while generating CSR using this command
openssl genrsa -out sz.key 2048
Error: unable to write 'random state'
e is 65537 (0x10001)
After some googling, I see one option is to use aerogear. But I want to use my own server to handle the notifications.
Is there any other option to generate a certificate in openshift server?

Thanks developercorey for your help. But i still see the error.
Finally generated certificate for my openshift server using this script
openssl x509 -in aps_production.cer -inform DER -out myProdCert.pem
The private key associated with the SSL certificate can be exported from the Keychain Access application on your Mac computer. - mykey.p12
openssl pkcs12 -in mykey.p12 -out myProdKey.pem -nodes -clcerts
openssl s_client -connect gateway.push.apple.com:2195 -cert myProdCert.pem -key myProdKey.pem
Hopefully this will help somebody.

Try this command:
HOME=~/app-root/data/ openssl genrsa -out sz.key 2048
Basically it is trying to write some temp data into your $HOME, but you can't write to that directory, so it won't work, but it does give somewhat of a cryptic error message.

Related

Fail to merge/extract OpenSSL certificates

I have 4 certificates with the following extensions
_com-bundle.pem
_com.der
_com.p7b
_com.pem
In my internal tool i need to add the SSL Cert and SSL key.
How can i merge/extract the correct cert and key from the above extensions?
i've tried the bellow command
openssl x509 -inform DER -in *_com.pem -outform PEM -out cert.pem
but i've received and error that the key file is incorrect

Unable to Generate .pfx File For Azure App

We are trying to update an SSL certificate in our Azure Web App. Accordingly to the Private Certificate Requirements we need to use triple DES for a private key now. Here's are steps that I'm doing:
Generate private key on my PC using triple DES:
openssl genrsa -des3 -out privatekey.key 2048
Generate csr:
openssl req -new -key privatekey.key -out mycsr.csr
Re-key certificate on Godaddy Portal.
Using new crt-file generate a pfx:
openssl pkcs12 -export -out cert.pfx -inkey privatekey.key -in mycert.crt
Unfortunately, generated certificate is not accepted by Azure portal. I'm getting an error message "The password is incorrect, or the certificate is not valid".
Ubuntu 22.04 uses a yescrypt hashing algorythm. Try to generate the pfx on

unable to load Private Key from pem

I'm trying to generate a key to enable https on apache server under linux.
I took the certificat from godaddy that gave me .crt and .pem
I've tried to generate the key from the pem in many way:
openssl pkey -in foo.pem -out foo.key
openssl rsa -in foo.pem -out foo.key
Then I tried by an other way explain in some post I've found under stackoverflow
openssl rsa -in key.pem -out keyout.pem
and I always get this error message:
unable to load Private Key
139675415795008:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
Someone can explain to me what is my mistake and how to resolve it ?
Thanks a lot

Pushing SocketClutser to Google K8S Engine, the Ingress service not working complaining SSL key is too large

I have created a socketcluster nodejs app. I followed their official docs to deploy the service to Google K8s Engine. However the ingress service is not running up and complains about :
Error:googleapi: Error 400: The SSL key is too large., sslCertificateKeyTooLarge
I tried following certificates:
4048 Key size certificate from Let'sEncrypt
2048 Key size using cert created using Open SSL.
Both of them result the the same error.
Do any one know how do I resolve this? And where do I get proper certificate for enabling TLS?
IIRC, only RSA-2048 and ECDSA P256 keys are supported:
openssl genrsa -out PRIVATE_KEY_FILE 2048
openssl ecparam -name prime256v1 -genkey -noout -out PRIVATE_KEY_FILE
I also struggled due to this error on using Letsencrypt certs with 4096bit private key to a GKE ingress - even creating the secret worked fine for [1].
Finally overcame with editing "/etc/letsencrypt/cli.ini"
rsa-key-size = 2048
issued new certificate, keyfile and put those into secret.
[1] https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl
On Cloud Shell, GCP with "openssl" and "gcloud", I tried to create a self-managed SSL certificate first running this command below to create "myCert.crt" and "myKey.key":
openssl req -new -newkey rsa:4096 -x509 -days 365 -nodes -out myCert.crt -keyout myKey.key
Then, ran this command below to create the self-managed SSL certificate "mycert" using "myCert.crt" and "myKey.key":
gcloud compute ssl-certificates create mycert --certificate=myCert.crt --private-key=myKey.key
But I got a similar error to yours:
ERROR: (gcloud.compute.ssl-certificates.create) Could not fetch
resource:
The SSL key is too large.
So I changed "rsa:4096" to "rsa:2048" then ran the first command again:
// "4096" is changed to "2048"
openssl req -new -newkey rsa:2048 -x509 -days 365 -nodes -out myCert.crt -keyout myKey.key
Then, ran the second command again:
gcloud compute ssl-certificates create mycert --certificate=myCert.crt --private-key=myKey.key
Finally, I could create the self-managed SSL certificate "mycert":
Created
[https://www.googleapis.com/compute/v1/projects/myproject-923743/global/sslCertificates/mycert].
NAME: mycert TYPE: SELF_MANAGED CREATION_TIMESTAMP:
2022-01-22T07:22:26.058-08:00 EXPIRE_TIME:
2023-01-22T07:22:08.000-08:00 MANAGED_STATUS:

Untrusted certificate on IIS using OpenSSL

I'm using OpenSSL to avoid pay for it. In my server is runing IIS 8 and Windows Server 2012.
I created my certificate this way:
Used IIS to create a certificate request
Used the following command to create a RSA private key
openssl genrsa -des3 -out cakey.pem 2048
After that I used this command to generate a certificate
openssl req -new -key cakey.pem -x509 -days 1825 -extensions v3_ca -out ca.crt
Finally I signed the certificate request using this:
openssl x509 -req -days 365 -in certreq.txt -CA ca.crt -CAkey cakey.pem -CAcreateserial -out iis.cer
But when I navigate to the website I get an "error" telling me that this is an "Untrusted certificate": The security certificate presented by this website was not issued by a trusted certificate authority.
What you get from OpenSSL tool is a self signed certificate. Of course it is not trusted by any browser, as who can say you are worth the trust.
Please buy a certificate if you want to set up a public web site. That's something you must pay, just like the public domain name.
Instead, if you are hosting an internal web site for your company, there are ways to set up your own CA, such as using Microsoft Active Directory Certificate Services.
Updated in 2018: Today there are more options to get free certificates, such as Let's Encrypt. Check them out and make good use of them.
Did you install your CA certificate into your browser before trying to visit the IIS server running the certificate you generated under the CA hierarchy? Here's some information about that step.

Resources