I have an SSL CERTIFICATE, a PRIVATE KEY and an SSLCertificateChain CERTIFICATE as follows:
SSL CERTIFICATE:
-----BEGIN CERTIFICATE-----
certificate here
-----END CERTIFICATE-----
PRIVATE KEY:
-----BEGIN RSA PRIVATE KEY-----
key here
-----END RSA PRIVATE KEY-----
SSLCertificateChain CERTIFICATE:
-----BEGIN CERTIFICATE-----
SSLCertificateChain here
-----END CERTIFICATE-----
I have saved the certificate in SSLCertificateFile.crt, the key in SSLCertificateKeyFile.key and the SSLCertificateChain certificate in SSLCertificateChainFile.crt. All three files are saved at /opt/tomcat/conf/.
In /opt/tomcat/conf/server.xml I modified the connector as:
<Connector executor="tomcatThreadPool" scheme="https" secure="true"
port="443" protocol="HTTP/1.1"
connectionTimeout="20000" redirectPort="8443" acceptCount="100" SSLEnabled="true"
maxConnections="100000" SSLCertificateFile="/opt/tomcat/conf/SSLCertificateFile.cert"
SSLCertificatKeyFile="/opt/tomcat/conf/SSLCertificateKeyFile.key"
SSLCertificateChainFile="/opt/tomcat/conf/SSLCertificateChainFile.cert"
SSLProtocol="TLSv1"/>
I've restarted the Tomcat server; http://www.digicert.com/help/ shows the error "SSL Certificate is not trusted" as shown in the image.
Is there anything wrong in the file extensions or the connector?
You've blanked out the information that would be required to give you the definitive answer:
"Certificate does not match name" means that you have a certificate for one server name, but access it as another server - this could be as simple as accessing "www.example.com" as "example.com" if the certificate is only valid for "www.example.com".
The "not trusted" either points again to the mismatch or, more likely, you have a self-signed certificate? You don't mention where you got the certificate from, only that you have it. By going directly to your server (not to digicert) you will probably get the same mismatch.
Even if you got the certificate from a certification authority, make sure that it indeed is trusted. I've seen "demo" certificates (or "class 0" certificates) which were issued to demonstrate the ease of certification, but without any identity check free of charge. Those class 0 certificates are not trusted. Typically you'll need to pay some money for a trusted certificate to some certification agency.
I assume the server is visible on the internet (otherwise digicert won't see it), so if you would share the address, it would be easy to point you to the actual root cause. You can also inspect the certificate, e.g. with Firefox: This is offered through a dialog that opens from the button on the "not trusted" warning page.
I am running a Web API server on Windows. It uses a certificate and hosts Web APIs over HTTPS.
For example, when I put the URL below in the Chrome browser, it gives a list of customers as a JSON array.
https://windows-hostname.xyz.com/api/customers
Also, when I put this URL in the Chrome browser on any machine across the organization, it works perfectly fine and returns data. It does NOT throw a certificate error, because the certificate it uses is a valid certificate issued by the company's certificate issuer.
However, when I write a Node.js program to access the same URL, it throws an SSL error:
const superagent = require('superagent');
var baseUrl = 'https://windows-hostname.xyz.com';
superagent
  .get(baseUrl + "/api/customers")
  .set("accept", "application/json")
  .end(function(err, resp){
    // throws ERROR - err = Error: unable to get local issuer certificate at TLSSocket.onConnectSecure
  });
I have the certificate installed (run MMC on the Windows server -> Add/Remove Snap-ins -> select Certificates in the left pane -> Add to the right pane -> Computer Account) under "Trusted Root Certification Authorities".
I could right-click the certificate and export it with a .CER extension (Base-64 encoded). There is no way I could export the private key.
I changed the above program to use this exported certificate. Then it throws me Error: unable to get local issuer certificate at TLSSocket.onConnectSecure
const fs = require('fs');
const superagent = require('superagent');
var ca = fs.readFileSync('exported.cer'); // the Base-64 (.CER) export from MMC
var baseUrl = 'https://windows-hostname.xyz.com';
superagent
  .get(baseUrl + "/api/customers")
  .set("accept", "application/json")
  .ca(ca)
  .end(function(err, resp){
    // throws ERROR - err = Error: unable to get local issuer certificate at TLSSocket.onConnectSecure
  });
My question is: how do I use this exported .CER file and write a Node.js program that can connect to this web application without an SSL error?
Also, I must not ignore the certificate error.
Thanks,
Atul
Thanks #dave_thompson_085 for your efforts and help.
I could solve this problem. It wasn't quite difficult. Basically, when I exported the certificate as a CER file (Base-64 encoded) it didn't include all the certificates in the certificate chain. For example, the issuer certificate was not included.
Therefore, I created a single exported.CER file that concatenates all the certificates in the certificate chain, including all issuers from the top.
-----BEGIN CERTIFICATE-----
XXXXIszCCBpugAwIBAgITKQAANSmJkY5OfHmEGgAAAAA1AAAAAAAAAAABBBBBBBBB
YYYYMR33333333333333333333YD55555555555555555555LGQBGR11223344553
...
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=DC = com, DC = xyz, DC = domain, CN = Company Root CA
issuer=DC = com, DC = xyz, DC = domain, CN = Company Root CA
-----BEGIN CERTIFICATE-----
XXXXYYYYYYYYYYwIBAgITKQAAN77777777777777777777TAN1111111111111111
YYYYMRMwEQYKCZImiZPyLG99999999999999999999ImiZPyLGQBGR11223344553
...
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=DC = com, DC = xyz, DC = domain, CN = Issuer
issuer=DC = com, DC = xyz, DC = domain, CN = Company Root CA
-----BEGIN CERTIFICATE-----
XXXXYYYYYYYYYYwIBAgITKQAANSmJkY5OfHmEGgAAAAA1KTANBgkqhkiG9w0BAQsF
YYYYMRMwEQYKCZI00011111111111111111111111111111yLGQBGR11223344553
...
-----END CERTIFICATE-----
Now my earlier program works when I have a .CER file that includes all the certificates in the certificate chain.
Also, we can use the following openssl command to get all the certificates in the chain.
openssl s_client -connect windows-hostname.xyz.com:443 -showcerts
This command gives 2 certificates and NOT the top-level certificate. I am not sure if it will still work.
The simplest thing is to right-click, export all certificates in the certificate chain and create one file.
Thanks,
Atul
I have a .crt file. Opening up that file, I see that it starts with
-----BEGIN CERTIFICATE-----
From this file, how do I generate these 2 files?
Certificate request file that starts with -----BEGIN CERTIFICATE REQUEST-----
Key file that starts with -----BEGIN PRIVATE KEY-----
You cannot.
You have the process backwards.
The order is:
1. Generate a key, which in fact has a public and a private part. That would create the "PRIVATE KEY" file.
2. Generate a CSR, that is, a certificate signing request. This is computed based on the private key, without including it, but it includes your public key and other metadata.
3. Give this CSR to a Certificate Authority, which will in turn give you back a certificate, that is, something that includes your public key but is also signed by the CA's private key.
After which the CSR could be discarded.
If anyone could derive the private key from the certificate (which is basically the public key), then X.509 certificates would provide no security by authentication, as anyone would be able to impersonate any host/user/application.
I have a Python Flask app where I created a cert and key file using ssl and put them in the code as follows:
from flask import Flask
app = Flask(__name__)
if __name__ == '__main__':
    context = ('cert.crt', 'keys.key')  # (certificate file, private key file)
    app.run('0.0.0.0', ssl_context=context, debug=True)
However, they are not valid. On the server where I have deployed the code there are 2 files, 'sslca-chain.der' and 'SSLCA-Chain.pem'. How do I use those in the code instead of the above?
The two files you have mentioned are the same thing (chain certificates) just in different formats.
It is best to configure a reverse proxy (like nginx) to handle the SSL stuff rather than include it in your flask application.
Python only handles PEM format files natively.
However, if you must, you need two files: the certificate file and the key file.
If you got your certificate from a third party CA, then they will provide you the certificate file.
The key file is always with you, and should be kept secret.
Since you have a certificate chain, you must provide a custom context to the application and include all the files in your chain, as the load_cert_chain method only takes one argument for the certificate file.
So, in short, what you have to do is:
1. Make sure your PEM file contains your server certificate.
2. Create a custom context with the PEM file and your key file.
3. Pass this custom context to Flask.
A PEM file is just a text file that contains all the certificates in a specific order; the order is:
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate)
-----END CERTIFICATE-----
The -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines are important and should be included.
Once you have verified that your PEM file contains your server certificate, here is how you would configure it for Flask:
import ssl
from flask import Flask
app = Flask(__name__)  # your existing application object
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)  # use TLS 1.2, not SSLv3, to avoid POODLE
ctx.load_cert_chain('/path/to/sslca-chain.pem', '/path/to/server.key')  # (chain file, private key)
app.run('0.0.0.0', ssl_context=ctx, debug=True)
I have found this related question:
Running SSL node.js server with godaddy gd_bundle.crt
which outlines the process of splitting the certificates, but uses three properties: certificate, ca, and key. I have only two files from my HTTPS registration with GoDaddy:
cert.crt (Not the name of the original but I'm fairly confident this is the certificate)
sf_bundle-g1-g2.crt (Is the actual name of the provided file)
Now the documents and file name seem to claim that the sf bundle is a combination of two certificates, but mine looks like so:
-----BEGIN CERTIFICATE-----
MIIFADCCA+igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEoDCCA4igAwIBAgIDORSEMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNVBAYTAlVT
MSUwIwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTIwMAYDVQQL
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
3QUmNUqMZbhSa4Hs0py1NBCXnD7GL+2OQkIkLulzmiX5EfHyI2nL5ZRpoNLcsPxE
iawXqMzVN3cWxYC5DI9XAlWZhXtJ8C5boMJXU12i6KY3wwH6
-----END CERTIFICATE-----
Again, I've combed the documentation and it seems I simply provide the location of all 3 of these in the options.ca array property in Node.js' https module.
However, it seems like I am missing a file. I have a cert and 3 CAs, but no key. Is this an acceptable configuration? Or is some part of the sf_bundle supposed to be my key? It says -g1-g2 but contains 3 certificate sections.
I am entirely new to encryption, so please forgive my ignorance.
key is the private key you used to sign the CSR that you sent to GoDaddy.
The solution ended up simply being going back to GoDaddy and requesting the certificates in my desired format.
I attempted splitting it up and using the key we signed the certificates with, as suggested by mscdex. I could not get this to work.
I have ordered an SSL certificate from RapidSSL and have used it on my current hosting environment. Now I am changing hosting to Azure and they require a .PFX file.
What I have is an email from RapidSSL with a Web Server certificate in text formed like this:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
And I got an INTERMEDIATE CA that has the same format:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
I can find a lot of guides converting to .PFX but they ask for a key file (PEM) and such, and all I got is this email with text.
Can anyone point me to a guide or something? I don't really understand why this has to be so complicated. :(
Any help is much appreciated.
/Brian
You will need to use openssl.
openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt
The key file is just a text file with your private key in it.
Turned out I could get it using their support. They had an online service where I could get it.