How can I grab the root SSL certificate, together with any intermediates, to a file from a given URL? Ideally through some Linux shell compatible command line, but manually will do if I have to. Update: Interactively, using Chrome, if I examine a certificate I can optionally export it. And there's a way to grab the entire chain, if applicable. So now I'm only looking for a scriptable method.
Background:
mono nuget.exe install ./packages.config -o ./packages
will install project packages on Ubuntu, as long as the required certificates are installed in the machine's Trust store. In part, it's done like this:
$ certmgr -ssl https://nugetgallery.blob.core.windows.net
This command, with the -ssl option, grabs the certificate and any intermediates from the specified url, and requires user confirmation. I'm trying to automate server builds, so I'd like to get the certificates added without requiring user confirmation.
I've tried piping the response into the command - i.e.:
$ echo "Yes" | certmgr -ssl https://nugetgallery.blob.core.windows.net
That doesn't work. I've tried to export the certificates to a file, so I can add them to my build project, but mono certmgr hasn't implemented 'put' yet.
Assuming openssl is installed, this commandline:
echo | openssl s_client \
-showcerts \
-connect nugetgallery.blob.core.windows.net:443 2>&1 |
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem
produces a file that contains all three certificates involved in this chain.
Thanks to this answer to the question "Using openssl to get the certificate from a server" for the solution to get the chain. The following commands will load the saved certificates into the Trust store.
openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b
certmgr -add -c -m Trust ./cert.p7b
I have the job of converting some bash scripts to run on Node in an AWS Lambda. The scripts encode and decode some files. As the files are used externally I have to keep the encryption unchanged.
The files are encrypted with the command
openssl enc -e -aes-256-cbc -base64 -salt -in $filein -out $fileout -k $key
and decrypted with
openssl enc -d -aes-256-cbc -base64 -salt -in $filein -out $fileout -k $key
I've tried just wrapping the openssl calls but openssl is no longer installed in the Node Lambda runtime.
I've tried using the node:crypto module and searching Stack Overflow but don't really understand enough about encryption and how openssl works to have a chance of writing any code. For example I can't work out how to get the IV to use when decrypting the file.
So is it possible to reproduce these openssl commands with node?
My backup plan is to build a container or Lambda Layer containing SSL and use one of the SSL wrappers but I'd prefer not to do that if I can help it.
I'm using Linux and I basically want to encrypt a file using a password.
I've tried using gpg -c myfile for encryption, and that works fine, it asks me for a password and encrypts it. But it only asks for a password when encrypting.
I want a way to encrypt a file and if you want to decrypt it you have to give the same password that it was encrypted with.
If there's a python library that would work too since I can put that on a script.
There are several alternatives to create password protected files under Linux.
GnuPG
GnuPG can be used to encrypt data and create digital signatures.
To encrypt and decrypt a data.txt file, use gpg command as follows:
$ gpg -c data.txt
$ gpg data.txt.gpg
mcrypt
mcrypt allows you to create password protected files similarly to GnuPG.
To encrypt and decrypt a data.txt file, use mcrypt command as follows:
$ mcrypt data.txt
$ mcrypt -d data.txt.nc
OpenSSL
The OpenSSL Cryptography Toolkit can also be used to encrypt and decrypt files and messages.
To encrypt and decrypt a data.txt file, use the openssl command as follows:
$ openssl enc -aes-256-cbc -salt -in data.txt -out data.txt.enc
$ openssl enc -aes-256-cbc -d -in data.txt.enc -out data.txt
That's because of gpg-agent, a daemon that manages private keys and which is used as a backend for gpg. It caches your passphrases for some time by default. You can configure that with the following options (from man gpg-agent):
--default-cache-ttl n
    Set the time a cache entry is valid to n seconds. The default is 600 seconds. Each time a cache entry is accessed, the entry's timer is reset. To set an entry's maximum lifetime, use max-cache-ttl. Note that a cached passphrase may not be evicted immediately from memory if no client requests a cache operation. This is due to an internal housekeeping function which is only run every few seconds.

--max-cache-ttl n
    Set the maximum time a cache entry is valid to n seconds. After this time a cache entry will be expired even if it has been accessed recently or has been set using gpg-preset-passphrase. The default is 2 hours (7200 seconds).
One way to clear the cache is to reload gpg-agent: gpgconf --reload gpg-agent
You can use gpg -c myfile && gpgconf --reload gpg-agent to encrypt your file, after which the password will be asked for if you try to decrypt it with gpg myfile.gpg.
I am running a bunch of shell scripts which use the properties in a config.properties file. It has database connection details, passwords, etc.
I just want to encrypt the passwords, so that when someone looks at the properties file they shouldn't be able to use it.
Also I don't want to change the permissions on the file; I want only the passwords to be encrypted.
I know there are a few ways, like using Java or using any encryption algorithm, but I don't want to use Java.
I am running the shell scripts on CentOS. Sample scripts look like below.
config.properties
DatabaseHostName=test_host
DatabasePort=4898
DatabaseUserName=test_user
# MY DB Password here is visible.. I want to encrypt this
DatabasePassword=password123
script.sh
#sourcing the above properties file here
source ./config.properties
export PGPASSWORD=${DatabasePassword}
psql -h ${DatabaseHostName} -p ${DatabasePort} -U ${DatabaseUserName} -c "select * from table_name;"
Both files are in the same folder.
Here's the problem, whatever encryption you put in the file, you'd need to be able to reverse in the script. So anyone who can see the script can figure out how to decode the passwords.
command encrypt:
echo 'hoge' | openssl rsautl -encrypt -inkey ~/.ssh/id_rsa > pass.rsa
command decrypt:
openssl rsautl -decrypt -inkey /root/.ssh/id_rsa -in pass.rsa
config modify:
DatabasePassword=S03EXE -> DatabasePassword=$(openssl rsautl -decrypt -inkey ~/.ssh/id_rsa -in pass.rsa)
I want to search a user using ldapsearch, but the hosting provider gave me a certificate from the CA. I added that certificate in my ldapconf.
Before executing the ldapsearch command I am running openssl as follows
openssl s_client -connect hostname -CAfile /certificate.pem
After connecting via openssl, I execute the following command in another terminal
ldapsearch -h hostname -p portno -D uid=mailid#domain.con, dc=global,dc=example,dc=net
Now I want to know, is there any way to use the certificate while executing the ldapsearch command?
This should be doable by performing:
env LDAPTLS_CACERT=/certificate.pem ldapsearch -h hostname -p portno -D uid=mailid#domain.con, dc=global,dc=example,dc=net
although, I'd use:
env LDAPTLS_CACERT=/certificate.pem ldapsearch -H ldaps://hostname:portno/ -D uid=mailid#domain.con, dc=global,dc=example,dc=net
to ensure that it tries with ldaps, rather than heuristics.
If you're getting errors still, you can add -ZZ which will give better error messages.
An obvious gotcha is using an expired cert, the second most obvious gotcha is not using the same name in the request as you've got in the certificate. You can read the server cert using openssl s_client -connect hostname:portno - there will be a line reading something like:
subject=/C=IE/CN=hostname.domain.local
You have to ensure that the ldapsearch request's hostname matches the hostname as listed in the CN=... item. If it doesn't match then you'll not be able to connect (this is simple cert validation; if there are alternative names then you can try: openssl x509 -text -noout -in /certificate.pem | grep DNS).
A final caveat is that Mac OSX does not respect the LDAPTLS_CACERT environment variable. You have to import the cert into the keychain (I don't know of a workaround for OSX in this case).
I'm trying to create a self-signed certificate for a test web server running Sun Webserver 6.1 using certutil. I am open to using keytool or openssl if someone has better instructions which work with Sun Webserver.
Here are the commands that I use:
certutil -S -P "https-myWebapp-" -d . -n myCA -s "CN=myWebserver.com CA,OU=myCompany,C=US" -x -t "CT,CT,CT" -m 102 -v 301 -5
and I select option 5 - SSL CA and "yes" to the critical extension question. The CA is created successfully. Now that I have created the certificate authority, I try to sign the actual cert with the following command:
certutil -S -P "https-myWebapp-" -d . -n myServer -s "CN=myWebserver.com,C=US" -c myCA -t "u,u,u" -m 102 -v 300 -5
At the certutil prompt, I select option 1 to create an SSL server with critical extensions enabled. This produces the following error:
certutil: could not obtain certificate from file: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
What did I do wrong? I think that I may have a failed SSL certificate, but I get the following when running certutil -L -d . -P "https-myWebapp-":
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

myCA                                                         CTu,Cu,Cu
In the second command, I needed to change the -m property to a new serial id number.
That fixed the error message and created the certificate.