Conversion from cert file to pfx file - security

Is it possible to convert a cert file to a pfx file? I tried importing my cerf file into IE, but it is never shown under the "personal" tab, thus I cannot export there.
I am looking for if there is alternatives available.
FYI, the cerf file is created by using "keytool" and then doing an export to a cert file.

This article describes two ways of creating a .pfx file from a .cer file:
Maxime Lamure: Create your own .pfx file for ClickOnce
Create your public & private Keys (You will be prompt to define the private key’s password):
makecert.exe -sv MyKey.pvk -n "CN=.NET Ready!!!" MyKey.cer
Create your PFX file from the public and private key
pvk2pfx.exe -pvk MyKey.pvk -spc MyKey.cer -pfx MyPFX.pfx -po toto
Programmaticaly you could do so in C# by writing the byte array directly to a file:
byte[] certificateData = certificate.Export(X509ContentType.Pfx, "YourPassword");
File.WriteAllBytes(#"C:\YourCert.pfx", certificateData);
And generally (if you're using IE 8) you might want to have a look at this answer on SO:
How to make IE8 trust a self-signed certificate in 20 irritating steps
Hope that helps you.

Related

HTTPS in Nodejs - error:06065064 digital envelope routines evp_decryptfinal_ex bad decrypt

We tried to install our Hapis (Nodejs Version 14) Web service on our customer's server. It ran under HTTP for months, but when we went to enable HTTPS with the appropriate paths to the cert and key it fails when the service starts up with:
error:06065064:digital envelope routines:EVP_Decryptfinal_ex:bad decrypt
Their certificate and key are generated using the Venafi online portal. It gave them a crt and key. The crt uses a Signature algorithm: sha256RSA, Signature hash algorithm of sha256, and Thumbprint algorith: sha1.
Also, the private key is a RSA PRIVATE KEY with Proc-Type: 4,ENCRYPTED and DEK-Info: DES-EDE3-CBC.
I am not sure what is going on, because HTTPS works fine on our development servers.
Is the problem in HapiJS?
Is the problem with the certificate or key themselves?
Is there an Node option I need to be passing in when creating the service?
Please help.
The specified error 06065064:digital envelope routines:EVP_Decryptfinal_ex:bad decrypt occurs in an SSL/TLS connection using OpenSSL (which is what nodejs modules like tls and https actually use) when the privatekey is encrypted (with a passphrase) and the correct passphrase is not provided to decrypt it. The described file format, beginning with a line -----BEGIN RSA PRIVATE KEY----- followed by lines Proc-Type: and DEK-Info: is indeed one of the encrypted formats used by OpenSSL. Specifically this is the encrypted 'traditional' or 'legacy' format; the PKSC8 format added about 2000 but still considered new(!) uses -----BEGIN ENCRYPTED PRIVATE KEY----- and no 822-style headers, only base64 (of the encrypted structure defined by PKCS8); see ursinely-verbose https://security.stackexchange.com/questions/39279/stronger-encryption-for-ssh-keys/#52564 about OpenSSH's use of OpenSSL, which is basically the same as nodejs's use.
The tls module and others that build on it including https ultimately read the key(s) and cert(s) using tls.createSecureContext which accepts in options a member passphrase, or if you need to use multiple keys (and certs) you can provide a passphrase for each key as described in the linked doc.
Alternatively you can avoid the need for a passphrase by converting the key to an unencrypted file, if acceptable under applicable security policies and regulations. (Good policies may prohibit this, but they usually also prohibit getting the privatekey from or providing it to any other system, especially one 'online' somewhere, and your customer is doing the latter.) To retain traditional format do
openssl rsa -in oldfile -out newfile
# and give the passphrase when prompted, or see the man page about -passin
or you can use the 'new' PKCS8 format with
openssl pkey -in oldfile -out newfile
# technically only in release 1.0.0 up, but pretty much everyone is there now
#
# or in all versions back to about 2000
openssl pkcs8 -topk8 -nocrypt -in oldfile -out newfile
For me this error occured after pulling some old code that was workign to a fresh system, I was using too current of a node Version, I downgraded from 17 to 16 and that solved my problem.
Tried checking the github issues related to the TLS, handshake and versions. But couldn't find any.
The final fix was the one suggested by #Greggory Wiley.
Installed nvm - downgraded the node and npm versions. Recomplied the code. And it worked.
In my case I was exporting a certificate from windows to linux inside a docker using openSSL and facing this error.
The problem was in the versions of OpenSLL, when I was converting .pfx file to .crt and .key I was using 3.0.x version on windows, and on linux I had 1.1.1 installed. After I did the same using the same version of OpenSLL on windows it worked.
I had the same issue, I would say that the accepted answer is good expect it does not provide an example where the passphrase is used.
Here's code that worked in my case for express.js
const server = https
.createServer(
{
key: fs.readFileSync("./root/ca/cakey.pem"),
cert: fs.readFileSync("./root/ca/cacert.pem"),
passphrase: "abcdefg",
},
app
)
.listen(PORT, () => {
console.log(`Secure server listening on port:${PORT}`);
});

Connect to an SFTP server

I am trying to setup a SFTP server on AWS.
I am using ssh2-sftp-client as a client to connect to my server on AWS.
I have tried this before connecting to a local server and was working successfully, the only difference now is that I am trying to use a ppk instead of a password.
I used PuttyGen to convert my pub-key into a ppk but still doesn't like it.
This is what my connection looks like:
await sftp.connect({
host: process.env.SFTP_HOST,
port: process.env.SFTP_PORT,
username: process.env.SFTP_USERNAME,
privateKey: fs.readFileSync('./transfer_key.ppk')
})
and this is the error I get:
Error: ENOENT: no such file or directory, open './transfer_key.ppk'
Any idea how to connect to AWS transfer in this way?
Thank you
The error message implies it cant find the file, but maybe it means it cant find a valid file? I think your issue could be the .ppk file created by PuttyGen is the wrong kind of key file. The client is expecting a private key in "OpenSSH format", ppk files are only used with Windows applications like putty/pageant/winscp afaik.
Try loading your .ppk into puttygen, make sure the password is set and then use the Conversions menu --> Export OpenSSH key option. This creates a new text file that contains a header line, your encoded private key and a footer that would look something like this (only longer) if viewed in a text editor:
-----BEGIN RSA PRIVATE KEY-----
MIIEoQIBDIKCAQEAmnsdLEsp2hkdz+kVoCuL6JYiu5t/jUZCeaQc8TRyEeLUsk2H
0wMA8azMyzt+a1JcNa2j+jrE5Fd6UiJ7do6OQFgqLxv48QCpwNximS20yavKNCGs
5HCsP4feVq2/2/IaCMNLEcv2XBweipYyY0ME+w1wSojWwCetMw==
-----END RSA PRIVATE KEY-----

Keybase private PGP key export fails but decryption is working as expected. So where is my private key?

I use Keybase and I want to export my private PGP key, but I don't know where it is.
Encryption and decryption with keybase pgp [encrypt|decrypt] works as expected with messages sent to and from other people, but neither keybase nor gpg know where my private key is:
$ keybase pgp push-private --all
ERROR No secret key found for fingerprint
$ keybase pgp pull-private --all
ERROR .keys doesn't exist
$ gpg --list-secret-keys
(no output)
Given this information, how can I determine where my private key is and export it? I'm using macOS.
Had the same problem and found the answer here: https://daniellemarco.nl/wp/2019/04/19/pretty-good-privacy-with-keybase-io/
The steps:
Make sure that in the linked device to your keybase.io account the option “Forbid account changes from the website” is disabled in the advanced settings. By disabling this option more possibles are enabled on the keybase.io site. One of them is to export your private key.
After you have disabled this option on your device, go to the website of keybase.io and visit your profile page. And find an “edit” link behind the signature of the public key. Select the edit link and you get the option to export your private key. Save it in a file and then you can then import it with:
gpg2 --allow-secret-key-import --import PrivateKeyFile
Also save your public key to a file. And import this one with the following command.
gpg2 --import PublicKeyFile
This will replace the generation of a PGP key pair with GnuPG and import your keybase.io key pair.
At the end you should trust your key.
gpg2 --edit-key KeyId
and then trust and save.

Access .pem file which has been automatically generated by the Chrome Webstore

I have the following problem: my Google Chrome extension has been submitted before the packaging mechanism (i.e. ship your own pem file to the webstore) was introduced.
Now I'd like to update the extension but since I don't have a pem file the webstore will automatically generate a new one, hence, my extension will have a new ID which causes the update mechanism to fail and I'd loose my existing user base.
Is it possible to get a pem file for the old extension or can I provide my own pem file w/o breaking the update mechansim.
Thanks,
Peter
If your extension is already in the Chrome Web Store, then you don't need to have a .pem file to submit an update. If your extension is not in the Web Store, but you'd like to move it there and keep the same ID, then you can upload your old .pem file with the name key.pem (see the documentation for details).
This isn't really an ideal solution but you can call it Plan B. The updated extension (with a new id) can automatically disable the old one, by looking for the old one's id.
chrome.management.getAll(function(ext){
if(ext.length===1) return;
for(var i=0; i<ext.length; i++){
if(ext[i].id!=="ENTER_OLD_EXTENSION_ID_HERE") continue;
chrome.management.setEnabled(ext[i].id,false);
}
});

Create x509 certificate with openssl/makecert tool

I'm creating a x509 certificate using makecert with the following parameters:
makecert -r -pe -n "CN=Client" -ss MyApp
I want to use this certificate to encrypt and decrypt data with RSA algoritm.
I look to generated certificate in windows certificate store and everything seems ok (It has a private key, public key is a RSA key with 1024 bits and so on..)
Now i use this C# code to encrypt data:
X509Store store = new X509Store("MyApp", StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certs = store.Certificates.Find(X509FindType.FindBySubjectName, "Client", false);
X509Certificate2 _x509 = certs[0];
using (RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)_x509.PublicKey.Key)
{
byte[] dataToEncrypt = Encoding.UTF8.GetBytes("hello");
_encryptedData = rsa.Encrypt(dataToEncrypt, true);
}
When executing the Encrypt method, i receive a CryptographicException with message "Bad key".
I think the code is fine. Probably i'm not creating the certificate properly.
Any comments?
Thanks
---------------- EDIT --------------
If anyone know how to create the certificate using OpenSsl, its also a valid answer for me.
To allow the key to be used for encryption, you should use the -sky-option. Per default ´makecert` uses the AT_SIGNATURE key specification, which will not work with encryption/decryption. Instead have it use the AT_KEYEXCHANGE specification by issuing the following command:
makecert -r -pe -n "CN=Client" -ss MyApp -sky Exchange
(Remember to delete the previous key or use another container-name).
This was another page I stumbled across when I was trying to find examples of makcert usage with x509 certificates and rsa using c#, and unfortunately it only provided part of the solution. I put all the bits together in a blog entry that people might be interested in, and it can be found here:
http://nick-howard.blogspot.com/2011/05/makecert-x509-certificates-and-rsa.html

Resources