I'm trying to create a self-signed certificate for a test web server running Sun Webserver 6.1 using certutil. I am open to using keytool or openssl if someone has better instructions which work with Sun Webserver.
Here are the commands that I use:
certutil -S -P "https-myWebapp-" -d . -n myCA -s "CN=myWebserver.com CA,OU=myCompany,C=US" -x -t "CT,CT,CT" -m 102 -v 301 -5
and I select option 5 - SSL CA and "yes" to the critical extension question. The CA is created successfully. Now that I have created the certificate authority, I try to sign the actual cert with the following command:
certutil -S -P "https-myWebapp-" -d . -n myServer -s "CN=myWebserver.com,C=US" -c myCA -t "u,u,u" -m 102 -v 300 -5
At the certutil prompt, I select option 1 to create a SSL server with critical extensions enabled. This produces the following error:
certutil: could not obtain certificate from file: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
What did I do wrong? I think that I may have a failed SSL certificate, but I get the following when running certutil -L -d . -P "https-myWebapp-"
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
myCA CTu,Cu,Cu
In the second command, I needed to change the -m property to a new serial id number.
That fixed the error message and created the certificate.
I have installed openLDAP on a Centos 7 server that is already running FreeIPA for user authentication. http://www.tecmint.com/setup-ldap-server-and-configure-client-authentication
The purpose of openLDAP is for a Nodejs application to manage users for the app. and will be running on separate server.
I can see that slapd is running (ps -ef | grep slapd):
ldap 1287 1 0 06:40 ? 00:00:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
So I was trying to change the defaults using the ldapadd command and I suspect that it is connecting to the FreeIPA LDAP that is configured on the box (on some commands using -x -h it is asking for a password which hasn't been set yet):
sudo ldapadd -H ldapi:/// -f ldaprootpasswd.ldif
SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate)
If I run an ldapsearch then I seem to be able to connect to openLDAP:
sudo ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" olcSuffix olcRootDN olcRootPW -LLL -Q
dn: olcDatabase={2}hdb,cn=config
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=co
I thought maybe that I could connect externally using a Windows LDAP tool but I get a connection error. I did confirm that the port is open and visible externally.
nmap -p 389 10.18.16.243
Starting Nmap 7.12 ( https://nmap.org ) at 2016-09-28 11:25 GMT Daylight Time
Nmap scan report for 10.18.16.243
Host is up (0.00s latency).
PORT STATE SERVICE
389/tcp filtered ldap
MAC Address: BB:BB:BB:BB:BB:00 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 19.92 seconds
I tried using -h instead of -H:
sudo ldapadd -a -x -h localhost -p 389 -D cn=Manager,dc=my-domain,dc=com -W -f ldaprootpasswd.ldif
This prompts me for a password but I have only just installed openLDAP and not set a password yet (olcRootPW is in the ldif file I am trying to apply).
Does anyone have experience with openLDAP for user authentication or have any ideas what config needs changing to get this up and running?
The secret incantation was:
sudo ldapmodify -a -Q -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif
Since "-a" forces add new entries when using ldapmodify this would be the same as above:
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif
"-Q" -- Enable SASL Quiet mode. Never prompt.
"-Y" -- Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows.
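The ldaprootpasswd.ldif that the question applies is not shown. As an added example (not posted in the thread), this Python script builds such a file for the olcDatabase={2}hdb,cn=config entry the ldapsearch above returned, hashing the root password in the {SSHA} form slappasswd produces so the LDIF never carries it in cleartext. The full root DN (the page shows it truncated) and the script name are assumptions.

```python
import base64
import hashlib
import hmac
import os
import sys

# Config-database entry and root DN as reported by the ldapsearch in the question
# (the root DN is shown truncated there; the full value below is an assumption).
DB_DN = "olcDatabase={2}hdb,cn=config"
ROOT_DN = "cn=Manager,dc=my-domain,dc=com"


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """{SSHA} in the form slappasswd emits: base64(sha1(password || salt) || salt)."""
    if not salt:
        salt = os.urandom(8)  # fresh random salt per hash
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against an {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) < 20:
        return False
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def root_password_ldif(password: str, root_dn: str = ROOT_DN, db_dn: str = DB_DN) -> str:
    """LDIF for 'ldapmodify -Q -Y EXTERNAL -H ldapi:///' setting olcRootDN and a hashed olcRootPW."""
    lines = [
        f"dn: {db_dn}",
        "changetype: modify",
        "replace: olcRootDN",
        f"olcRootDN: {root_dn}",
        "-",  # a lone dash separates attribute changes within one modify record
        "replace: olcRootPW",
        f"olcRootPW: {ssha_hash(password)}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python3 mkrootpw.py 'password' > ldaprootpasswd.ldif
    sys.stdout.write(root_password_ldif(sys.argv[1]))
```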
I need to migrate from a windows based proxy to a linux one.
In the old server Squid uses mswin_auth.exe to authenticate user against an Active Directory domain. For this reason my users now enter ntdomain\username in the browser popup for proxy authentication.
In the linux Centos server Squid will use basic_ldap_auth, in this case the ntdomain must not be entered by the user. It will be very annoying for my users to change the old habit. Is there a way to automatically remove the ntdomain from the entered username?
In squid.conf I have
auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "dc=ntdomain,dc=parentd,dc=it" -D "CN=squid,OU=Squid,OU=Sede,DC=ntdomain,DC=parentd,DC=it" -W /etc/squid/squid.adpwd -f sAMAccountName=%s -h vfdc1.ntdomain.parentd.it
...
external_acl_type ldap_group %LOGIN /usr/lib64/squid/ext_ldap_group_acl -R -b "dc=ntdomain,dc=parentd,dc=it" -D "CN=squid,OU=Squid,OU=Sede,DC=ntdomain,DC=parentd,DC=it" -W /etc/squid/squid.adpwd -f "(&(objectclass=person) (sAMAccountname=%u)(memberof:1.2.840.113556.1.4.1941:=cn=%g,OU=Squid,OU=Sede,DC=ntdomain,DC=parentd,DC=it))" -h vfdc1.ntdomain.parentd.it -S
thanks in advance
Use the -K option in your request (it strips the Kerberos realm from usernames):
external_acl_type ldap_group %LOGIN /usr/lib64/squid/ext_ldap_group_acl -R -K -b "dc=ntdomain,dc=parentd,dc=it" -D "CN=squid,OU=Squid,OU=Sede,DC=ntdomain,DC=parentd,DC=it" -W /etc/squid/squid.adpwd -f "(&(objectclass=person) (sAMAccountname=%u)(memberof:1.2.840.113556.1.4.1941:=cn=%g,OU=Squid,OU=Sede,DC=ntdomain,DC=parentd,DC=it))" -h vfdc1.ntdomain.parentd.it
and all will be fine.
This is my solution: I created a small bash script based on sed to strip the domain and used it in squid.conf as in
auth_param basic program /usr/local/bin/squid_auth
where the file /usr/local/bin/squid_auth is
#!/bin/bash
# Strip the "ve\" prefix (or its URL-encoded form "ve%5c") from the username field
# Squid sends, case-insensitively, then hand the line to the LDAP helper unchanged.
/usr/bin/sed -u "s/^ve[\\]//i"|/usr/bin/sed -u "s/^ve%5c//i"|/usr/lib64/squid/basic_ldap_auth -R -b "dc=ve,dc=dipvvf,dc=it" -D "CN=squid,OU=Squid,OU=Sede,DC=ve,DC=dipvvf,DC=it" -W /etc/squid/squid.adpwd -f sAMAccountName=%s -h vfdc1.ve.dipvvf.it
The domain name is ve
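As an added example (not one of the posted answers), the same rewrite in Python, written as a wrapper that speaks the Squid basic-auth helper protocol: it strips the "ve\" prefix whether Squid hands the backslash raw or URL-encoded as %5c, leaves any other domain untouched so it fails at the directory instead of being silently re-mapped, and forwards the line to basic_ldap_auth with the password unmodified. The backend argument list is the one from the posted squid.conf; the domain value and the wrapper itself are assumptions.

```python
#!/usr/bin/env python3
import subprocess
import sys

LOCAL_DOMAIN = "ve"  # NetBIOS domain users type in the browser popup (assumed, as on the page)

# The real helper, taken from the posted squid.conf; this script runs in front of it.
BACKEND = [
    "/usr/lib64/squid/basic_ldap_auth", "-R",
    "-b", "dc=ve,dc=dipvvf,dc=it",
    "-D", "CN=squid,OU=Squid,OU=Sede,DC=ve,DC=dipvvf,DC=it",
    "-W", "/etc/squid/squid.adpwd",
    "-f", "sAMAccountName=%s",
    "-h", "vfdc1.ve.dipvvf.it",
]


def strip_domain(user: str, domain: str = LOCAL_DOMAIN) -> str:
    """Drop a leading 'DOMAIN\\' from the username; the separator may arrive URL-encoded as %5c."""
    for sep in ("\\", "%5c"):
        prefix = domain + sep
        if user[:len(prefix)].lower() == prefix.lower():  # case-insensitive, like sed's /i flag
            return user[len(prefix):]
    return user  # bare name or a foreign domain: pass through unchanged


def rewrite_line(line: str) -> str:
    """Rewrite one 'username password' helper request; only the username field is touched."""
    body = line.rstrip("\r\n")
    user, sep, password = body.partition(" ")
    if not sep:
        return line  # malformed request: let basic_ldap_auth answer ERR itself
    return f"{strip_domain(user)} {password}\n"


def main() -> int:
    # The backend keeps its stdout connected to Squid; this wrapper only sits on its stdin.
    proc = subprocess.Popen(BACKEND, stdin=subprocess.PIPE, text=True, bufsize=1)
    for line in sys.stdin:
        proc.stdin.write(rewrite_line(line))
        proc.stdin.flush()  # Squid expects one answer per request, so never buffer requests
    proc.stdin.close()
    return proc.wait()


if __name__ == "__main__":
    sys.exit(main())
```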
I want to search a user using ldapsearch, but the hosting provider gave me a certificate from the CA. I added that certificate in my ldapconf.
Before executing the ldapsearch command I am running openssl as follows
openssl s_client -connect hostname -CAfile /certificate.pem
After connecting via openssl, I execute the following command in another terminal
ldapsearch -h hostname -p portno -D uid=mailid#domain.con, dc=global,dc=example,dc=net
Now I want to know, is there any way to use the certificate while executing the ldapsearch command?
This should be doable by performing:
env LDAPTLS_CACERT=/certificate.pem ldapsearch -h hostname -p portno -D uid=mailid#domain.con, dc=global,dc=example,dc=net
although, I'd use:
env LDAPTLS_CACERT=/certificate.pem ldapsearch -H ldaps://hostname:portno/ -D uid=mailid#domain.con, dc=global,dc=example,dc=net
to ensure that it tries with ldaps, rather than heuristics.
If you're getting errors still, you can add -ZZ which will give better error messages.
An obvious gotcha is using an expired cert, the second most obvious gotcha is not using the same name in the request as you've got in the certificate. You can read the server cert using openssl s_client -connect hostname:portno - there will be a line reading something like:
subject=/C=IE/CN=hostname.domain.local
You have to ensure that the ldapsearch request's hostname matches the hostname as listed in the CN=... item. If it doesn't match then you'll not be able to connect (this is simple cert validation; if there are alternative names then you can try: openssl x509 -text -noout -in /certificate.pem | grep DNS)
A final caveat is that Mac OSX does not respect the LDAPTLS_CACERT environment variable. You have to import the cert into the keychain (I don't know of a workaround for OSX in this case).
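As an added example (not part of the answer above), the same hostname check done from Python's ssl module: connect to the LDAPS port trusting only the file LDAPTLS_CACERT would point at, then compare the requested name with the certificate's DNS subjectAltName entries, falling back to the subject CN only when the certificate carries no SAN. Host, port and CA path are assumptions; the constructed certificate dicts mirror the subject line quoted above.

```python
import socket
import ssl


def dns_names(cert: dict) -> list:
    """Names a client may match: DNS SANs when present, otherwise the subject CN (RFC 6125 6.4.4)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive exact match, or a single '*' covering exactly one leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        plabels, hlabels = pattern.split(".")[1:], hostname.split(".")
        return len(hlabels) == len(plabels) + 1 and hlabels[1:] == plabels
    return False


def cert_matches(cert: dict, hostname: str) -> bool:
    """True if the name typed into ldapsearch is one the certificate was issued for."""
    return any(name_matches(p, hostname) for p in dns_names(cert))


def fetch_ldaps_cert(hostname: str, port: int, cafile: str) -> dict:
    """What LDAPTLS_CACERT plus ldaps:// amounts to: chain checked against cafile, name against the cert."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()  # raises ssl.SSLCertVerificationError on a name or chain mismatch


# Constructed peer-certificate dicts in getpeercert() layout; the first mirrors the subject line above.
SAMPLE_CERT_CN_ONLY = {
    "subject": ((("countryName", "IE"),), (("commonName", "hostname.domain.local"),)),
}
SAMPLE_CERT_WITH_SAN = {
    "subject": ((("commonName", "hostname.domain.local"),),),
    "subjectAltName": (("DNS", "ldap.domain.local"), ("DNS", "*.dc.domain.local")),
}
```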
This is my code:
ssh-keygen -t rsa -C "$APP"
This works perfectly. However it then asks me to specify location and password. I was hoping I can automate this all in one go, however this command fails:
ssh-keygen -t rsa -C "$APP" -P "$SSHKEYPASS" -T ~/.ssh/id_rsa.pub
This command seems to fail though, when I specify the password I want for the key and location in the same line. I don't really understand the man page:
http://linux.die.net/man/1/ssh-keygen
Can anyone tell me where I have gone wrong?
-P is for the old passphrase, to create a key I assume you want -N for the new passphrase.
-T is for DH group test output it appears (not that I know what that is exactly).
You want -f to specify the key filename. And you specify the private key file not the public key file.
So try:
ssh-keygen -t rsa -C "$APP" -N "$SSHKEYPASS" -f ~/.ssh/id_rsa
How can I grab the root SSL certificate, together with any intermediates, to a file from a given url? Ideally through some linux shell compatible commandline, but manually will do if I have to. Update: Interactively, using Chrome, if I examine a certificate I can optionally export it. And there's a way to grab the entire chain, if applicable. So now I'm only looking for a scriptable method.
Background:
mono nuget.exe install ./packages.config -o ./packages
will install project packages on ubuntu, as long as the required certificates are installed in the machine's Trust store. In part, it's done like this:
$ certmgr -ssl https://nugetgallery.blob.core.windows.net
This command, with the -ssl option, grabs the certificate and any intermediates from the specified url, and requires user confirmation. I'm trying to automate server builds, so I'd like to get the certificates added without requiring user confirmation.
I've tried piping the response into the command - i.e.:
$ echo "Yes" | certmgr -ssl https://nugetgallery.blob.core.windows.net
That doesn't work. I've tried to export the certificates to a file, so I can add them to my build project, but mono certmgr hasn't implemented 'put' yet.
Assuming openssl is installed, this commandline:
echo | openssl s_client \
-showcerts \
-connect nugetgallery.blob.core.windows.net:443 2>&1 |
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem
produces a file that contains all three certificates involved in this chain.
Thanks to this answer to the question "Using openssl to get the certificate from a server" for the solution to get the chain. The following commands will get the saved certificates loaded into the Trust store.
openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b
certmgr -add -c -m Trust ./cert.p7b
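As an added example (not from the answer), a Python version of that sed step which also catches what sed cannot: because stderr is folded in with 2>&1 and a dropped connection can cut a block short, it decodes every PEM block and checks that the outer DER SEQUENCE length agrees with what was actually decoded before the block is kept. The sample transcript is constructed, with tiny DER values standing in for real certificates.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\n(.*?)\n-----END CERTIFICATE-----", re.S)

def der_declared_length(der: bytes) -> int:
    """Total size an outer DER SEQUENCE claims (tag, length octets, content), or -1 if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return -1
    first = der[1]
    if first < 0x80:  # short form: the octet is the content length
        return 2 + first
    n = first & 0x7F  # long form: n following octets carry the content length
    if n == 0 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_block(b64_body: str) -> Optional[str]:
    """None if the block decodes to a complete DER SEQUENCE, otherwise a short reason."""
    try:
        der = base64.b64decode("".join(b64_body.split()), validate=True)
    except binascii.Error as exc:
        return f"bad base64: {exc}"
    declared = der_declared_length(der)
    if declared < 0:
        return "not a DER SEQUENCE"
    if declared != len(der):
        return f"truncated: DER declares {declared} bytes, got {len(der)}"
    return None

def extract_chain(s_client_output: str) -> List[Tuple[str, Optional[str]]]:
    """Every PEM block in 'openssl s_client -showcerts' output, paired with its verdict (None = ok)."""
    return [(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n", check_block(body))
            for body in PEM_BLOCK.findall(s_client_output)]

def _pem_body(der: bytes) -> str:
    return base64.b64encode(der).decode("ascii")

# Constructed transcript: verify chatter (stderr merged by 2>&1), two complete blocks, one cut short.
SAMPLE_OUTPUT = "\n".join([
    "CONNECTED(00000003)", "depth=1 CN = Example Intermediate CA", "verify return:1",
    "-----BEGIN CERTIFICATE-----", _pem_body(b"\x30\x03\x02\x01\x05"), "-----END CERTIFICATE-----",
    "-----BEGIN CERTIFICATE-----", _pem_body(b"\x30\x05\x02\x01\x07\x05\x00"), "-----END CERTIFICATE-----",
    "-----BEGIN CERTIFICATE-----", _pem_body(b"\x30\x10\x02"), "-----END CERTIFICATE-----",
    "---", "Server certificate",
])
```

Only blocks whose verdict is None belong in cert.pem; anything else means the s_client run should be repeated rather than loaded into the Trust store.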