How to get the Private Key of self-signed Certificate - windows-10-universal

I'm trying to sign my Appxbundle with a self signed Certificate via signTool from a secondary machine(VM), which gets me this error. It works from the machine where I created the self signed Certificate, only on other machine it gets me this error. And yes my Certificate is Valid.
I also tried everything as suggested in Signtool error: No certificates were found that...
SignTool Error: No certificates were found that met all the given criteria.
I created a self signed Certificate via Powershell
New-SelfSignedCertificate -Subject "CN=somthing" -DnsName "www.something.com" -Type CodeSigning -CertStoreLocation Cert:\Currentuser\My -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(3)
then I exported it to my Desktop
Export-Certificate -Cert (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0] -FilePath C:\Users\user\Desktop\folder\mycert.crt
After creating the Appxbundle I'm signing it via signTool
.\signtool.exe sign /a /v /fd SHA256 /f C:\Users\user\Desktop\folder\mycert.crt C:\Users\user\Desktop\folder\myapp.appxbundle
with /Debug it was clear that my Private Key was missing on the other Machines, which made sense...
But I can't find the private key somehow as above shown I didn't create one. I tried to export my Certificate as PFX with private key but that was not Possible as it wasn't even an option in the export options.
It's important that I can do that on different Machines/VM's. Any idea what I can do?

Related

ssl connection with tls server and letsencrypt

I try to do ssl connection for my server in c.
i have take this code : https://wiki.openssl.org/index.php/Simple_TLS_Server and I have generated certificate with certbot:
sudo certbot certonly --standalone
I have copy cert.pem and privkey.pem present in /etc/letsencrypt/live/MY_DOMAIN/ on my program directory.
but when I try to connect with curl, I get this error:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
and my server print :
1996193792:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1407:SSL alert number 48
thank you for your help !
That oversimple server does not handle a chain cert (or certs), also called intermediate, which every real CA this century requires, including LE. It is suitable only for test certs you generate yourself, or some limited environments like the intranet of a company that runs its own private CA.
Replace SSL_CTX_use_certificate_file on the cert.pem file with SSL_CTX_use_certificate_chain_file on the fullchain.pem file.
Also, SSLv23* methods have (finally!) been replaced by TLS* methods as of 1.1.0 in 2016, although the obsolete names remain as synonyms for now.

SQL Server service breaks after adding SSL certificates in Linux

I have set up a SQL Server database server on my Ubuntu 16 machine. To make it secure over a host network I am working on adding an SSL encryption certificate on it.
I tried following the steps as mentioned on this link ssl-encryption-mssql
But after restarting the service of SQL Server, it breaks giving the below exit code status
code=exited, status=1/FAILURE
I even tried to check the logs using journalctl -u mssql-server.service -b but it is not helpful at all. For the referrence, I am adding the screenshot of journalctl command below:
My /var/opt/mssql/mssql.conf looks something like this after following the steps from official doc.
[sqlagent]
enabled = false
[EULA]
accepteula = Y
[network]
tlscert = /etc/ssl/certs/cert.pem
tlskey = /etc/ssl/private/privkey.pem
tlsprotocols = 1.2
forceencryption = 1
EDIT-1: I further checked out the logs from /var/log/syslog, it stated the following log-
Error: 49940, Severity: 16, State: 1.Unable to open one or more of the user-specified certificate file(s). Verify that the certificate file(s) exist with read permissions for the user and group running SQL Server and found this question which seems similar, I tried the approach as told by Charles but it doesn't seem to work. Even I am using the Let's Encrypt Certificates.
EDIT-2: It is not a licensed version, could this be the reason?
How to resolve this error?
I just faced the same problem even though I followed the same steps as mentioned in the microsoft documentation. The actual problem seems to be with the permissions on the folder paths where the certificate files are located.
You can verify whether mssql user is able to connect or not using the openssl commands.
This command will do a basic verification on whether the certificates are valid or not.
sudo su - mssql -c "openssl verify -verbose -CAfile /etc/ssl/certs/mssql_ca.pem /etc/ssl/certs/cert.pem"
If you wanted to see if the combination of certificates are actually working or not (with key), you can start a openssl server service and then connect to it with another openssl client connection.
sudo su - mssql -c "openssl s_server -accept 8443 -cert /etc/ssl/certs/cert.pem -key /etc/ssl/private/privkeyrsa.pem -CAfile /etc/ssl/certs/mssql_ca.pem"
openssl s_client -connect localhost:8443
Another small correction from the documentation (I am using CA provided certificate), had to convert the key file format (might not require for you).
openssl rsa -in /etc/ssl/private/key.pem -out /etc/ssl/private/privkeyrsa.pem

How to setup SSL certificate on Google Cloud Platform without PEM encoded RSA private key

I have bought SSL certificate and would like to install it on my website hosted on google cloud platform. I have successfully installed the certificate on my Microsoft IIS 8 server and when I visit https://example.com connection is secured. However, I suppose, I need to finish installing process according to this guide.
This doc says I need to upload a new certificate on the page App Engine page. But it accepts only PEM encoded RSA private key. The seller of this certificate didn't provide this key in a proper file type and all my attempts to convert it via OpenSLL failed.
Is there another way to setup this certificate without difficult converting procedure?
To get the PEM and RSA key files required for the App Engine, do this:
Export the certificate from the IIS server in a PFX format (eg. server.pfx)
Transfer the file to a computer that has OpenSSL
Execute: openssl pkcs12 -in server.pfx -nokeys -out server.pem
Execute: openssl pkcs12 -in server.pfx -nocerts -out server.key
Execute: openssl rsa -in server.key -out server-no-password.key
Use the server.pem and server-no-password.key in your App Engine
As Dan Cornilescu mentioned openssl rsa -in <your_key_file> -text > <your_key_file>.pem is the way to convert request file.
If u got an error "Unable to load Private Key. Expecting any private key" the way to fix it is to replace ">" for "-out"

How do you configure SSL with google app engine with a custom domain using letsencrypt (2016)

Using letsencrypt and gethttpsforfree, i've created the following files:
account.key <- private key
domain.crt
domain.key
intermediate.pem
When I log into the (new for 2016) GAE console, it has the following fields required:
For the private key, I use the account.key. However for the 'public key certificate' i'm not sure what i need to use, and I cannot figure out which combination of files i need.
Not sure where from you got this files, but for Let's Encrypt you'll get following in live/www.yourdomain.com directory:
cert.pem
chain.pem
fullchain.pem
privkey.pem
For public key certificate you should use cert.pem
And for private key you have to convert it first by using following command:
openssl rsa \
-inform pem -in live/www.yourdomain.com/privkey.pem \
-outform pem > live/www.yourdomain.com/privkey_rsa.pem
The use resulting privkey_rsa.pem as a RSA private key
I followed the guide here at tx802's suggestion and it succeeded:
http://blog.seafuj.com/lets-encrypt-on-google-app-engine

Openssl : error "self signed certificate in certificate chain"

When I used openssl APIs to validate server certificate (self signed), I got following error :
error 19 at 1 depth lookup:self signed certificate in certificate
chain
As per openssl documentation, this error (19) is
"X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in
certificate chain - the certificate chain could be built up using the
untrusted certificates but the root could not be found locally."
Why this error occurs ? Any problems with my server certificate ?
You have a certificate which is self-signed, so it's non-trusted by default, that's why OpenSSL complains. This warning is actually a good thing, because this scenario might also rise due to a man-in-the-middle attack.
To solve this, you'll need to install it as a trusted server. If it's signed by a non-trusted CA, you'll have to install that CA's certificate as well.
Have a look at this link about installing self-signed certificates.
Here is one-liner to verify certificate to be signed by specific CA:
openssl verify -verbose -x509_strict -CAfile ca.pem certificate.pem
This doesn't require to install CA anywhere.
See How does an SSL certificate chain bundle work? for details and correct certificate chain handling.
If you're running Charles and trying to build a docker container then you'll most likely get this error.
Make sure to disable Charles (macos) proxy under proxy -> macOS proxy
Charles is an
HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.
So anything similar may cause the same issue.
The solution for the error is to add this line at the top of the code:
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
if you are testing your end points using Postman, just go to settings and disable "Enable SSL certificate verification"

Resources