I'm currently inside the 30-day free trial for Google Apps for business (billing set up, so will start non-free trial soon). I'm attempting to set up SSL for a custom domain for a Google App Engine app, but am a bit of a noob at this stuff and the files I've accumulated aren't accepted by the Apps submission form.
I went through the following process:
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
After filling in the cert. request information (with name www.mydomain.com), I had the two files CSR.csr and privateKey.key.
I used an SSL provider CheapSSLs.com to provide me with a certificate off this CSR.csr, and they've responded with a cert www_mydomain_com.crt.
However, on going through Google Apps Dashboard -> Security -> SSL for Custom Domains and uploading www_mydomain_com.crt and privateKey.key I'm given the error:
Both the private key and SSL certificate should be in unencrypted PEM format.
Any help? As far as I can tell, they are in that format: the private Key looks like:
-----BEGIN PRIVATE KEY-----
MIIEv...
...
...CftTU=
-----END PRIVATE KEY-----
and the .crt file looks like:
-----BEGIN CERTIFICATE-----
MIIFy...
...
...WJjk=
-----END CERTIFICATE-----
This was answered by a friendly member of the community and then immediately deleted (not sure why...) but not before I spotted his answer and used it, to great effect :)
openssl rsa -in privateKey.key -text > private.pem
openssl x509 -inform PEM -in www_mydomain_com.crt > public.pem
The above two commands produce private.pem and public.pem, which are accepted fine by Google Apps dashboard.
Thank you!
For me, it was because my private.key was in the wrong format.
If your key starts with ---BEGIN PRIVATE KEY--- then you need to convert it to an RSA key.
openssl rsa -in private.key -out private_rsa.key
Then you should see ---BEGIN RSA PRIVATE KEY--- at the beginning of the private_rsa.key which you use with GAE.
Generate a new 2048-bit RSA key:
openssl genrsa -out myServer.key 2048
Convert an existing key to RSA:
openssl rsa -in myServer.key -out myServer-rsa.key
Related
I'm setting up a https certificate for my react web page using create-react-app, and I've managed to make it work using an autosigned rsa certificate but not with an elliptic curve autosigned certificate (nor with a real certificate using ec signed by a ca).
I've made .key and .crt with openssl:
rsa (works):
openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out my_rsa.crt -keyout my_rsa.key
ecc (does not work):
openssl ecparam -genkey -name secp384r1 | openssl ec -out my_ecc.key && openssl req -x509 -new -key my_ecc.key -out my_ecc.crt
Also i've made a signed by ca certificate with elliptic curve as explained in:
https://www.namecheap.com/support/knowledgebase/article.aspx/9446/14/generating-csr-on-apache-opensslmodsslnginx-heroku/
But it's not working either.
I'm using a .env.development file with the enviroment variables:
HTTPS=true
SSL_CRT_FILE=../../.ssl/my_.xxx.crt
SSL_KEY_FILE=../../.ssl/my_xxx.key
but when trying execute npm start y get this error:
The certificate "/home/ba/.ssl/my_ecc.crt" is invalid.
error:0608B096:digital envelope routines:EVP_PKEY_encrypt_init:operation not supported for this keytype
Any help?
Thanks.
Getting ready to move our IdentityServer4 setup from dev to test and I need to get the AddSignerCredentials() piece migrated from AddDeveloperCredentials(). I can generate a private and public RSASecurityKey but I'm unclear as to what RsaSecurityKey to pass to AddSignerCredentials(). The discovery endpoint somehow knows about the public key, but we'd want to sign tokens with the private key. Neither seems to work
Is there an example of how to use this somewhere in the documentation that I missed?
Use openSSL to create the certificate using the following demo command in your command prompt:
->OpenSSL req -x509 -newkey rsa:4096 -sha256 -nodes -keyout
IdentityServer4.key -out IdentityServer4.crt -subj
"/CN=IdentityServer4.com" -days 3650
->OpenSSL pkcs12 -export -out IdentityServer4.pfx -inkey
IdentityServer4.key -in IdentityServer4.crt -certfile IdentityServer4.crt
Install that certificate to your current user profile.
Replace
AddDeveloperSigningCredential()
with
AddSigningCredential("ThumbprintOfCertificate", StoreLocation.CurrentUser,NameType.Thumbprint)
That's it.
I'm trying to setup SSL for a custom domain on appengine. The app is presently working fine with http on the custom domain.
My certificate provider asked me to use openssl to do the following:
openssl req -nodes -newkey rsa:2048 -keyout newkey.key -out newcsr.csr
This produced two new files, a .key and a .csr
I used the .csr in the process of creating the certificate and I have seen references to comodo so I am presuming they have provided the signing. My provider now gives me the option to download the certificate and an intermediate certificate. When I download the certificate, it is saved as a .crt file by Google Chrome.
The .key file begins with -----BEGIN PRIVATE KEY-----
The .crt file begins with -----BEGIN CERTIFICATE-----
AppEngine requires a cert file and a key file. I have tried two upload the .crt file and the .key file but no slots are used.
I have tried to convert the .crt to a PEM with:
openssl x509 -in certificate-xxxxx.crt -out mycert.pem -outform PEM
That gives me a .pem but that also fails to be accepted.
I'd appreciate any comments as not being a security expert I am flying blind here.
UPDATE -----
It seems that both my certificate and key file ARE in .pem format.
I thought that there was an issue with the key file since it began with -----BEGIN PRIVATE KEY----- rather than -----BEGIN RSA PRIVATE KEY----- but I was being led astray by older pages - see https://www.globalsign.com/blog/ssl-with-google-app-engine.html.
It seems the difference is just traditional format rather than PKCS8 format - see Convert pem to key, SSL virtual host apache redhat aws
Interestingly, now when loading my cert file and key file, I get an error of 'Both the private key and SSL certificate should be in unencrypted PEM format'. I am wondering whether the issue is to to with being encrypted or whether as the certificate provider was not Comodo that I need to incorporate an interim certificate as well somehow.
RESOLVED ----
The key file was in PEM format but not RSA. I used:
openssl rsa -in newkey.key -out newkey.pem
and the files are now accepted by Google.
The newkey.pem file starts with -----BEGIN RSA PRIVATE KEY----- so clearly you need this for it to be accepted by Google.
I followed a similar approach and succeeded.
The difference is my key file begins with:
-----BEGIN RSA PRIVATE KEY-----
I used this line to generate the key and csr:
openssl req -new -newkey rsa:2048 -nodes -out mydomain.com.csr -keyout mydomain.com.key -subj "/C=FR/ST=Essonne/L=Paris/O=MyCompany/CN=mydomain.com"
I suppose you tried to import it on ? :
https://admin.google.com/yourdomain.com/AdminHome?fral=1#SecuritySettings:flyout=ssl
I hope that will help you.
I'm currently inside the 30-day free trial for Google Apps for business (billing set up, so will start non-free trial soon). I'm attempting to set up SSL for a custom domain for a Google App Engine app, but am a bit of a noob at this stuff and the files I've accumulated aren't accepted by the Apps submission form.
I went through the following process:
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
After filling in the cert. request information (with name www.mydomain.com), I had the two files CSR.csr and privateKey.key.
I used an SSL provider CheapSSLs.com to provide me with a certificate off this CSR.csr, and they've responded with a cert www_mydomain_com.crt.
However, on going through Google Apps Dashboard -> Security -> SSL for Custom Domains and uploading www_mydomain_com.crt and privateKey.key I'm given the error:
Both the private key and SSL certificate should be in unencrypted PEM format.
Any help? As far as I can tell, they are in that format: the private Key looks like:
-----BEGIN PRIVATE KEY-----
MIIEv...
...
...CftTU=
-----END PRIVATE KEY-----
and the .crt file looks like:
-----BEGIN CERTIFICATE-----
MIIFy...
...
...WJjk=
-----END CERTIFICATE-----
This was answered by a friendly member of the community and then immediately deleted (not sure why...) but not before I spotted his answer and used it, to great effect :)
openssl rsa -in privateKey.key -text > private.pem
openssl x509 -inform PEM -in www_mydomain_com.crt > public.pem
The above two commands produce private.pem and public.pem, which are accepted fine by Google Apps dashboard.
Thank you!
For me, it was because my private.key was in the wrong format.
If your key starts with ---BEGIN PRIVATE KEY--- then you need to convert it to an RSA key.
openssl rsa -in private.key -out private_rsa.key
Then you should see ---BEGIN RSA PRIVATE KEY--- at the beginning of the private_rsa.key which you use with GAE.
Generate a new 2048-bit RSA key:
openssl genrsa -out myServer.key 2048
Convert an existing key to RSA:
openssl rsa -in myServer.key -out myServer-rsa.key
Google just announced SSL support for custom domain but I can't understand how it can be set-up as there is no way to generate Certificate Signing Request (CSR) on GAE ?!
http://support.google.com/a/bin/answer.py?hl=en&hlrm=en&answer=2644386
Am I missing something ?
To expand on the above:
The following three steps should be sufficient to generate a private key and a self-signed certificate suitable for testing SSL on GAE on a linux box:
openssl genrsa -out yourdomain.com.key 1024
openssl req -new -key yourdomain.com.key -out yourdomain.com.csr
openssl x509 -req -days 365 -in yourdomain.com.csr -signkey yourdomain.com.key -out yourdomain.com.crt
Disclaimer: It works but I do not know what I'm doing
Various programs exist to create a Certificate Signing Request (CSR.) I used 'openssl' on a linux machine to generate the Key and CSR.
1) I generated an Unencrypted PEM encoded RSA private key as specified by Google's SSL for a Custom Domain (https://cloud.google.com/appengine/docs/ssl)
cd $HOME
openssl genrsa -out rsa_private_key.key 2048
2) Use the 'rsa_private_key.key' to generate the required Certificate Signing Request (CSR) file.
openssl req -new -key rsa_private_key.key -out request.csr
You will be asked the following questions:
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Illinois
Locality Name (eg, city) []: Chicago
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Chicago Company, Ltd.
Organizational Unit Name (eg, section) []: IT
Common Name (eg, YOUR name) []: checkout.customedomain.com
Email Address []:
I ignored two additional questions and everything worked fine. The 'request.csr' located on your home directory ($HOME) is the CSR file needed by the Certificate Authority provider to generate your certificate(s). Again, it doesn't have to be openssl: Many tools for various platforms are supported by providers. Just keep in mind Google's requirements.
A side note regarding Custom Domains:
Make sure your CUSTOM DOMAIN includes a subdomain or 'Full Qualified Domain Name.' The 'www.' is considered a subdomain and it's ALWAYS required for ssl in Google Appengine (10/2014.) So in my example if I wanted SSL at customedomain.com I would add 'www.customedomain.com' You can re-direct your naked domain to your Full Qualified Domain Name.
Google Appengine DOES NOT provide SSL support for naked domains like: https://customedomain.com
This is reposted from my answer at:
How to get .pem file from .key and .crt files?
I was trying to go from godaddy to app engine. What did the trick was using this line in the terminal (mac) to generate the the key and csr:
openssl req -new -newkey rsa:2048 -nodes -keyout name.unencrypted.priv.key -out name.csr
Exactly as is, but replacing name with my domain name (not that it really even mattered)
Also, what follows that is a bunch of questions and I answered all the questions pertaining to common name / organization as www.name.com , and I skipped the pass code and company name by just pressing enter
Then I opened the .csr file, copied it, pasted it in go daddy's csr form, waited for godaddy to approve it, then downloaded it, unzipped it, navigated to the unzipped folder in the terminal and entered:
cat otherfilegodaddygivesyou.crt gd_bundle-g2-g1.crt > name.crt
Then I used these instructions from the post Trouble with Google Apps Custom Domain SSL, which were:
openssl rsa -in privateKey.key -text > private.pem
openssl x509 -inform PEM -in www_mydomain_com.crt > public.pem
exactly as is, except instead of privateKey.key I used name.unencrypted.priv.key, and instead of www_mydomain_com.crt, I used name.crt
Then I uploaded the public.pem to the admin console for the "PEM encoded X.509 certificate",
and uploaded the private.pem for the "Unencrypted PEM encoded RSA private key"..
.. And that finally worked.
You need to generate a certificate with a CA and upload it. They aren't offering certificate creation as a service.