Specify CA chain in AppEngine - google-app-engine

I am using an SSL certificate for my custom domain. This certificate needs five intermediate authorities to get to the root CA, and without them some browsers (read: Chrome) will work, but others (Firefox, Android browsers) will fail.
Is there any way to specify more than two CAs in the PEM file? AppEngine complains when I try to put the whole certification chain (as documented, it accepts only two CAs in the PEM file). Is it my only option to drop my current certificate and go with Verisign?

Just to answer my own question, there is no way to do this at the present time. Switch to a CA that uses a single intermediate authority (DigiCert combines this with a superb technical support) and move on.
UPDATE: Starting today, GAE is supporting a chain of up to five CA authorities.

Related

Server's chain certificate verification failed in Azure client

I am trying to run my IoT client on ThreadX OS, which doesn't have a file system or certificate trusted store like Linux does. When I look in Wireshark, the client closes the connection with a Fatal, Bad certificate error. I tried all the options suggested in different forums to solve this issue, none of which solved my problem. The solutions I tried are mentioned below.
Using the API below, I added only the Baltimore root certificate mentioned above, which is available in cert.c.
IoTHubDeviceClient_LL_SetOption(device_ll_handle, OPTION_TRUSTED_CERT, certificates);
It's not working for me because we don't have a trusted store like Linux does.
#ifdef SET_TRUSTED_CERT_IN_SAMPLES
// Setting the trusted certificate. This is only necessary on systems without
// built-in certificate stores.
IoTHubDeviceClient_LL_SetOption(device_ll_handle, OPTION_TRUSTED_CERT, certificates);
#endif // SET_TRUSTED_CERT_IN_SAMPLES
I need answers to two important questions.
1) Do I need to add the entire certificate string in cert.c, or only the first Baltimore root as the CA root for my client?
2) Without a trusted store, how can the client tell the Azure cloud that I have the trusted root?
Any help would be appreciated.

Generating GCP compatible Cloudflare SSL certificate

I'm trying to configure SSL for Google Cloud's App Engine.
You can upload your own custom SSL certificate + private key in GCP (see screenshot).
I'm using Cloudflare for DNS, and would like to use the "Full (strict)" SSL policy in Cloudflare. This would mean I have to add a certificate and key, created by Cloudflare, in GCP (in same screenshot).
I've managed to convert the private key to a valid (PEM) format that GCP will accept. The only thing not working is the Certificate part.
When entering both certificate and key in GCP, upon clicking upload, the following error is returned:
The certificate data is invalid. Please ensure that the private key and public certificate match.
After some googling, I found the following resources in GCP's documentation, explaining that I need to have the full certificate chain uploaded in the certificate field. So the next thing I tried was to concatenate my certificate from Cloudflare together with the root certificate of Cloudflare itself, as explained in the GCP docs.
So I ran the following command to create this chain:
cat domain.crt cloudflare-root-ca.crt > concat.crt
... and uploaded that one in GCP in the certificate field.
That didn't work either, even though the checksums of both the private key and the certificate chain match, as explained in the GCP docs, by running:
openssl x509 -noout -modulus -in concat.crt | openssl md5
openssl rsa -noout -modulus -in myserver.key.pem | openssl md5
...and comparing the md5 outputs.
So now I'm completely out of ideas. GCP's error messages are limited to the one above, and one other saying your PK is not in a valid format.
Same problems when trying via CLI (gcloud)
When trying this process through the gcloud CLI, we get the same errors.
Trying the following command:
gcloud app ssl-certificates create --display-name example.com --certificate ./cloudflare-concat.crt --private-key cloudflare-pk.key
...yields the following error:
ERROR: (gcloud.app.ssl-certificates.create)
INVALID_ARGUMENT: Invalid certificate.
`CertificateRawData` must contain a PEM encoded x.509 public key certificate, with header and footer included,
and an unencrypted PEM encoded RSA private key, with header and footer included and with size at most 2048 bits.
The requested private key and public certificate must match.
Any help on uploading a valid certificate (from Cloudflare) and private key in GCP is much appreciated.
Update 1
I found this (cached) page describing all the root and intermediate certs of Cloudflare. I've tried a couple of them to concatenate against my domain cert, but no luck so far. It's also not clear which one to use...
Update 2
I'm beginning to think that this won't work, ever. Because I'm using an 'Origin Certificate' from Cloudflare, I believe this is a self-signed cert from Cloudflare itself, meaning that App Engine won't ever recognize this as valid.
The reason I think this is the case is that I tried to use the cfssl tool from Cloudflare to 'create a bundle cert' automatically. The response I get from running
cfssl bundle -cert domain.crt
returns the following result:
[INFO] bundling certificate for {Country:[] Organization:[CloudFlare, Inc.] OrganizationalUnit:[CloudFlare Origin CA] Locality:[] Province:[] StreetAddress:[] PostalCode:[] SerialNumber: CommonName:CloudFlare Origin Certificate Names:[{Type:2.5.4.10 Value:CloudFlare, Inc.} {Type:2.5.4.11 Value:CloudFlare Origin CA} {Type:2.5.4.3 Value:CloudFlare Origin Certificate}] ExtraNames:[]}
{"code":1220,"message":"x509: certificate signed by unknown authority"}
Extra info
I'm using a free Cloudflare subscription.
Everything works fine when using the 'flexible' setting from Cloudflare, but I would like to use the 'full (strict)' setting.
I discovered a recent blog post describing how to solve this.
After following the steps described, the certificate was accepted in Google Cloud, and everything worked for the 'full (strict) ssl' option in cloudflare!
In short: it involved a bit of tweaking of the keys, by manually adding 'RSA' to them, as described in the blog post.
See this link:
https://blog.woohoosvcs.com/2019/11/running-google-app-engine-behind-cloudflare/
EDIT:
This is probably the same end-result as using the shell commands as described by #Andrei
Can you please verify whether you are using a free or a paid Cloudflare account?
Because if you are using the free one, then I think SSL strict is not going to work; make it flexible and redirect all HTTP requests to HTTPS.
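Both the App Engine thread at the top of the page (a PEM file with more CA certificates than the platform accepted) and the Cloudflare thread just above (a leaf concatenated with a root that may not be its issuer) come down to two mechanical checks on a bundle before uploading it: the file is ordered leaf first with each certificate issued by the next one, and the number of CA certificates after the leaf is within the platform's limit. The script below is an added example, not code from either thread or from Google or Cloudflare. It uses only the Python standard library and compares issuer and subject names by their DER encoding, the way chain builders do. The certificates it runs on are constructed, unsigned placeholders that mimic only the TBS field layout so the checker can be exercised offline; for real use, pass the bytes of an actual PEM file to check_bundle. The limit max_cas is a parameter you supply (two or five in the first thread), not something the script reads from any platform.

```python
"""Sanity-check a PEM certificate bundle before uploading it to a platform that
caps the number of CA certificates it accepts.  Added example (not code from any
of the posts above); it needs only the standard library."""
import base64
import re

PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(pem: bytes) -> list:
    """Split a PEM bundle into DER blobs, keeping file order."""
    return [base64.b64decode(b"".join(body.split())) for body in PEM_CERT.findall(pem)]


def tlv(buf: bytes, off: int = 0):
    """Decode one DER tag-length-value at buf[off]; return (tag, content, end)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                       # long form: low bits give the length's byte count
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln


def children(content: bytes):
    """Yield (tag, raw_encoding) for each TLV directly inside a constructed value."""
    off = 0
    while off < len(content):
        tag, _, end = tlv(content, off)
        yield tag, content[off:end]
        off = end


def issuer_and_subject(der: bytes):
    """Return the raw DER encodings of a certificate's issuer and subject names."""
    _, cert_body, _ = tlv(der)
    _, tbs, _ = tlv(cert_body)           # tbsCertificate is the first field
    fields = [raw for _, raw in children(tbs)]
    if fields[0][0] == 0xA0:             # optional explicit [0] version comes first
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2], fields[4]


def check_bundle(pem: bytes, max_cas: int) -> dict:
    """Verify leaf-first ordering (each issuer equals the next subject) and the CA count."""
    certs = pem_to_ders(pem)
    if not certs:
        return {"certs": 0, "cas": 0, "ends_at_root": False,
                "problems": ["no certificate found in bundle"]}
    names = [issuer_and_subject(c) for c in certs]
    problems = []
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:   # byte-equal DER names
            problems.append(f"certificate {i} is not issued by certificate {i + 1}")
    cas = len(certs) - 1                 # everything after the leaf is a CA certificate
    if cas > max_cas:
        problems.append(f"{cas} CA certificates exceed the platform limit of {max_cas}")
    return {"certs": len(certs), "cas": cas,
            "ends_at_root": names[-1][0] == names[-1][1], "problems": problems}


# --- constructed test data: placeholder certificates with a real TBS layout but no signature ---
def der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content


def name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single commonName."""
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))


def fake_cert_pem(subject: str, issuer: str) -> bytes:
    """Unsigned stand-in for a certificate (constructed; no TLS stack would accept it)."""
    sha256_rsa = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa
              + name(issuer) + validity + name(subject) + der(0x30, b""))
    cert = der(0x30, tbs + sha256_rsa + der(0x03, b"\x00"))
    body = base64.encodebytes(cert).replace(b"\n", b"")
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


LEAF, INT1, INT2, ROOT = "www.example.test", "Example Sub CA 1", "Example Sub CA 2", "Example Root CA"
GOOD = (fake_cert_pem(LEAF, INT1) + fake_cert_pem(INT1, INT2)
        + fake_cert_pem(INT2, ROOT) + fake_cert_pem(ROOT, ROOT))
# Same certificates with the root pasted before the leaf, which the order check flags.
MISORDERED = (fake_cert_pem(ROOT, ROOT) + fake_cert_pem(LEAF, INT1)
              + fake_cert_pem(INT1, INT2) + fake_cert_pem(INT2, ROOT))

if __name__ == "__main__":
    for label, bundle in (("good", GOOD), ("misordered", MISORDERED)):
        print(label, check_bundle(bundle, max_cas=2))
```

A bundle whose last certificate is not self-signed is only reported (ends_at_root) rather than flagged, because platforms commonly ask for the leaf plus intermediates and leave the root out. If the certificate appended after a leaf is not that leaf's actual issuer, the check reports "certificate 0 is not issued by certificate 1" before any upload is attempted.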

Inline certificate for libcurl instead of using an external bundle?

I am using libcurl for a small C application. The project uses HTTPS and requires validation of both server and client certificates. I cannot use an option to suppress the verification, since I work in an insecure environment.
I am currently trying to get the server-side certificate validated. First attempts gave me an expected error:
Peer certificate cannot be authenticated with given CA certificates
As said, an expected error; I understand what the message means. I dug into the documentation of libcurl and found that it supports "certificate bundles", and that younger versions do not come with a bundle at all. All options I found (and also all explanations) refer to certificate files read at runtime and obviously suggest including the required CA certificate in the local bundle.
Instead I would prefer to include a single certificate inline in the application, so compiled in. This does make sense for this special case, since the application only tries to access a single, hard-coded URL, i.e. a single server. I accept that I'd have to replace all deployed copies of the application if the server certificate gets changed. However, I do not find any options for that in the documentation. I would prefer this strategy, since it allows a much more compact deployment of the application: a single file instead of a directory structure and runtime configuration.
So my question is: does libcurl offer a way to include a CA certificate at compile time which can be used at runtime without having to rely on an external bundle?
In libcurl the part that verifies certificates is handled by OpenSSL. You could use SSL_CTX_use_certificate to install your certificate at runtime or use SSL_CTX_set_verify to overwrite the SSL verification function with your own.
Check curlx.c for an example.

did I mess up with multiple certificates?

I'm quite confused :S
scenario:
I'm trying to add a certificate to my domain servername.com.
I created an Active Directory server (DC) with ad.servername.com and cms.servername.com for the Alfresco page.
As far as I know, because it's the Alfresco bundle, it already has a Tomcat with Java and an Alfresco certificate configured (expires 2112).
Then I generated my own .cer with Microsoft Certificate Services for "servername.com" and imported it into my Java keystore (alfresco/java/jre/lib/security/cacert); it expires in 2014.
Later I decided to try a free trial third-party CA, startssl.com, and generated one for "servername.com", but they asked me to put in an alternative name, so I put cms.servername.com, and I also imported it into my alfresco/java keystore (expires 2013).
Now, whenever I open https://servername:8443/myApp or https://cms.servername:8443, the browser shows it is using the Alfresco certificate. Did I mess up with the certificates, or is Java or something just selecting the certificate with the older expiry date to use?
Hi, did you put the right certificates and keys etc. in the right directory?
Like alf_data/keystore and in the tomcat config the 8443 points to the alfresco keys.

How to check certificate and key pair created by CSP or PKCS?

I have a problem with a key pair and certificate generated in a token using CSP or PKCS, and I must distinguish between these, so I want to know:
"How to check a certificate and key pair created by CSP or PKCS?"
You should check their respective API as the first step.
For PKCS, you should read the PKCS#11 standard as mentioned at: http://www.rsa.com/rsalabs/node.asp?id=2133
This API interface contains the methods to check the certificate.
Take note that in general, CSP is used only by Microsoft products, while PKCS is used by the other software vendors.
