Azure Key Vault - Certificate generation - x509certificate2

I am using the following script to generate a new root CA that will be used to generate sub-CAs and client certificates.
New-SelfSignedCertificate -CertStoreLocation "cert:\CurrentUser\My" -Subject "CN=$certificateCleanName" -KeySpec Signature -KeyUsage CertSign -TextExtension @("2.5.29.19 ={critical} {text}ca=1")
This works perfectly, but I would prefer to generate them directly in Key Vault (via PowerShell).
I know you can generate a self-signed certificate directly in Key Vault with this command:
$manualPolicy = New-AzureKeyVaultCertificatePolicy -SubjectName "CN=something.com" -ValidityInMonths 24 -IssuerName Self -RenewAtNumberOfDaysBeforeExpiry 100
$certificate = Add-AzureKeyVaultCertificate -VaultName $vaultName -Name $certificateName -CertificatePolicy $manualPolicy
However, with the command above, I am not able to set the exact same certificate properties as with the first command, which I use to generate the certificate locally.
Any idea how I can specify the following arguments to create the certificate with the exact same settings directly in Key Vault?
-KeyUsage CertSign -TextExtension @("2.5.29.19 ={critical} {text}ca=1")
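Whichever command ends up issuing the certificate, the property that matters is what actually landed in the issued certificate: a basicConstraints extension (OID 2.5.29.19) with cA set, and a keyUsage extension (OID 2.5.29.15) with the keyCertSign bit. The following Python is an added example, not code from the question or from Azure's tooling, that decodes those two extensions from their DER bytes so a locally issued certificate and a Key Vault one can be compared field by field. The sample extension bytes are constructed by hand; on a real certificate they would come from the extensions sequence of the parsed TBSCertificate, which any X.509 library exposes.

```python
"""Decode basicConstraints (2.5.29.19) and keyUsage (2.5.29.15) from DER.

Added example; the sample bytes are constructed, not from a real certificate.
"""

OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_KEY_USAGE = "2.5.29.15"

# KeyUsage bit names in order, bit 0 first (RFC 5280 section 4.2.1.3).
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]

# Constructed sample: Extension { 2.5.29.19, critical TRUE, OCTET STRING holding
# BasicConstraints { cA TRUE } }, i.e. what "{critical}{text}ca=1" asks for.
SAMPLE_BASIC_CONSTRAINTS_EXT = bytes.fromhex("300f0603551d130101ff040530030101ff")

# Constructed sample: Extension { 2.5.29.15, critical absent (defaults to FALSE),
# OCTET STRING holding a BIT STRING with only keyCertSign (bit 5) set },
# i.e. "-KeyUsage CertSign".
SAMPLE_KEY_USAGE_EXT = bytes.fromhex("300b0603551d0f040403020204")


def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    """Dotted form of an OBJECT IDENTIFIER body (base-128 arcs)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _decode_basic_constraints(body: bytes) -> dict:
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen INTEGER OPTIONAL }"""
    tag, inner, _ = _read_tlv(body)
    if tag != 0x30:
        raise ValueError("basicConstraints must be a SEQUENCE")
    result = {"ca": False, "path_len": None}
    pos = 0
    while pos < len(inner):
        tag, val, pos = _read_tlv(inner, pos)
        if tag == 0x01:
            result["ca"] = val != b"\x00"
        elif tag == 0x02:
            result["path_len"] = int.from_bytes(val, "big")
    return result


def _decode_key_usage(body: bytes) -> list:
    """KeyUsage ::= BIT STRING; first byte is the count of unused trailing bits."""
    tag, inner, _ = _read_tlv(body)
    if tag != 0x03:
        raise ValueError("keyUsage must be a BIT STRING")
    unused, payload = inner[0], inner[1:]
    nbits = len(payload) * 8 - unused
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i < nbits and (payload[i // 8] >> (7 - i % 8)) & 1]


def decode_extension(ext_der: bytes) -> dict:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    _, inner, _ = _read_tlv(ext_der)
    _, oid_body, pos = _read_tlv(inner)
    oid = _decode_oid(oid_body)
    critical = False
    tag, val, pos = _read_tlv(inner, pos)
    if tag == 0x01:                        # optional critical flag present
        critical = val != b"\x00"
        tag, val, pos = _read_tlv(inner, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    if oid == OID_BASIC_CONSTRAINTS:
        decoded = _decode_basic_constraints(val)
    elif oid == OID_KEY_USAGE:
        decoded = {"usage": _decode_key_usage(val)}
    else:
        decoded = {"raw": val.hex()}
    return {"oid": oid, "critical": critical, **decoded}


def is_ca_signing_certificate(extensions) -> bool:
    """True only if cA is set and keyUsage explicitly includes keyCertSign.

    RFC 5280 allows any usage when keyUsage is absent, but the question wants
    CertSign set explicitly, so an absent keyUsage fails this check on purpose."""
    decoded = {ext["oid"]: ext for ext in map(decode_extension, extensions)}
    bc = decoded.get(OID_BASIC_CONSTRAINTS)
    ku = decoded.get(OID_KEY_USAGE)
    return bool(bc and bc["ca"] and ku and "keyCertSign" in ku["usage"])


if __name__ == "__main__":
    for ext in (SAMPLE_BASIC_CONSTRAINTS_EXT, SAMPLE_KEY_USAGE_EXT):
        print(decode_extension(ext))
    print("CA signing cert:", is_ca_signing_certificate([SAMPLE_BASIC_CONSTRAINTS_EXT, SAMPLE_KEY_USAGE_EXT]))
```

Running the same decoder over the extensions of both certificates (the one from New-SelfSignedCertificate and the one from Key Vault) shows exactly which of the two properties differ, which is more reliable than comparing cmdlet parameters.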

verify a jwt token with lua/openresty

I have a JWT token from an AWS Cognito login process. This token needs to be sent from the application to some other APIs (via cookie or bearer header, I have not yet decided).
The receiving APIs have been proxied behind nginx/OpenResty, so I'm thinking of validating the JWT token before the upstream.
I'm using this library (it seems the most up to date):
https://github.com/cdbattags/lua-resty-jwt
Then I followed these steps.
Download the JWKS file from my account:
wget https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_5zCVSiMVH/.well-known/jwks.json
Convert the JWKS to PEM with jwks2pem:
cat jwks.json | jwks2pem > key.pem
Then this code:
local cjson = require "cjson"
local jwt = require "resty.jwt"
-- the PEM header must start at the beginning of the line (no leading space)
local key = [[-----BEGIN PUBLIC KEY-----
(content of key.pem)
-----END PUBLIC KEY-----
]]
local jwt_token = "" -- the token obtained from Cognito
local jwt_obj = jwt:load_jwt(jwt_token)
local verified = jwt:verify_jwt_obj(key, jwt_obj)
ngx.say(cjson.encode(jwt_obj))
The code fails:
$ resty jwt.lua
{"valid":false,"reason":"invalid algorithm: RS256","verified":false}
Where am I wrong?
OK, the problem is the key.
I've successfully obtained the PEM key from the JWKS with this other tool: https://www.npmjs.com/package/jwk-to-pem
The validation now works.
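What the second tool got right is the conversion of the JWKS entry (an RSA modulus and exponent in base64url) into the SubjectPublicKeyInfo PEM that the verifier expects. The following Python is an added example, not part of the question or of lua-resty-jwt, that performs that conversion by hand and also does the two checks a gateway should make before handing a key to the verifier: pick the JWKS entry by the token's kid, and reject any token whose alg is not on an allow-list configured on the server side rather than taken from the token. The JWKS and the tokens are constructed for the example (a four-byte modulus, so the DER is readable); a real Cognito key has a 256-byte or longer modulus.

```python
import base64
import json

# Constructed JWKS (not a real Cognito key set). "n" is the base64url of the four
# bytes c0 ff ee 01, chosen so the resulting DER is short enough to read by hand;
# "AQAB" is the usual public exponent 65537.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "key-1", "alg": "RS256", "use": "sig",
         "n": "wP_uAQ", "e": "AQAB"}
    ]
}

# DER-encoded OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption).
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


def _b64url_decode(data: str) -> bytes:
    """JWK fields are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _der_tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER tag/length/value triple (definite-form length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        size = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(size)]) + size
    return bytes([tag]) + length + body


def _der_integer(raw: bytes) -> bytes:
    """Unsigned big-endian bytes -> minimal two's-complement DER INTEGER."""
    raw = raw.lstrip(b"\x00") or b"\x00"
    if raw[0] & 0x80:                  # top bit set: prepend 0x00 to stay positive
        raw = b"\x00" + raw
    return _der_tlv(0x02, raw)


def jwk_to_spki_der(jwk: dict) -> bytes:
    """SubjectPublicKeyInfo (RFC 5280) wrapping RSAPublicKey (RFC 8017)."""
    if jwk.get("kty") != "RSA":
        raise ValueError("only RSA JWKs are handled here")
    rsa_public_key = _der_tlv(0x30, _der_integer(_b64url_decode(jwk["n"]))
                              + _der_integer(_b64url_decode(jwk["e"])))
    algorithm = _der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")     # NULL params
    subject_public_key = _der_tlv(0x03, b"\x00" + rsa_public_key)    # 0 unused bits
    return _der_tlv(0x30, algorithm + subject_public_key)


def jwk_to_pem(jwk: dict) -> str:
    """The 'PUBLIC KEY' PEM form passed to jwt:verify_jwt_obj in the question."""
    b64 = base64.b64encode(jwk_to_spki_der(jwk)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def select_verification_key(token: str, jwks: dict,
                            allowed_algs=("RS256",)) -> str:
    """Return the PEM for the JWKS entry named by the token's kid.

    allowed_algs is our configuration; the token's own alg claim is only compared
    against it, so alg=none or an HMAC alg is refused before any key is used."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    if header.get("alg") not in allowed_algs:
        raise ValueError(f"token alg {header.get('alg')!r} is not allowed")
    for jwk in jwks["keys"]:
        if jwk.get("kid") == header.get("kid"):
            return jwk_to_pem(jwk)
    raise KeyError(f"no JWK with kid {header.get('kid')!r}")


def make_token_with_header(header: dict) -> str:
    """Constructed, unsigned test token; only the header part is meaningful."""
    payload = _b64url_encode(b'{"sub":"example"}')
    return f"{_b64url_encode(json.dumps(header).encode())}.{payload}.c2ln"


if __name__ == "__main__":
    token = make_token_with_header({"alg": "RS256", "kid": "key-1"})
    print(select_verification_key(token, SAMPLE_JWKS))
```

The PEM returned by select_verification_key is what goes into the key variable of the Lua snippet above; refreshing it from the JWKS URL on a timer, keyed by kid, handles Cognito key rotation without redeploying the gateway.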

Azure error "Your certificate file was invalid, or the password was incorrect" loading certificate into portal

I generated a public_privatekey.pfx via the Xero instructions and was able to access a Xero demo file from a Visual Studio solution that used Xero.Api.Sdk.Core.
Now I want to put the certificate in an Azure Key Vault so that I can port my code to an Azure Function App.
However, when I try to use the Azure Portal to load the certificate via
Create a secret -> Certificates ->Create a certificate
I get an error
Your certificate file was invalid, or the password was incorrect
I can load the certificate using PowerShell.
Connect-AzureRmAccount -tenantid mytenantid
$pfxFilePath = 'C:\OpenSSL-Win64\bin\AzureXeroSync\public_privatekey.pfx'
$pwd = 'mypassword'
$flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$collection.Import($pfxFilePath, $pwd, $flag)
$pkcs12ContentType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
$clearBytes = $collection.Export($pkcs12ContentType)
$fileContentEncoded = [System.Convert]::ToBase64String($clearBytes)
$secret = ConvertTo-SecureString -String $fileContentEncoded -AsPlainText -Force
$secretContentType = 'application/x-pkcs12'
Set-AzureKeyVaultSecret -VaultName 'MyAzureFunctionsVault' -Name 'XeroPfxSecret' -SecretValue $Secret -ContentType $secretContentType
What am I missing when using the portal?
You mentioned this in your question:
Create a secret -> Certificates -> Create a certificate
I think the issue here is that you're starting with "Create a secret". Uploading/importing a certificate as a secret is a deprecated feature, as you can see in the screenshot.
Can you try doing the same thing, but starting from "Certificates" and then doing an import instead?

Erlang :ssh authentication error. How to connect to ssh using identity file

I'm getting an authentication error when trying to connect to an SSH host.
The goal is to connect to the host using local forwarding. The command below is an example using the Dropbear SSH client to connect to the host with local forwarding.
dbclient -N -i /opt/private-key-rsa.dropbear -L 2002:1.2.3.4:2006 -p 2002 -l test_user 11.22.33.44
I have this code so far, which returns an empty connection:
ip = "11.22.33.44"
user = "test_user"
port = 2002

ssh_config = [
  user_interaction: false,
  silently_accept_hosts: true,
  user: String.to_charlist(user),
  # directory searched for the identity files (id_rsa, id_dsa, id_ecdsa)
  user_dir: String.to_charlist("/opt/")
]

# returns an authentication error
{:ok, conn} = :ssh.connect(String.to_charlist(ip), port, ssh_config)
This is the error I'm seeing:
Server: 'SSH-2.0-OpenSSH_5.2'
Disconnects with code = 14 [RFC4253 11.1]: Unable to connect using the available authentication methods
State = {userauth,client}
Module = ssh_connection_handler, Line = 893.
Details:
User auth failed for: "test_user"
I'm a newbie to Elixir and have been reading the Erlang ssh documentation for 2 days. I did not find any examples in the documentation, which makes it difficult to understand.
You are using a non-default key name, private-key-rsa.dropbear. Erlang by default looks for this set of names, from the ssh module docs:
Optional: one or more User's private key(s) in case of publickey authorization. The default files are
id_dsa and id_dsa.pub
id_rsa and id_rsa.pub
id_ecdsa and id_ecdsa.pub
To verify this is the reason, try renaming private-key-rsa.dropbear to id_rsa. If this works, the next step would be to add a key_cb callback to the ssh_config which returns the correct key file name.
One example implementation of a similar feature is labzero/ssh_client_key_api.
The solution was to convert the Dropbear key to an SSH key. I used this link as a reference.
Here is the command to convert the Dropbear key to an SSH key:
/usr/lib/dropbear/dropbearconvert dropbear openssh /opt/private-key-rsa.dropbear /opt/id_rsa

How do I configure PositiveSSL on embedded Yaws?

I bought a PositiveSSL certificate from ComodoSSL.
These are the files I received from them:
Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - COMODORSAAddTrustCA.crt
Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - domain_com.crt
How do I put these files into the following embedded Yaws configuration?
{ssl,[{keyfile, "/home/user/Develop/yaws-2.0.2/etc/yaws/yaws-key.pem"},
{certfile, "/home/user/Develop/yaws-2.0.2/etc/yaws/yaws-cert.pem"},
{depth,0},{dhfile,"/home/yser/Develop/yaws-2.0.2/etc/yaws/dhparams.pem"}]},
I have solved this problem by combining the following files into one filename.crt:
Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - COMODORSAAddTrustCA.crt
Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - domain_com.crt
Then I added the key signature I used to request the SSL certificate to a file.key file.
So the result is something like this:
{port, 443}
{ssl,[{keyfile, "/home/file.key"},
{certfile, "/home/filename.crt"},
{depth,0}]}

Getting authentication failure on Jenkins

I have suddenly started to get the following error when using the Jenkins CLI:
>java -jar <path to jenkins-cli>/jenkins-cli.jar -s <jenkins url> build <job name>
Exception in thread "main" java.io.EOFException
at java.io.DataInputStream.readBoolean(DataInputStream.java:244)
at hudson.cli.Connection.readBoolean(Connection.java:95)
at hudson.cli.CLI.authenticate(CLI.java:634)
at hudson.cli.CLI._main(CLI.java:474)
at hudson.cli.CLI.main(CLI.java:384)
What am I doing wrong? I'm using Jenkins ver. 1.567.
That looks like this issue. Parts of that issue have been fixed in Jenkins 1.617, so upgrading might help, but there are still reports that the issue remains "when a key is used but authentication is disabled".
How do you authenticate to the server?
If you are using public/private key authentication, I strongly suggest you generate a new one using ssh-keygen.
For your reference:
bash-4.1$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/users/xxxx/.ssh/id_rsa):
JenkinsCLI
Enter passphrase (empty for no passphrase):(leave blank)
Enter same passphrase again:(leave blank)
Your identification has been saved in JenkinsCLI.
Your public key has been saved in JenkinsCLI.pub.
The key fingerprint is:
f6:4c:be:fc:cb:cd:d3:ee:8c:80:26:a2:57:df:67:14 xxxxx@xxxxxx
The key's randomart image is: