I am using OpenSSL to secure a socket connection in an IOS application.
Currently, I am using SSL_CTX_load_verify_locations to point OpenSSL at a cacert.pem file containing root certificates, but keeping this file fresh is hard.
How does one go about integrating OpenSSL with the IOS Operating System maintained certificate store?
With a .pem file I setup OpenSSL to validate the cert like this
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
SSL_CTX_load_verify_locations(ctx,"cacert.pem",NULL);
I don't think IOS has a convenient cacert.pem file so I think the correct approach is to perform my own validation and pass SSL_VERIFY_NONE to prevent OpenSSL attempting to verify the certificate, and implement some kind of check using the verify_callback?
Related
I'd like to create a certificate from Apple developer account and use it to sign Apple Wallet passes / passbook. So I can implement a server to generate the wallet passes to serve up my mobile app.
The challenge to me is I'm on linux (Ubuntu to be specific). There are a bunch of npm modules as far as I can see, that can be used to implement a server to generate the pass but the first step is to create a certificate from Apple. So my question is it seems to me that is not even possible without a Mac? Does anyone know if it is even possible to create that certificate from a linux machine like Ubuntu?
Thanks
You do not create the certificate yourself, you create a private key and certificate signing request and upload the certificate signing request to Apple. They then issue a certificate that matches your private key.
This can be done on any operating system using OpenSSL. When creating the CSR you can provide any values as Apple will ignore them and replace with the PassTypeIdentifier, Team Name and Team Id.
The OpenSSL commands you need are:
openssl genrsa -out /path/to/my-private-key.pem 2048
openssl req -new -key /path/to/my-private-key.pem -out /path/to/my-request.csr
I am working on a Rails application that is hosted on AWS-Beanstalk and uses RDS Aurora - PostgreSQL database.
My Application has 3 environments: Dev, Staging and Production
I saw this message on RDS console that says:
Update your Amazon RDS SSL/TLS certificates before March 5, 2020
To avoid interruption of your applications using RDS and Aurora databases, update the Certificate Authority (CA) certificates for these databases before March 5, 2020. We strongly recommend making your updates before February 5, 2020, to leave time for deployments, testing, and validation. New databases created after January 14, 2020, will default to using the new CA certificates. Make sure that you update your client applications with the new certificates first.
Later I saw that Dev and Staging's RDS instance are already upgraded to the latest SSL certificate and this message is appearing only for Production's RDS instance
So I tried to bring Dev and Staging's RDS instance to use older SSL certificate (Same as production's one) -> Downloaded the latest certificate file from https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html and then inside my config/database.yml appended these 2 lines:
production:
sslmode: 'verify-full'
sslrootcert: /path/to/cert/file
After making this change, I deployed the changes on Dev -> Result: build succeeded. Then, from RDS console, I tried upgrading SSL cert of Dev instance to latest one and it worked
There are couple of things I would like to gain more clarity
This change in YML file wasn't there before. It seems adding those lines making the environment less flexible. This can be avoid - But how?
Initially when Dev and Staging's RDS instances were upgraded to latest SSL certs my app was working but I have no idea/clue that my Dev and Staging applications are using the latest SSL certificates or not! Is there any way I can confirm that my apps are also upgraded to latest SSL/TSL certs?
RDS uses self signed certificates and hence you need to explicitly trust it in your client. Not sure which client setup you are running (I'm guessing RoR given the tags on the question), but basically you need to research on how you can add a private root CA cert into your trust store. If you had a Java client, then the way you'd do this is to download the rootCA cert file and explicitly add it to your java truststore (there are multiple ways to do this). You'd need to find the mechanism to do the same thing for your client stack, should be fairly straightforward to find that.
Use openssl and talk to your DB endpoint from your client instance and describe your certificate. The certificate detail should list the issue date and expiry of your DB's certificate, and also the issuer CA's details. You need to confirm that the CA is the new 2019 (or 2020, not sure) RDS root CA.
Something like:
openssl s_client -showcerts -servername endpoint.goes.here -connect endpoint.goes.here:3306 2>/dev/null | openssl x509 -inform pem -noout -text
I am trying to implement Elasticsearch 5.x with https(using Safeguard) and NEST client.
I am failing on, how to generate a X509certificate of Elasticsearch installed in server.
Found some code in below link how to create a NEST connection to Elasticsearch with X509 certificate.
How to use X509 certificate with the Nest Elastic Client
But I have no idea how to achieve this. I need to know how the below things:
How to generate a X509 certificate of Elasticsearch 5.x(Elasticsearch installed in a server and is accessible through some url like https://elas:9300)
What could be the value for "path_to_cert" in the above link's answer(I understood it is the path to X509 certificate file). It need to be a shared path or that certificate need to be included in application
I tried searching all the web and still no idea. Please help on this.
Thanks in advance.
Your question is not clear if it is about the Elasticsearch server to configure, or only the client. Is the server already running with SSL (is it reachable at https://elas:9300 ?). If no, then you need to create a java keystore containing a self-signed certificate (I suppose it's enough for your need). If already running in SSL and your question is only about the client, then store the certificate that you can get when browsing https://elas:9300 in this file that you suggested (path_to_cert)
I have bought my domain from whois and my site (Asp.Net MVC) in deployed in Azure. I want to add SSL which I want to buy from GoDaddy.com. To do that I have to generate CSR (certificate signing request) in Azure so that I can use it to get my SSL certificate from GoDaddy.
So how can I generate CSR in Azure?
We can't generate CSR in Azure. We could used IIS ,Certreq.exe or makecert.exe to generate your certificate request, install the certificate to your local machine, and then export the certificate to PFX. More details about how to bind custom-ssl, please refer to official tutorial. The following is details about how to use makecert.exe to create CSR:
Create a cert with makecert.exe that is under the VS folder after install the VS. The following code is just for demo
makecert -sky exchange -r -n "CN=[CertificateName]" -pe -a sha1 -len 2048 -ss My "[CertificateName].cer
After that we could export Base64-encoded .cer file
Update:
Requirements for your SSL certificate, the following is the snippet from the tutorial
To use a certificate in App Service, the certificate must meet all the following requirements:
Signed by a trusted certificate authority
Exported as a password-protected PFX file
Contains private key at least 2048 bits long
Contains all intermediate certificates in the certificate chain
If we want to use self signature certificate we need to Export a Certificate with the Private Key. And then we could follow official tutorial to upload the .PFX file to Azure WebApp.
Note: If we use self signature certificate , it will be not trusted.
Azure doesn't provide any mechanism to generate CSR. There are several ways to generate CSR:
Using certificate MMC
Using IIS Manager
using certreq.exe
using openssl
and many more
I would suggest you to use the Digicert's CSR generation tool. It can be used to generate a CSR and then you can use this to submit to GoDaddy. Here are the instructions on how to do this: CSR Creation in Azure App Service
Once you submit the CSR to the CA, they will provide you a .cer/.crt/.der file, which doesn't contain the private key.
You will first need to import this certificate to bind the private key with the cert. Once done, export the certificate with the private key so that you can generate a .PFX file, which the Azure App Services needs. You can again use Digicert's certificate utility to export the certifiate in pfx format. See this: How to Export Your SSL Certificate w/Private Key Using the DigiCert Certificate Utility
Or you can use the certificate console via MMC. See this:
Add the Certificates Snap-in to an MMC
Export a Certificate with the Private Key
I am going to use a linux server for push notifications.
Is the following correct?
Generate a CSR of the linux server
Upload the file to Apple to generate a cert
Change this cer to pem and then conbine with my private key pem of linux
Use the combined pem in my code
Is this correct? Since I get confused by the Apple document, I can now only test push notifications in my mac book, and can't test on other servers.
You don't have to generate the CSR on your linux server.
You can use the pem or p12 file you created (using your mac book) on any server.
If your code works when you test it on your mac book, it will work on any server. You just have to copy the pem or p12 file to that server.