I bought an SSL certificate and all I've got is a .crt file.
I need to configure a https server on Delphi correctly. I use a module named sgcWebSockets 3.2. As I can see in manual, I need to set the following parameters:
1) SSLOptions/ CertFile/ KeyFile/ RootCertFile: you
need a certificate in .PEM format in order to encrypt
websocket communications.
2) SSLOptions/ Password: this is optional and only
needed if certificate has a password.
3) SSLOptions/ Port: port used on SSL connections.
But I have only a .crt file. I think I can convert it to .pem format using openssl. But what is this file will be? Is this a CertFile or RootCertFile? I haven't a KeyFile anyway. Will it works only with one cert file? I also haven't got any password. Should I leave this field empty? Please help.
You can convert your crt file to a pem file with OpenSSL as follows:
openssl x509 -inform der -in certificate.crt -out certificate.pem.
But that isn't the only file you need. You also need your private key which was used to generate your csr that you sent to the certificate authority and that also has to be in pem format. I'm not sure how you generated your csr, so I'd need more information to help you extract that or convert it to pem format.
Related
I'm attempting to follow these instructions to set up my S3 API to send push notifications to my iOS app.
I'm making a mess of the certificate issues, so I was hoping someone could help sort me through them.
So far, I've created a CSR, uploaded it to Apple Dev portal, and downloaded a .cer file. I then converted the cer into a pem
openssl x509 -in apns-dev.cer -inform DER -out apns-dev.pem
Then I ran into the instruction to "Open Keychain Access, select Keys, and then highlight your app private key." Not knowing what my "app private key" was, I've tried a couple things:
Grabbing the preexisting private-key file in the app's cert folder (an RSA private key which was not, to my knowledge, used to generate the above CSR).
Exporting my default system private key as a p12 and then converting it, per AWS instructions, into a pem key.
Trying to generate a new CSR directly from my system private key in Keychain Access
However, whenever I follow the instructions to "test" the private/public key pair (openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert apns-dev.pem -key apns-private.pem), I get this:
error setting private key
41047:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/crypto/x509/x509_cmp.c:406:
I've looked at the following questions, but haven't been able to use their answers to figure this out:
Does the apple push notification distribution certificate signing request need to be the same as that used for the distribution cert to sign the app? - When I try to "expand" the cert in Keychain Access, all I see is info. There is no private key info, and I can't "Export 2 items"
Apple Push Notification error setting private key (the self-given answer here conflicts with the above, and at any rate, I no longer have the original CSR)
Unable to load client certificate private key file - My private key file isn't empty, and I did enter the passphrase correctly
Any idea what could be going on? I'm just shooting in the dark here.
Don't use Apple's instructions to generate the CSR.
Generate key:
openssl genrsa -out $app.key 2048
Generate CSR:
openssl req -new -key $app.key -out $app.csr
And enter the relevant data.
Upload CSR to Apple. Download certificate.
Convert certificate to PEM:
openssl x509 -inform DER -in $app.cer -out $app.pem
Now you have the key in $app.key, and a PEM-encoded certificate in $app.pem. You can then install both on the box that will be connecting to APNS (depending on the software you use, they might be separate files, or you may just append the key to the certificate file).
I'm trying to generate a new push notifications certificate on my IIS.
In the past I used to go to IIS mamager --> Server Certificates then select "Create Certificate Request", fill out the details and it generated a txt file which I uploaded to apple to generate and download the cer file.
My problem is that for some reason I can't upload this text file. I get this message:
Invalid CSR
Select a valid Certificate Signing Request
anyone encountered this issue?
Finally got it working.
This is what I did:
In IIS using Cygwin:
Generate private key:
openssl genrsa -out myAppName.key 2048
Generate csr file from private key:
openssl req -new -sha256 -key myAppNameCSR.key -out myAppName.csr
Upload csr file to apple to generate certificate
Download the certificate
Convert certificate to pem file
openssl x509 -in aps_development.cer -inform der -out myAppNameCert.pem
Generate pfx file
openssl pkcs12 -export -out myAppNameKey.pfx -inkey myAppNameCSR.key -in myAppNameCert.pem
To install the certificate in Windows Server:
Click Start > Run.
At the prompt, type in mmc, and then click OK to open the Microsoft Management Console.
Click File, and then click Add/Remove Snap-in.
Click Certificates from the list of available snap-ins, and then click Add..
Click Computer account.
Click Next, and then click Finish.
Click OK.
Right-click the Personal tree node and select All Tasks >Import.
Follow the Wizard, pointing it to the pfx file generated and provide the password used to secure it during creation.
Under the Personal tree node, double-click the Certificates folder.
Right-click the newly installed certificate.
Select All Tasks > Manage Private Keys.
In the Security tab, add the Network Service account providing Read access.
add the group IIS_IUSRS to the private key, and make sure it has full control.
Making a PEM File with Cygwin
So now you have these files:
The private key as a pfx file
The SSL certificate, aps_development.cer as pem file
Convert the pfx file to pem file:
openssl pkcs12 -nocerts -out myAppNameKey.pem -in myAppNameKey.pfx
Finally, combine the certificate and key into a single .pem file:
cat myAppNameCert.pem myAppNameKey.pem > ckDevelopment.pem
Hope this saves someone some time...
use Your keychain Access to genarate Certificate Signing Request
this tutorial might help you -
http://quickblox.com/developers/How_to_create_APNS_certificates
i am working push notifications .i downloaded all required certificate csr and ssl certificates all things and also converting .pem format my webservices team providing services in asp.net
so now we need to convert .pem format to .pfx format.how can we do this thing
i am using following commands and links. but it is not working for me
openssl pkcs12 -export -in Certificates.cer -inkey key.pem -out Certificates.pfx -certfile CA.cer
And i was follow these link also but i got error.
https://support.servertastic.com/convert-pem-to-pfx/
i have these files
Certificate.p12
key.p12
Certificates.pem
key.pem
ck.pem
Certificates.cer
What i will suggest is, Instead of converting the .PEM file to .PFX on your end , send the .PEM file to server from your side and ask the Web-Service developer to change the .PEM to .PFX on his end.
I am working on an application where I will retrieve a public key for a user from our server. Once I have it, I need to do a RSA encryption using the public key. The public key obtained from the server is Base64 encoded.
How do I load the public key into the iOS KeyChain so that I can perform RSA cryptographic functions with it? Certificate loading seems to be trivial, but raw public keys don't.
This is not supported because it is the "wrong" way.
The "right" way is to use a certificate.
To quote "Quinn The Eskimo!".
This is surprisingly easy. You don't need to add the certificate to the keychain to handle this case. Rather, just load the certificate data (that is, the contents of a .cer file) in your application (you can either get this from your bundle or off the network) and then create a certificate ref using SecCertificateCreateWithData. From there you can extract a public key ref using a SecTrust object (SecTrustCreateWithCertificates, SecTrustEvaluate -- you can choose to ignore the resulting SecTrustResultType -- and SecTrustCopyPublicKey). And from there you can encrypt and verify using the SecKey APIs (SecKeyEncrypt, SecKeyRawVerify).
A tutorial on how to create a self-signed certificate is here.
The basic steps are:
#Make the -----RSA PRIVATE KEY----- file in PEM format
openssl genrsa -out privKey.pem 2048
#Make the -----CERTIFICATE REQUEST-----
openssl req -new -key privKey.pem -out certReq.pem
#Make the actual -----CERTIFICATE-----
openssl x509 -req -days 30 -in certReq.pem -signkey privKey.pem -out certificate.pem
#Make the DER certificate.crt file from the certificate.pem
openssl x509 -outform der -in certificate.pem -out certificate.cer
If you double click that .cer on a Mac machine, it will offer to import it into keychain.
Resources:
How to generate self signed certificates
Common SSL commands
The usual way of transporting a public key -is- inside a certificate, signed by some CA to prove that it is authentic.
Or maybe you are talking about a ssh public key?
in that case you would need a special ssh capable app to use it, these keys are usually not stored in the iOS keychain.
I found the necessary code on the Apple Site describing how to strip the ASN.1 header from the Public Key and load it into the KeyChain.
I'm working on an app for a client that requires an SSL connection with an API. I've been provided with three files; a trust root certificate (.cer) file, an intermediate certificate (.cer) file and a signed response file. The instructions I've been given to install this relate to either IIS or the Java keytool program; I'm building the app in Ruby on Rails so neither is an option (as far as I am aware).
The certificates are self-signed by the organisation who runs the API service and it appears I get given client certificates to mutually authenticate an https connection. I'm unsure how to
use the certificates in my application to connect and use the API
what the signed response file does
I've read "Using a self-signed certificate" and this article on OpenSSL in Ruby but neither seems to quite hit the spot (and both have some reliance on Java/JRuby which confuses things).
Any pointers would be greatly appreciated.
Based on your comments, I'm assuming that the certificates are in DER format, which you can convert to PEM with the openssl x509 command (see: openssl x509 command):
openssl x509 -inform DER -outform PEM -in certfile.cer -out certfile.pem
After that, you can instruct the Ruby OpenSSL library to use the trusted root certificate to authenticate the SSL connection with something like this:
require 'socket'
require 'openssl'
tcp_sock = TCPSocket.new("my.host.tld", 443)
ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
#You may need to specify the absolute path to the file
ctx.ca_file = "certfile.pem"
ssl_sock = OpenSSL::SSL::SSLSocket.new(tcp_sock, ctx)
ssl_sock.sync_close = true
ssl_sock.connect
begin
ssl_sock.post_connection_check('my.host.tld')
rescue
puts "Certificate host did not match expected hostname"
end
After that, you should be able to read and write to ssl_sock like any other Ruby IO object. If you are given a client certificate to use to allow the server to authenticate you, you can configure the SSL context with:
ctx.cert = OpenSSL::X509::Certificate.new(File.read("my_cert.pem"))
ctx.key = OpenSSL::PKey::RSA.new(File.read("my_key.rsa"))
before you create ssl_sock. The OpenSSL library also supports other key types besides RSA, such as DSA (see: OpenSSL::PKey module.)
Finally, a last piece of advice, if you are accessing a RESTful API, you may want to consider using a gem like rest-client instead of handling all of the HTTP/S connection stuff directly. Whether or not such a library is appropriate or useful will depend on the service you are using, of course.