Using Client SSL in a Ruby on Rails App - ruby-on-rails

I'm working on an app for a client that requires an SSL connection with an API. I've been provided with three files; a trust root certificate (.cer) file, an intermediate certificate (.cer) file and a signed response file. The instructions I've been given to install this relate to either IIS or the Java keytool program; I'm building the app in Ruby on Rails so neither is an option (as far as I am aware).
The certificates are self-signed by the organisation who runs the API service and it appears I get given client certificates to mutually authenticate an https connection. I'm unsure:
- how to use the certificates in my application to connect and use the API
- what the signed response file does
I've read "Using a self-signed certificate" and this article on OpenSSL in Ruby but neither seems to quite hit the spot (and both have some reliance on Java/JRuby which confuses things).
Any pointers would be greatly appreciated.

Based on your comments, I'm assuming that the certificates are in DER format, which you can convert to PEM with the openssl x509 command (see: openssl x509 command):
openssl x509 -inform DER -outform PEM -in certfile.cer -out certfile.pem
After that, you can instruct the Ruby OpenSSL library to use the trusted root certificate to authenticate the SSL connection with something like this:
require 'socket'
require 'openssl'
tcp_sock = TCPSocket.new("my.host.tld", 443)
ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
# You may need to specify the absolute path to the file
ctx.ca_file = "certfile.pem"
ssl_sock = OpenSSL::SSL::SSLSocket.new(tcp_sock, ctx)
ssl_sock.sync_close = true
ssl_sock.connect
begin
  # Checks that the certificate the server presented actually names the host we dialed
  ssl_sock.post_connection_check('my.host.tld')
rescue OpenSSL::SSL::SSLError => e
  puts "Certificate host did not match expected hostname: #{e.message}"
end
After that, you should be able to read and write to ssl_sock like any other Ruby IO object. If you are given a client certificate to use to allow the server to authenticate you, you can configure the SSL context with:
ctx.cert = OpenSSL::X509::Certificate.new(File.read("my_cert.pem"))
ctx.key = OpenSSL::PKey::RSA.new(File.read("my_key.rsa"))
before you create ssl_sock. The OpenSSL library also supports other key types besides RSA, such as DSA (see: OpenSSL::PKey module.)
Finally, a last piece of advice, if you are accessing a RESTful API, you may want to consider using a gem like rest-client instead of handling all of the HTTP/S connection stuff directly. Whether or not such a library is appropriate or useful will depend on the service you are using, of course.
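The following is an added example, not code from this answer or from the Ruby OpenSSL project. It builds a constructed root, intermediate, server and client certificate in memory (the root and intermediate stand in for the two .cer files, the client certificate for the signed client credential), writes the trust anchors to a PEM bundle the way ctx.ca_file needs them (Certificate.new reads DER directly, so the openssl x509 conversion can also be done in Ruby), and runs a loopback mutual-TLS exchange against a server on 127.0.0.1 with an ephemeral port. The helper names issue_cert, build_pki, write_ca_bundle and mtls_exchange are mine; with the real files you would File.read them and skip build_pki. The two keyword flags show what happens when the trust root is missing from ca_file and when no client certificate is offered.

```ruby
require 'socket'
require 'openssl'
require 'tempfile'

# Issue an X.509 cert for +subject+, signed by +issuer+ (self-signed when nil). Constructed test PKI only.
def issue_cert(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 62) + 1
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', 'DNS:localhost'))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Root -> intermediate -> {server, client}: root and intermediate stand in for the two .cer files.
def build_pki
  keys = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  root   = issue_cert('/CN=Example Trust Root', keys[0], ca: true)
  inter  = issue_cert('/CN=Example Intermediate', keys[1], issuer: root, issuer_key: keys[0], ca: true)
  server = issue_cert('/CN=localhost', keys[2], issuer: inter, issuer_key: keys[1])
  client = issue_cert('/CN=api-client', keys[3], issuer: inter, issuer_key: keys[1])
  { root: root, inter: inter, server: server, server_key: keys[2], client: client, client_key: keys[3] }
end

# .cer files are normally DER; Certificate.new reads DER or PEM and to_pem writes the PEM ca_file needs.
def write_ca_bundle(der_blobs)
  file = Tempfile.new(['trust-bundle', '.pem'])
  der_blobs.each { |der| file.write(OpenSSL::X509::Certificate.new(der).to_pem) }
  file.flush
  file
end

# Loopback mutual-TLS round trip; the flags reproduce the two common failure modes.
def mtls_exchange(pki, ca_path, trust_ca: true, send_client_cert: true)
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = pki[:server]
  server_ctx.key = pki[:server_key]
  server_ctx.extra_chain_cert = [pki[:inter]]   # hand the intermediate to the peer
  server_ctx.ca_file = ca_path                  # anchors used to verify client certificates
  server_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  listener = TCPServer.new('127.0.0.1', 0)      # ephemeral port
  ssl_server = OpenSSL::SSL::SSLServer.new(listener, server_ctx)
  server = Thread.new do
    conn = ssl_server.accept                    # the handshake happens here
    peer = conn.peer_cert.subject.to_s
    conn.puts("hello #{peer}")
    conn.close
    peer
  rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
    nil                                         # handshake rejected
  ensure
    ssl_server.close
  end

  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  client_ctx.ca_file = ca_path if trust_ca      # without an anchor the server chain is untrusted
  if send_client_cert
    # A cert/key mismatch fails later with an opaque error; catch it up front.
    raise 'client cert and key do not match' unless pki[:client].check_private_key(pki[:client_key])
    client_ctx.cert = pki[:client]
    client_ctx.key = pki[:client_key]
    client_ctx.extra_chain_cert = [pki[:inter]]
  end
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', listener.addr[1]), client_ctx)
  ssl.hostname = 'localhost'                    # SNI
  ssl.sync_close = true
  reply = begin
    ssl.connect
    ssl.post_connection_check('localhost')      # the certificate must name the host we dialed
    ssl.gets.to_s.chomp
  rescue OpenSSL::SSL::SSLError, SystemCallError, IOError => e
    "error: #{e.message}"
  ensure
    ssl.close
  end
  { ok: reply.start_with?('hello '), reply: reply, peer_seen_by_server: server.value }
end

if $PROGRAM_NAME == __FILE__
  pki = build_pki
  bundle = write_ca_bundle([pki[:root].to_der, pki[:inter].to_der])
  p mtls_exchange(pki, bundle.path), mtls_exchange(pki, bundle.path, trust_ca: false)
end
```

The same four context settings (ca_file, cert, key, verify_mode) exist on Net::HTTP if you would rather talk HTTP than raw sockets, and check_private_key is the one-line test for a certificate and key that were not generated together.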

Related

Letsencrypt Solr SSL JVM

I have been trying to get this to work for days, but can anyone point me in the right direction (tutorial etc.) for how to get LetsEncrypt certs to run in Solr?
I have a Rails site running on 443 with LetsEncrypt and have added Solr on the same machine, on a different port. The Solr is running SSL with self-signed certs.
Can I use the same certs for the main site, as both the site and the Solr can be accessed on the same URL?
Obviously the Solr instance is secured via iptables as it seemed an easier setup than reverse proxying while trying to use the same cert.
Any pointers or hints greatly appreciated!
Thanks
Sometimes I overlook the obvious!
As i have a key for the Domain already, and Solr responds on mydomain.com:8983 all that is needed is to create a Java Key Store (jks) from the existing keys on the system.
So all that was needed is
openssl pkcs12 -export -in /etc/letsencrypt/live/mydomain.com/fullchain.pem -inkey /etc/letsencrypt/live/mydomain.com/privkey.pem -out pkcs.p12 -name NAME
specifying the location of the Let's Encrypt cert (on my system /etc/letsencrypt/live/mydomain.com/)
Then convert the PKCS12 key to a jks...
keytool -importkeystore -deststorepass PASSWORD_STORE -destkeypass PASSWORD_KEYPASS -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass STORE_PASS -alias NAME
replacing password where needed.
I would have thought the best practice here would be to automate this in a bash script to be run when the Let's Encrypt certs are renewed.

AWS/Apple Push certificate -- error setting private key

I'm attempting to follow these instructions to set up my S3 API to send push notifications to my iOS app.
I'm making a mess of the certificate issues, so I was hoping someone could help sort me through them.
So far, I've created a CSR, uploaded it to Apple Dev portal, and downloaded a .cer file. I then converted the cer into a pem
openssl x509 -in apns-dev.cer -inform DER -out apns-dev.pem
Then I ran into the instruction to "Open Keychain Access, select Keys, and then highlight your app private key." Not knowing what my "app private key" was, I've tried a couple of things:
- Grabbing the preexisting private-key file in the app's cert folder (an RSA private key which was not, to my knowledge, used to generate the above CSR).
- Exporting my default system private key as a p12 and then converting it, per AWS instructions, into a pem key.
- Trying to generate a new CSR directly from my system private key in Keychain Access
However, whenever I follow the instructions to "test" the private/public key pair (openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert apns-dev.pem -key apns-private.pem), I get this:
error setting private key
41047:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/crypto/x509/x509_cmp.c:406:
I've looked at the following questions, but haven't been able to use their answers to figure this out:
Does the apple push notification distribution certificate signing request need to be the same as that used for the distribution cert to sign the app? - When I try to "expand" the cert in Keychain Access, all I see is info. There is no private key info, and I can't "Export 2 items"
Apple Push Notification error setting private key (the self-given answer here conflicts with the above, and at any rate, I no longer have the original CSR)
Unable to load client certificate private key file - My private key file isn't empty, and I did enter the passphrase correctly
Any idea what could be going on? I'm just shooting in the dark here.
Don't use Apple's instructions to generate the CSR.
Generate key:
openssl genrsa -out $app.key 2048
Generate CSR:
openssl req -new -key $app.key -out $app.csr
And enter the relevant data.
Upload CSR to Apple. Download certificate.
Convert certificate to PEM:
openssl x509 -inform DER -in $app.cer -out $app.pem
Now you have the key in $app.key, and a PEM-encoded certificate in $app.pem. You can then install both on the box that will be connecting to APNS (depending on the software you use, they might be separate files, or you may just append the key to the certificate file).

How to configure SSL in sgcWebSockets 3.2?

I bought an SSL certificate and all I've got is a .crt file.
I need to configure an https server in Delphi correctly. I use a module named sgcWebSockets 3.2. As I can see in the manual, I need to set the following parameters:
1) SSLOptions/ CertFile/ KeyFile/ RootCertFile: you need a certificate in .PEM format in order to encrypt websocket communications.
2) SSLOptions/ Password: this is optional and only needed if the certificate has a password.
3) SSLOptions/ Port: port used on SSL connections.
But I have only a .crt file. I think I can convert it to .pem format using openssl. But what will this file be? Is this a CertFile or a RootCertFile? I don't have a KeyFile anyway. Will it work with only one cert file? I also haven't got any password. Should I leave this field empty? Please help.
You can convert your crt file to a pem file with OpenSSL as follows:
openssl x509 -inform der -in certificate.crt -out certificate.pem
But that isn't the only file you need. You also need your private key which was used to generate your csr that you sent to the certificate authority and that also has to be in pem format. I'm not sure how you generated your csr, so I'd need more information to help you extract that or convert it to pem format.

iOS - How to check whether a pem file is valid or not?

I have created development and production pem files. I have followed these steps:
1) developer.apple.com : AppIDs section check Bundle id supports Development SSL Certificate
if no then create that certificate (which supports APNS)
2) open key chain
3) right click on our certificate and export certificate.
4) you will get .p12 file from here : like : hope_APNS.p12
5) open console(terminal) and run following command (use created .p12 file here as input)
openssl pkcs12 -in apns-dev-cert.p12 -out apns-dev-cert.pem -nodes -clcerts
6) you will get .pem file for the same. (like hope_APNS.pem)
The development pem file is working fine, but there is something wrong with the production pem file. When I set the production pem file and send a push notification from the console, I don't get the push on my device.
That's an old thread but I was looking for the same answer and hope this solution helps someone... worked for me.
You can test your PEM key using the following command, which should hang if successful until you press enter:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert pnpush.pem -key pnpush.pem
The above tests the PEM Key in sandbox mode. For production mode, use the following command:
openssl s_client -connect gateway.push.apple.com:2195 -cert pnpush.pem -key pnpush.pem
Thanks to Craig at https://www.pubnub.com/knowledge-base/discussion/234/how-do-i-test-my-pem-key
There are many reasons why you may not be getting push notifications via a production .pem certificate on your device. Besides making sure you generated the distinct production certificate correctly, here are few things to check:
- You have an Ad-Hoc or Distribution build running on your test device when testing a production certificate
- You have successfully collected the production push token of said device (which will always be different from the development push token)
- You are able to connect to Apple Push Notification PRODUCTION servers (gateway.push.apple.com, port 2195) with the new certificate (i.e. you're able to open a socket connection and it does not close immediately)
- You have checked that your certificate is not expired
Failing all that, you really need to check what is going on at the network level when you send something via that certificate. If it's invalid, it won't connect at all to Apple. If it's valid but the push token you're sending is not recognized by Apple, an error code will be returned (if you are using the binary interface) or the connection will be severed. You may also want to look into the APNS Feedback API to gain more insight on what is going wrong.
You may want to check out this answer and this other answer for more tips.

SSL certificates and Rapns

I'm trying to set up a Rails application using the Rapns library to send push notifications. The project already has this gem configured, I am working toward upgrading it to Rpush. However, I'm having a lot of trouble setting up my certificates.
I've generated all the key pairs and certificates I need with much help from the following articles:
Apple Push Notifications, how do I properly export my cert?
http://quickblox.com/developers/How_to_create_APNS_certificates
http://www.raywenderlich.com/32960/apple-push-notification-services-in-ios-6-tutorial-part-1
Running the following command
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert /path/to/my/sandbox.pem -debug -showcerts
returns the following
Verify return code: 20 (unable to get local issuer certificate)
So with help from Apple's docs I downloaded a CA certificate and ran the following
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert /path/to/my/sandbox.pem -debug -showcerts -CAfile /path/to/my/entrust_2048_ca.cer
and got
Verify return code: 0 (ok)
Success! However, my call to run the notifying application
bundle exec rapns development
Outputs 2 lines initially
[2014-08-04 14:29:42] [my app ID] Started, 1 handler.
[2014-08-04 14:29:43] [my app ID] Connected to feedback.sandbox.push.apple.com:2196
but then does nothing as I attempt to trigger notifications. Additionally it will re-prompt me for my PEM pass phrase periodically, making me think it's not really authenticating (which may be a symptom of the return code 20 from before).
I didn't actually fix the certificate itself (I don't think) by downloading the CA certificate. How do I incorporate that into the PEM so this works, or otherwise configure Rapns such that I don't need the CA cert?
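As an added diagnostic (my own code, not from this thread, Rapns or Rpush): a small inventory of the PEM blocks in a bundle such as sandbox.pem, pnpush.pem or fullchain.pem. It reports whether a certificate and a private key are both present (the s_client commands on this page pass one file to both -cert and -key, which only works when the key block is in it), whether the key block is passphrase-protected (an encrypted PEM key is what triggers a PEM pass phrase prompt), and how many certificates the bundle carries. The sample bundle is constructed with placeholder base64 bodies, not real key material; pem_inventory and diagnose_bundle are my names.

```ruby
# One PEM block: label, optional header lines such as "Proc-Type: 4,ENCRYPTED", base64 body.
PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----/m

# Inventory every PEM block in +text+ without decoding any key material.
def pem_inventory(text)
  text.scan(PEM_BLOCK).map do |label, body|
    lines = body.lines.map(&:strip).reject(&:empty?)
    header_lines, b64_lines = lines.partition { |l| l.include?(':') }   # base64 never contains ':'
    headers = header_lines.to_h { |l| l.split(':', 2).map(&:strip) }
    encrypted = label == 'ENCRYPTED PRIVATE KEY' || headers['Proc-Type'].to_s.include?('ENCRYPTED')
    { label: label, encrypted: encrypted, body_lines: b64_lines.size }
  end
end

# Summarise what a bundle contains and what that means when it is handed to s_client or a push gem.
def diagnose_bundle(text)
  blocks = pem_inventory(text)
  cert_count = blocks.count { |b| b[:label] == 'CERTIFICATE' }
  keys = blocks.select { |b| b[:label].end_with?('PRIVATE KEY') }
  findings = []
  findings << 'no certificate block' if cert_count.zero?
  findings << 'no private key block: -key (or the key path) must point at a separate file' if keys.empty?
  findings << 'private key is passphrase-protected: expect a PEM pass phrase prompt' if keys.any? { |k| k[:encrypted] }
  findings << 'more than one private key block' if keys.size > 1
  findings << "#{cert_count} certificates: leaf plus chain" if cert_count > 1
  { certificates: cert_count, private_keys: keys.size, findings: findings }
end

# Constructed sample: the base64 bodies are placeholders, not real key material.
SAMPLE_BUNDLE = <<~PEM
  -----BEGIN CERTIFICATE-----
  MIIBxTCCAW6gAwIBAgIJAPLACEHOLDERCERT
  -----END CERTIFICATE-----
  -----BEGIN RSA PRIVATE KEY-----
  Proc-Type: 4,ENCRYPTED
  DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

  MIIEowIBAAKCAQEAPLACEHOLDERKEYBODY
  -----END RSA PRIVATE KEY-----
PEM

if $PROGRAM_NAME == __FILE__
  p diagnose_bundle(SAMPLE_BUNDLE)
end
```

Run it against the file you pass to -cert with diagnose_bundle(File.read(path)); a bundle that shows one certificate and no key needs the key supplied separately, and an encrypted key will keep prompting for its passphrase wherever the file is loaded.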
