recentpopularlog in

kme : ca   32

Fixing SSL CA certificates with OpenSSL from MacPorts -
MacPorts now offers a Methode that syncs certificates from the system keychain:
<code class="language-bash">sudo port install certsync
sudo port load certsync</code>
As for the missing dependency, consider filing a bug.
openssl  macports  macos  ca  cacert  certificate  curl  maybesolution 
september 2019 by kme
openssl - how to extract issuer certificate from other certificate - Stack Overflow |
This might work *if* the certificate embeds a URL for the issuer. This wasn't the case for my organization.
openssl  ssl  ca  certs  issuer  commandline  sysadmin  networking  sortof  solution 
january 2019 by kme
security - What is the difference between a cer, pvk, and pfx file? - Stack Overflow |
Windows .cer files are ASN.1 DER encoded (you can decoded these with 'dumpasn1' on Linux or use for a web version--don't upload private keys there, though).

You can also decode with OpenSSL:

<code class="language-bash">
openssl asn1parse -inform der -in SomeIssuer.cer

# or, given a .cer file from Windows, something like this works:
openssl x509 -inform der -in SomeIssuer.cer -fingerprint -sha1

This was a helpful guide for decoding the various file extensions:

<code>Here are my personal, super-condensed notes, as far as this subject pertains to me currently, for anyone who's interested:

Both PKCS12 and PEM can store entire cert chains: public keys, private keys, and root (CA) certs.
.pfx == .p12 == "PKCS12"
fully encrypted
.pem == .cer == .cert == "PEM"
base-64 (string) encoded X509 cert (binary) with a header and footer
base-64 is basically just a string of "A-Za-z0-9+/" used to represent 0-63, 6 bits of binary at a time, in sequence, sometimes with 1 or 2 "=" characters at the very end when there are leftovers ("=" being "filler/junk/ignore/throw away" characters)
the header and footer is something like "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" or "-----BEGIN ENCRYPTED PRIVATE KEY-----" and "-----END ENCRYPTED PRIVATE KEY-----"
Windows recognizes .cer and .cert as cert files
.jks == "Java Key Store"
just a Java-specific file format which the API uses
.p12 and .pfx files can also be used with the JKS API
"Trust Stores" contain public, trusted, root (CA) certs, whereas "Identity/Key Stores" contain private, identity certs; file-wise, however, they are the same.</code>
ca  certificate  x509  webmaster  webdevel  fileextension  fuckina  solution 
january 2018 by kme
How to View a Certificate Fingerprint as SHA-256, SHA-1 or MD5 using OpenSSL | Symantec |
Seems to work, even though '-fingerprint' doesn't seem to be in the 'openssl' man page:
<code class="language-bash">
# SHA-256
openssl x509 -noout -fingerprint -sha256 -inform pem -in [certificate-file.crt]

# SHA-1
openssl x509 -noout -fingerprint -sha1 -inform pem -in [certificate-file.crt]

# MD5
openssl x509 -noout -fingerprint -md5 -inform pem -in [certificate-file.crt]</code>

If they came from Windows (in .cer) format, use '-inform der' (DER = Distinguished Encoding Rule). Der!
<code class="language-bash">
openssl x509 -inform der -in SomeIssuer.cer -fingerprint -sha1 -noout
ssl  openssl  cacert  ca  certificate  fingerprint  commandline  cli  solution 
january 2018 by kme
curl - SSL CA Certificates |
Yeah, except the '--cacert pemfile.pem' option never seems to work without just resorting to '--insecure' also.
If you use the 'openssl' tool, this is one way to get extract the CA cert for a particular server:
<code class="language-bash">openssl s_client -showcerts -servername server -connect server:443 > cacert.pem</code>
- type "quit", followed by the "ENTER" key
- The certificate will have "BEGIN CERTIFICATE" and "END CERTIFICATE" markers.
- If you want to see the data in the certificate, you can do: "openssl x509 -inform PEM -in certfile -text -out certdata" where certfile is the cert you extracted from logfile. Look in certdata.
- If you want to trust the certificate, you can add it to your CA certificate store or use it stand-alone as described. Just remember that the security is no better than the way you obtained the certificate.

Convert from crt (IE / Windows, DER format) to PEM format:
<code class="language-bash">openssl x509 -inform DES -in yourdownloaded.crt -out outcert.pem -text</code>
webdevel  debugging  curl  ssl  certs  ca  security  dammitbrain  reference 
december 2017 by kme
Firefox 3 and Self-Signed Certs |
Leaving aside the fact that many people who use this model for SSH don't bother to do 1) in practice but just say "OK" and hope, it is our assertion that no-one has yet come up with a UI that makes this model of crypto (known as Key Continuity Management - KCM - or "the SSH model") understandable to Joe Public. You can't provide him with a string of hex characters and expect it to read it over the phone to his bank. What he does instead is just click "OK", which might as well be labelled "Yeah, Whatever", and hopes for the best. The same thing happens when he gets "key changed!" warnings, even scary ones.

The first important thing to note about this model is that key changes are an expected part of life. No-one does or should use the same key for ever, and key compromise or discovered weakness means that keys change. So the user is going to get a series of alerts over time, some of which indicate an OK condition, and some of which indicate a dangerous condition. It is our assertion that no UI can navigate Joe through this complexity in a safe way.

Usability research tells us that repeated security dialogs and warnings habituate users into just clicking "OK" - it's the "Yeah, Whatever" thing again. If that dialog mostly indicates a benign condition but occasionally indicates a serious one, then the problem is compounded. This happens no matter what the dialog says. UI designers can work on the wording for a year, but whatever it is, it'll eventually just get ignored.

However, running your own CA has its own hidden costs - and you normally discover them after a key compromise when you have to update all the certificates at once, and everyone has to learn a lot about crypto really quickly. A simpler solution is just to get in touch with StartCom, or budget for a few expenditures of $14.95 or whatever, and use the same public CA system everyone else does.
firefox  ssl  ca  security  selfsignedcertificate  selfsigned  certificate  browser  crypto 
december 2017 by kme
Certificate Decoder - Decode certificates to view their contents
<code class="language-bash">openssl x509 -in certificate.crt -text -noout</code>

This works for .pem files, but not .crt files, because I still don't know the difference.
certificate  ssl  decoder  openssl  ca  webapp  webmaster  solution 
november 2017 by kme
How to install certificates for command line - Ask Ubuntu
The ca-certificates package has the instructions in its README.Debian:

If you want to install local certificate authorities to be implicitly trusted, please put the certificate files as single files ending with .crt into /usr/local/share/ca-certificates/ and re-run update-ca-certificates.

Note that it mentions a directory different from the other answers here:


After copying into /usr/local/share/ca-certificates/ you can then update the cert's permissions and run sudo update-ca-certificates as mentioned in Telegraphers answer. You will see in the output that the cert was added.

Also notable (not strictly true, since .cer files are a Windows thing, binary, in ASN.1/DER format):
Extensions .crt, .pem and .cer are interchangeable, just change the file name extension, they have the same form.
ssl  certificate  ubuntu  linux  sysadmin  howto  solution  ca 
june 2017 by kme
Can a BlueCoat SSL Proxy steal your password? : networking
If there's a certificate in the chain that doesn't match, it's most likely an internal certificate from your organisation. If it is, then they're performing TLS inspection and they can see your details.
ssl  tls  proxy  ca  snooping  surveillance  security  privacy 
june 2017 by kme
How to install certificates for command line - Ask Ubuntu
For everything to work and not only your browser, you need to add that CA certificate to the system's trusted CA repository.

In ubuntu:

Go to /usr/share/ca-certificates/
Create a new folder, i.e. "sudo mkdir school"
Copy the .crt file into the school folder
Make sure the permissions are OK (755 for the folder, 644 for the file)
Run "sudo update-ca-certificates"
sysadmin  ubuntu  linux  ca  certificates  ssl  github  mitm  solution 
june 2017 by kme
Error:The Private Key for this Client Certificate is missing or invalid. · Issue #579 · jlund/streisand · GitHub
I had this problem importing root CAs into Chrome, but I was on the "Your Certificates" tab; just switch to "Servers" or "Authorities" and try again. You might need to manually check "Trust this certificate for identifying web sites," too.
Error:The Private Key for this Client Certificate is missing or invalid. #579
errormessage  chromium  chrome  certificates  rootcertificates  ca  solution 
april 2017 by kme
This script lives in lib/ in current curl distributions.
ssl  certs  curl  certificates  ca  solution 
march 2016 by kme
curl: SSL certificate problem: unable to get local issuer certificate · Issue #2 · torch/ezinstall · GitHub

Solution 2 in Post#3 is the correct and secure way to do it.
2. Actually install root certificates. Curl guys extracted for you certificates from mozilla:

cacert.pem file is what you are looking for. This file contains > 250 CA certs (don't know how to trust this number of ppl). You need to download this file, split it to individual certificates put them to /usr/ssl/certs (your CApath) and index them.
solution  curl  ssl  ca  castore  certificates  openssl  git 
march 2016 by kme
Fixing HTTPS Certificate Errors in Wget and Ruby • 55 Minutes Blog
<code class="language-bash"># Install curl-ca-bundle
sudo port install curl-ca-bundle

# Add CA_CERTIFICATE to ~/.wgetrc
echo certificate=/opt/local/share/curl/curl-ca-bundle.crt >> ~/.wgetrc</code>
mac  osx  ca  certs  https  wget  errormessage  commandline  solution  macos 
march 2013 by kme
Certificate Installation with OpenSSL - Other People's Certificates
(Partial) solution to verifying a CA certificate using 'certtool' and a "trusted" MD5 fingerprint.

Used this on 1/1/2010 to verify the SPI (Software in the Public Interest) CA for getting the Debian 'apt' keys.
openssl  webmaster  sysadmin  solution  certificates  castore  ca  ssl 
january 2010 by kme

Copy this bookmark:

to read