
kme : certificate   37

Fixing SSL CA certificates with OpenSSL from MacPorts - andatche.com
MacPorts now offers a method that syncs certificates from the system keychain:
<code class="language-bash">sudo port install certsync
sudo port load certsync</code>
As for the missing dependency, consider filing a bug.
openssl  macports  macos  ca  cacert  certificate  curl  maybesolution 
september 2019 by kme
How to View a Certificate Fingerprint as SHA-256, SHA-1 or MD5 using OpenSSL
How to View a Certificate Thumbprint as SHA-256, SHA-1 or MD5 using OpenSSL
openssl  x509  crypto  ssl  certificate  sha1  sha256  hash  fingerprint  commandline  solution 
june 2019 by kme
Certbot
Automatically enable HTTPS on your website with EFF's Certbot, deploying Let's Encrypt certificates.
webdevel  webmaster  tls  certificate  letsencrypt  crypto  alternativeto  selfsignedcertificate 
june 2019 by kme
LFTP FTPS and Certificate Verification » Versatile Web Solutions | https://www.versatilewebsolutions.com/
<code class="language-bash">
openssl s_client -showcerts -connect example.com:21 -starttls ftp
</code>
lftp  cryto  cacert  certificate  woes  maybesolution  troubleshooting 
april 2019 by kme
ssl - How to add an enterprise certificate authority (CA) to git on cygwin (and some linux distros) - Stack Overflow
git-remote-https will read the following files for ca certificates:
<code>/etc/ssl/certs/ca-bundle.crt
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
</code>

If you edit these files, they will be overwritten each time the Cygwin setup is run and there is an update for the ca-certificates package.

The correct/proper solution is to add the certificate to the pick up directory and run the pickup script, update-ca-trust:
<code class="language-bash">curl -sL http://ca.pdinc.us > /etc/pki/ca-trust/source/anchors/ca.pdinc.us.pem \
&& update-ca-trust
</code>

The post install script for the ca-certificates package will automatically rerun the update-ca-trust script on every upgrade. For more information:
<code class="language-bash">man update-ca-trust</code>
cacert  certificate  openssl  curl  cygwin  sysadmin  solution 
january 2018 by kme
security - What is the difference between a cer, pvk, and pfx file? - Stack Overflow | https://stackoverflow.com/
Windows .cer files are ASN.1 DER encoded (you can decode these with 'dumpasn1' on Linux or use http://www.lapo.it/asn1js/ for a web version--don't upload private keys there, though).

You can also decode with OpenSSL:

<code class="language-bash">
openssl asn1parse -inform der -in SomeIssuer.cer

# or, given a .cer file from Windows, something like this works:
openssl x509 -inform der -in SomeIssuer.cer -fingerprint -sha1
</code>

This was a helpful guide for decoding the various file extensions:

<code>Here are my personal, super-condensed notes, as far as this subject pertains to me currently, for anyone who's interested:

Both PKCS12 and PEM can store entire cert chains: public keys, private keys, and root (CA) certs.
.pfx == .p12 == "PKCS12"
fully encrypted
.pem == .cer == .cert == "PEM"
base-64 (string) encoded X509 cert (binary) with a header and footer
base-64 is basically just a string of "A-Za-z0-9+/" used to represent 0-63, 6 bits of binary at a time, in sequence, sometimes with 1 or 2 "=" characters at the very end when there are leftovers ("=" being "filler/junk/ignore/throw away" characters)
the header and footer is something like "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" or "-----BEGIN ENCRYPTED PRIVATE KEY-----" and "-----END ENCRYPTED PRIVATE KEY-----"
Windows recognizes .cer and .cert as cert files
.jks == "Java Key Store"
just a Java-specific file format which the API uses
.p12 and .pfx files can also be used with the JKS API
"Trust Stores" contain public, trusted, root (CA) certs, whereas "Identity/Key Stores" contain private, identity certs; file-wise, however, they are the same.</code>
ca  certificate  x509  webmaster  webdevel  fileextension  fuckina  solution 
january 2018 by kme
How to View a Certificate Fingerprint as SHA-256, SHA-1 or MD5 using OpenSSL | Symantec | https://knowledge.symantec.com/
Seems to work, even though '-fingerprint' doesn't seem to be in the 'openssl' man page:
<code class="language-bash">
# SHA-256
openssl x509 -noout -fingerprint -sha256 -inform pem -in [certificate-file.crt]

# SHA-1
openssl x509 -noout -fingerprint -sha1 -inform pem -in [certificate-file.crt]

# MD5
openssl x509 -noout -fingerprint -md5 -inform pem -in [certificate-file.crt]</code>

If they came from Windows (in .cer) format, use '-inform der' (DER = Distinguished Encoding Rule). Der!
<code class="language-bash">
openssl x509 -inform der -in SomeIssuer.cer -fingerprint -sha1 -noout
</code>
ssl  openssl  cacert  ca  certificate  fingerprint  commandline  cli  solution 
january 2018 by kme
ssl - How to create a self-signed certificate with openssl? - Stack Overflow | https://stackoverflow.com/
You can do that in one command:
<code class="language-bash">
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
</code>

You can also add -nodes if you don't want to protect your private key with a passphrase, otherwise it will prompt you for "at least a 4 character" password. The days parameter (365) you can replace with any number to affect expiration date. It will then prompt you for things like "Country Name" but you can just hit enter and accept defaults.

Self-signed certs are not validated with any third party unless you import them to the browsers previously. If you need more security, you should use a certificate signed by a CA.
openssl  cs  selfsignedcertificate  selfsigned  certificate  webmaster  reference 
december 2017 by kme
Firefox 3 and Self-Signed Certs | https://www.gerv.net/
Leaving aside the fact that many people who use this model for SSH don't bother to do 1) in practice but just say "OK" and hope, it is our assertion that no-one has yet come up with a UI that makes this model of crypto (known as Key Continuity Management - KCM - or "the SSH model") understandable to Joe Public. You can't provide him with a string of hex characters and expect it to read it over the phone to his bank. What he does instead is just click "OK", which might as well be labelled "Yeah, Whatever", and hopes for the best. The same thing happens when he gets "key changed!" warnings, even scary ones.

The first important thing to note about this model is that key changes are an expected part of life. No-one does or should use the same key for ever, and key compromise or discovered weakness means that keys change. So the user is going to get a series of alerts over time, some of which indicate an OK condition, and some of which indicate a dangerous condition. It is our assertion that no UI can navigate Joe through this complexity in a safe way.

Usability research tells us that repeated security dialogs and warnings habituate users into just clicking "OK" - it's the "Yeah, Whatever" thing again. If that dialog mostly indicates a benign condition but occasionally indicates a serious one, then the problem is compounded. This happens no matter what the dialog says. UI designers can work on the wording for a year, but whatever it is, it'll eventually just get ignored.


Also:
However, running your own CA has its own hidden costs - and you normally discover them after a key compromise when you have to update all the certificates at once, and everyone has to learn a lot about crypto really quickly. A simpler solution is just to get in touch with StartCom, or budget for a few expenditures of $14.95 or whatever, and use the same public CA system everyone else does.
firefox  ssl  ca  security  selfsignedcertificate  selfsigned  certificate  browser  crypto 
december 2017 by kme
Certificate Decoder - Decode certificates to view their contents
<code class="language-bash">openssl x509 -in certificate.crt -text -noout</code>

This works for .pem files, but not .crt files, because I still don't know the difference.
certificate  ssl  decoder  openssl  ca  webapp  webmaster  solution 
november 2017 by kme
bitbucket - Smartgit SHA fingerprint of the certificate does not match - Stack Overflow
What I was flipping out about was actually the SHA1 hash for the SSL certificate for the GitLab host, *not* the SHA1 SSH host fingerprint.

I wasn't getting man-in-the-middled by SmartGit after all.
syntevo  smartgit  ssl  sha1  certificate  hash  solution 
october 2017 by kme
security - How to verify the SSL fingerprint by command line? (wget, curl, ...) - Ask Ubuntu
The Syntevo SmartGit client was asking me to verify a SHA1 fingerprint that I thought was the SSH fingerprint, but it was this. And here's how to get that fingerprint:

<code class="language-bash">
echo -n | openssl s_client -connect torproject.org:443 \
-CAfile /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
> ./torproject.pem
</code>

Get SHA-1 fingerprint:
<code class="language-bash">
openssl x509 -noout -in torproject.pem -fingerprint -sha1
</code>

Get SHA-256 fingerprint:
<code class="language-bash">
openssl x509 -noout -in torproject.pem -fingerprint -sha256
</code>
ssl  openssl  certificate  sha1  fingerprint  sysadmin  webmaster  solution 
october 2017 by kme
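The bookmarks above keep circling the same two facts: a certificate "fingerprint" is nothing more than a digest (SHA-256, SHA-1 or MD5) over the DER encoding of the certificate, and PEM is just that DER wrapped in base64 between BEGIN/END lines, which is why the .crt/.cer/.pem extension tells you nothing reliable about which encoding a file holds. The following is an added example, not code from any of the linked Stack Overflow, Symantec or Ask Ubuntu posts: it extracts the first PEM block the way the sed range in the Ask Ubuntu entry does, auto-detects PEM versus DER by content instead of by extension, and prints fingerprints in the same colon-separated upper-case layout as `openssl x509 -fingerprint`. Only the Python standard library is used; the sample bytes are constructed for the demonstration and are not a real X.509 certificate, so the function names (`load_der`, `fingerprint`, `fingerprints_from_file`) and the sample are assumptions of this example.

```python
import base64
import hashlib
import re
from pathlib import Path

# Constructed sample: stands in for a DER-encoded certificate. It is NOT a
# real X.509 structure (only the leading SEQUENCE tag is realistic); the
# fingerprint arithmetic is identical for a genuine certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(PEM_HEADER + rb"\s*(.*?)\s*" + PEM_FOOTER, re.DOTALL)


def pem_to_der(data: bytes) -> bytes:
    """Take the first PEM certificate block (what the sed range in the
    Ask Ubuntu entry isolates) and base64-decode it back to DER."""
    m = PEM_BLOCK.search(data)
    if not m:
        raise ValueError("no PEM certificate block found")
    # Drop the line breaks inside the block before decoding.
    return base64.b64decode(b"".join(m.group(1).split()))


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER as PEM: base64 in 64-column lines between the markers."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return PEM_HEADER + b"\n" + b"\n".join(lines) + b"\n" + PEM_FOOTER + b"\n"


def load_der(data: bytes) -> bytes:
    """Return DER bytes whether the input was PEM or DER.

    The file extension is not trustworthy: a Windows .cer is usually DER,
    while .crt may be either. PEM is plain text with a recognisable header,
    so decide by content, not by name.
    """
    if PEM_HEADER in data:
        return pem_to_der(data)
    if data[:1] == b"\x30":  # every DER X.509 certificate opens with a SEQUENCE tag
        return data
    raise ValueError("input is neither PEM nor DER certificate data")


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Digest of the DER encoding, formatted like `openssl x509 -fingerprint`:
    upper-case hex pairs separated by colons."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_from_file(path: str) -> dict:
    """Fingerprints of a certificate file in any of the three digests the
    bookmarked posts mention, regardless of whether the file is PEM or DER."""
    der = load_der(Path(path).read_bytes())
    return {alg: fingerprint(der, alg) for alg in ("sha256", "sha1", "md5")}


if __name__ == "__main__":
    # Same certificate, two encodings: the fingerprints must agree.
    as_pem = der_to_pem(SAMPLE_DER)
    for label, blob in (("DER", SAMPLE_DER), ("PEM", as_pem)):
        der = load_der(blob)
        print(f"{label}: SHA256 Fingerprint={fingerprint(der, 'sha256')}")
        print(f"{label}: SHA1   Fingerprint={fingerprint(der, 'sha1')}")
```

To compare against a real file, `fingerprints_from_file("cert.crt")["sha1"]` should print the same value as `openssl x509 -noout -fingerprint -sha1 -in cert.crt` (with `-inform der` for a DER file); the fingerprint is a property of the DER bytes, so re-wrapping the same certificate as PEM never changes it, while any edit to the encoded bytes does.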
How to install certificates for command line - Ask Ubuntu
The ca-certificates package has the instructions in its README.Debian:

If you want to install local certificate authorities to be implicitly trusted, please put the certificate files as single files ending with .crt into /usr/local/share/ca-certificates/ and re-run update-ca-certificates.

Note that it mentions a directory different from the other answers here:

/usr/local/share/ca-certificates/

After copying into /usr/local/share/ca-certificates/ you can then update the cert's permissions and run sudo update-ca-certificates as mentioned in Telegrapher's answer. You will see in the output that the cert was added.


Also notable (not strictly true, since .cer files are a Windows thing, binary, in ASN.1/DER format):
Extensions .crt, .pem and .cer are interchangeable, just change the file name extension, they have the same form.
ssl  certificate  ubuntu  linux  sysadmin  howto  solution  ca 
june 2017 by kme
php - Authenticating a self-signed certificate for LDAPS connection - Stack Overflow
You have to explicitly tell the LDAP client to ignore untrusted certificates. You can do so by adding the following to your ldap.conf file:

TLS_REQCERT never
ssl  tls  selfsigned  certificate  php  ldap  solution 
february 2016 by kme
