I'm starting some C++ programming to read certificates with libcrypto (OpenSSL) and I'm curious about the format of a certificate ("crt" or "cert") file.
In the file, when I look at it with a text editor, there are multiple certificate sections like so:
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXX
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
YYYYYYYYYYYY
-----END CERTIFICATE-----
When I look at this certificate in Windows (simply by double clicking the ".crt" file, it shows only a single entry in the certificate path. Is there some defined order to what these certificate sections are?
And on a side note, when I use C# to read the certificate like such:
X509Certificate2 cert = new X509Certificate2(#"E:\somePath\device.crt");
var bytes = cert.GetRawCertData();
string temp = Convert.ToBase64String(bytes);
The variable temp only show contains the data from the first begin/end section in the file. That is, temp contains "XXXXXXXXXXXX"
Also the certificate is a client certificate.
So I'm curious: What are the two "certificates" in the one file?
Thanks!
In normal cases, a .crt file contains just one certificate. However, in some contexts, some applications may allow that a file contains multiple certificates.
For example, some applications may expect that a file contains all or some certificates of a certificate chain. However, in typical cases, such file has .p12 (PKCS#12) or .pfx as its extension.
The extension .crt indicates that the content of the file is a certificate, but the extension does not tell anything about the file format. The file format may be PEM (Privacy-Enhanced Mail) (RFC 7468), DER (Distinguished Encoding Rules) (X.690) or something else. If the file's content is text data and contains -----BEGIN ?????----, the file format is PEM. On the other hand, if the file contains binary data, it is highly likely that the file format is DER.
Diagrams below from "Illustrated X.509 Certificate" illustrate relationship among ASN.1 (X.680), DER (X.690), BASE64 (RFC 4648) and PEM (RFC 7468).
I guess that the .crt file at your hand represents the entire or a part of a certificate chain.
Related
I want to create an encrypted XML file. Encrypted as a whole.
I have one big class, which I serialize to a string. Then I convert it to bytes (f.e in one test case it takes 1128 bytes) and I want to encrypt those bytes.
I need to have a certificate which no admin user has access to, so I created my cert like this:
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -FriendlyName "XD" -NotAfter
(Get-Date).AddYears(10) -KeyAlgorithm RSA -KeyLength 2048 -Subject "test"
Then in my C# app I get to that cert by .Subject and I want to encrypt my bytes using it. The problem is, that I get the exception with bad length message, which suggest, that I want to encrypt too many bytes with RSA.
Now I know I can use AES or something else, but I need to have this key in the certificate in the store, so no one except admin user, which creates that cert has access to it. And as I've read the documentation for New-SelfSignedCertificate - it cannot create a cert with f.e AES key.
So my question here would be: Is there a way to create a cert with a particular key algorithm which would be able to encrypt at least 2-3k bytes?
RSA can only encrypt messages that are smaller than the modulus of the key pair. Some bytes should be reserved for padding, and the exact number depends on the padding scheme you are using.
In practice, asymmetric algorithms like RSA are usually used for key transport, not directly for message encryption. If you have a long message, encrypt it with AES, using a random key. Then encrypt the AES key with RSA, using the public key of the message recipient.
Standards like TLS, PGP, and S/MIME use RSA in this way.
Summary: how can I generate key.pem file used for packaging google extension using c#?
As far as I know the pem file used in Google extension generated by using below code
openssl pkcs8 -topk8 -nocrypt -out key.pem
and it's pkcs8 key , I tried to use bouncycastle to generate it from RSA XML file like discriped in this post , but the final generated .pem file dose not accepted by google chrome, it's structure is correct but length of the file is almost half of the one generated by chrome browser in the packaging proccess.
the final key required by google chrome is something like below
-----BEGIN PRIVATE KEY-----
MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC0Bo/mh3bSiOiP
CUxtpa0c8IhDNJqaRDNWaKiqothEjgI7D/IU/uHacPotyedjzLFNr0cnhgguO4dQ
dNaSN+tAlgBqcexBbAl31+BEghNy+1PB189VNVSf8G+qOfF0SIKuBbb/+Q4TrvOD
XPrzulQpLcHMqRGqRE4PkT6574pKyiQGJvjeLBLEQtiobKkzoG3HOFkl9RsKae1f
Tuf8f25aVhKjoUyWp1mOfhHwdfT+76rmrz7F9X1s6M7pxigIfCiYPXHrWh02GTbj
EVLKTpVBg31JmrKErNJsv/j5P3wuSI12TCW4u1RXfahBHhi263oGCQ/2JO/Fm4+v
5wtX20x5AgMBAAECggEBAJjceZPlsp9SYSYTXzI7W6MXGpz2LdCP2IemlpFNdRXA
/2PnRkdNpbk19TisGC5FwMeV7XVB+fBH274Vd5zwnnFY7UF1OobSlbeNNoD1ck5P
2e7esM5JWnH0VtzUFpIGf/AEKj9v2uQbyenhKbWKoavVjpmZdcZ9+Up+qiR3oZWe
YiScMlYm5KL+pTD1IMZQ46DoxU17VhOVxbZoZOf+a5iAPtskjJyz12EOVldHASGz
VZkM54C+BrCTdJjOB5C7cth94D7J7nhgovBP0jz6A7WZtDpgBB6j1lFBwKSWw0U4
0LGZb/Mlb29txAoeR1YSHCe6RKuyyY3oas6fJ1kdRgECgYEA12r1nkK8fjNybMbp
No+TsWD9YDTLZrndHBMIR+GtUKWCXTpw7EwT0BCU4ATm6TiTje0ZI9kZW1tnbB4W
iCIyU8o/OeIBBbqKMLtk2iN82KFrNbIbA4IER0J441evYZTnh9NbkJks8iyATPdC
hypRiOi1V4n9CFDguGHj+IsKpLUCgYEA1fC65ASTYGhQ5iQ56G48iKV5XIBldKad
MFcaxzAA/Hp6GMywHqEiYvk/WmCakDmIK1g7Rf7LURvWTYp1nytRBzTRDvrf4ESU
WF4z5Mr6EcnqKEpqDO/tDCwUp+4BReXMrf99KXRAWYig9zjq8garYEmIznoIc02i
4Q/X1uu1RzUCgYEAxzQFxj/4hsuUeLrIVsgWz+Tc6eZoYapmqdt/wNkUqIslLoko
e5suhy2OPkrKLck/yfMDWH8eT7kKvpRkSac12v4f0asJPv7tY3snHAHNJZa/yXvW
Nzw4MJ1rpPAlIpvML3JoLiM3yQsV6haM0ulzVKO9biIQd2wzIs6DPgd15DECgYEA
lQ2vaAW4GEcVdgJvRfznt9xx/XyHMwqSIYfOZFCRn1ZFktmpKu3g40v8U59SkIFE
2c4THeUzCkN2v3dkE40+WuL1dJZdPAcLw7V+Oj0glRw0Q/X0hSbz5LMhgQ5VXLmK
LP//183it351h0jkh9MVu3QAGLr1AEBq5pr/KgH2vrECgYEAr6y3cCo/gdUi6v3Y
39B6LTcmqeKZbpqh3LzBl+I6Ke9t/TOqCZhwtuolMDkFLhZ9woGDeB1VBfV7yUW4
xyF3rE6uMSEZyD5ivku7VC2Gsz/2XuRGl8iToGXgGxzzg6HMQr6Hw36+0VFzzxSo
xn9/6PuHd1bNooOv1S3s0WVkTJw=
-----END PRIVATE KEY-----
I have been attempting to create an SSL server that loads a certificate from a .crt. I have tried both X509Certificate.CreateFromCertFile(#".\Secure\Certificate\" + CertName + ".crt"); and the cert.import, and neither works. On both, I get an issue saying "The server mode SSL must use a certificate with the associated private key". And the key is there! My directory:
Secure/
Certificate/
ZeusHTTP.crt
ZeusHTTP.csr
ZeusHTTP.key
Plugins/
...
The certs are created with OpenSSL.
A simple read of the docs tells us that you should be using a pkcs7 file that usually has file suffix p7b. You'll need to either convert your OpenSSL cert to this format, or find a utility that can generate one from scratch.
The server mode SSL must use a certificate with the associated private key". And the key is there...
As other have stated, they must be in the same file. Here are the steps to do it.
First
Copy ZeusHTTP.crt to ZeusHTTP-chain.crt:
cp ZeusHTTP.crt ZeusHTTP-chain.crt
Second
Open ZeusHTTP-chain.crt and ensure it has all the intermediates certificates required to validate the server certificate. So you will have 2 or more certificates:
-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----
Add certificates as required. For example, if you got a free Startcom certificate, then you need to add the sub.class1.server.ca.pem intermediate from StartSSL's Index of Certs.
Sending all certificates is required to solve the "which directory" problem in PKI. Its a well known problem in PKI, and essentially it means a client does not know where to go to fetch missing intermediate certificates.
Third
Perform the following to generate a PKCS 12 file:
openssl pkcs12 -export -in ZeusHTTP-chain.crt -inkey ZeusHTTP.key -out ZeusHTTP.p12
Fourth
Finally, install the certificate on IIS as a test.
For your code, I believe you need to load it into a Certificate2 and not a Certificate.
Also see How to read a .p12 file in my web service on Stack Overflow and how to create x509 certificate and use it in sslstream on MSDN.
The code on the Site here (shown below) encrypts app.config. I ran this on a button press to encrypt my config.
When am i supposed to run the code - (e.g at application start-up in case it is not already encrypted)?
In my bin folder i have 2 xml configuration files (Applicationname.exe.config and Applicationname.vshost.exe - this code only encrypts the first one of them - When i deploy my program how do i ensure that the my customer doesn't accidentally get the unencrypted file also as this would be a major issue ?(Or does the windows installer take care of ensuring this)?
C# Code
Configuration config = ConfigurationManager.OpenExeConfiguration(
ConfigurationUserLevel.None);
SectionInformation appSettingsSecInfo = config.GetSection(
"appSettings").SectionInformation;
if (!appSettingsSecInfo.IsProtected)
{
Console.WriteLine("The configuration file has NOT been protected!");
// Encrypt this section by using security provider
// (RsaProtectedConfigurationProvider or DpapiProtectedConfigurationProvider).
appSettingsSecInfo.ProtectSection("RsaProtectedConfigurationProvider");
appSettingsSecInfo.ForceSave = true;
config.Save(ConfigurationSaveMode.Full);
}
Please follow steps at this page. Author of the code snippet that you reference also does mention this page. But he is wrong about it not working on app.config files. All you have to do is rename yourapp.exe.config file to web.config, encrypt the sections you want and rename back to yourapp.exe.config.
Now to your scenario. The page that I have referenced also states the following:
You can easily export and import RSA keys from server to server. This makes RSA encryption particularly effective for encrypting configuration files used on multiple servers in a Web farm.
And it has a section about exporting and importing RSA keys.
So you could encrypt the configuration on your PC, export RSA key used for encryption and put it in your installer. The installer would then import the RSA encryption key into machine or user store on PC on which the application is being deployed.
But you should realize that when the application is starting, encrypted configuration has to be decrypted using private part of RSA encryption key (that we imported or it originated on the PC). Therefore if the application can get access to the private key so might the customer (I presume that the customer has physical access to the PC with your application). What you could do is use a user key container of user that only the application will run under for RSA encryption key but if the customer has administrator rights you will not be able to forbid him from decrypting the configuration.
So much for standard solutions. But you can always put sensitive data in a custom xml file, encrypt it and the encryption key compile into you application. Then the application would have to implement a logic to decrypt the xml itself. The customer would have to decompile your application to get to the RSA encryption key.
I would like to know if x509 certificate's password allows multi-passwords per certificate - or just one?
And if it is possible, what scenario would it be applied?
Thanks for your time.
Because GnuPG is easily available to me, it'd be my tool of choice; each admin would create a public/private key pair and export the public portion:
gpg --gen-key
gpg --export --armor [keyid] > key_file_[admin_name]
Import all the public keys into the keyring of whoever 'owns' the unencrypted x509 cert:
cat key_file_* | gpg --import
Then encrypt the cert with all the keys:
gpg -r keyid1 -r keyid2 -r keyid3 ... -o encrypted_cert -e plaintext_cert
Now encrypted_cert can be decrypted by whoever has one of the private keys and that private key's passphrase:
gpg encrypted_cert
PGP could also do the job, and probably with only slight modifications to the commands here.
Because all this is doing is encrypting a single symmetric key multiple times, once to each public key (and storing the results in a file format prepared to handle multiple copies of the encrypted symmetric key), it would be easy enough to re-implement in whatever language you'd like, if your trial wrappers work well enough.
It allows just one password and it is used to secure private key in the certificate. If you want to access private key you must provide a password.