I have been attempting to create an SSL server that loads a certificate from a .crt. I have tried both X509Certificate.CreateFromCertFile(#".\Secure\Certificate\" + CertName + ".crt"); and the cert.import, and neither works. On both, I get an issue saying "The server mode SSL must use a certificate with the associated private key". And the key is there! My directory:
Secure/
Certificate/
ZeusHTTP.crt
ZeusHTTP.csr
ZeusHTTP.key
Plugins/
...
The certs are created with OpenSSL.
A simple read of the docs tells us that you should be using a pkcs7 file that usually has file suffix p7b. You'll need to either convert your OpenSSL cert to this format, or find a utility that can generate one from scratch.
The server mode SSL must use a certificate with the associated private key". And the key is there...
As other have stated, they must be in the same file. Here are the steps to do it.
First
Copy ZeusHTTP.crt to ZeusHTTP-chain.crt:
cp ZeusHTTP.crt ZeusHTTP-chain.crt
Second
Open ZeusHTTP-chain.crt and ensure it has all the intermediates certificates required to validate the server certificate. So you will have 2 or more certificates:
-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----
Add certificates as required. For example, if you got a free Startcom certificate, then you need to add the sub.class1.server.ca.pem intermediate from StartSSL's Index of Certs.
Sending all certificates is required to solve the "which directory" problem in PKI. Its a well known problem in PKI, and essentially it means a client does not know where to go to fetch missing intermediate certificates.
Third
Perform the following to generate a PKCS 12 file:
openssl pkcs12 -export -in ZeusHTTP-chain.crt -inkey ZeusHTTP.key -out ZeusHTTP.p12
Fourth
Finally, install the certificate on IIS as a test.
For your code, I believe you need to load it into a Certificate2 and not a Certificate.
Also see How to read a .p12 file in my web service on Stack Overflow and how to create x509 certificate and use it in sslstream on MSDN.
Related
I'm starting some C++ programming to read certificates with libcrypto (OpenSSL) and I'm curious about the format of a certificate ("crt" or "cert") file.
In the file, when I look at it with a text editor, there are multiple certificate sections like so:
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXX
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
YYYYYYYYYYYY
-----END CERTIFICATE-----
When I look at this certificate in Windows (simply by double clicking the ".crt" file, it shows only a single entry in the certificate path. Is there some defined order to what these certificate sections are?
And on a side note, when I use C# to read the certificate like such:
X509Certificate2 cert = new X509Certificate2(#"E:\somePath\device.crt");
var bytes = cert.GetRawCertData();
string temp = Convert.ToBase64String(bytes);
The variable temp only show contains the data from the first begin/end section in the file. That is, temp contains "XXXXXXXXXXXX"
Also the certificate is a client certificate.
So I'm curious: What are the two "certificates" in the one file?
Thanks!
In normal cases, a .crt file contains just one certificate. However, in some contexts, some applications may allow that a file contains multiple certificates.
For example, some applications may expect that a file contains all or some certificates of a certificate chain. However, in typical cases, such file has .p12 (PKCS#12) or .pfx as its extension.
The extension .crt indicates that the content of the file is a certificate, but the extension does not tell anything about the file format. The file format may be PEM (Privacy-Enhanced Mail) (RFC 7468), DER (Distinguished Encoding Rules) (X.690) or something else. If the file's content is text data and contains -----BEGIN ?????----, the file format is PEM. On the other hand, if the file contains binary data, it is highly likely that the file format is DER.
Diagrams below from "Illustrated X.509 Certificate" illustrate relationship among ASN.1 (X.680), DER (X.690), BASE64 (RFC 4648) and PEM (RFC 7468).
I guess that the .crt file at your hand represents the entire or a part of a certificate chain.
I just got my hands on Cryptography the first time. I have a few questions, espacially about sharing a public Key between two programs:
I have two different applications.
One is coded in C++ and running on a Linux Ubuntu Server. The other one is coded in C# and running on my local Windwos 7 Home-PC.
The two applications connect over TCP and I want to create a secure connection between them. I decided to use the RSA-Algorithm.
I created a Key-Pair on the Serverside and hard-coded them into the C++ application. The Public-Key of the server is also hardcoded into the C# application. Now, when the C# Application (Client) connects to the C++ application (Server), it should generate a personal Key-Pair and send the Public-Key to the server. From here on both sides can encrypt their data and send it to each other.
My problem is that I can't bring the Public-Keys to the "same layout". On the serverside I have to use the OpenSSL-Library since C++ does not come with a inbuilt RSA-Library. So the Key-Pair looks like this (example):
$ openssl genrsa -out private_key.pem 2048
$ openssl rsa -pubout -in private_key.pem -out public_key.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA0DTV2eG8BrhPVWgrqR1PhI5BwLCsuAiBCCDmSShaOsh1uKFW
j7lgBGWyGT77X55DAgXwvjNg+odDfili71poeH/f5/1kCTTC6FFoV6inY0nAcOZ3
...
...
...
...
mxTUFS1Q+vPsmoPCN+C5bP+zv415usUg1Mx8sSly5IS0IQzp2kR8EekhqKLQb06p
2qZfVCuGEXzT+NoT10SOGtZ2+izb+EZM/yRkJFUQS2YwpwPmcZGbAUg=
-----END RSA PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0DTV2eG8BrhPVWgrqR1P
...
...
...
eH/f5/1kCTTC6FFoV6inY0nAcOZ3Ang1/fywxz5GVm430GuAqloZqNo/iwMZtHcU
aQIDAQAB
-----END PUBLIC KEY-----
And when I create a Key-Pair in C#, it is in XML-Format:
<RSAKeyValue>
<Modulus>w0tU2IBTdZkLB3G9sze92KR67hM3qdbnYCujrp/GflJ/EMgP1dQxTuHOueq+3DzZnUZDVtYic2QDAdJDVDqRiIFbff7+l5IE24kcgIJSN6vJdnSVAVbSzfyZkftsd4faYx055ZYSH3N4Ev52QepgXVKz7G3S+n2xslzFs09SDOVKiUvmXQEG4CsRef4uB1Kk2ElrZBBpuU3G/V4gNpGkQ/TuPbizQL/Oao3HNhxnCsqxzOOCmNoPSiCesWSWpoPTJrBm2jfX5nDJi+l5u3dYrRLpT8h844Y2yplCeDe4M3/maee3d+0+7Ul7m7H73o9nI+cBLWPOy6IYxPMl/kaJxw==</Modulus>
<Exponent>AQAB</Exponent>
<P>4NcTOPdRa05QZy7wKRO6wIYA+tKlc4KkrAMy//xkupYyuTpnt8Zt0B0nsltaOenpJSGMOJOb1VfCH+2R6ol8xNr3yyzz2izHGzNdQAk7V2ant3TIjdUiHS9h8ftTjiANPFO1XZlUyeXQiqe3Qzrjubv8J51Nmk7TssH2fheqrAE=</P>
<Q>3lwFj3P8NLJVWRBEpPDJdjRRF4Qz7SNxthRdtvoifUtcMXw3UDnzsEDZ7A736vUUaaZArjAzO+x3arDaAJfQQk354ushwWw6MGoM0CudfCeUrxy9hi5afnxueWFbhJ+/k9nwPxn9EBBrqfYhNZbGW9vz6ZfHLUX95a5M2+9+1cc=</Q>
<DP>vC0FV44WRJrczB8KvTZX/L2qoEIgWxaiP5zF2F0i6M7AUSpCmBqo2Z8tFCdE0meky4DSXJ+dsuaqABLTJto+5HrnHNLYnGcRlQBeMTQIyFOQVwiUubABxy9a6C2Sdsb4jN76UgX8YqXG7eUEim4FHfPpTDZpNpZ2s4uGg23HWAE=</DP>
<DQ>eER/gWqzc/Es9oI1Dp1p6fQ8FCMeTtoH6/qyAYDjXK+BCwbriAoAQ0mgVOx3rW6nfsk8XLqXS4cHw/4pu35hVyuDx/dzh4G5K2yAx6t/f6KM6fX6kHPL4HP+8Mn2zRH2dcrABfFRjfnDseb9aVXGrfKWx7afNV6RCESxL5gnGws=</DQ>
<InverseQ>wlndxTYxYmAo0+BcyJjVri6Iui/l5p+AGUi6xglmI8HHE3itgyCjfyfsKmsphH88uYYu/qdA80PTIKLdxo7HbUhOiT7f2vtBsCFzo7oB9kTDWrJ70xsQss4jkJGY8rJj4K7Dqwqa6s78ih1heeQhCJuevg8xiEUoqHOx5FtlQ4w=</InverseQ>
<D>NlIczn+bN0mTdMWhY1ks2Daf7tqvj/EzuF9LDwZoGrjtmQhcxzhXYr6SVspBvla6nPFvR5cWTAxUfcwzaBlGY7a/cSNdQ2GdMkdIA0K8hbmltuokjBPPXPZW7PEHMZQ7HXiCoyaD8fWXP4lB8YG0viCD5U6C8aPGqnr9jquQgf9EwXxEZvdktOWLO5PJvd4XaQRk47UcNBkjWnwxO1vq28/OSWTNaoEQqpLNwimHEFHl3MN2IuME1zV4MvKyGsKsKO9EytLk/RD28UDFZGlxU6uNAEjOjQp++CgbFRCEHNOCas5kTa1/fuxVg8RdnFeowAq2otWwhwGlwGiJjjmoAQ==</D>
</RSAKeyValue>
Finally, my questions:
Is "----- BEGIN RSA PRIVATE KEY -----" etc. actually a part of the Key? I'm pretty sure it's not, but I'm better making sure. The confusing thing is that when I leave this text in the key and encrypt/decrypt on the C++ application, it works (with OpenSSL lib).
How can I bring the keys to the same structure so I can send them from one application to another and parse them correctly?
Thank you very much for your help!
Summary: how can I generate key.pem file used for packaging google extension using c#?
As far as I know the pem file used in Google extension generated by using below code
openssl pkcs8 -topk8 -nocrypt -out key.pem
and it's pkcs8 key , I tried to use bouncycastle to generate it from RSA XML file like discriped in this post , but the final generated .pem file dose not accepted by google chrome, it's structure is correct but length of the file is almost half of the one generated by chrome browser in the packaging proccess.
the final key required by google chrome is something like below
-----BEGIN PRIVATE KEY-----
MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC0Bo/mh3bSiOiP
CUxtpa0c8IhDNJqaRDNWaKiqothEjgI7D/IU/uHacPotyedjzLFNr0cnhgguO4dQ
dNaSN+tAlgBqcexBbAl31+BEghNy+1PB189VNVSf8G+qOfF0SIKuBbb/+Q4TrvOD
XPrzulQpLcHMqRGqRE4PkT6574pKyiQGJvjeLBLEQtiobKkzoG3HOFkl9RsKae1f
Tuf8f25aVhKjoUyWp1mOfhHwdfT+76rmrz7F9X1s6M7pxigIfCiYPXHrWh02GTbj
EVLKTpVBg31JmrKErNJsv/j5P3wuSI12TCW4u1RXfahBHhi263oGCQ/2JO/Fm4+v
5wtX20x5AgMBAAECggEBAJjceZPlsp9SYSYTXzI7W6MXGpz2LdCP2IemlpFNdRXA
/2PnRkdNpbk19TisGC5FwMeV7XVB+fBH274Vd5zwnnFY7UF1OobSlbeNNoD1ck5P
2e7esM5JWnH0VtzUFpIGf/AEKj9v2uQbyenhKbWKoavVjpmZdcZ9+Up+qiR3oZWe
YiScMlYm5KL+pTD1IMZQ46DoxU17VhOVxbZoZOf+a5iAPtskjJyz12EOVldHASGz
VZkM54C+BrCTdJjOB5C7cth94D7J7nhgovBP0jz6A7WZtDpgBB6j1lFBwKSWw0U4
0LGZb/Mlb29txAoeR1YSHCe6RKuyyY3oas6fJ1kdRgECgYEA12r1nkK8fjNybMbp
No+TsWD9YDTLZrndHBMIR+GtUKWCXTpw7EwT0BCU4ATm6TiTje0ZI9kZW1tnbB4W
iCIyU8o/OeIBBbqKMLtk2iN82KFrNbIbA4IER0J441evYZTnh9NbkJks8iyATPdC
hypRiOi1V4n9CFDguGHj+IsKpLUCgYEA1fC65ASTYGhQ5iQ56G48iKV5XIBldKad
MFcaxzAA/Hp6GMywHqEiYvk/WmCakDmIK1g7Rf7LURvWTYp1nytRBzTRDvrf4ESU
WF4z5Mr6EcnqKEpqDO/tDCwUp+4BReXMrf99KXRAWYig9zjq8garYEmIznoIc02i
4Q/X1uu1RzUCgYEAxzQFxj/4hsuUeLrIVsgWz+Tc6eZoYapmqdt/wNkUqIslLoko
e5suhy2OPkrKLck/yfMDWH8eT7kKvpRkSac12v4f0asJPv7tY3snHAHNJZa/yXvW
Nzw4MJ1rpPAlIpvML3JoLiM3yQsV6haM0ulzVKO9biIQd2wzIs6DPgd15DECgYEA
lQ2vaAW4GEcVdgJvRfznt9xx/XyHMwqSIYfOZFCRn1ZFktmpKu3g40v8U59SkIFE
2c4THeUzCkN2v3dkE40+WuL1dJZdPAcLw7V+Oj0glRw0Q/X0hSbz5LMhgQ5VXLmK
LP//183it351h0jkh9MVu3QAGLr1AEBq5pr/KgH2vrECgYEAr6y3cCo/gdUi6v3Y
39B6LTcmqeKZbpqh3LzBl+I6Ke9t/TOqCZhwtuolMDkFLhZ9woGDeB1VBfV7yUW4
xyF3rE6uMSEZyD5ivku7VC2Gsz/2XuRGl8iToGXgGxzzg6HMQr6Hw36+0VFzzxSo
xn9/6PuHd1bNooOv1S3s0WVkTJw=
-----END PRIVATE KEY-----
I'm using the SSLStream example from msdn here. The client code "seems" to work fine, as I can connect to google and it at least gets past authentication, but the server doesn't.
From the comments from the msdn page, I used the procedure on this page to generate my own private key, but it just doesn't work. I get an exception of System.NotSupportedException: The server mode SSL must use a certificate with the associated private key. So I'm pretty sure whatever I'm doing is wrong.
So my question is simple: how do I get/generate keys that will work for my own little example program from msdn? It can be self-signed, whatever, but I'm too new to SSL to even know what exactly I need. All I want to do is to run the example as-given, except for specifying my own certificates for my local server. And it'd be great to know what I'd have to install on my 2nd machine if I just want to communicate between the two of them too (so it's not a 100% localhost example).
Personally I see this as a flaw in the example document. It should say "to run this, you need to do A, B, C, etc," but it doesn't.
You can get the example to work even with self-signed certificates. I've extracted the commands from the makecert tutorial that you're using with minor modifications:
makecert -sv RootCATest.pvk -r -n "CN=FakeServerName" RootCATest.cer
makecert -ic RootCATest.cer -iv RootCATest.pvk -n "CN=FakeServerName" -sv TempCert.pvk -pe -sky exchange TempCert.cer
cert2spc TempCert.cer TempCert.spc
pvkimprt -pfx TempCert.spc TempCert.pvk
makecert and cert2psc can be found in your Microsoft SDKs\Window\v7.0A\Bin folder.
The pvkImport.exe installer can be downloaded here (Provided by #Jospeph and VirusTotal verified). This used to be downloadable from the Microsoft Site, but they have since taken it down. Alternatively, #Dweeberly pointed us to a new Microsoft-provided replacement, pvk2pfx.
For this next step make sure that you select to EXPORT the private key when the dialog from pvkimprt comes up:
pvkimprt -pfx TempCert.spc TempCert.pvk
pvkimprt will prompt you for a password when you elect to include the private key. You will need to provide this password later when you import the generated .pfx file into the personal store of your server machine
Next, import RootCATest.cer into your Computer store's Trusted Root Certification Authorities (on both the server and client). Notice that the certificate is issued to FakeServerName. This must match the server name that the SslTcpClient expects: sslStream.AuthenticateAsClient(serverName), where serverName is the value of the second argument passed to SslTcpClient.exe.
When your client connects, the server presents a certificate that tells the client "I'm FakeServerName". The client will accept this claim if the client machine trusts the CA that issued the certificate, which is achieved by importing RootCATest.cer into the client's Trusted Root Certification Authorities.
Finally, you need to import the private key that the server is going to use into the server machine's Personal store. This step is important because it addresses The server mode SSL must use a certificate with the associated private key.. This is achieved by importing the .pfx file that you generated earlier. Make sure that you change the file type filter to "all files" so that you can see the .pfx file that you generated:
The sample code provided by MSDN uses port 443 (which is the standard ssl port). Since I created console applications, I changed the port used by the sample classes to 8080:
SslTcpServer:
TcpListener listener = new TcpListener(IPAddress.Any, 8080);
SslTcpClient:
TcpClient client = new TcpClient(machineName, 8080);
Here's the output:
you would launch your server like this:
SslTcpServer.exe TempCert.cer
from the client, you would connect like this:
SslTcpClient.exe <ip to your server> FakeServerName
generate your certificate using this command:
makecert -r -pe -n "CN=localhost" -m 12 -sky CertSubject -ss my serverCert.cer
and then from client connect to the server like this (assuming we are using MSDN example you mentioned):
SslTcpClient.RunClient ("localhost", "CertSubject");
you will get validation errors in ValidateServerCertificate() call - but that's expected - you are using self-signed certificate. Just return true there.
UPDATE:
I disagree with Tung's suggestion of adding self-signed certificate into the client's Trusted Root Certification Authorities. I think it can cause issues later on if you plan to distribute/support your software. For example, client might reinstall windows, or move his profile to another PC, or whatever - and understanding WHY your software suddenly stopped working will be a pain (again, i'm talking long-term - a year or two from now, when you completely forget this little "trick").
Instead i would rather suggest to "hardcode" your certificate (by comparing subject and thumbprint) into client's logic, something like this:
X509Certificate2 certificate = (X509Certificate2)cert;
if (certificate.Subject.StartsWith("CN=FAKE_SERVER_WHATEVER") &&
!string.IsNullOrEmpty(certificate.Thumbprint) &&
certificate.Thumbprint.ToLower() == "11c4446c572a9918ced3618728b91b3a07982787")
{
return true;
}
return false;
As the Microsoft link to download pvkimprt is broken and I am a fan of OpenSSL here I leave two solutions with OpenSSL.
VARIANT #1 - Self Signed Certificate
First you will need download OpenSSL and this configuration file. #Tung has said you can use perfectly self-signed certificate. Copy the downloaded configuration file in the same folder where you will run OpenSSL commands.
Lets generate the private key and certificate of Certification Authority:
openssl req -x509 -config openssl.cnf -newkey rsa:4096 -sha256 -out ssl-cacert.pem -keyout ssl-cakey.pem -outform PEM
*Use -nodes parameter to omit the passphrase, but for safety reasons personally I do not recommend it.
If you desire inspect the information of CA certificate, execute the follow command:
openssl x509 -purpose -in ssl-cacert.pem -inform PEM
Lets create the certificate request, Common Name must be set with the machine name:
openssl req -config openssl.cnf -newkey rsa:2048 -keyout ssl-serverkey.pem -sha256 -out ssl-server.csr -outform PEM
*Same note for -nodes parameter.
If you want inspect the certificate request information execute the command:
openssl req -text -noout -verify -in ssl-server.csr
Sign the certificate request with the generated CA certificate:
openssl x509 -req -days 365 -CA ssl-cacert.pem -CAkey ssl-cakey.pem -CAcreateserial -in ssl-server.csr -out ssl-server-certificate.pem
Lets make the self-signed certificate with PFX format:
openssl pkcs12 -export -out ssl-certificate.pfx -inkey ssl-serverkey.pem -in ssl-server-certificate.pem -certfile ssl-cacert.pem -name "SSL Self Signed Certificate"
Now you should import the .pfx certificate.
Double click on ssl-certificate.pfx file.
Select "Local Machine" option and Next.
Type the password and select the checkbox "Mark this key as exportable."
Select the radio button "Place all certificates in the following store".
Select Personal store and click in Next.
With this steps must work.
VARIANT #2 - Generate CA Certificate and Server Certificate
Personally I prefer this solution over the first because only I have to distribute the Root CA certificate to the clients.
First download this configuration file.
We will generate the Root CA certificate with the corresponding private key:
openssl req -x509 -config openssl.cnf -newkey rsa:4096 -sha256 -keyout ssl-cakey.pem -out ssl-cacert.pem -outform PEM
Lets check certificate properties:
openssl x509 -purpose -in ssl-cacert.pem -inform PEM
The information must show should look like this:
Certificate purposes:
SSL client : No
SSL client CA : Yes
SSL server : No
SSL server CA : Yes
Netscape SSL server : No
Netscape SSL server CA : Yes
S/MIME signing : No
S/MIME signing CA : Yes
S/MIME encryption : No
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
Time Stamp signing : No
Time Stamp signing CA : Yes
-----BEGIN CERTIFICATE-----
MIIGLjCCBBagAwIBAgIJANCzs7UBFJMpMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV
...
im1yDnB5nPwkPwZ9eRmlzIc6OaLZcfbFfSeSw8/ipKZcEJ1u+EFrB0JhuSbeLXtQ
N/8=
-----END CERTIFICATE-----
Create the certificate request with the following command:
openssl req -config openssl.cnf -newkey rsa:2048 -sha256 -keyout ssl-serverkey.pem -out ssl-servercert.csr -outform PEM
It's very important set the Common Name with the machine name of server.
Verify the information of this certificate request:
openssl req -text -noout -verify -in ssl-servercert.csr
The information shows must have the following format, check that the CN field in the section Subject is the name of server machine.
verify OK
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=..., L=..., O=..., OU=..., CN=SERVERNAME
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:aa:92:bd:87:75:18:6c:c0:23:3f:0b:5a:46:1a:
...
fe:13
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Key Identifier:
7E:7D:79:F4:CD:71:0E:90:3A:9A:F8:3F:83:7D:89:90:4D:D4:F0:12
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment
Signature Algorithm: sha256WithRSAEncryption
34:e1:b4:db:b2:87:cc:11:3e:85:3c:ed:ac:8d:d9:43:ae:b0:
...
56:84:29:f9
Create the certificates folder:
mkdir certificates
Create the database index file:
Windows: type NUL > index.txt
Unix: touch index.txt
Create the serial.txt file where is stored the current serial number:
echo '01' > serial.txt
Create the server certificate signing the certificate request for 2 years with the command. You will be prompted the pass phrase of CA certificate depending if you used -nodes parameter:
openssl ca -config openssl.cnf -days 730 -policy signing_policy -extensions v3_req -out ssl-servercert.pem -infiles ssl-servercert.csr
Then is displayed a text with the format:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :ASN.1 12:'...'
localityName :ASN.1 12:'...'
organizationName :ASN.1 12:'...'
organizationalUnitName:ASN.1 12:'...'
commonName :ASN.1 12:'SERVERNAME'
Certificate is to be certified until Jul 4 23:26:59 2018 GMT (730 days)
Sign the certificate? [y/n]:
Select y and will prompted the follow text, select y one more time:
1 out of 1 certificate requests certified, commit? [y/n]
Export the generated certificate to PFX format:
openssl pkcs12 -export -out ssl-certificate.pfx -inkey ssl-serverkey.pem -in ssl-servercert.pem -name "SSL Signed Certificate"
You will need do the follow steps to enable SSL without problem:
On Server Machine:
Import the Root CA certificate (ssl-cacert.pem file) on Trusted Root Certification Authorities store selecting Computer account.
Import Server Certificate for SSL (ssl-certificate.pfx file) on Personal store selecting Computer account.
On Client Machines:
In each client machine you will need import the Root CA certificate (ssl-cacert.pem file) on Trusted Root Certification Authorities store selecting Computer account.
Feel free to make any changes or suggestions.
I would like to know if x509 certificate's password allows multi-passwords per certificate - or just one?
And if it is possible, what scenario would it be applied?
Thanks for your time.
Because GnuPG is easily available to me, it'd be my tool of choice; each admin would create a public/private key pair and export the public portion:
gpg --gen-key
gpg --export --armor [keyid] > key_file_[admin_name]
Import all the public keys into the keyring of whoever 'owns' the unencrypted x509 cert:
cat key_file_* | gpg --import
Then encrypt the cert with all the keys:
gpg -r keyid1 -r keyid2 -r keyid3 ... -o encrypted_cert -e plaintext_cert
Now encrypted_cert can be decrypted by whoever has one of the private keys and that private key's passphrase:
gpg encrypted_cert
PGP could also do the job, and probably with only slight modifications to the commands here.
Because all this is doing is encrypting a single symmetric key multiple times, once to each public key (and storing the results in a file format prepared to handle multiple copies of the encrypted symmetric key), it would be easy enough to re-implement in whatever language you'd like, if your trial wrappers work well enough.
It allows just one password and it is used to secure private key in the certificate. If you want to access private key you must provide a password.