I'm currently trying to create a chat based on the SslStream class.
I was going through that msdn link: click here
I realized that I need to get an X509Certificate to establish that task. But I really don't know how can I get one? I know that there are ones who cost money, but there aren't free ones available?
P.S: I'm coming here after doing some search in google about that subject but haven't found any helpfull infomation.
So my question is: Where can I get an x509 certificate?
Thank you.
You can create certificates with the makecert tool.
Or, if your're only interested in encrypting the traffic, without signing it, and you control the client and the server, just use a CryptoStream.
You can generate your own, and sign it yourself, using openssl, though keep in mind if the client tries to verify it, and by client I usually mean the browser, since this is their most common use, though not the only one, they won't be able to.
I know that there are ones who cost money, but there aren't free ones available?
Basically what you are paying for is for a CA, certificate authority to sign it, as such when clients go and verify who you are with with CA it'll pass.
openssl: http://www.openssl.org/
This is the command I ussually use openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.pem
server.pem is your certificate and server.key is your private key.
Giving that you probably already have .NET SDK installed maybe makecert is a better/eassier approach since you would need to build openssl.
Stil I went to their docs and I couldn't find how to set the key size, though apparently the default is 1028 and I think using RSA , but I did find this:
makecert -pe -ss MY -$ individual -n "CN=your name here" -len 2048 -r
from MakeCert - Is it possible to change the key size? to http://www.mazecomputer.com/sxs/help/shared.htm
openssl supports many types not just RSA but maybe you don't need them.
These guys http://www.cacert.org/ have been giving away free certificates for years.
Read through this for clarity. You can sign your public key using Symantec's Verisign service. It is definitely not cheap. For testing, you can make your own certificate using a dummy CA.
Related
I have a linux command and I'm trying to figure out how to mimic it in C# to get what is expected but can't seem to get it. It has to do with hashing a url with a secret key. The linux command is (fake site and numbers just for example):
echo -n "http://example.com/deliver?id=8247653546577888776655553d323453-3h78-7y42-b3d7-8u4q111y5hr6×tamp=1556034591" | openssl dgst -sha1 -hmac "567gy324-6666-4444-fr46-2h7arwdh5555"
I don't really know what the commands mean so not sure where to even start with how to try and get this kind of call in C#.
This OpenSSL command is calculating an HMAC of the data passed to it on stdin (i.e. the output from the echo command). HMAC is a type of Message Authentication Code (MAC) and is used to verify the integrity of the message, i.e. if an attacker were to modify the message in any way then the MAC code would no longer match (it would fail to verify). HMAC combines a key with an underlying hash algorithm (SHA1 in this case) to generate the output MAC value.
The Microsoft docs provide a full example of how to perform an HMAC with SHA1 operation here:
https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.hmacsha1?view=netframework-4.8
I can send notifications to my iPhone device succeffully using Push Sharp via sandbox APNS server but I am having a problem.
I have generated .cer and .p12 files and then installed them on my windows 8 development machine successfully.
I used this tutorial to install the certificates on my windows 8 machine.
Yesterday things were working fine and I was sending the notification successfully. I shutdown my system and then next day when I try to run the code I was getting following exception:
the message was unexpected or badly formatted pushsharp
I tried different solution available on Google but nothing helped. Then I delete the certificates from my machine and then re-install them and things started to work again.
In order to make the service fool proof I shutdown the system to check if notification sending fails or not, and yes it fail again with the same exception.
I again deleted the certificates and re-install them to correct the issue. I do not know whats the actuall problem? what makes PUSHSharp to stop sending notification after shutdown.
Note: Windows firwall is disabled.
Any idea?
I have been working with PushSharp for the past few weeks and have not had this problem. My environment is Windows 7 however. After you've created the appropriate Push Notification Certificate in iPhone Developer Program Portal you should have downloaded a file named something like apn_developer_identity.cer. If you have not done so already, you should open/import this file into Keychain, into your login section.
Finally, if you filter Keychain to show your login container's Certificates, you should see your Certificate listed. Expand the certificate, and there should be a Key underneath/attached to it.
Right Click or Ctrl+Click on the appropriate Certificate and choose Export. Keychain will ask you to choose a password to export to. Pick one and remember it. You should end up with a .p12 file. You will need this file and the password you picked to use the Notification and Feedback Libraries here.
OpenSSL
Here is how to create a PKCS12 format file using open ssl, you will need your developer private key (which can be exported from the keychain) and the CertificateSigningRequest??.certSigningRequest
Convert apn_developer_identity.cer (der format) to pem:
openssl x509 -in apn_developer_identity.cer -inform DER -out apn_developer_identity.pem -outform PEM}
Next, Convert p12 private key to pem (requires the input of a minimum 4 char password):
openssl pkcs12 -nocerts -out private_dev_key.pem -in private_dev_key.p12
(Optional): If you want to remove password from the private key:
openssl rsa -out private_key_noenc.pem -in private_key.pem
Take the certificate and the key (with or without password) and create a PKCS#12 format file:
openssl pkcs12 -export -in apn_developer_identity.pem -inkey private_key_noenc.pem -certfile CertificateSigningRequest??.certSigningRequest -name "apn_developer_identity" -out apn_developer_identity.p12
Once you generate the p12 file using these steps you will not really need to snap it to your console. You will just need to make changes in your code as follows:
var appleCert = File.ReadAllBytes("C:/Certificate/aps_dev_identity.p12");
Hope this helps.
I have been working on MOON APNS since 2012 and it's working fine but from last few days i am getting below error message
Error Message : System.Security.Authentication.AuthenticationException: A Call to SSPI failed, see inner exception.
System.ComponentModel.Win32Exception: The message received was
unexpected or badly formatted
Solution : in PushNotification.cs file replace
_apnsStream.AuthenticateAsClient(host, certificates, System.Security.Authentication.SslProtocols.Ssl3, false);
with
_apnsStream.AuthenticateAsClient(host, certificates, System.Security.Authentication.SslProtocols.Tls, false);
As, I didn't find any confirmation from apple side but from github.com I found solution for this and it's work for us.
It's seems that apple depricate "unsafer" protocol SSL.
Check first if you can do the notifications with C# code like this one first, then worry about the installation. I had the same message when I was trying to execute the code, I didn't care about installation, and solved it by making sure that I use a certificate of type .p12 and not .pem and to make sure that the .p12 had a password. I can now send notifications to my iPhone from a console C# app in my pc.
I'm using the SSLStream example from msdn here. The client code "seems" to work fine, as I can connect to google and it at least gets past authentication, but the server doesn't.
From the comments from the msdn page, I used the procedure on this page to generate my own private key, but it just doesn't work. I get an exception of System.NotSupportedException: The server mode SSL must use a certificate with the associated private key. So I'm pretty sure whatever I'm doing is wrong.
So my question is simple: how do I get/generate keys that will work for my own little example program from msdn? It can be self-signed, whatever, but I'm too new to SSL to even know what exactly I need. All I want to do is to run the example as-given, except for specifying my own certificates for my local server. And it'd be great to know what I'd have to install on my 2nd machine if I just want to communicate between the two of them too (so it's not a 100% localhost example).
Personally I see this as a flaw in the example document. It should say "to run this, you need to do A, B, C, etc," but it doesn't.
You can get the example to work even with self-signed certificates. I've extracted the commands from the makecert tutorial that you're using with minor modifications:
makecert -sv RootCATest.pvk -r -n "CN=FakeServerName" RootCATest.cer
makecert -ic RootCATest.cer -iv RootCATest.pvk -n "CN=FakeServerName" -sv TempCert.pvk -pe -sky exchange TempCert.cer
cert2spc TempCert.cer TempCert.spc
pvkimprt -pfx TempCert.spc TempCert.pvk
makecert and cert2psc can be found in your Microsoft SDKs\Window\v7.0A\Bin folder.
The pvkImport.exe installer can be downloaded here (Provided by #Jospeph and VirusTotal verified). This used to be downloadable from the Microsoft Site, but they have since taken it down. Alternatively, #Dweeberly pointed us to a new Microsoft-provided replacement, pvk2pfx.
For this next step make sure that you select to EXPORT the private key when the dialog from pvkimprt comes up:
pvkimprt -pfx TempCert.spc TempCert.pvk
pvkimprt will prompt you for a password when you elect to include the private key. You will need to provide this password later when you import the generated .pfx file into the personal store of your server machine
Next, import RootCATest.cer into your Computer store's Trusted Root Certification Authorities (on both the server and client). Notice that the certificate is issued to FakeServerName. This must match the server name that the SslTcpClient expects: sslStream.AuthenticateAsClient(serverName), where serverName is the value of the second argument passed to SslTcpClient.exe.
When your client connects, the server presents a certificate that tells the client "I'm FakeServerName". The client will accept this claim if the client machine trusts the CA that issued the certificate, which is achieved by importing RootCATest.cer into the client's Trusted Root Certification Authorities.
Finally, you need to import the private key that the server is going to use into the server machine's Personal store. This step is important because it addresses The server mode SSL must use a certificate with the associated private key.. This is achieved by importing the .pfx file that you generated earlier. Make sure that you change the file type filter to "all files" so that you can see the .pfx file that you generated:
The sample code provided by MSDN uses port 443 (which is the standard ssl port). Since I created console applications, I changed the port used by the sample classes to 8080:
SslTcpServer:
TcpListener listener = new TcpListener(IPAddress.Any, 8080);
SslTcpClient:
TcpClient client = new TcpClient(machineName, 8080);
Here's the output:
you would launch your server like this:
SslTcpServer.exe TempCert.cer
from the client, you would connect like this:
SslTcpClient.exe <ip to your server> FakeServerName
generate your certificate using this command:
makecert -r -pe -n "CN=localhost" -m 12 -sky CertSubject -ss my serverCert.cer
and then from client connect to the server like this (assuming we are using MSDN example you mentioned):
SslTcpClient.RunClient ("localhost", "CertSubject");
you will get validation errors in ValidateServerCertificate() call - but that's expected - you are using self-signed certificate. Just return true there.
UPDATE:
I disagree with Tung's suggestion of adding self-signed certificate into the client's Trusted Root Certification Authorities. I think it can cause issues later on if you plan to distribute/support your software. For example, client might reinstall windows, or move his profile to another PC, or whatever - and understanding WHY your software suddenly stopped working will be a pain (again, i'm talking long-term - a year or two from now, when you completely forget this little "trick").
Instead i would rather suggest to "hardcode" your certificate (by comparing subject and thumbprint) into client's logic, something like this:
X509Certificate2 certificate = (X509Certificate2)cert;
if (certificate.Subject.StartsWith("CN=FAKE_SERVER_WHATEVER") &&
!string.IsNullOrEmpty(certificate.Thumbprint) &&
certificate.Thumbprint.ToLower() == "11c4446c572a9918ced3618728b91b3a07982787")
{
return true;
}
return false;
As the Microsoft link to download pvkimprt is broken and I am a fan of OpenSSL here I leave two solutions with OpenSSL.
VARIANT #1 - Self Signed Certificate
First you will need download OpenSSL and this configuration file. #Tung has said you can use perfectly self-signed certificate. Copy the downloaded configuration file in the same folder where you will run OpenSSL commands.
Lets generate the private key and certificate of Certification Authority:
openssl req -x509 -config openssl.cnf -newkey rsa:4096 -sha256 -out ssl-cacert.pem -keyout ssl-cakey.pem -outform PEM
*Use -nodes parameter to omit the passphrase, but for safety reasons personally I do not recommend it.
If you desire inspect the information of CA certificate, execute the follow command:
openssl x509 -purpose -in ssl-cacert.pem -inform PEM
Lets create the certificate request, Common Name must be set with the machine name:
openssl req -config openssl.cnf -newkey rsa:2048 -keyout ssl-serverkey.pem -sha256 -out ssl-server.csr -outform PEM
*Same note for -nodes parameter.
If you want inspect the certificate request information execute the command:
openssl req -text -noout -verify -in ssl-server.csr
Sign the certificate request with the generated CA certificate:
openssl x509 -req -days 365 -CA ssl-cacert.pem -CAkey ssl-cakey.pem -CAcreateserial -in ssl-server.csr -out ssl-server-certificate.pem
Lets make the self-signed certificate with PFX format:
openssl pkcs12 -export -out ssl-certificate.pfx -inkey ssl-serverkey.pem -in ssl-server-certificate.pem -certfile ssl-cacert.pem -name "SSL Self Signed Certificate"
Now you should import the .pfx certificate.
Double click on ssl-certificate.pfx file.
Select "Local Machine" option and Next.
Type the password and select the checkbox "Mark this key as exportable."
Select the radio button "Place all certificates in the following store".
Select Personal store and click in Next.
With this steps must work.
VARIANT #2 - Generate CA Certificate and Server Certificate
Personally I prefer this solution over the first because only I have to distribute the Root CA certificate to the clients.
First download this configuration file.
We will generate the Root CA certificate with the corresponding private key:
openssl req -x509 -config openssl.cnf -newkey rsa:4096 -sha256 -keyout ssl-cakey.pem -out ssl-cacert.pem -outform PEM
Lets check certificate properties:
openssl x509 -purpose -in ssl-cacert.pem -inform PEM
The information must show should look like this:
Certificate purposes:
SSL client : No
SSL client CA : Yes
SSL server : No
SSL server CA : Yes
Netscape SSL server : No
Netscape SSL server CA : Yes
S/MIME signing : No
S/MIME signing CA : Yes
S/MIME encryption : No
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
Time Stamp signing : No
Time Stamp signing CA : Yes
-----BEGIN CERTIFICATE-----
MIIGLjCCBBagAwIBAgIJANCzs7UBFJMpMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV
...
im1yDnB5nPwkPwZ9eRmlzIc6OaLZcfbFfSeSw8/ipKZcEJ1u+EFrB0JhuSbeLXtQ
N/8=
-----END CERTIFICATE-----
Create the certificate request with the following command:
openssl req -config openssl.cnf -newkey rsa:2048 -sha256 -keyout ssl-serverkey.pem -out ssl-servercert.csr -outform PEM
It's very important set the Common Name with the machine name of server.
Verify the information of this certificate request:
openssl req -text -noout -verify -in ssl-servercert.csr
The information shows must have the following format, check that the CN field in the section Subject is the name of server machine.
verify OK
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=..., L=..., O=..., OU=..., CN=SERVERNAME
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:aa:92:bd:87:75:18:6c:c0:23:3f:0b:5a:46:1a:
...
fe:13
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Key Identifier:
7E:7D:79:F4:CD:71:0E:90:3A:9A:F8:3F:83:7D:89:90:4D:D4:F0:12
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment
Signature Algorithm: sha256WithRSAEncryption
34:e1:b4:db:b2:87:cc:11:3e:85:3c:ed:ac:8d:d9:43:ae:b0:
...
56:84:29:f9
Create the certificates folder:
mkdir certificates
Create the database index file:
Windows: type NUL > index.txt
Unix: touch index.txt
Create the serial.txt file where is stored the current serial number:
echo '01' > serial.txt
Create the server certificate signing the certificate request for 2 years with the command. You will be prompted the pass phrase of CA certificate depending if you used -nodes parameter:
openssl ca -config openssl.cnf -days 730 -policy signing_policy -extensions v3_req -out ssl-servercert.pem -infiles ssl-servercert.csr
Then is displayed a text with the format:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :ASN.1 12:'...'
localityName :ASN.1 12:'...'
organizationName :ASN.1 12:'...'
organizationalUnitName:ASN.1 12:'...'
commonName :ASN.1 12:'SERVERNAME'
Certificate is to be certified until Jul 4 23:26:59 2018 GMT (730 days)
Sign the certificate? [y/n]:
Select y and will prompted the follow text, select y one more time:
1 out of 1 certificate requests certified, commit? [y/n]
Export the generated certificate to PFX format:
openssl pkcs12 -export -out ssl-certificate.pfx -inkey ssl-serverkey.pem -in ssl-servercert.pem -name "SSL Signed Certificate"
You will need do the follow steps to enable SSL without problem:
On Server Machine:
Import the Root CA certificate (ssl-cacert.pem file) on Trusted Root Certification Authorities store selecting Computer account.
Import Server Certificate for SSL (ssl-certificate.pfx file) on Personal store selecting Computer account.
On Client Machines:
In each client machine you will need import the Root CA certificate (ssl-cacert.pem file) on Trusted Root Certification Authorities store selecting Computer account.
Feel free to make any changes or suggestions.
I am loading a certificate from string like this:
public static void Test()
{
byte[] arrayCertificate;
arrayCertificate = Convert.FromBase64String("CERT_STRING");
X509Certificate2 clientCertificateFromXml = new X509Certificate2(arrayCertificate);
Console.Write(clientCertificateFromXml);
Console.ReadKey();
}
But this certificate doesn't have a "Subject Unique Identifier"
Take a look at this:
http://en.wikipedia.org/wiki/X.509 (The part of Structure of a certificate)
And I want to know how can I read that value from my .NET code (I looked that I can get SerialNumber, Thumbprints and others but there is no Subject UID anywhere).
Also, I will really appreciate If anyone can share an openssl command to include this UID for the certificate :-) (pfx one)
And I want to know how can I read that value from my .NET code
IIRC this is not exposed in the .NET BCL, either from X509Certificate or the newer (better but still incomplete) X509Certificate2.
But you can use Mono.Security assembly (or just the code you want from it), from the Mono project. It's open source, MIT.X11 licensed and it includes it's own X509Certificate.
This version expose just about everything in X.509 certificates, including a SubjectUniqueIdentifier property.
I will really appreciate If anyone can share an openssl command to include this UID for the certificate
I do not recall for openssl... but you can use the X509CertificateBuilder from Mono.Security to create your own certificates. See Mono's makecert tool source code for an example.
Disclaimer: I wrote the code :-)
I would like to know if x509 certificate's password allows multi-passwords per certificate - or just one?
And if it is possible, what scenario would it be applied?
Thanks for your time.
Because GnuPG is easily available to me, it'd be my tool of choice; each admin would create a public/private key pair and export the public portion:
gpg --gen-key
gpg --export --armor [keyid] > key_file_[admin_name]
Import all the public keys into the keyring of whoever 'owns' the unencrypted x509 cert:
cat key_file_* | gpg --import
Then encrypt the cert with all the keys:
gpg -r keyid1 -r keyid2 -r keyid3 ... -o encrypted_cert -e plaintext_cert
Now encrypted_cert can be decrypted by whoever has one of the private keys and that private key's passphrase:
gpg encrypted_cert
PGP could also do the job, and probably with only slight modifications to the commands here.
Because all this is doing is encrypting a single symmetric key multiple times, once to each public key (and storing the results in a file format prepared to handle multiple copies of the encrypted symmetric key), it would be easy enough to re-implement in whatever language you'd like, if your trial wrappers work well enough.
It allows just one password and it is used to secure private key in the certificate. If you want to access private key you must provide a password.