Currently, I have used the MySQL 6.5 and PostgreSQL 9.5 version. I need to enable(Configure) SSL in both servers. I have now (.pfx) SSL certificate. Can you please suggest me to how to configure the SSL in both servers. I have searched a lot of documents on online but I didn't get any clear idea about that.
OS: Windows 10
For PostgreSQL you will need a crt and key file.
To get the crt, Key file you can use following commands -
openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]
Note you may have to use pkcs8/pkcs7 depending on your pfx file.
this is now to be used in your postgresql.conf file, refer the article to identify the attributes that you need to set in here - https://www.postgresql.org/docs/9.5/static/runtime-config-connection.html
keys are - ssl_cert_file ,ssl_key_file
Related
I have to authenticate the openshift cluster via .kube/config file. For that, I have generated a x509 client certificate and key using OpenSSL.I converted that certificate into .pem format using the following command x509 -in xyz.crt -out xyz.pem -outform PEM I had generated one .kube/config file for openshift authentication I put the ca.pem, xyz.pem and xyz_key.pem into that openshift .kube/config file.But I am
facing Error like error tls- failed to find any PEM data in certificate input
Kinds regard and thank you for your patience.
I'm using PhpStorm 2018.2 and attempting to connect to remote host using SSH key (I can connect via ssh on terminal).
When I enter the (newly created) rsa key into the remote host settings I get the error "'{path/to/key}_rsa' is corrupt or has unknown format" ... see image attached.
I have seen some bits about converting the key to an ssh2 key using this command
ssh-keygen -e -f ~/.ssh/key_rsa > ~/.ssh/key_rsa_ssh2
and using that in PhpStorm instead but with no luck.
To expand on #eugenemorozov's answer. I had to do these 2 points.
add the private key(s) to ssh-agent using ssh-add command;
i did this by following this guide.
choose OpenSSH Config and authentication agent authentication type option when configuring SFTP Deployment Connection options.
The SSH library we use doesn't support these keys.
We're looking for solutions currently, as a workaround, please use ssh-agent and choose this authentication type in the Deployment Configuration.
https://youtrack.jetbrains.com/issue/PY-24325
What worked for me was to convert the key in puttygen, like this: https://youtrack.jetbrains.com/issue/IDEA-284623
I've deployed Keycloak on WildFly 10 via Docker. SSL support was enabled via cli. Final standalone.xml has:
<security-realm name="UndertowRealm">
<server-identities>
<ssl>
<keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="changeit"
alias="mydomain" key-password="changeit"/>
</ssl>
</server-identities>
</security-realm>
Undertow subsystem:
<https-listener name="default-https" security-realm="UndertowRealm"
socket-binding="https"/>
Key was generated and placed in $JBOSS_HOME/standalone/configuration
keytool -genkey -noprompt -alias mydomain -dname "CN=mydomain,
OU=mydomain, O=mydomain, L=none, S=none, C=SI" -keystore
keycloak.jks -storepass changeit -keypass changeit
Port 8443 is exposed via Docker.
Accessing https://mydomain:8443/ in chrome results in ERR_CONNECTION_CLOSED. Firefox returns "Secure Connection Failed, the connection was interrupted..."
However, OpenSSL client works nicely:
openssl s_client -connect mydomain:8443
Input:
GET / HTTP/1.1
Host: https://mydomain:8443
This returns the Keycloak welcome page.
So clearly WildFly is working but I am being blocked by the browsers for whatever reason. What could this reason be? I was under the impression that I should be able to add an exception for self signed certificate in either browser. Maybe the generated key length is too short or maybe I am hitting some other security constraint imposed by Firefox/Chrome?
Using these parameters in keytool solved the problem: -keyalg RSA -keysize 2048
... -dname "CN=mydomain
The certificate is probably malformed. The Browsers and other user agents, like cURL and OpenSSL, use different policies to validate a end-entity certificate. The browser will reject a certificate if the hostname is in the Common Name (CN), while other user agents will accept it.
The short answer to this problem is, place DNS names in the Subject Alternate Name (SAN), and not the Common Name (CN).
You may still encounter other problems, but getting the names right will help immensely with browsers.
However, OpenSSL client works nicely:
openssl s_client -connect mydomain:8443
OpenSSL prior to 1.1.0 did not perform hostname validation. Prior version will accept any name.
cURL or Wget would be a better tool to test with in this case.
For reading on the verification you should perform when using OpenSSL, see:
SSL/TLS Client
For reading on the rules for hostnames and where they should appear in a X509 certificate, see:
How do you sign Certificate Signing Request with your Certification Authority?
How to create a self-signed certificate with openssl?
I need postman to connect to my server which requires client certificate. After some research, it seems that postman does not handle certificates itself but relies on Chrome certificates instead. My next step was to try to install the certificates in Chrome, my cert structure is like this:
Self-signed root CA => intermediate CA 1 => intermediate CA 2 => client cert
I have a file certchain.pem that contains client cert followed by intermediate CA 2 cert then intermediate CA 1 cert, I also have client.key file. I tried to install the chain in Chrome but it seems that Chrome requires pkcs12 so I split off certchain.pem into client.crt and middle.pem, then I convert everything to pkcs12 by:
openssl pkcs12 -in client.crt -inkey client.key -certfile middle.pem -export -out client.p12
I could install client.p12 into Chrome but it doesn't seem to retain the intermediate certs, when I choose View, it only shows info about client cert.
I've tested that client.p12 works by installing it into Firefox, there I can see info about the intermediate certs. I've tested that my certs work by doing a curl with them. Any other idea?
I write a HTTPS Server by Openssl. Using Chrome to connect the server, It has ERR_CONNECTION_REFUSED. But Using Firefox to connect the server,It work fine.
I follow the sites http://blog.jorisvisscher.com/2015/07/22/create-a-simple-https-server-with-openssl-s_server/
openssl s_server -key key.pem -cert cert.pem -accept 44330 -www
The result is the same.
How can I solve it!
Thanks for reading this Q!
Your chrome probably refused the connection because it was unsecure (here Firefox Developer Edition also refused). By default, openssl uses weak DH parameters, and unsupported protocols (like SSLv3), you should add additional options to secure your server.
First, generate stronger DH params:
openssl dhparam -out dhparam.pem 2048
Use at least 2048, the bigger, the better (I usually use 4096). Then run your server with this command instead:
openssl s_server -key key.pem -cert cert.pem -accept 44330 \
-no_ssl3 -dhparam dhparam.pem -www
Be aware that SSLv2 is also in ways of being deprecated (PCI compliance will fail for SSLv2 by the middle of this year), and there are also several ciphers that are unsecure.
If you'd like a really strong dhparam, consider installing a service for generating more entropy, like haveged (before generating dhparams):
apt-get install haveged