I need the MD5 fingerprint to generate an API key for google maps. When I run the keytool command, I don't get the MD5 fingerprint. Instead I get the SHA1 fingerprint which is not what I want.
C:\Program Files\Java\jdk1.7.0_15\bin>keytool -list -alias androiddebugkey
-keystore C:\Users\Psiu\.android\debug.keystore -storepass android -keypass android
androiddebugkey, 26-Feb-2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): FA:66:B5:2A:05:8D:6E:2D:AA:89:D0:7F:97:6D:8D:9D:3A:1F:64:A1
How do I get the MD5 fingerprint?
Please use the -v option to your keytool command and the tool will list all the different algorithms supported and you will get the SHA1 and MD5 listed.
For e.g. keytool -v -list [...rest of your command]
Related
OpenSSL deprecated a set of hash functions in the 3.0 release. (See OpenSSL_3.0#Provider_implemented_digests.)
For a library I maintain, I need some of them for backward compatibility, e.g., RIPEMD160.
However, since OpenSSL 3.0 gets rolled out through various distributions, it now starts to fail on my Github actions with the latest Ubuntu 22.4 LTS image because it is now disabled by default.
So, further down the OpenSSL wiki page it explains how to enable the legacy features in the SSL config for the system. However, when I try to modify the system's openssl config file, I get a permission denied error even after using sudo.
sudo sed -i '/^\default = default_sect/a legacy = legacy_sect' /etc/ssl/openssl.cnf
sudo sed -i '/^\[default_sect\]/a activate = 1' /etc/ssl/openssl.cnf
sudo echo "[legacy_sect]" >> /etc/ssl/openssl.cnf
sudo echo "activate = 1" >> /etc/ssl/openssl.cnf
shell: /usr/bin/bash -e {0}
/home/runner/work/_temp/9f9803fe-a061-4d59-bed1-83d345569dbe.sh: line 3: /etc/ssl/openssl.cnf: Permission denied
If I cannot modify the config, how do I enable the OpenSSL 3.0 legacy provider Github Actions?
You don't need modify the system config file. You can create a new config file somewhere and then set the OPENSSL_CONF environment variable to point at it. Any process that uses openssl will use that environment variable as the location for its config file in preference to the system default location.
I have a file with pgp encryption. I want to decrypt the file using SSIS. Whenever I run the package it prompts me to enter passphrase. How can I bypass this?
I'm using execute process task to run the decrypt command from command prompt.
\C echo XXXXXXXXX|gpg --keyring "\\LSRSQL08\Share\DataServices_Key\public.pgp" --secret-keyring "\\LSRSQL08\Share\DataServices_Key\private.pgp" --batch --yes --passphrase-fd 0 -o \\LSRSQL08\Share\WorkingFolders\ACXM\DataLoad\Razor_FEB21_Install.txt -d \\LSRSQL08\Share\WorkingFolders\ACXM\Razor_FEB21_Install.txt.pgp
I have extracted public and private key like below:
gpg --output public.pgp --armor --export DataServices#company.com
gpg --output private.pgp --armor --export-secret-key DataServices#company.com
Below command worked for me. Just we need to make sure that we import the key in same account under which SSIS package will be running.
--pinentry-mode=loopback --passphrase XXXXXX -o \\LSRSQL08\Share\WorkingFolders\ACXM\DataLoad\Razor_FEB21_Install.txt -d \\LSRSQL08\Share\WorkingFolders\ACXM\DataLoad\Razor_FEB21_Install.txt.pgp
I am attempting to use client certificates to limit secure access to an apache2 web server. However after installation google chrome returns a ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED error.
First I set up the CA for the Web Server by creating a CA key and an X509 PEM file:
openssl genrsa -out CA.key 2048
openssl req -x509 -new -nodes -key CA.key -days 7300 -out CA.pem
I already have an existing certificate for the web site set in apache2 for https communication allocated by a trusted third party. The following is the apache2 conf setting for this website where I have included SSLCACertificateFile for the certificate generated above, the SSLOptions, SSLVerifyClient and SSLVerfiyDepth directives:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName site.aname.com
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html/site
<Directory /var/www/html/site>
Options FollowSymLinks
AllowOverride All
Require all granted
SSLOptions +StdEnvVars
SSLVerifyClient require
SSLVerifyDepth 1
</Directory>
LogLevel debug
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCACertificateFile /etc/apache2/ssl/site/CA.pem
SSLCertificateFile /etc/apache2/ssl/site/fullchain.pem
SSLCertificateKeyFile /etc/apache2/ssl/site/privkey.pem
Include /etc/apache2/ssl/site/options-ssl-apache.conf
</VirtualHost>
</IfModule>
This completes the web server configuration and test without a client certificate and get the expected error.
I then generate a client certificate and sign with the CA and then package in pkcs12 with private key with the following:
GENERATE:
openssl genrsa -out user.key 2028
openssl req -new -key user.key -out user.csr
SIGN WITH:
openssl x509 -sha256 -req -in user.csr -out user.crt -CA CA.pem -CAkey CA.key -CAcreateserial -days 1095
CREATE PKCS12:
openssl pkcs12 -export -out user.pfx -inkey user.key -in user.crt
The resultant user.pfx is then installed on the user machines running chrome.
When attempting to connect, chrome asks for the key which is selected with the result being the error ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED.
Version of Chrome running under Windows 10 is: Version 74.0.3729.169 (Official Build) (64-bit)
Update:
I can connect successfully with curl from another linux server using:
curl --cert user.crt --key user.key --pass password https://site.aname.com/
however, the same from windows 10 command line results in:
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80090027) - The parameter is incorrect
Solved by ensuring that the signed user certificate was a "version 3" X.509 certificate and specifying both Key Usage and Enhanced Key Usage attributes within the v3 extension. This was achieved my modifying the openssl.conf file for the X509 sign request or if you use the openssl CA command.
Getting "openssl not installed on this system" when running mysql_ssl_rsa_setup.
I installed openssl and mysql from source, both times keeping the default paths for installation (/usr/local/openssl for openssl [I actually renamed it to openssl from ssl to see if that was the problem], /usr/local/mysql for mysql).
The docs say it gets the path from the PATH environment variable, but there's no option to specify it in the command line. What is the default? How to change it? I have seen that you can modify /etc/environment to add PATH there, but the file is empty by default.
According to 4.4.5 mysql_ssl_rsa_setup — Create SSL/RSA Files, mysql_ssl_rsa_setup uses the openssl command line tool:
Note
mysql_ssl_rsa_setup uses the openssl command, so its use is contingent
on having OpenSSL installed on your machine.
What is the default?
OpenSSL's default installation location is /usr/local/ssl
How to change it?
Use --openssldir when you configure the library. Also see Compilation and Installation on the OpenSSL wiki.
You should not install OpenSSL in /usr/bin (and the libraries in /usr/lib). Its creates too many problems.
Instead, let the library install itself in /usr/local/ssl. Then you should be able to create a shell script located at /usr/local/bin/openssl that performs the following:
$ cat /usr/local/bin/openssl
#!/usr/bin/env bash
LD_LIBRARY_PATH=/usr/local/ssl/lib:$LD_LIBRARY_PATH; /usr/local/ssl/bin/openssl "$#"
Be sure to chmod a+x /usr/local/bin/openssl.
You can verify the OpenSSL tool being used with:
$ which openssl
/usr/local/bin/openssl
If needed, add /usr/local/bin to your PATH:
$ cat ~/.bash_profile
export PS1="\\h:\\W$ "
export UMASK=0022
export EDITOR=emacs
export PATH="/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin"
...
Has anyone came across where they have to deal with .truststore file? and knowing how to import .cer into .truststore file?
I am not sure if I have to use Java Keytool or Linux command (such as openssl command).
Thanks
# Copy the certificate into the directory Java_home\Jre\Lib\Security
# Change your directory to Java_home\Jre\Lib\Security>
# Import the certificate to a trust store.
keytool -import -alias ca -file somecert.cer -keystore cacerts -storepass changeit [Return]
Trust this certificate: [Yes]
changeit is the default truststore password
Instead of using sed to filter out the certificate, you can also pipe the openssl s_client output through openssl x509 -out certfile.txt, for example:
echo "" | openssl s_client -connect my.server.com:443 -showcerts 2>/dev/null | openssl x509 -out certfile.txt
The way you import a .cer file into the trust store is the same way you'd import a .crt file from say an export from Firefox.
You do not have to put an alias and the password of the keystore, you can just type:
keytool -v -import -file somefile.crt -alias somecrt -keystore my-cacerts
Preferably use the cacerts file that is already in your Java installation (jre\lib\security\cacerts) as it contains secure "popular" certificates.
Update regarding the differences of cer and crt (just to clarify)
According to Apache with SSL - How to convert CER to CRT certificates? and user #Spawnrider
CER is a X.509 certificate in binary form, DER encoded.
CRT is a binary X.509 certificate, encapsulated in text (base-64) encoding.
It is not the same encoding.