OpenSSL deprecated a set of hash functions in the 3.0 release. (See OpenSSL_3.0#Provider_implemented_digests.)
For a library I maintain, I need some of them for backward compatibility, e.g., RIPEMD160.
However, since OpenSSL 3.0 gets rolled out through various distributions, it now starts to fail on my Github actions with the latest Ubuntu 22.4 LTS image because it is now disabled by default.
So, further down the OpenSSL wiki page it explains how to enable the legacy features in the SSL config for the system. However, when I try to modify the system's openssl config file, I get a permission denied error even after using sudo.
sudo sed -i '/^\default = default_sect/a legacy = legacy_sect' /etc/ssl/openssl.cnf
sudo sed -i '/^\[default_sect\]/a activate = 1' /etc/ssl/openssl.cnf
sudo echo "[legacy_sect]" >> /etc/ssl/openssl.cnf
sudo echo "activate = 1" >> /etc/ssl/openssl.cnf
shell: /usr/bin/bash -e {0}
/home/runner/work/_temp/9f9803fe-a061-4d59-bed1-83d345569dbe.sh: line 3: /etc/ssl/openssl.cnf: Permission denied
If I cannot modify the config, how do I enable the OpenSSL 3.0 legacy provider Github Actions?
You don't need modify the system config file. You can create a new config file somewhere and then set the OPENSSL_CONF environment variable to point at it. Any process that uses openssl will use that environment variable as the location for its config file in preference to the system default location.
I am attempting to use client certificates to limit secure access to an apache2 web server. However after installation google chrome returns a ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED error.
First I set up the CA for the Web Server by creating a CA key and an X509 PEM file:
openssl genrsa -out CA.key 2048
openssl req -x509 -new -nodes -key CA.key -days 7300 -out CA.pem
I already have an existing certificate for the web site set in apache2 for https communication allocated by a trusted third party. The following is the apache2 conf setting for this website where I have included SSLCACertificateFile for the certificate generated above, the SSLOptions, SSLVerifyClient and SSLVerfiyDepth directives:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName site.aname.com
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html/site
<Directory /var/www/html/site>
Options FollowSymLinks
AllowOverride All
Require all granted
SSLOptions +StdEnvVars
SSLVerifyClient require
SSLVerifyDepth 1
</Directory>
LogLevel debug
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCACertificateFile /etc/apache2/ssl/site/CA.pem
SSLCertificateFile /etc/apache2/ssl/site/fullchain.pem
SSLCertificateKeyFile /etc/apache2/ssl/site/privkey.pem
Include /etc/apache2/ssl/site/options-ssl-apache.conf
</VirtualHost>
</IfModule>
This completes the web server configuration and test without a client certificate and get the expected error.
I then generate a client certificate and sign with the CA and then package in pkcs12 with private key with the following:
GENERATE:
openssl genrsa -out user.key 2028
openssl req -new -key user.key -out user.csr
SIGN WITH:
openssl x509 -sha256 -req -in user.csr -out user.crt -CA CA.pem -CAkey CA.key -CAcreateserial -days 1095
CREATE PKCS12:
openssl pkcs12 -export -out user.pfx -inkey user.key -in user.crt
The resultant user.pfx is then installed on the user machines running chrome.
When attempting to connect, chrome asks for the key which is selected with the result being the error ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED.
Version of Chrome running under Windows 10 is: Version 74.0.3729.169 (Official Build) (64-bit)
Update:
I can connect successfully with curl from another linux server using:
curl --cert user.crt --key user.key --pass password https://site.aname.com/
however, the same from windows 10 command line results in:
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80090027) - The parameter is incorrect
Solved by ensuring that the signed user certificate was a "version 3" X.509 certificate and specifying both Key Usage and Enhanced Key Usage attributes within the v3 extension. This was achieved my modifying the openssl.conf file for the X509 sign request or if you use the openssl CA command.
I try to generate a self-signed certificate for a custom local domain pointing to 127.0.0.1:
# /etc/hosts
127.0.0.1 subdomain.domain.local
I've generated a self-signed certificate using openssl and remember that everything worked in the past. But it seems that since Chrome 58, there are far more restrictions on using self-signed certificates.
My attempts conclude with "Your connection is not private" following with one of the below errors:
"security certificate is not trusted" if I proceed like in the past.
"not a certification authority" when trying to import it into Chrome.
"subject alternative name missing" when using a certificate after importing its CA.
I'm pretty sure I'm missing something in the process. Please, can anyone provide the valid configuration to handle alternative names along with the exact steps to create the corresponding CA and a certificate so that Chrome and Firefox can handle my local custom domain?
TLDR
Create the file generate.sh
#!/usr/bin/env bash
find . \( -name "$1.*" -o -name "*.srl" \) -type f -delete
cp /usr/lib/ssl/openssl.cnf $1.cnf
python <(
cat << "END"
import sys
from ConfigParser import ConfigParser
from StringIO import StringIO
domain = sys.argv[1]
config = ConfigParser()
config.optionxform = lambda option: option
name = "{}.cnf".format(domain)
with open(name, "rb") as stream:
config.readfp(StringIO("[top]\n" + stream.read()))
config.set(" v3_ca ", "subjectKeyIdentifier", "hash")
config.set(" v3_ca ", "authorityKeyIdentifier", "keyid:always,issuer")
config.set(" v3_ca ", "basicConstraints", "critical, CA:TRUE, pathlen:3")
config.set(" v3_ca ", "keyUsage", "critical, cRLSign, keyCertSign")
config.set(" v3_ca ", "nsCertType", "sslCA, emailCA")
config.set(" v3_req ", "basicConstraints", "CA:FALSE")
config.set(" v3_req ", "keyUsage", "nonRepudiation, digitalSignature, keyEncipherment")
config.set(" v3_req ", "subjectAltName", "#alt_names")
config.remove_option(" v3_req ", "extendedKeyUsage")
config.add_section(" alt_names ")
config.set(" alt_names ", "DNS.1", domain)
config.set(" alt_names ", "DNS.2", "*.{}".format(domain))
config.set(" req ", "req_extensions", "v3_req")
with open(name, "wb") as stream:
config.write(stream)
END
) $1
tail -n +2 $1.cnf > $1.cnf.tmp && mv $1.cnf.tmp $1.cnf
echo "$1\n" | openssl genrsa -aes256 -out $1.ca.key 2048
chmod 400 $1.ca.key
openssl req -new -x509 -subj "/CN=$1" -extensions v3_ca -days 3650 -key $1.ca.key -sha256 -out $1.ca.crt -config $1.cnf
openssl genrsa -out $1.key 2048
openssl req -subj "/CN=$1" -extensions v3_req -sha256 -new -key $1.key -out $1.csr
openssl x509 -req -extensions v3_req -days 3650 -sha256 -in $1.csr -CA $1.ca.crt -CAkey $1.ca.key -CAcreateserial -out $1.crt -extfile $1.cnf
openssl x509 -in $1.crt -text -noout
Call ./generate.sh example.com
Requires Python 2
All credits go to this excellent article by Fabian Lee.
Create a trusted CA and SAN certificate using OpenSSL
Customize openssl.cnf
Create CA certificate
Create Server certificate with SAN signed by CA
Prerequisite
As a prerequisite, ensure the SSL packages are installed:
$ sudo apt install libssl1.0.0 -y
Customized openssl.cnf
The first step is to grab the openssl.cnf template available on your system. On Ubuntu this can be found at /usr/lib/ssl/openssl.cnf. You may find this in /System/Library/OpenSSL/ on MacOS, and /etc/pki/tls on Redhat variants.
export prefix="mydomain"
cp /usr/lib/ssl/openssl.cnf $prefix.cnf
$prefix.cnf needs be modified with the specific information about the cert we are going to generate.
Under the [ v3_ca ] section, add the following values. For the CA, this signifies we are creating a CA that will be used for key signing.
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:3
keyUsage = critical, cRLSign, keyCertSign
nsCertType = sslCA, emailCA
Then under the [ v3_req ] section, set the following along with all the valid alternative names for this certificate.
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
#extendedKeyUsage=serverAuth
subjectAltName = #alt_names
[ alt_names ]
DNS.1 = mydomain.com
DNS.2 = *.dydomain.com
Also uncomment the following line under the [ req ] section so that certificate requests are created with v3 extensions.
req_extensions = v3_req
When we generate each type of key, we specify which extension section we want to use, which is why we can share $prefix.cnf for creating both the CA as well as the SAN certificate.
Create CA Certificate
Now we will start using OpenSSL to create the necessary keys and certificates. First generate the private/public RSA key pair:
openssl genrsa -aes256 -out ca.key.pem 2048
chmod 400 ca.key.pem
This encodes the key file using an passphrase based on AES256.
Then we need to create the self-signed root CA certificate.
openssl req -new -x509 -subj "/CN=myca" -extensions v3_ca -days 3650 -key ca.key.pem -sha256 -out ca.pem -config $prefix.cnf
You can verify this root CA certificate using:
openssl x509 -in ca.pem -text -noout
This will show the root CA certificate, and the Issuer and Subject will be the same since this is self-signed. This is flagged as CA:TRUE meaning it will be recognized as a root CA certificate; meaning browsers and OS will allow it to be imported into their trusted root certificate store.
Issuer: CN=myca
...
Subject: CN=myca
...
X509v3 Basic Constraints:
critical CA:TRUE, pathlen:3
X509v3 Key Usage:
critical Certificate Sign, CRL Sign
Netscape Cert Type:
SSL CA, S/MIME CA
Create Server certificate signed by CA
With the root CA now created, we switch over to the server certificate. First generate the private/public RSA key pair:
openssl genrsa -out $prefix.key.pem 2048
We didn’t put a passphrase on this key simply because the CA is more valuable target and we can always regenerate the server cert, but feel free to take this extra precaution.
Then create the server cert signing request:
openssl req -subj "/CN=$prefix" -extensions v3_req -sha256 -new -key $prefix.key.pem -out $prefix.csr
Then generate the server certificate using the: server signing request, the CA signing key, and CA cert.
openssl x509 -req -extensions v3_req -days 3650 -sha256 -in $prefix.csr -CA ca.pem -CAkey ca.key.pem -CAcreateserial -out $prefix.crt -extfile $prefix.cnf
The $prefix.key.pem is the server private key and $prefix.crt is the server certificate. Verify the certificate:
openssl x509 -in $prefix.crt -text -noout
This will show the certificate, and the Issuer will be the CA name, while the Subject is the prefix. This is not set to be a CA, and the Subject Alternative Name field contains the URLs that will be considered valid by browsers.
Issuer:
CN=myca
...
Subject:
CN=mydomain
...
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:mydomain.com, DNS:*.mydomain.com
Browser Evaluation
When you first point Chrome or Firefox at the site with your SAN cert with CA signing, it will throw the same type of exceptions as a self-signed SAN cert. This is because the root CA cert is not known as a trusted source for signed certificates.
Chrome
Linux
On Linux, Chrome manages its own certificate store and again you should import ca.pem into the Authorities. This should now make the security icon turn green.
Windows
In Chrome settings (chrome://settings), search for certificates and click on Manage Certificates. On Windows this will open the Windows certificate manager and you should import the ca.pem file at the Trusted Root Certification Authorities tab. This is equivalent to adding it through mmc.exe, in the local user trusted root store (not the computer level).
Firefox
In Firefox Options about:preferences, search for certificates and click View Certificates. Go to the Authorities tab and import ca.pem. Check the box to have it trust websites, and now the lock icon should turn green when you visit the page.
Getting "openssl not installed on this system" when running mysql_ssl_rsa_setup.
I installed openssl and mysql from source, both times keeping the default paths for installation (/usr/local/openssl for openssl [I actually renamed it to openssl from ssl to see if that was the problem], /usr/local/mysql for mysql).
The docs say it gets the path from the PATH environment variable, but there's no option to specify it in the command line. What is the default? How to change it? I have seen that you can modify /etc/environment to add PATH there, but the file is empty by default.
According to 4.4.5 mysql_ssl_rsa_setup — Create SSL/RSA Files, mysql_ssl_rsa_setup uses the openssl command line tool:
Note
mysql_ssl_rsa_setup uses the openssl command, so its use is contingent
on having OpenSSL installed on your machine.
What is the default?
OpenSSL's default installation location is /usr/local/ssl
How to change it?
Use --openssldir when you configure the library. Also see Compilation and Installation on the OpenSSL wiki.
You should not install OpenSSL in /usr/bin (and the libraries in /usr/lib). Its creates too many problems.
Instead, let the library install itself in /usr/local/ssl. Then you should be able to create a shell script located at /usr/local/bin/openssl that performs the following:
$ cat /usr/local/bin/openssl
#!/usr/bin/env bash
LD_LIBRARY_PATH=/usr/local/ssl/lib:$LD_LIBRARY_PATH; /usr/local/ssl/bin/openssl "$#"
Be sure to chmod a+x /usr/local/bin/openssl.
You can verify the OpenSSL tool being used with:
$ which openssl
/usr/local/bin/openssl
If needed, add /usr/local/bin to your PATH:
$ cat ~/.bash_profile
export PS1="\\h:\\W$ "
export UMASK=0022
export EDITOR=emacs
export PATH="/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin"
...
I need the MD5 fingerprint to generate an API key for google maps. When I run the keytool command, I don't get the MD5 fingerprint. Instead I get the SHA1 fingerprint which is not what I want.
C:\Program Files\Java\jdk1.7.0_15\bin>keytool -list -alias androiddebugkey
-keystore C:\Users\Psiu\.android\debug.keystore -storepass android -keypass android
androiddebugkey, 26-Feb-2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): FA:66:B5:2A:05:8D:6E:2D:AA:89:D0:7F:97:6D:8D:9D:3A:1F:64:A1
How do I get the MD5 fingerprint?
Please use the -v option to your keytool command and the tool will list all the different algorithms supported and you will get the SHA1 and MD5 listed.
For e.g. keytool -v -list [...rest of your command]