PKI404

How to fix "One or More of the Object's Properties Are Missing or Invalid"

2024-06-10T00:36:00.000-07:00

Are you encountering the "Code Sign CSR Error: One or More of the Object's Properties Are Missing or Invalid" error in Microsoft Management Console (MMC)? This video will guide you through the steps to troubleshoot and resolve this common issue when generating a Certificate Signing Request (CSR).

Let's See how to fix below Error.

One or More of the Object's Properties Are Missing or Invalid

Please go through the below Video to resolve the issue, and subscribe to the channel as well to post such contents.

How to import CRL into MMC

2024-05-27T03:08:00.000-07:00

Please Open the MMC (Start > Run > MMC).

Go to File > Add / Remove Snap In
Double Click Certificates
Select Computer Account.
Select Local Computer > Finish
Click OK to exit the Snap-In window.
Click [+] next to Certificates > Trusted root certification authorities
Right click on folder and select All Tasks > Import
Click Next
Click Browse
Select the .crl you would like to import. Click Open.
Click Next
Select Automatically select the certificate store based on the type of certificate.
Click Finish & OK

Kindly perform same once for Intermediate certification authorities folder instead of trusted root certification authorities.

If you have closed the MMC, then please follow the above steps from 1-5 then continue the below steps.

Now Click [+] next to Certificates > Intermediate certification authorities
Right click on folder and select All Tasks > Import
Click Next
Click Browse
Select the .crl you would like to import. Click Open.
Click Next
Select Automatically select the certificate store based on the type of certificate.
Click Finish & OK

OPENSSL MOST USEFUL COMMANDS IN PKI

2021-12-11T08:09:00.000-08:00

Hello Everyone!! Welcome to another exciting article by PKI404, In this article we will see most common command used in openssl for pfx and key files on apache and other web servers So lets start without any further due.

OPENSSL MOST USEFUL COMMANDS

1. To Generate CSR and Private key

1. openssl req -new -newkey rsa:2048 -sha256 -nodes -out domainname.csr -keyout privatekey.key

2. openssl req -new -newkey rsa:2048 -nodes -out domainname.csr -keyout privatekey.key

Generate CSR and Private key from one command

openssl req -new -newkey rsa:2048 -nodes -out domainname.csr -keyout privatekey.key -subj "/C=IN/ST=Delhi/L=New Delhi/O=PKI404/OU=PKI/CN=www.pki404.com"

2. To Generate CSR and Encrypted Private key

openssl req -new -newkey rsa:2048 -sha256 -out domainname.csr -keyout privatekey.key

3.Convert PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

4.Convert DER to PEM

openssl x509 -inform der -in certificate.der -out certificate.pem

5.Convert PEM/CRT to P7B

openssl crl2pkcs7 -nocrl -certfile certificate.crt -out certificate.p7b -certfile CACert.crt

6.Convert P7B to PEM/CRT

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt

7.Convert PEM/CRT & Private Key to PFX/P12

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

8.Convert P7B to PFX: (first convert p7b to pem/crt from above commands then use below)

openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

9.Convert PFX to PEM/CRT and Private Key

openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes

10.OpenSSL command to remove private key password

openssl rsa -in file.key -out newfile.key
11.convert simple private to RSA private key

openssl rsa -in normal.key -out newrsa.key

12.Create RSA Private Key from PFX (private key without any password)

openssl pkcs12 -in certificate.pfx -nocerts -nodes | openssl rsa -out newrsaprivatekey.key

13.View CSR contents
openssl req -in mycsr.csr -noout -text

14.View Certificate X509 contents (.cer/,crt/.pem files)

openssl x509 -in certificate.crt -text -noout

15.To Match private key, CSR and certificate (output of all three commands should be the same)

openssl pkey -in privateKey.key -pubout -outform pem | sha256sum
openssl x509 -in domaincertificate.cer -pubkey -noout -outform pem | sha256sum
openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum

16.openssl command print out md5 checksums of the certificate and key

openssl x509 -noout -modulus -in server.cer| openssl md5
openssl rsa -noout -modulus -in server.key| openssl md5
17.Check which certificate is installed on 443 or 8443 port on server

openssl s_client -connect localhost:443

For TLS 1.1, 1.2,1.3 check (tls1_1, tls1_2, tls1_3)

openssl s_client -connect localhost or www.pki404.com:443 -tls1_2

18. Check installed SSL certificate on server with validity

openssl s_client -connect localhost:443 -showcerts | openssl x509 -noout -dates

19.Check SSL status without any CA issuer error

openssl s_client -connect localhost:443 -CApath /etc/ssl/certs/

20.Generate a Self-Signed Certificate from an Existing Private Key and CSR

openssl x509 -signkey private.key -in csrfilename.csr -req -days 365 -out certificate.crt

21.Generate a Self-Signed Certificate for 365 days

openssl req -newkey rsa:2048 -nodes -keyout newprivate.key-x509 -days 365 -out selfsigncertificate.crt

22.Generate a CSR for an Existing Certificate and Private Key

openssl x509 -x509toreq -in certificatename.crt -out csrfilename.csr -signkey privatekeyname.key

23.Encrypt an Unencrypted Private Key

openssl rsa -des3 -in unencryptedfilename.key -out encryptedfilename.key

24.Decrypt an Encrypted Private Key

openssl rsa -in encryptedfilename.key -out decryptedfilename.key

25.Generate ECC/ECDSA CSR

First Generate private key

openssl ecparam -out server.key -name prime256v1 -genkey

Next command to generate CSR using the private key

openssl req -new -key server.key -out server.csr -sha256

26.View PKCS12/pfx/p12 information

openssl pkcs12 -info -in filename.pfx

27.Check Private key status

openssl rsa -in privatekeyname.key -check

28.Check certificate public key fingerprint (Public key SHA256 in Base64 format)for pinning for RSA certificate

openssl x509 -in pki404rsa.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

For ECC/ECDSA

openssl x509 -in pki404ecc.crt -pubkey | openssl ec -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

29.Check certificate hash

openssl x509 -noout -hash -in server.crt

30.Check certificate issuer hash

openssl x509 -noout -issuer -issuer_hash -in server.crt

31.Check openssl version

openssl version -a

32.Openssl encryption and decryption test with plain.txt cipher.txt

echo 'my message' > plain.txt

Encrypt plain text to cipher text

openssl enc -k yourpassword -aes256 -base64 -e -in plain.txt -out cipher.txt

cat cipher.txt

Decrypt cipher text to plain text

openssl enc -k yourpassword -aes256 -base64 -d -in cipher.txt -out plain.txt

cat plain.txt

That's all for this blog see you in next one, do leave your comments if any more command needs to be added. :)

CREATE CSR AND COMPLETE SSL TLS CERTIFICATE REQUEST RESPONSE IN IIS

2021-08-18T14:59:00.043-07:00

Hi Everyone, Welcome to another exciting article by PKI404. Please follow the below steps thoroughly to Create CSR in IIS and complete the request response from CA.

CREATE CSR AND COMPLETE SSL TLS CERTIFICATE REQUEST RESPONSE IN IIS

1. Open Internet Information Services (IIS) Manager

Click Start, Control Panel, System and Security, Administrative Tools, and then select Internet Information Services (IIS) Manager.

Open Run - type - inetmgr

2. Select the server where you want to generate the certificate

In the left Connections menu, select the server name (host) where you want to generate the request.

3. Navigate to Server Certificates

In the center menu, click the Server Certificates icon under the Security section near the bottom.

4. Select Create a New Certificate

In the right Actions menu, click Create Certificate Request.

5. Enter your CSR details

In the Distinguished Name Properties window, enter in the required CSR details and then click Next.

Note: To avoid common mistakes when filling out your CSR details, for wildcard use *.domain.com

6. Select a cryptographic service provider and bit length

In the Cryptographic Service Provider Properties window, select Microsoft RSA SChannel Cryptographic Provider and Bit Length of 2048, then click Next.

Note: Bit Length: 2048 is the current industry standard. You may choose a larger key size, but only if you have a requirement to do so, as longer key lengths increase latency and may reduce compatibility.

7. Save the CSR

Click Browse to specify the location where you want to save the CSR as a “.txt” file and click Finish.

8. Generate the Order

Locate and open the newly created CSR from the specified location you choose in a text editor such as Notepad and copy all the text including:

-----BEGIN CERTIFICATE REQUEST-----

And

-----END CERTIFICATE REQUEST-----

Submit the CSR to Certificate Authority once you receive the SSL certificate follow the below steps.

Install Your SSL Certificate

1. On the server where you created the CSR, save the SSL certificate .cer file (e.g., your_domain_com.cer) that you received from your CA.

2. Open Internet Information Services (IIS) Manager (click Start > Administrative Tools > Internet Information Services (IIS) Manager).

3. In the Connections pane, locate and click the server.

4. In the server Home page (center pane) under the IIS section, double-click Server Certificates.

5. In the Actions menu (right pane), click Complete Certificate Request.

6. In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, provide the following information:

CA's response file:

Click the … button to locate the .cer file you received from CA

(e.g., your_domain_com.cer).

Friendly name:

Type a friendly name for the certificate. This is not part of the certificate; instead, it is used to identify the certificate.

Note: We recommend that you add the issuing CA (e.g., Globalsign) and the expiration date to the end of your friendly name; for example, yoursite-globalsign-(expiration date). Doing this helps identify the issuer and expiration date for each certificate and also helps distinguish multiple certificates with the same domain name.

7. Click OK to install the certificate.

IMPORT INTERMEDIATE AND ROOT CERTIFICATE IN MMC

2021-08-18T14:48:00.054-07:00

Hello Everyone, Welcome to another article by PKI404 for importing Intermediate and root certificate in MMC. Follow the steps below

IMPORT THE INTERMEDIATE AND ROOT CERTIFICATE IN MMC

Import Intermediate Certificate using MMC

1. Open MMC

To open MMC (Microsoft Management Console), go to Run (Win+R), type mmc & click OK

2. Access Add or Remove Snap-Ins

In MMC, click on File & select the option ‘Add/Remove Snap-in’

3. Select Add

In the window ‘Add/Remove Snap-ins,’ select the ‘Certificates’ option and click on the ‘Add’ button

4. Select ‘Computer Account’

5. Select ‘Local Computer’

This will indicate what the snap-in will manage

6. ‘Certificates (Local Computer)’

This will have been selected automatically. Click ‘OK’ to add in console

7. Import Intermediate

For importing the Intermediate Certificate, right click on the ‘Intermediate Certification Authorities’ and then go to All Tasks > Import

8. Locate your Intermediate in the Certificate Import Wizard

Browse for your Intermediate Certificate on your Machine. Click on Next

9. Automatically select the certificate store based on the type of certificate.

You will be prompted to the window where you can place the certificate in Certificate Store. Leave without making any changes. If you have PKCS7 file with several certificates in it, you can go with ‘Automatically select the certificate store based on the type of certificate.’ Lastly, click on Next.

10. Finish

Click Finish, as certificate has been imported

Import Root Certificate using MMC

To import Root Certificates through MMC (Windows Microsoft Management Console), you must go through same process. Instead of right-clicking on ‘Intermediate Certification Authorities,’ right-click on the ‘Trusted Root Certification Authorities’ and go to All Tasks > Import. The rest of the steps (steps 8 – 10) are the same for Root certificate.

Thank you for your time, Stay connected for upcoming articles. :)

INSTALL SSL ON EXHANGE SERVER 2013 - 2016 VIA IIS

2021-08-18T14:24:00.027-07:00

Hi Everyone, Welcome to another exciting article by PKI404. Please follow the below steps thoroughly to install ssl on Exchange server via IIS.

INSTALL SSL ON EXHANGE SERVER 2013 - 2016 VIA IIS

1. Open Internet Information Services (IIS) Manager

Click Start, Control Panel, System and Security, Administrative Tools, and then select Internet Information Services (IIS) Manager.

Open Run - type - inetmgr

2. Select the server where you want to generate the certificate

In the left Connections menu, select the server name (host) where you want to generate the request.

3. Navigate to Server Certificates

In the center menu, click the Server Certificates icon under the Security section near the bottom.

4. Select Create a New Certificate

In the right Actions menu, click Create Certificate Request.

5. Enter your CSR details

In the Distinguished Name Properties window, enter in the required CSR details and then click Next.

Note: To avoid common mistakes when filling out your CSR details, for wildcard use *.domain.com

6. Select a cryptographic service provider and bit length

In the Cryptographic Service Provider Properties window, select Microsoft RSA SChannel Cryptographic Provider and Bit Length of 2048, then click Next.

7. Save the CSR

Click Browse to specify the location where you want to save the CSR as a “.txt” file and click Finish.

8. Generate the Order

Locate and open the newly created CSR from the specified location you choose in a text editor such as Notepad and copy all the text including:

-----BEGIN CERTIFICATE REQUEST-----

And

-----END CERTIFICATE REQUEST-----

Submit the CSR to Certificate Authority once you receive the SSL certificate follow the below steps.

Install Your SSL Certificate

1. On the server where you created the CSR, save the SSL certificate .cer file (e.g., your_domain_com.cer) that you received from your CA.

2. Open Internet Information Services (IIS) Manager (click Start > Administrative Tools > Internet Information Services (IIS) Manager).

3. In the Connections pane, locate and click the server.

4. In the server Home page (center pane) under the IIS section, double-click Server Certificates.

5. In the Actions menu (right pane), click Complete Certificate Request.

6. In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, provide the following information:

CA's response file:

Click the … button to locate the .cer file you received from CA

(e.g., your_domain_com.cer).

Friendly name:

Type a friendly name for the certificate. This is not part of the certificate; instead, it is used to identify the certificate.

7. Click OK to install the certificate.

INSTALL THE INTERMEDIATE AND ROOT CERTIFICATE IN MMC

Import Intermediate Certificate using MMC

1. Open MMC

To open MMC (Microsoft Management Console), go to Run (Win+R), type mmc & click OK

2. Access Add or Remove Snap-Ins

In MMC, click on File & select the option ‘Add/Remove Snap-in’

3. Select Add

In the window ‘Add/Remove Snap-ins,’ select the ‘Certificates’ option and click on the ‘Add’ button

4. Select ‘Computer Account’

5. Select ‘Local Computer’

This will indicate what the snap-in will manage

6. ‘Certificates (Local Computer)’

This will have been selected automatically. Click ‘OK’ to add in console

7. Import Intermediate

For importing the Intermediate Certificate, right click on the ‘Intermediate Certification Authorities’ and then go to All Tasks > Import

8. Locate your Intermediate in the Certificate Import Wizard

Browse for your Intermediate Certificate on your Machine. Click on Next

9. Automatically select the certificate store based on the type of certificate.

You will be prompted to the window where you can place the certificate in Certificate Store. Leave without making any changes. If you have PKCS7 file with several certificates in it, you can go with ‘Automatically select the certificate store based on the type of certificate.’ Lastly, click on Next.

10. Finish

Click Finish, as certificate has been imported

Import Root Certificate using MMC

To import Root Certificates through MMC (Windows Microsoft Management Console), you must go through same process. Instead of right-clicking on ‘Intermediate Certification Authorities,’ right-click on the ‘Trusted Root Certification Authorities’ and go to All Tasks > Import. The rest of the steps (steps 8 – 10) are the same for Root certificate.

Now Login to your Exchamge Web Console and follow the below steps

Enable the certificate by going back to the certificate section of the Exchange Admin, click on the edit button for highlighted installed certificate from IIS.

You will have a screen where you have to click on Services tab on the left side, it will give you options of different services that you wish to enable. Click on save button.

§ Your SSL certificate is finally installed and ready to use.

Thats All for now stay tuned for more such articles :)

HOW TO CONVERT JKS TO WALLET USING ORAPKI

2021-08-18T11:35:00.003-07:00

Hello Everyone!! Welcome to another blog by PKI404 where i will walk you through how to create JKS file then JKS (Java keystore) to wallet for oracle wallet manager. So let's start without any further due.

1. First step is to create a pfx and then p12 file or directly create p12 file.

See steps here : How to create pfx file

openssl pkcs12 -in ewallet.pfx -out ewallet.pem

then pem to p12

openssl pkcs12 -export -in ewallet.pem -out ewallet.p12 -name "server"

Keep the password : Password@123

2. Now Convert pfx to JKS

See here : How to create JKS file

Use the below command to create pfx to JKS file.

In windows open /Program files/ JAVA/ JDK/JRE /bin in Admin command prompt and run below command

keytool -importkeystore -srckeystore "C:\Users\pki404\Desktop\ewallet.p12" -srcstoretype pkcs12 -destkeystore C:\Users\pki404\Desktop\certificate.jks" -deststoretype JKS

In Linux run the command anywhere to convert P12/pfx to JKS

3. Now open ORAPKI bin folder it should have orapki tool.

Open command prompt with orapki tool path and run below command to create a empty wallet.

orapki wallet create -wallet ewallet -auto_login -pwd Password@123

Now Import JKS into created empty wallet

orapki wallet jks_to_pkcs12 -wallet ewallet -pwd Password@123 -keystore D:\servertest.jks -jkspwd Password@123

See the example in below screenshot for creating wallet and importing JKS in wallet

Now that wallet has created Open Oracle wallet manager (OWM) and open the ewallet.p12 and save the wallet.

It should be in ready status.

Stay tuned for more blogs like this :)

ECC CSR GENERATION WITH OPENSSL

2021-07-28T13:20:00.004-07:00

Hello Everyone, Welcome to another blog on PKI404 about ECC CSR Generation with openssl. So let's start without any further due.

ECC CSR GENERATION WITH OPENSSL

First Step is to check curves and select as per your usage

openssl ecparam -list_curves

prime256v1 is fine

Now Follow the below steps.

if you have apache server installed then you may go to Apache/bin and use openssl tool else download from below Link

Download openssl - https://www.openssl.org/source/

Once download open in command prompt in administrator and go to openssl/bin and run below command

1. At the prompt, type the following command to generate an ECC private key using the OpenSSL ecparam tool to generate your .key file:

openssl ecparam -out server.key -name prime256v1 -genkey

Where server is the name of your server.

Note: Recommended ECC key size is 256-bit. If greater encryption strength is required, your other private key option is secp384r1.

2. Save (backup) the generated .key file, making sure to note its location. This private key is required later for ECC SSL Certificate installation.

3. Next, type the following command to generate a ECC certificate signing request (CSR):

For Linux

openssl req -new -key server.key -out server.csr -sha256

for winodows run in openssl bin folder with below command

openssl req -new -key server.key -out server.csr -sha256 -config openssl.cnf

Make Sure you copy openssl.cnf file from openssl directory to its bin folder in windows only.

Where server is the name of your server.

4. As you are prompted, enter the following information:

For fields that are not required, you can enter '.' and those fields will be left blank.

Country Name (2 letter code) [AU]: IN

Type the two letter code for the country where your company is legally located.

State or Province Name (full name) [Some-State]: Delhi

Type the name of the state or providence where your company is legally located.

Locality Name (eg, city) [ ]: New Delhi

Type the name of the city where your company is legally located.

Organization Name (eg, company) [PKI404 Pvt Ltd]: PKI404

Type your company's legally registered name.

Organizational Unit Name (eg, section) [ ]: IT

Type the name of the department within your organization that you want to appear on the ECC SSL Certificate.
Common Name (e.g. server FQDN) [ ]: www.pki404.com or *.pki404.com

Type the fully qualified domain name (i.e. www.example.com) for the site that you are securing.
Note: If you are generating CSR for a Wildcard SSL Certificate, your common name should start with an asterisk (e.g., *.example.com).

6. Now, open the .csr file with a text editor and copy the text of your CSR, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into order form. This is how your csr file looks.

-----BEGIN CERTIFICATE REQUEST-----MIICrTCCAZUCAQAwaDELMAkGA1UEBhMCSU4xDjAMBgNVBAgMBURlbGhpMRIwEAYD
VQQHDAlOZXcgRGVsaGkxEDAOBgNVBAoMB1BLSSA0MDQxCzAJBgNVBAsMAkNBMRYw
FAYDVQQDDA1QS0kgNDA0IFN1YkNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA+JiR6HoSazhUkeAye2TvVkQ/xOt+SmKvDizf47RI9oW3aeYNQKP4UGm3
FCa9JRuLoNyY72DSlXm0L3u7VUbvUQGF+sKkLV+dG80/r5M5UjZ2odQCQLi18Nt9
ilSwgVIFQjEZCMa+d4ts8vvUFfmbkBaM+Ce5Cu8mtQqcc8VcFnvPOTu8KCrJMrzh
U5cOIS05BpJnMae7lYxSK3zdDoecDH1VYV9vsKzyfqicOXVzm1tkw9WpDHLTvxQu
GgE9Gm7AIZitRmbTPh9cUZKbKqVNrh+8gmjx3LSk3p6JiHzJicqALRirowN9x6ot
iUxN+rkUsMc0LJ+a5bFHjBQ9PegbxwIDAQABoAAwDQYJKoZIhvcNAQELBQADggEB
AFw+Dtg/o8QGVusabLHAQ+3BK6SLWOXNN2od0LIyR3r4GgRwGnMzm1U7cyivKhp+
zyZi4kHO7d1V5Jhf3ICrtbKm41ci3f2UpIfoa3mPMw1h9SUc425m2oODNMCNbtpw
XkLp0VPpo12q6EkkYTwsxbUpX7yopmXx+GS5RQorw8O6YtjX0Hsuv1q210PHoTt+
0srpkeb51nHUhHMTOFgtsre9b+iG2jW0T6MX+W8ebTZPFERIkKqENayaCl7Xl98C
kxIWljG99gwjm+UqJrnFZfXlgO2BZbeov1yIZUE9UC1ntGwodxTXLwKjXLLgNFUk
a0GiMRo+C+Vm/uj12Grw894=
-----END CERTIFICATE REQUEST-----

Check csr content

For linux

openssl req -in serverecc.csr -noout -text

for windows

openssl req -in serverecc.csr -noout -text -config openssl.cnf

output in windows

Also read :- How to generate Rsa CSR with openssl

Stay tuned for more such blogs. See you in next one :)

Most common commands for openssl keytool sapgenpse orapki

2021-07-20T13:19:00.002-07:00

Hello Everyone!! Welcome to another exciting article by PKI404, In this article we will see most common command used in openssl for pfx and key files on apache and iis web servers , keytool for java based servers like jboss, tomcat etc , sapgenpse for sap servers , orapki for oracle wallet manager. So lets start without any further due.

Most common commands for openssl keytool sapgenpse orapki

Most Common Openssl Commands

To Generate CSR and Private key

openssl req -new -newkey rsa:2048 -sha256 -nodes -out domainname.csr -keyout privatekey.key

Convert PEM to DER:

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert DER to PEM:

openssl x509 -inform der -in certificate.der -out certificate.pem

Convert PEM/CRT to P7B:

openssl crl2pkcs7 -nocrl -certfile certificate.crt -out certificate.p7b -certfile CACert.crt

Convert P7B to PEM/CRT:

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt

Convert PEM/CRT & Private Key to PFX/P12:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Convert P7B to PFX: (first convert p7b to pem/crt from above commands then use below)

openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

Convert PFX to PEM/CRT and Private Key

openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes

OpenSSL command to remove private key password

To convert simple private to RSA private.key

openssl rsa -in file.key -out newfile.key

Create RSA Private Key from PFX (private key without any password)

openssl pkcs12 -in certificate.pfx -nocerts -nodes | openssl rsa -out newrsaprivatekey.key

To View CSR contents

openssl req -in mycsr.csr -noout -text

To view Certificate X509 contents (.cer/,crt/.pem files)

openssl x509 -in certificate.crt -text -noout

To Match private key, CSR and certificate (output of all three commands should be the same)

openssl pkey -in privateKey.key -pubout -outform pem | sha256sum

openssl x509 -in domaincertificate.cer -pubkey -noout -outform pem | sha256sum

openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum

openssl command print out md5 checksums of the certificate and key

openssl x509 -noout -modulus -in server.cer| openssl md5

openssl rsa -noout -modulus -in server.key| openssl md5

Most Common Java Keytool Commands

Generate a Java keystore and key pair:

keytool -genkey -alias mydomainname -keyalg RSA -keystore keystorefilename.jks -keysize 2048

Generate a certificate signing request (CSR) for an existing Java keystore:

keytool -certreq -alias mydomainname -keystore keystorefilename.jks -file mydomainname.csr

Generate a keystore and self-signed certificate:

keytool -genkey -keyalg RSA -alias selfsigned -keystore keystorefilename.jks -storepass password -validity 360 -keysize 2048

Certificate import commands in keystore: (.crt and .cer is same even .pem can be used)

Import a root CA certificate to an existing Java keystore:

keytool -import -trustcacerts -alias root -file root.cer -keystore keystorefilename.jks

Import a intermediate CA certificate to an existing Java keystore:

keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore keystorefilename.jks

Import a signed SSL primary certificate to an existing Java keystore:

keytool -import -trustcacerts -alias mydomainname -file mydomainname.crt -keystore keystorefilename.jks

Java Keytool Commands for Conversion:

If you need to change the type of keystore.

PFX keystore to JKS keystore:

keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore newjkskeystore.jks -deststoretype JKS

JKS keystore to PFX keystore:

keytool -importkeystore -srckeystore myjksfile.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore newpfxkeystore.pfx

To View JKS java keystore contents

Keytool -v -list -keystore keystorefilename.jks

For only Alias name and entries

Keytool -list -keystore keystorefilename.jks

Other Java Keytool Commands:

Delete a certificate from a Java Keytool keystore:

keytool -delete -alias mydomainname -keystore keystorefilename.jks

Change a Java keystore password:

keytool -storepasswd -new newstorepass -keystore keystorefilename.jks

Export a certificate from a keystore:

keytool -export -alias mydomainname -file mydomain.crt -keystore keystorefilename.jks

List Trusted CA Certs:

keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

Import New CA into Trusted Certs:

keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias mydomain -keystore $JAVA_HOME/jre/lib/security/cacerts

Most Common Sapgenpse commands

Create server PSE and certificate request using the following commands

sapgenpse get_pse <additional_options> -p <PSE_Name> -r <cert_req_file_name> -x <PIN> <Distinguished_Name>

For Example

sapgenpse get_pse -p SAPSSLS.pse -x abcpin -r abc.req " CN=Fully Qualified Domain Name, OU=dept. name, O=Organizational Name, SP=State and Province value, L=Locality value,C=ISO country code value".

Import Certificate Using SAPGENPSE

sapgenpse import_own_cert <Additional_options> -p <PSE_file> -c <Cert_file> [-r <RootCA_cert_file>] -x <PIN>

sapgenpse Commands for Conversion:

SAPGENPSE commands to import pfx file into pse .

sapgenpse import_p12 -r intermediate.crt -r root.crt -p SAPSSLS.pse certificate.pfx

SAPGENPSE commands to export pfx file through pse .

sapgenpse export_p12 -p D:\usr\sap\ABC\PKI404\sec\filename.pse D:\usr\sap\ABC\PKI404\sec\newfilename.p12

Import Certificate Using SAPGENPSE

sapgenpse import_own_cert <Additional_options> -p <PSE_file> -c <Cert_file> [-r <RootCA_cert_file>] -x <PIN>

Most Common commands for ORAPKI-OHS

ORACLE EWALLET(OHS)

Create an auto-login wallet and use the wallet:

orapki wallet create -wallet C:\Oracle\Middleware\ssl\ohs\eWallet -auto_login -pwd Oracle123

Create selfsigned certificate command :-

orapki wallet add -wallet C:\Oracle\Middleware\ssl\ohs\eWallet -dn "CN= www.pki404.com, OU=IT, O=PKI404 PVT LTD, L=New Delhi, ST=Delhi, C=IN" -keysize 2048 -pwd Oracle123 -validity 365

Export the CSR from the wallet:

Command: orapki wallet export -wallet C:\Oracle\Middleware\ssl\ohs\eWallet -dn "CN= www.pki404.com, OU=IT, O=PKI404 PVT LTD, L=New Delhi, ST=Delhi, C=IN" -request C:\Oracle\Middleware\ssl\ohs\filename.csr

Import CA Inter, CA Root, brownbag (ohs) certificates into the wallet

Command:

orapki wallet add -wallet C:\Oracle\Middleware\ssl\ohs\eWallet -pwd Oracle123 -trusted_cert -cert C:\Oracle\Middleware\ssl\CAInter.pem

Command:

orapki wallet add -wallet C:\Oracle\Middleware\ssl\ohs\eWallet -pwd Oracle123 -trusted_cert -cert C:\Oracle\Middleware\ssl\CARoot.pem

Command:

orapki wallet add -wallet C:\Oracle\Middleware\ssl\ohs\eWallet -pwd Oracle123 -user_cert -cert C:\Oracle\Middleware\ssl\ohs\pki404.pem

Using the jks file let us create a wallet:

Create an empty wallet with auto login:

C:\Oracle\Middleware\oracle_common\bin\orapki wallet create -wallet C:\Oracle\Middleware\ssl -auto_login -pwd Oracle123

Convert the jks to a wallet:

C:\Oracle\Middleware\oracle_common\bin\orapki wallet jks_to_pkcs12 -wallet C:\Oracle\Middleware\ssl\eWallet -pwd Oracle123 -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -jkspwd Oracle123

Stay tuned for more blogs:) Any suggestions are welcome on our social handles and comment section.

Create pfx PKCS12 using certificate and private key file in openssl for third party CA

2021-07-20T12:17:00.000-07:00

Hello Everyone, Welcome to another article where we will share step by step process to generate pfx PKCS12 using private key and certificate along with chain certificate for third party CA also for self sign certificates. So lets begin without any further due.

Create pfx PKCS12 using certificate and private key file for third party CA

First download openssl for windows here

https://www.openssl.org/source/

On Ubuntu

sudo apt update

sudo apt install build-essential checkinstall zlib1g-dev -y

On Centos first download Development tools and binaries

yum group install 'Development Tools'

yum install perl-core zlib-devel -y

Use below command to install openssl

wget https://www.openssl.org/source/openssl-1.0.2o.tar.gz

After that extract using below command

tar -xf openssl-1.0.2o.tar.gz

cd openssl-1.0.2o

In order to create pfx using private key and certificate you need below files handy.

For self signed certificates

1. Domain/Server certificate

2. Private key file

For Third party CA certificate

1. Domain/Server certificate

2. private key

3. Intermediate certificate

4. Root Certificate

To create pfx for self sign certificate use below command in openssl.

if it is linux use anywhere if windows then go to openssl/bin in command prompt and run below command after modifying the file names.

openssl pkcs12 -export -out certificate.pfx -inkey privatekey.key -in domain.cer

keep atleast 6 digit strong password

.cer or .crt both are same so use any of these even .pem also can be used as extension.

For Third party CA certificate.

First create chain bundle file by merging Intermediate and root certificate

On linux run command

cat intermediate.cer root.cer > chain.crt

it will export chain.crt

On Windows merge it by copy root certificate content under intermediate certificate in below order and save it as chain-bundle.cer

DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEYDCCA0igAwIBAgILBAAAAAABL07hRQwwDQYJKoZIhvcNAQEFBQAwVzELMAkG
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv

After chain bundle file is created use below command after modifying file names to create pfx, same command can be used on windows and linux.

openssl pkcs12 -export -out certificate.pfx -inkey privatekey.key -in domain.cer -certfile chain.cer

And keep any strong password atleast of 6 digit and it will export pfx file.

JBOSS WILDFLY SSL CONFIGURATION FOR FIRST TIME INSTALLATION

2021-07-09T09:50:00.012-07:00

Hello Everyone Welcome to another exciting blog where i walk you through step by step ssl configuration on jboss wildfly, so let's start without any further due.

JBOSS WILDFLY CONFIGURATION FOR FIRST TIME INSTALLATION

Install ssl on jboss wildfly.

Note: Take backup of original standalone.xml before moving towards configuration modification.

Create a complete JKS/Keystore file and then proceed with below changes.

Visit here to create JKS keystore file : How to create JKS keystore file.

1. Configure WildFly for HTTPS Connector

Navigate to $JBOSS_HOME/standalone/configuration directory and open the standalone.xml file.

Go to <management> element configuration

And Add below connector under <security-realm name="ApplicationRealm"> just before the <authentication> tag

<server-identities>

<ssl>

</ssl>

</server-identities>

After adding the entry it looks like below entry

Note: The <authentication> and <authorization> elements are mandatory.

Bonus Tip 😎: Make sure you place jks/keystore file in configuration folder and define keystore file without any path, similar to above screenshot. e.g path="yourjksfile.keystore"

Now that 1^st step is completed, Let’s move towards our next step.

1. Locate the "http-remoting-connector" and make sure it is there

<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>

It should be under

It will look like below highlighted area

If it is there that’s great then let’s move to the next step.

1. Locate the "https-listener" if unable to find then follow below steps to add one.

Add below line connector

<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>

Above connector needs to be placed under

<subsystem xmlns="urn:jboss:domain:undertow:3.1"> (values can be different as 3.0 or 3.1 etc here we have 3.1)

<buffer-cache name="default"/>

<server name="default-server">

<http-listener name="default" max-parameters="400000" max-post-size="1717986920" socket-binding="http" redirect-socket="https"/>

After placing the code it will look like below screenshot.

Lets move ahead with our 4^th option which is port configuration

1. Port Configuration

Navigate to $JBOSS_HOME/standalone/configuration directory and open the standalone.xml file.
Change the default WilfFly HTTPS port from 8443 to 443 under <socket-binding-group>:

c. <socket-binding-group name="standard-sockets" default-interface="public" ...>

d. <socket-binding name="http" port="80" />

e. <socket-binding name="https" port="443" />

f. ...

</socket-binding-group>

In my case I am using 8443, see the below screenshot.

Save the updated standalone.xml file.
Restart jboss-wildfly services to test the configuration.

Verify SSL Configuration

Type the following url into your browser:

https://IPaddress:443/eml/Login

If the your page Login screen is displayed, an SSL is successfully configured.

Stay tune for more such blogs :)

Create a JKS file java keystore for tomcat and jboss

2021-07-07T14:55:00.004-07:00

Hello Everyone, Welcome to another important blog post where i will walk you through step by step to generate jks (java keystore) file. Follow the below steps.

Create a JKS file java keystore for tomcat and jboss

We will be requiring below files to create JKS java keystore file in terms of third party CA.

1.Root certificate

2.Intermediate certificate

3.Domain certificate

4.Private key

merge intermediate and root to create chain file.

cat intermediate.cer root.cer > chain.crt

it will export chain.crt

In windows just copy the root certificate content and paste under intermediate one and make sure there is no space after -----End Certificate----- and save it as chain.crt

See the below example.

DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEYDCCA0igAwIBAgILBAAAAAABL07hRQwwDQYJKoZIhvcNAQEFBQAwVzELMAkG
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv

Now run below command to generate pfx in openssl. for windows run in openssl/bin make sure openssl.cnf is available in bin, if using apache/bin then copy openssl.cnf from conf directory and paste in bin directory.

For Windows

openssl pkcs12 -export -out certificate.pfx -inkey privatekey.key -in domain.crt -certfile chain.crt -config openssl.cnf

keep atleast 6 digit password.

For Linux

openssl pkcs12 -export -out certificate.pfx -inkey privatekey.key -in domain.crt -certfile chain.crt

keep atleast 6 digit password.

it will export pfx file.

now run below command to covert pfx to jks, if you have windows run in java/jdk or jre bin, if linux run anywhere.(Java must be installed to run the below command)

keytool -importkeystore -srckeystore certificate.pfx -srcstoretype pkcs12 -destkeystore certificate.jks -deststoretype JKS

give the same password as pfx else keystore won't work.

now import root and intermediate certificate also

run command

keytool -import -trustcacerts -alias intermediate –file intermediateCertFileName.crt -keystore certificate.jks

it will import intermediate cert

now for root cert

keytool -import -trustcacerts -alias root –file RootCertFileName.crt -keystore certificate.jks

after doing above steps verify the jks by running below command

keytool -v -list -keystore certificate.jks

Note the alias name for private key from output And also make sure private key entry chain length is 3 to avoid intermediate certificate error on browsers.

Generate csr on linux server using openssl

2021-07-04T08:34:00.009-07:00

Hello Everyone, Welcome to another blog where i'll walk you through step by step CSR generation process on Apache web server. So lets start without any further due.

Generate a CSR on a Linux server

At the command prompt, type the following and hit Return. Change the bit length (2048) to the appropriate bit length for the SSL issuer. Typically 2048 is sufficient.

General OpenSSL Commands

Step 1: Generate a Key Pair

The utility “openssl” is used to generate the key and CSR. This utility comes with theOpenSSL package and is usually installed under /usr/local/ssl/bin. If you have installed them elsewhere you will need to adjust these instructions appropriately.

Type the following command at the prompt:

• Generate a new private key and Certificate Signing Request

openssl req -out domain.csr -new -newkey rsa:2048 -nodes -keyout domainprivate.key

Fill out the requested information below. For the State, use the full name not an abbreviation. The Organization Name should be a publicly verifiable name (such as is listed on bank statements, bills, taxes, etc). The common name is the domain for which the SSL is being issued. For example, if you're ordering an SSL for domain.com, then the name would be domain.com. If you're ordering an SSL for www.domain.com, then the name would be www.domain.com, for wildcard certificate use *.domain.com

You may chose to leave the email address and challenge password blank by simply hitting return when prompted.

Generating a 2048 bit RSA private key

...........+++

.............................+++

writing new private key to 'private.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) :IN

State or Province Name (full name):Delhi

Locality Name (eg, city:New Delhi

Organization Name (eg, company) [My Company Ltd]:My Company Name (e.g. PKI404)

Organizational Unit Name (eg, section) []:Security

Common Name (eg, your name or your server's hostname) []:www.domain.com (e.g www.pki404.com)

Email Address []: Not Required(do not enter anything)

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []: Not Required(do not enter anything)

An optional company name []: Not Required(do not enter anything)

Once the form is filled out, two files will be created in the directory in which the command was run one will be domain.csr and other domainprivate.key. The file domain.csr has the CSR for the SSL which will need to provide to the SSL issuer.

Stay tuned for more such blogs. :)

Apache Tomcat ssl installation steps

2021-07-04T08:03:00.003-07:00

Hello Everyone, Welcome to another blog where i'll walk you through step by step ssl certificate installation on Apache Tomcat server. So lets start without any further due.

Apache Tomcat ssl installation steps

Tomcat SSL Installation Instructions

Download your certificate files from your certificate authority and save them to the same directory as the keystore that you created during the CSR creation process. The certificate will only work with the same keystore that you initially created the CSR with. The certificates must be installed to your keystore in the correct order.

Install the Root Certificate file in java keystore: Every time you install a certificate to the keystore you must enter the keystore password that you chose when you generated it. Enter the following command to install the Root certificate file:

keytool -import -trustcacerts -alias root –file RootCertFileName.crt

-keystore yourdomain.jks

Install the Intermediate Certificate file in java keystore: If your certificate authority provided an intermediate certificate file, you will need to install it here by typing the following command:

keytool -import -trustcacerts -alias intermediate -file

IntermediateCertFileName.crt -keystore yourdomain.jks

If successful, you will see "Certificate was added to keystore".

Install the Primary Certificate file in java keystore: Type the following command to install the Primary certificate file (for your domain name):

keytool -import -trustcacerts -alias tomcat -file

PrimaryCertFileName.crt -keystore yourdomain.jks

If successful, you will see "Certificate reply was installed in keystore". You now have all the certificates installed to the keystore file. You just need to configure your server to use the keystore file.

Configuring your SSL Connector

Tomcat will first need an SSL Connector configured before it can accept secure connections.

1. Open the Tomcat server.xml file in a text editor (this is usually located in the conf folder of your Tomcat's home directory).

2. Find the connector that will be secured with the new keystore and uncomment it if necessary (it is usually a connector with port 443 or 8443 like the example below).

3. Specify the correct keystore filename and password in your connector configuration. When you are

Note: If you are using version 7 of Tomcat you will need to change "keypass" to "keystorePass".

4. Save your changes to the server.xml file.

5. Restart Tomcat.

That's it for now, Hope this has helped you. Stay tuned for more.

Don't forget to bookmark this page for your future references. :)

Apache Tomcat CSR generation steps

2021-07-04T07:57:00.003-07:00

Hello Everyone, Welcome to another blog where i'll walk you through step by step CSR generation on Apache Tomcat server. So lets start without any further due.

Apache Tomcat CSR generation steps

CSR GENERATION STEPS:-

Step A -- Create a new Keystore

1. You will be using the keytool command to create your new key-CSR pairing. Enter the following:

keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore yourdomain.jks

'Yourdomain' is the name of the domain you are securing. However, if you are ordering a Wildcard Certificate, do not include * in the beginning of the filename as this is not a valid filename character.

2. You will be prompted for the DN information. Please note: when it asks for first and last name, this is not YOUR first and last name, but rather your domain name and extension(i.e., www.yourdomain.com). If you are ordering a Wildcard Certificate this must begin with *. (example: *.domain.com)

3. Confirm that the information is correct by entering 'y' or 'yes' when prompted. Next you will be asked for your password to confirm. Make sure to remember the password you choose.

Step B -- Generate your CSR with your new keystore

1. Next, use keytool to actually create the Certificate Signing Request. Enter the following:

keytool -certreq -alias server -keyalg RSA -file yourdomain.csr -keystore yourdomain.jks

Again, 'yourdomain' is the name of the domain you are securing. (without the * character if you are ordering a Wildcard Certificate).

2. Enter the keystore password.

3. Then the SSL Certificate CSR file is created. Open the CSR with a text editor, and copy and paste the text (including the BEGIN and END tags) into the Certificate Authority web order form.

Hope you have generated CSR without any issue, Now follow the next step for ssl installation

Also read : Apache Tomcat ssl installation steps

File base authentication in Tomcat with .well-known directory on windows

2021-07-02T07:26:00.003-07:00

Hi Everyone, today i'll walk you through step by step to create http file base authentication on tomcat windows for Certificate Authority domain Validation. So let's begin without wasting anymore time.

File base authentication on Tomcat with .well-known directory on windows

When uploading/creating the folder/file to Tomcat, please keep in mind that the file should be accessible via the standard ports - 80 (for a non-secure connection) or 443 (for a secure one).

Domain url needs be accessed publicly same as below

http://domain.com/.well-known/pki-validation/filename.txt

By default, Tomcat uses the 8080 and 8443 ports, respectively.

If the file will be accessible via the default Tomcat ports 8080 and 8443 only, the validation will not be completed.

The document root folder for the website on Tomcat can be found in the ‘server.xml’ file in the following line:

<Context path="/" docBase="/some/full/path/to/document/root/folder" />

Usually, the server root folder is located in the folder set under the variable $CATALINA_HOME or webapps and the document root folder for the website is set to the particular folder under the server root folder.

You can create the ‘.well-known’ and ‘pki-validation’ folders for placing the validation file using the command line with command like mkdir from command prompt in same folder as .well-known folder can not be created by clicking on create folder

open command prompt in root folder and type

mkdir .well-known as dot(.) file can not be created with GUI.

rest folders like pki-validation can be created from GUI and so as empty txt file and then paste the random value inside txt file.

so the url becomes http://domain.com/.well-known/pki-validation/filename.txt followed by random value/meta tag in txt file. url should be publicly accessible on default 80 or 443 port displaying the value on browser.

Incase url is not acessible from outside check ports open status from firewall.

Should you have any queries then please write them in comments and will be happy to answer.

Stay tuned for more blogs. :

PKI404

How to fix "One or More of the Object's Properties Are Missing or Invalid"

One or More of the Object's Properties Are Missing or Invalid

How to import CRL into MMC

OPENSSL MOST USEFUL COMMANDS IN PKI

OPENSSL MOST USEFUL COMMANDS

1. To Generate CSR and Private key

Generate CSR and Private key from one commandopenssl req -new -newkey rsa:2048 -nodes -out domainname.csr -keyout privatekey.key -subj "/C=IN/ST=Delhi/L=New Delhi/O=PKI404/OU=PKI/CN=www.pki404.com"

2. To Generate CSR and Encrypted Private key

3.Convert PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

4.Convert DER to PEM

openssl x509 -inform der -in certificate.der -out certificate.pem

5.Convert PEM/CRT to P7B

openssl crl2pkcs7 -nocrl -certfile certificate.crt -out certificate.p7b -certfile CACert.crt

6.Convert P7B to PEM/CRT

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt

7.Convert PEM/CRT & Private Key to PFX/P12

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

8.Convert P7B to PFX: (first convert p7b to pem/crt from above commands then use below)

openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

9.Convert PFX to PEM/CRT and Private Key

openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes10.OpenSSL command to remove private key password

openssl rsa -in file.key -out newfile.key11.convert simple private to RSA private key

openssl rsa -in normal.key -out newrsa.key12.Create RSA Private Key from PFX (private key without any password)

openssl pkcs12 -in certificate.pfx -nocerts -nodes | openssl rsa -out newrsaprivatekey.key13.View CSR contentsopenssl req -in mycsr.csr -noout -text

14.View Certificate X509 contents (.cer/,crt/.pem files)openssl x509 -in certificate.crt -text -noout15.To Match private key, CSR and certificate (output of all three commands should be the same)

openssl pkey -in privateKey.key -pubout -outform pem | sha256sumopenssl x509 -in domaincertificate.cer -pubkey -noout -outform pem | sha256sumopenssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum

16.openssl command print out md5 checksums of the certificate and key

openssl x509 -noout -modulus -in server.cer| openssl md5openssl rsa -noout -modulus -in server.key| openssl md517.Check which certificate is installed on 443 or 8443 port on serveropenssl s_client -connect localhost:443For TLS 1.1, 1.2,1.3 check (tls1_1, tls1_2, tls1_3)

openssl s_client -connect localhost or www.pki404.com:443 -tls1_2

18. Check installed SSL certificate on server with validityopenssl s_client -connect localhost:443 -showcerts | openssl x509 -noout -dates19.Check SSL status without any CA issuer error

openssl s_client -connect localhost:443 -CApath /etc/ssl/certs/

22.Generate a CSR for an Existing Certificate and Private Keyopenssl x509 -x509toreq -in certificatename.crt -out csrfilename.csr -signkey privatekeyname.key

23.Encrypt an Unencrypted Private Keyopenssl rsa -des3 -in unencryptedfilename.key -out encryptedfilename.key

24.Decrypt an Encrypted Private Keyopenssl rsa -in encryptedfilename.key -out decryptedfilename.key

25.Generate ECC/ECDSA CSRFirst Generate private keyopenssl ecparam -out server.key -name prime256v1 -genkey

For ECC/ECDSA

openssl x509 -in pki404ecc.crt -pubkey | openssl ec -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

29.Check certificate hashopenssl x509 -noout -hash -in server.crt30.Check certificate issuer hashopenssl x509 -noout -issuer -issuer_hash -in server.crt31.Check openssl versionopenssl version -a32.Openssl encryption and decryption test with plain.txt cipher.txt

echo 'my message' > plain.txtEncrypt plain text to cipher textopenssl enc -k yourpassword -aes256 -base64 -e -in plain.txt -out cipher.txtcat cipher.txtDecrypt cipher text to plain textopenssl enc -k yourpassword -aes256 -base64 -d -in cipher.txt -out plain.txtcat plain.txt

CREATE CSR AND COMPLETE SSL TLS CERTIFICATE REQUEST RESPONSE IN IIS

CREATE CSR AND COMPLETE SSL TLS CERTIFICATE REQUEST RESPONSE IN IIS

Install Your SSL Certificate

IMPORT INTERMEDIATE AND ROOT CERTIFICATE IN MMC

IMPORT THE INTERMEDIATE AND ROOT CERTIFICATE IN MMC

Import Intermediate Certificate using MMC

1. Open MMC

2. Access Add or Remove Snap-Ins

3. Select Add

4. Select ‘Computer Account’

5. Select ‘Local Computer’

6. ‘Certificates (Local Computer)’

7. Import Intermediate

8. Locate your Intermediate in the Certificate Import Wizard

9. Automatically select the certificate store based on the type of certificate.

10. Finish

Import Root Certificate using MMC

INSTALL SSL ON EXHANGE SERVER 2013 - 2016 VIA IIS

INSTALL SSL ON EXHANGE SERVER 2013 - 2016 VIA IIS

Install Your SSL Certificate

Import Intermediate Certificate using MMC

1. Open MMC

To open MMC (Microsoft Management Console), go to Run (Win+R), type mmc & click OK

2. Access Add or Remove Snap-Ins

In MMC, click on File & select the option ‘Add/Remove Snap-in’

3. Select Add

In the window ‘Add/Remove Snap-ins,’ select the ‘Certificates’ option and click on the ‘Add’ button

4. Select ‘Computer Account’

5. Select ‘Local Computer’

This will indicate what the snap-in will manage

6. ‘Certificates (Local Computer)’

This will have been selected automatically. Click ‘OK’ to add in console

7. Import Intermediate

For importing the Intermediate Certificate, right click on the ‘Intermediate Certification Authorities’ and then go to All Tasks > Import

8. Locate your Intermediate in the Certificate Import Wizard

Browse for your Intermediate Certificate on your Machine. Click on Next

9. Automatically select the certificate store based on the type of certificate.

10. Finish

Click Finish, as certificate has been imported

Generate CSR and Private key from one command

openssl req -new -newkey rsa:2048 -nodes -out domainname.csr -keyout privatekey.key -subj "/C=IN/ST=Delhi/L=New Delhi/O=PKI404/OU=PKI/CN=www.pki404.com"

openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes

10.OpenSSL command to remove private key password

openssl rsa -in file.key -out newfile.key
11.convert simple private to RSA private key

openssl rsa -in normal.key -out newrsa.key

12.Create RSA Private Key from PFX (private key without any password)

openssl pkcs12 -in certificate.pfx -nocerts -nodes | openssl rsa -out newrsaprivatekey.key

13.View CSR contents
openssl req -in mycsr.csr -noout -text

14.View Certificate X509 contents (.cer/,crt/.pem files)

openssl x509 -in certificate.crt -text -noout

15.To Match private key, CSR and certificate (output of all three commands should be the same)

openssl pkey -in privateKey.key -pubout -outform pem | sha256sum
openssl x509 -in domaincertificate.cer -pubkey -noout -outform pem | sha256sum
openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum

openssl x509 -noout -modulus -in server.cer| openssl md5
openssl rsa -noout -modulus -in server.key| openssl md5
17.Check which certificate is installed on 443 or 8443 port on server

openssl s_client -connect localhost:443

For TLS 1.1, 1.2,1.3 check (tls1_1, tls1_2, tls1_3)

18. Check installed SSL certificate on server with validity

openssl s_client -connect localhost:443 -showcerts | openssl x509 -noout -dates

19.Check SSL status without any CA issuer error

22.Generate a CSR for an Existing Certificate and Private Key

openssl x509 -x509toreq -in certificatename.crt -out csrfilename.csr -signkey privatekeyname.key

23.Encrypt an Unencrypted Private Key

openssl rsa -des3 -in unencryptedfilename.key -out encryptedfilename.key

24.Decrypt an Encrypted Private Key

openssl rsa -in encryptedfilename.key -out decryptedfilename.key

25.Generate ECC/ECDSA CSR

First Generate private key

openssl ecparam -out server.key -name prime256v1 -genkey

29.Check certificate hash

openssl x509 -noout -hash -in server.crt

30.Check certificate issuer hash

openssl x509 -noout -issuer -issuer_hash -in server.crt

31.Check openssl version

openssl version -a

32.Openssl encryption and decryption test with plain.txt cipher.txt

echo 'my message' > plain.txt

Encrypt plain text to cipher text

openssl enc -k yourpassword -aes256 -base64 -e -in plain.txt -out cipher.txt

cat cipher.txt

Decrypt cipher text to plain text

openssl enc -k yourpassword -aes256 -base64 -d -in cipher.txt -out plain.txt

cat plain.txt