Monday, June 10, 2024
How to fix "One or More of the Object's Properties Are Missing or Invalid"
One or More of the Object's Properties Are Missing or Invalid
Monday, May 27, 2024
How to import CRL into MMC
Please Open the MMC (Start > Run > MMC).
- Go to File > Add / Remove Snap In
- Double Click Certificates
- Select Computer Account.
- Select Local Computer > Finish
- Click OK to exit the Snap-In window.
- Click [+] next to Certificates > Trusted root certification authorities
- Right click on folder and select All Tasks > Import
- Click Next
- Click Browse
- Select the .crl you would like to import. Click Open.
- Click Next
- Select Automatically select the certificate store based on the type of certificate.
- Click Finish & OK
Kindly perform same once for Intermediate certification authorities folder instead of trusted root certification authorities.
If you have closed the MMC, then please follow the above steps from 1-5 then continue the below steps.
- Now Click [+] next to Certificates > Intermediate certification authorities
- Right click on folder and select All Tasks > Import
- Click Next
- Click Browse
- Select the .crl you would like to import. Click Open.
- Click Next
- Select Automatically select the certificate store based on the type of certificate.
- Click Finish & OK
Saturday, December 11, 2021
OPENSSL MOST USEFUL COMMANDS IN PKI
Hello Everyone!! Welcome to another exciting article by PKI404, In this article we will see most common command used in openssl for pfx and key files on apache and other web servers So lets start without any further due.
OPENSSL MOST USEFUL COMMANDS
1. To Generate CSR and Private key
Generate CSR and Private key from one command
openssl req -new -newkey rsa:2048 -nodes -out domainname.csr -keyout privatekey.key -subj "/C=IN/ST=Delhi/L=New Delhi/O=PKI404/OU=PKI/CN=www.pki404.com"
2. To Generate CSR and Encrypted Private key
3.Convert PEM to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
4.Convert DER to PEM
openssl x509 -inform der -in certificate.der -out certificate.pem
5.Convert PEM/CRT to P7B
openssl crl2pkcs7 -nocrl -certfile certificate.crt -out certificate.p7b -certfile CACert.crt
6.Convert P7B to PEM/CRT
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt
7.Convert PEM/CRT & Private Key to PFX/P12
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
8.Convert P7B to PFX: (first convert p7b to pem/crt from above commands then use below)
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
9.Convert PFX to PEM/CRT and Private Key
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
10.OpenSSL command to remove private key password
openssl rsa -in file.key -out newfile.key
11.convert simple private to RSA private keyopenssl rsa -in normal.key -out newrsa.key
12.Create RSA Private Key from PFX (private key without any password)
openssl pkcs12 -in certificate.pfx -nocerts -nodes | openssl rsa -out newrsaprivatekey.key
13.View CSR contents
openssl req -in mycsr.csr -noout -text
14.View Certificate X509 contents (.cer/,crt/.pem files)
openssl x509 -in certificate.crt -text -noout
15.To Match private key, CSR and certificate (output of all three commands should be the same)
openssl pkey -in privateKey.key -pubout -outform pem | sha256sum
openssl x509 -in domaincertificate.cer -pubkey -noout -outform pem | sha256sum
openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum
16.openssl command print out md5 checksums of the certificate and key
openssl x509 -noout -modulus -in server.cer| openssl md5
openssl rsa -noout -modulus -in server.key| openssl md5
17.Check which certificate is installed on 443 or 8443 port on serveropenssl s_client -connect localhost:443
For TLS 1.1, 1.2,1.3 check (tls1_1, tls1_2, tls1_3)
openssl s_client -connect localhost or www.pki404.com:443 -tls1_2
18. Check installed SSL certificate on server with validity
openssl s_client -connect localhost:443 -showcerts | openssl x509 -noout -dates
19.Check SSL status without any CA issuer error
openssl s_client -connect localhost:443 -CApath /etc/ssl/certs/
20.Generate a Self-Signed Certificate from an Existing Private Key and CSR
openssl x509 -signkey private.key -in csrfilename.csr -req -days 365 -out certificate.crt
21.Generate a Self-Signed Certificate for 365 days
openssl req -newkey rsa:2048 -nodes -keyout newprivate.key-x509 -days 365 -out selfsigncertificate.crt
22.Generate a CSR for an Existing Certificate and Private Key
openssl x509 -x509toreq -in certificatename.crt -out csrfilename.csr -signkey privatekeyname.key
23.Encrypt an Unencrypted Private Key
openssl rsa -des3 -in unencryptedfilename.key -out encryptedfilename.key
24.Decrypt an Encrypted Private Key
openssl rsa -in encryptedfilename.key -out decryptedfilename.key
25.Generate ECC/ECDSA CSR
First Generate private key
openssl ecparam -out server.key -name prime256v1 -genkey
Next command to generate CSR using the private key
openssl req -new -key server.key -out server.csr -sha256
26.View PKCS12/pfx/p12 information
openssl pkcs12 -info -in filename.pfx
27.Check Private key status
openssl rsa -in privatekeyname.key -check
28.Check certificate public key fingerprint (Public key SHA256 in Base64 format)for pinning for RSA certificate
openssl x509 -in pki404rsa.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
For ECC/ECDSA
openssl x509 -in pki404ecc.crt -pubkey | openssl ec -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
29.Check certificate hash
openssl x509 -noout -hash -in server.crt
30.Check certificate issuer hash
openssl x509 -noout -issuer -issuer_hash -in server.crt
31.Check openssl version
openssl version -a
32.Openssl encryption and decryption test with plain.txt cipher.txt
echo 'my message' > plain.txt
Encrypt plain text to cipher text
openssl enc -k yourpassword -aes256 -base64 -e -in plain.txt -out cipher.txt
cat cipher.txt
Decrypt cipher text to plain text
openssl enc -k yourpassword -aes256 -base64 -d -in cipher.txt -out plain.txt
cat plain.txt
Wednesday, August 18, 2021
CREATE CSR AND COMPLETE SSL TLS CERTIFICATE REQUEST RESPONSE IN IIS
Hi Everyone, Welcome to another exciting article by PKI404. Please follow the below steps thoroughly to Create CSR in IIS and complete the request response from CA.
CREATE CSR AND COMPLETE SSL TLS CERTIFICATE REQUEST RESPONSE IN IIS
1. Open Internet Information Services (IIS) Manager
Click Start, Control Panel, System and Security, Administrative Tools, and then select Internet Information Services (IIS) Manager.
OR
Open Run - type - inetmgr
2. Select the server where you want to generate the certificate
In the left Connections menu, select the server name (host) where you want to generate the request.
3. Navigate to Server Certificates
In the center menu, click the Server Certificates icon under the Security section near the bottom.
4. Select Create a New Certificate
In the right Actions menu, click Create Certificate Request.
5. Enter your CSR details
In the Distinguished Name Properties window, enter in the required CSR details and then click Next.
Note: To avoid common mistakes when filling out your CSR details, for wildcard use *.domain.com
6. Select a cryptographic service provider and bit length
In the Cryptographic Service Provider Properties window, select Microsoft RSA SChannel Cryptographic Provider and Bit Length of 2048, then click Next.
Note: Bit Length: 2048 is the current industry standard. You may choose a larger key size, but only if you have a requirement to do so, as longer key lengths increase latency and may reduce compatibility.
7. Save the CSR
Click Browse to specify the location where you want to save the CSR as a “.txt” file and click Finish.
8. Generate the Order
Locate and open the newly created CSR from the specified location you choose in a text editor such as Notepad and copy all the text including:
-----BEGIN CERTIFICATE REQUEST-----
And
-----END CERTIFICATE REQUEST-----
Submit the CSR to Certificate Authority once you receive the SSL certificate follow the below steps.
Install Your SSL Certificate
1. On the server where you created the CSR, save the SSL certificate .cer file (e.g., your_domain_com.cer) that you received from your CA.
2. Open Internet Information Services (IIS) Manager (click Start > Administrative Tools > Internet Information Services (IIS) Manager).
3. In the Connections pane, locate and click the server.
4. In the server Home page (center pane) under the IIS section, double-click Server Certificates.
5. In the Actions menu (right pane), click Complete Certificate Request.
6. In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, provide the following information:
CA's response file:
Click the … button to locate the .cer file you received from CA
(e.g., your_domain_com.cer).
Friendly name:
Type a friendly name for the certificate. This is not part of the certificate; instead, it is used to identify the certificate.
Note: We recommend that you add the issuing CA (e.g., Globalsign) and the expiration date to the end of your friendly name; for example, yoursite-globalsign-(expiration date). Doing this helps identify the issuer and expiration date for each certificate and also helps distinguish multiple certificates with the same domain name.
7. Click OK to install the certificate.
IMPORT INTERMEDIATE AND ROOT CERTIFICATE IN MMC
Hello Everyone, Welcome to another article by PKI404 for importing Intermediate and root certificate in MMC. Follow the steps below
IMPORT THE INTERMEDIATE AND ROOT CERTIFICATE IN MMC
Import Intermediate Certificate using MMC
1. Open MMC
To open MMC (Microsoft Management Console), go to Run (Win+R), type mmc & click OK
2. Access Add or Remove Snap-Ins
In MMC, click on File & select the option ‘Add/Remove Snap-in’
3. Select Add
In the window ‘Add/Remove Snap-ins,’ select the ‘Certificates’ option and click on the ‘Add’ button
4. Select ‘Computer Account’
7. Import Intermediate
For importing the Intermediate Certificate, right click on the ‘Intermediate Certification Authorities’ and then go to All Tasks > Import
8. Locate your Intermediate in the Certificate Import Wizard
Browse for your Intermediate Certificate on your Machine. Click on Next
9. Automatically select the certificate store based on the type of certificate.
10. Finish
Click Finish, as certificate has been imported
Import Root Certificate using MMC
To import Root Certificates through MMC (Windows Microsoft Management Console), you must go through same process. Instead of right-clicking on ‘Intermediate Certification Authorities,’ right-click on the ‘Trusted Root Certification Authorities’ and go to All Tasks > Import. The rest of the steps (steps 8 – 10) are the same for Root certificate.
INSTALL SSL ON EXHANGE SERVER 2013 - 2016 VIA IIS
Hi Everyone, Welcome to another exciting article by PKI404. Please follow the below steps thoroughly to install ssl on Exchange server via IIS.
INSTALL SSL ON EXHANGE SERVER 2013 - 2016 VIA IIS
1. Open Internet Information Services (IIS) Manager
Click Start, Control Panel, System and Security, Administrative Tools, and then select Internet Information Services (IIS) Manager.
OR
Open Run - type - inetmgr
2. Select the server where you want to generate the certificate
In the left Connections menu, select the server name (host) where you want to generate the request.
3. Navigate to Server Certificates
In the center menu, click the Server Certificates icon under the Security section near the bottom.
4. Select Create a New Certificate
In the right Actions menu, click Create Certificate Request.
5. Enter your CSR details
In the Distinguished Name Properties window, enter in the required CSR details and then click Next.
Note: To avoid common mistakes when filling out your CSR details, for wildcard use *.domain.com
6. Select a cryptographic service provider and bit length
In the Cryptographic Service Provider Properties window, select Microsoft RSA SChannel Cryptographic Provider and Bit Length of 2048, then click Next.
Note: Bit Length: 2048 is the current industry standard. You may choose a larger key size, but only if you have a requirement to do so, as longer key lengths increase latency and may reduce compatibility.
7. Save the CSR
Click Browse to specify the location where you want to save the CSR as a “.txt” file and click Finish.
8. Generate the Order
Locate and open the newly created CSR from the specified location you choose in a text editor such as Notepad and copy all the text including:
-----BEGIN CERTIFICATE REQUEST-----
And
-----END CERTIFICATE REQUEST-----
Submit the CSR to Certificate Authority once you receive the SSL certificate follow the below steps.
Install Your SSL Certificate
1. On the server where you created the CSR, save the SSL certificate .cer file (e.g., your_domain_com.cer) that you received from your CA.
2. Open Internet Information Services (IIS) Manager (click Start > Administrative Tools > Internet Information Services (IIS) Manager).
3. In the Connections pane, locate and click the server.
4. In the server Home page (center pane) under the IIS section, double-click Server Certificates.
5. In the Actions menu (right pane), click Complete Certificate Request.
6. In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, provide the following information:
CA's response file:
Click the … button to locate the .cer file you received from CA
(e.g., your_domain_com.cer).
Friendly name:
Type a friendly name for the certificate. This is not part of the certificate; instead, it is used to identify the certificate.
Note: We recommend that you add the issuing CA (e.g., Globalsign) and the expiration date to the end of your friendly name; for example, yoursite-globalsign-(expiration date). Doing this helps identify the issuer and expiration date for each certificate and also helps distinguish multiple certificates with the same domain name.
7. Click OK to install the certificate.
Import Intermediate Certificate using MMC
1. Open MMC
2. Access Add or Remove Snap-Ins
3. Select Add
4. Select ‘Computer Account’
5. Select ‘Local Computer’
6. ‘Certificates (Local Computer)’
7. Import Intermediate
8. Locate your Intermediate in the Certificate Import Wizard
9. Automatically select the certificate store based on the type of certificate.
You will be prompted to the window where you can place the certificate in Certificate Store. Leave without making any changes. If you have PKCS7 file with several certificates in it, you can go with ‘Automatically select the certificate store based on the type of certificate.’ Lastly, click on Next.
10. Finish
Import Root Certificate using MMC
To import Root Certificates through MMC (Windows Microsoft Management Console), you must go through same process. Instead of right-clicking on ‘Intermediate Certification Authorities,’ right-click on the ‘Trusted Root Certification Authorities’ and go to All Tasks > Import. The rest of the steps (steps 8 – 10) are the same for Root certificate.
To import Root Certificates through MMC (Windows Microsoft Management Console), you must go through same process. Instead of right-clicking on ‘Intermediate Certification Authorities,’ right-click on the ‘Trusted Root Certification Authorities’ and go to All Tasks > Import. The rest of the steps (steps 8 – 10) are the same for Root certificate.
Enable the certificate by going back to the certificate section of the Exchange Admin, click on the edit button for highlighted installed certificate from IIS.
§ Your SSL certificate is finally installed and
ready to use.
Thats All for now stay tuned for more such articles :)
HOW TO CONVERT JKS TO WALLET USING ORAPKI
Hello Everyone!! Welcome to another blog by PKI404 where i will walk you through how to create JKS file then JKS (Java keystore) to wallet for oracle wallet manager. So let's start without any further due.
1. First step is to create a pfx and then p12 file or directly create p12 file.
See steps here : How to create pfx file
openssl pkcs12 -in ewallet.pfx -out ewallet.pem
then pem to p12
openssl pkcs12 -export -in ewallet.pem -out ewallet.p12
-name "server"
Keep the password : Password@123
2. Now Convert pfx to JKS
See here : How to create JKS file
Use the below command to create pfx to JKS file.
In windows open /Program files/ JAVA/ JDK/JRE /bin in Admin command prompt and run below command
keytool -importkeystore -srckeystore "C:\Users\pki404\Desktop\ewallet.p12" -srcstoretype pkcs12 -destkeystore C:\Users\pki404\Desktop\certificate.jks" -deststoretype JKS
In Linux run the command anywhere to convert P12/pfx to JKS
3. Now open ORAPKI bin folder it should have orapki tool.
Open command prompt with orapki tool path and run below command to create a empty wallet.
orapki wallet create -wallet ewallet -auto_login -pwd
Password@123
Now Import JKS into created empty wallet
orapki wallet jks_to_pkcs12 -wallet ewallet -pwd Password@123 -keystore D:\servertest.jks -jkspwd Password@123
See the example in below screenshot for creating wallet and importing JKS in wallet
Now that wallet has created Open Oracle wallet manager (OWM) and open the ewallet.p12 and save the wallet.
It should be in ready status.
Stay tuned for more blogs like this :)