
How to get and install certificates?

(using X.509 certificates, in brief)

Contents:

Accept Domino CA Authority in a browser or ...

1.) Browse to the "Domino Certificate Authority application" (URL/address http://YOUSITE/dca.nsf)
2.) Select "Accept This Authority In Your Browser:" from left frame
3.) ...

Netscape:

Click on the link "Accept This Authority in Your Browser".
The server displays a dialog box asking whether you want to accept the site certificate. Accept it if you want to trust this authority.

Netscape 4.x
Manage CA certificates from menu "Communicator"->"Tools"->"Security Info" and select "Signers".
Note: the missing features are "Import From File" and "Certificate Revocation List" support.
Netscape 6.x/7.x, Mozilla 0.9x/1.x, SeaMonkey
Select from menu "Edit"->"Preferences", expand "Privacy & Security", select "Certificates", press "Manage Certificates", select "Authorities"
Note: "Import From File" is missing in versions based on source before Mozilla 1.3 (Gecko/20030313).
Firefox
Select from menu "Edit"->"Preferences", click on the "Advanced" icon, click on the "Encryption" tab, press "View Certificates", select "Authorities".

Internet Explorer (MS-IE):

Click on the link "Accept This Authority in Your Browser".
MS-IE shows a dialog box asking whether to open or save the file CAOut.cer from "YOUSITE".
1.1.) Select open and ...
1.2.) Select save. Find the saved file and ...
1.2.1.) ... double click on it ...
... a new dialog box appears, press [Install Certificate] ...
1.2.2.) ... or press the right mouse button and select "Install Certificate" ...
2.) ... Follow the instructions of the "Certificate Import Wizard".

Opera:

- Opera 5.x - upgrade to next major version
- Opera 6.x/7.x/8.x/9.x/10.x/11.x/12.x
Click on the link "Accept This Authority in Your Browser". The server displays a dialog box asking whether you want to accept the site certificate. Accept it if you want to trust this authority.
Manage CA certificates from menu ...
  • Opera 6.x
    "File"->"Preferences"->"Security" and click on "Authorities" ...
  • Opera 7.x
    "Tools"->"Preferences", select "Security", click on "Manage Certificates" and select tab "Authorities" ...
  • Opera 8.x/9.x/10.x
    "Tools"->"Preferences", select tab "Advanced", select "Security", click on "Manage Certificates" and select tab "Authorities" ...
  • Opera 11.x/12.x
    The menu item is "Settings" instead of "Tools"

OpenSSL:

Download the "CA certificate" file from the link "Accept This Authority in Your Browser". Find "OPENSSLDIR" in your OpenSSL installation. Usually it is /etc/ssl, /usr/ssl or /usr/local/ssl. This directory contains the file openssl.cnf and the subdirectories "certs", "private" and others.
The default OpenSSL directory of trusted certificates is "OPENSSLDIR"/certs. The certificates should have names of the form <HASH>.<NUM>, where <HASH> is the certificate hash (see the -hash option of the openssl x509 utility) and <NUM> is an integer starting from zero. Go to the directory "OPENSSLDIR"/certs.
Suppose the "CA certificate" file is skalasoft-CAOut.crt. Get the certificate hash value and note it:

# openssl x509 \
  -in /path_to_file/skalasoft-CAOut.crt \
  -inform DER \
  -noout -hash
NNNNNNNNNN

Convert the CA certificate from DER to PEM format and store it under the name <HASH>.<NUM>. If that file name already exists, increment <NUM>. Use the command:

# openssl x509 \
  -in /path_to_file/skalasoft-CAOut.crt \
  -inform DER \
  -out <HASH>.<NUM>

Sample directory content:

root@demo:/etc/ssl/certs# ls -l
total ...
... 09478a96.0

Tip: Most users want human-readable file names. In this case store the PEM file under a human-readable name and make <HASH>.<NUM> a symbolic link to it.
Sample directory content:

root@demo:/etc/ssl/certs# ls -l
total ...
... 09478a96.0 -> skalasoft-CAOut.pem
... skalasoft-CAOut.pem

Note: OpenSSL contains the perl script c_rehash for this, but the script is not part of some binary installation packages!

The default OpenSSL file of trusted certificates is "OPENSSLDIR"/cert.pem (see ca-bundle.crt, next).

ca-bundle.crt:

This file should contain multiple certificates in PEM format concatenated together. You can get a copy from the openssl, apache, KDE, curl, mutt, etc. packages. In the past the file was on the mod_ssl site. The file has been removed from that site, but you can use scripts to convert the original source file from the Mozilla project (check this post to find some useful scripts).
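The hash-directory layout and the ca-bundle.crt format can be scripted end to end. The following is an added example, not a script from the original page or from its author: it detects whether a certificate file is DER or PEM, installs it into a directory under the <HASH>.<NUM> rule (the value openssl x509 -hash prints is computed over the certificate subject name, so two different CA certificates with the same subject share a <HASH> and get <NUM> 0 and 1), and concatenates the installed PEM files into a bundle. Only the openssl binary is assumed; the directory and file names are whatever you pass in.

```shell
#!/bin/sh
# Added example, not code from the original page: install CA certificates into
# an OpenSSL hash directory (OPENSSLDIR/certs style, <HASH>.<NUM> links) and
# build a ca-bundle.crt from it. Assumes only that "openssl" is on PATH.

# cert_format FILE: print PEM, DER or UNKNOWN. A PEM file starts with "-----"
# (bytes 2d2d2d2d2d); a DER certificate starts with the ASN.1 SEQUENCE tag 0x30.
cert_format() {
    head=$(od -A n -t x1 -N 5 "$1" | tr -d ' \n')
    case $head in
        2d2d2d2d2d) echo PEM ;;
        30*)        echo DER ;;
        *)          echo UNKNOWN ;;
    esac
}

# install_ca_cert DIR FILE: store FILE (DER or PEM) as DIR/<name>.pem and
# create the <HASH>.<NUM> link OpenSSL looks up, using the first free NUM.
# A certificate that is already linked is not linked twice. Prints the link name.
install_ca_cert() {
    dir=$1 src=$2
    fmt=$(cert_format "$src")
    if [ "$fmt" = UNKNOWN ]; then
        echo "$src: not a DER or PEM certificate" >&2
        return 1
    fi
    name=$(basename "$src")
    name=${name%.*}.pem
    # openssl x509 writes PEM unless -outform says otherwise
    openssl x509 -in "$src" -inform "$fmt" -out "$dir/$name" || return 1
    hash=$(openssl x509 -in "$dir/$name" -noout -hash)
    num=0
    while [ -e "$dir/$hash.$num" ]; do
        # Same subject and same content: the existing link already covers it.
        if cmp -s "$dir/$hash.$num" "$dir/$name"; then
            echo "$hash.$num"
            return 0
        fi
        # Same subject hash but a different certificate: take the next number.
        num=$((num + 1))
    done
    ln -s "$name" "$dir/$hash.$num"
    echo "$hash.$num"
}

# make_bundle DIR OUT: concatenate every PEM file in DIR (links skipped, so each
# certificate appears once) into one ca-bundle.crt style file; prints the
# number of certificates and fails if there are none.
make_bundle() {
    : > "$2"
    for f in "$1"/*.pem; do
        [ -f "$f" ] && [ ! -L "$f" ] && cat "$f" >> "$2"
    done
    grep -c '^-----BEGIN CERTIFICATE-----' "$2"
}

# verify_with_dir DIR CERT: does CERT chain to a certificate installed in DIR?
# This is the check that proves OpenSSL actually finds the <HASH>.<NUM> link.
verify_with_dir() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Usage: sh install-ca.sh CERTS_DIR CA-FILE...   (e.g. /etc/ssl/certs ca.crt)
if [ $# -ge 2 ]; then
    d=$1; shift
    for c in "$@"; do install_ca_cert "$d" "$c"; done
fi
```

Run it as root against the system directory, or source it to reuse the functions; verify_with_dir is the openssl verify -CApath check that confirms the link resolves.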

The following script "der2ca-bundle-item.sh" (get it) could help you:

#!/bin/sh
#
# Author: Roumen Petrov, Sofia, Bulgaria
# Version: 1.3, 2004-11-09
#
# Placed in the Public Domain.
#
# Usage: der2ca-bundle-item.sh 'CA display name' ca-cert.der
# Prints one ca-bundle.crt item (name, fingerprint, PEM block and the
# decoded certificate) to stdout; exits non-zero if openssl cannot read the file.

if [ $# -ne 2 ]; then
  echo "usage: $0 'CA name' DER-certificate-file" >&2
  exit 1
fi

CANAME="$1"
DERCRT="$2"

(
echo
echo "${CANAME}"
echo "${CANAME}" | sed -e 's/./=/g'
openssl x509 -inform DER -in "${DERCRT}" \
  -fingerprint -noout
) && (
echo PEM data:
openssl x509 -inform DER -in "${DERCRT}"
) && (
echo Certificate Ingredients:
openssl x509 -inform DER -in "${DERCRT}" \
  -text -noout
)

Suppose the CA certificate is in DER format and stored in the file skalasoft-CAOut.crt. Run the script to convert one DER certificate into the item format of the ca-bundle.crt file:

.../der2ca-bundle-item.sh \
  'Skala Soft EOOD CA' \
  skalasoft-CAOut.crt > skalasoft-CAOut.pem

Output is like this file. Note: Opera 5.x and Konqueror 3.x/4.x users might check this file.

KDE(Konqueror):

Note: KDE is my favourite desktop.
Plans to use certificates in KDE should be postponed. Now is the time to switch to other browsers and/or email clients. KMail does not support certificates. SSL and certificate support in Konqueror is no better than the buggy "Microsoft IE 4.x". See comments (1) (2) (3) at the end of the page.

Hold down the [SHIFT] key and click on the link "Accept This Authority in Your Browser".
Konqueror shows a "Save As" dialog box for the file CAOut.
Select a directory, enter skalasoft-CAOut.crt in "Location" and press [OK] to save.
Find the directory with the saved file and run the "der2ca-bundle-item.sh" script. Append the output to:

KDE 2.2.x
$KDEDIR/share/apps/kssl/caroot/ca-bundle.crt (global)
no user file!
KDE 3.x
$KDEDIR/share/apps/kssl/ca-bundle.crt (global)
$HOME/.kde/share/apps/kssl/ca-bundle.crt (user)
See comment (1).
WARNING:
Do not click on the "Accept This Authority in Your Browser" link:
  • KDE 3.0.x
    import into the user ca-bundle.crt is broken :-(
  • KDE 3.1.x
    When your CA certificate has no CA flag, kssl rejects the import with the message "This is not a signer certificate." - OOOPS :-/
    KDE settings are too paranoid. You can use that CA certificate and the certificates it issued in other, non-KDE applications without problems. I suggest you import it manually.
See comment (2) too.
KDE 4.x
In memoriam

Apache:

Check the httpd.conf file for the options SSLCACertificatePath or SSLCACertificateFile.

Tip: check your linux for ca-bundle.crt files, select the latest, put it in /etc and replace the others with links to /etc/ca-bundle.crt.

OpenSSH:

Visit this page to get the source for X.509 certificate support in OpenSSH!

Server: Check the sshd_config file for the options CACertificatePath or CACertificateFile.

Both options are used to validate the client certificate.

Client: Check $HOME/.ssh/config or the global ssh_config file for the options CACertificatePath or CACertificateFile and UserCACertificatePath or UserCACertificateFile.

All options are used to validate the server certificate.


Client Certificates:

Export your certificate from Lotus Notes:

1.) Select from menu "File"->"Tools"->"User ID" and enter your password.
2.) Press [More Options], [Export Internet Certificate], select a certificate from the list "Certificate issued to" and press [Export].
3.) Enter "Password" and "Confirm". Press [OK].
4.) Select a folder, enter a filename with the p12 extension, press [OK].
The output file is a PKCS #12 file (DER format) and contains your key, your certificates and the CA certificates. From this file you can export the "CA cert". This is a second way to get a "CA cert". Suppose the file is filename.p12. Enter in a unix/linux terminal the command:

$ openssl pkcs12 \
  -in filename.p12 \
  -cacerts -nokeys \
  -out skalasoft-CAOut.pem

You can use this file as in previous steps for OpenSSL, Konqueror, Apache, OpenSSH, etc...

Konqueror(KDE):

Note: KDE is my favourite desktop.
If you are looking for strong SSL and certificate support you should use other browsers.

Start kcontrol (KDE Control Center).
Select "Personalization" or "Security & Privacy"->"Crypto".
Select the tab "Your Certificates" and press [Import...].
Find your p12 file and press [OK].
Enter the certificate password and press [OK].
Select the imported certificate and press [Verify...].
Enter the certificate password and press [OK].
You should see a dialog with text like "This certificate passed the verification tests successfully".

Notes:

  • CA certificates must exist in the KDE keystore before import, otherwise verification will fail (see the installation of the "CA certificate" in KDE(Konqueror)).
    The failure message is like "This certificate has failed the tests and should be considered invalid" and the details section shows "Certificate is self-signed and thus may not be trustworthy".

On KDE 3.x we can select the "Crypto" configuration from the Konqueror menu "Settings"->"Configure Konqueror", but the GUI (KDE 3.0/1.x) looks ugly. See comments (4) (5) (6) at the end of the page.

On KDE 4.x ... You must use other browsers.

Opera:

The following was tested with Opera 10.x, 11.x and 12.x.

The browser supports import/export of issuer certificates in DER and PEM format with RSA/DSA public keys. Opera succeeds in importing/exporting RSA client certificates (PKCS #12 format) but fails to import certificates with DSA private keys. The .usr file suffix is actually for certificates in DER format.

OpenSSL:

Suppose the "PKCS #12" file is "filename.p12". The command to convert your private key and corresponding certificates from p12/pfx (keys+certs file) to PEM format is:

$ openssl pkcs12 \
  -in filename.p12 \
  -clcerts \
  -out filename.pem

Verify the certificate with one of the commands:

  • openssl verify filename.pem (after installation of "CA certificate" in OpenSSL)
  • openssl verify -CAfile $KDEDIR/share/apps/kssl/ca-bundle.crt filename.pem
  • openssl verify -CAfile skalasoft-CAOut.pem filename.pem

Netscape 4.x, Gecko(SeaMonkey, Firefox, Mozilla 0.9.x/1.x, Netscape 6.x/7.x, etc.):

We can get a certificate with Netscape from the "Domino Certificate Authority application" (URL/address http://YOUSITE/dca.nsf)->"Pick Up Client Certificate", or import a "PKCS #12" file exported from Lotus Notes. This client certificate we can export/back up and use in other applications.

Notes:

  • CA certificates must exist in the Netscape keystore before import.
  • For Gecko browsers we must use at least Netscape 6.2 or Mozilla 0.9.5.

Microsoft Windows:

We can get a certificate with MS-IE from the "Domino Certificate Authority application" (URL/address http://YOUSITE/dca.nsf)->"Pick Up Client Certificate", or import into the "Microsoft Windows keystore" a "PKCS #12" file exported from Lotus Notes or Netscape.
1.) Find the "PKCS #12" file (usually the extension is p12 but it can be pfx) and ...
1.1.) ... double click on it ...
1.2.) ... or press the right mouse button ->"Install PFX" (in bold, i.e. the default action) ...
2.) ... Follow the instructions of the "Certificate Import Wizard".
Note: on the "Password screen" enter the password and, if you wish to export later, check "Mark the private key as exportable".

Notes:

  • CA certificates must exist in the keystore before import.
  • Check your certs with "Start Menu"->"Settings"->"Control Panel"->"Internet Options"->"Content"->"Certificates".
  • Secure CRT (secsh client), MS-IE, MS-Outlook, etc. can use the certificates imported there.
  • MS-Windows OS by default hides file extensions! Use the "Explorer" menu "Tools"->"Folder Options"->tab "View"->checkbox "Hide file extensions for known file types" or "Start Menu"->"Settings"->"Control Panel"->"Folder Options"->.... to change this behaviour.

X.509 media (MIME) types:

application/x-x509-ca-cert
  Experimental, but supported in all browsers.
application/pkix-cert [RFC2585]
  IANA standard. Supported by MS-IE and Konqueror (see note!).
  Extensions: .cer (standard), .crt, .der, cert
  MS-Windows file type: "Security Certificate"
  MS-Windows commands:
    rundll32.exe cryptext.dll,CryptExtAddCER file_name
    rundll32.exe cryptext.dll,CryptExtOpenCER file_name
application/x-x509-crl
  Experimental, used in Mozilla/Netscape (6.x/7.x).
application/pkix-crl [RFC2585]
  IANA standard. Supported by Mozilla 1.x, MS-IE.
  Extensions: .crl (standard)
  MS-Windows file type: "Certificate Revocation List"
  MS-Windows commands:
    rundll32.exe cryptext.dll,CryptExtAddCRL file_name
    rundll32.exe cryptext.dll,CryptExtOpenCRL file_name
application/x-pkcs12
  Extensions: .p12 (common), .pfx (ms-windows specific)
  MS-Windows file type: "Personal Information Exchange"
  MS-Windows command:
    rundll32.exe cryptext.dll,CryptExtAddPFX file_name

Obsolete:
application/x-x509-ca-cert
  Experimental and obsolete, used in Netscape/Mozilla and Opera.
application/x-x509-server-cert
  Experimental and obsolete, used in Netscape/Mozilla and Opera.
application/x-x509-user-cert
  Experimental and obsolete, used in Netscape/Mozilla and Opera.
application/x-x509-email-cert
  Experimental and obsolete, used in Netscape/Mozilla and Opera.
application/x-pkcs7-crl
  Experimental and obsolete, used in Netscape/Mozilla.

FAQ.

How to convert a certificate from DER to PEM format?
From the OpenSSL manual page: "The DER format is the DER encoding of the certificate and PEM is the base64 encoding of the DER encoding with header and footer lines added".
A file in DER format is binary and PEM is plain text (ascii). Use the command "openssl x509 ..." with the options -inform/-outform to convert between the formats.
$ openssl x509 \
  -in  file.der -inform  DER \
  -out file.pem -outform PEM
How to convert DER to cer/crt?
We must distinguish between the file extension and the file format/content.
We suppose that a file with the der extension contains an X.509 certificate in DER format. A file with the cer or crt extension can contain either one certificate in DER format or one or more certificates in PEM format. A file with the pem extension can contain text, private keys, certificates and other data. Use a text editor to see its content.
How to convert pfx/p12/pkcs12 to der/cer/crt/pem?
You can extract the private key, user certificates and/or CA certificates from a PKCS #12 file.
  • private key:
    $ openssl pkcs12 -in file.p12 -nocerts ...
    
  • user certificates:
    $ openssl pkcs12 -in file.p12 -nokeys -clcerts ...
    
  • user private key and certificates:
    $ openssl pkcs12 -in file.p12 -clcerts ...
    
  • CA certificates:
    $ openssl pkcs12 -in file.p12 -nokeys -cacerts ...
    
  • all certificates:
    $ openssl pkcs12 -in file.p12 -nokeys ...
    
  • all:
    $ openssl pkcs12 -in file.p12 ...
    
  • all with input from stdin:
    $ cat file.p12 | openssl pkcs12 ...
    
Output from the command goes by default to stdout and the format is PEM only(!).
You can use other openssl commands to convert the private key or a certificate to DER format.
Note: on "Microsoft Windows" OS-es input from stdin might fail, due to LF to CR/LF conversion. This is a well-known bug - these OS-es open pipes in text mode instead of binary.
How to convert cer/crt to p12/pfx?
You do not need to. A file with the cer/crt extension contains one or more certificates. A PKCS #12 file should contain a private key, the certificate that matches the private key and other certificates. A PKCS #12 file without a private key and the certificate that matches the private key is useless.
Suppose file.crt contains the certificate that matches the private key in file.key and both files are in PEM format. To create the p12 file run the command:
$ openssl pkcs12 -export \
  -in file.crt -inkey file.key ...
or get all from stdin:
$ (
  cat file.key
  cat file.crt
  cat file2.crt
  ....
  ) | openssl pkcs12 -export ...
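The PKCS #12 selections in the two questions above, together with the "OpenSSL" client-certificate section (openssl pkcs12 -clcerts, then openssl verify -CAfile), are exercised by the following added example; it is not from the original page or its author. It constructs its own test CA, user key and certificate and a password, packs them into a PKCS #12 file with openssl pkcs12 -export, extracts each selection and verifies the extracted user certificate against the extracted CA certificate. Only the openssl binary is assumed.

```shell
#!/bin/sh
# Added example, not code from the original page: build a PKCS #12 file from a
# key and certificates, then pull the pieces back out with the openssl pkcs12
# selections listed in the FAQ. Assumes only that "openssl" is on PATH; the
# CA, the user certificate and the password are all constructed here.

# make_test_material DIR: a self-signed test CA and a user certificate it issues
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=user@example.test" \
        -keyout "$1/user.key" -out "$1/user.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$1/user.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/user.crt" >/dev/null 2>&1
}

# make_p12 DIR PASSWORD: key + matching certificate + CA certificate, the only
# combination that makes a PKCS #12 file useful ("cer/crt to p12" above)
make_p12() {
    openssl pkcs12 -export -in "$1/user.crt" -inkey "$1/user.key" \
        -certfile "$1/ca.crt" -name user -passout "pass:$2" -out "$1/user.p12"
}

# extract DIR PASSWORD WHAT: the FAQ selections; WHAT is one of
# key, clcerts, cacerts, certs, all. Output is PEM on stdout, as noted above.
# -nodes keeps extracted keys unencrypted instead of prompting for a PEM passphrase.
extract() {
    p12=$1/user.p12
    case $3 in
        key)     openssl pkcs12 -in "$p12" -passin "pass:$2" -nocerts -nodes ;;
        clcerts) openssl pkcs12 -in "$p12" -passin "pass:$2" -nokeys -clcerts ;;
        cacerts) openssl pkcs12 -in "$p12" -passin "pass:$2" -nokeys -cacerts ;;
        certs)   openssl pkcs12 -in "$p12" -passin "pass:$2" -nokeys ;;
        all)     openssl pkcs12 -in "$p12" -passin "pass:$2" -nodes ;;
        *)       echo "extract: unknown selection '$3'" >&2; return 2 ;;
    esac
}

# count_pem FILE KIND: how many "-----BEGIN ... KIND-----" blocks FILE holds
# (KIND is CERTIFICATE or "PRIVATE KEY"); prints 0 when there are none.
count_pem() {
    grep -c "^-----BEGIN .*$2-----" "$1" || true
}

# mac_check DIR PASSWORD: 0 if the PKCS #12 integrity MAC verifies with PASSWORD.
# Even a certificate-only extraction fails on a wrong password (comment 4 below).
mac_check() {
    openssl pkcs12 -in "$1/user.p12" -passin "pass:$2" -nokeys -clcerts >/dev/null 2>&1
}

# verify_extracted DIR PASSWORD: check the extracted user certificate against
# the extracted CA certificates, like "openssl verify -CAfile ..." above
verify_extracted() {
    extract "$1" "$2" cacerts > "$1/cacerts.pem" || return 1
    extract "$1" "$2" clcerts > "$1/clcerts.pem" || return 1
    openssl verify -CAfile "$1/cacerts.pem" "$1/clcerts.pem" >/dev/null 2>&1
}

# Usage: sh p12-roundtrip.sh demo   (everything happens in a temporary directory)
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    if make_test_material "$work" && make_p12 "$work" s3cret && verify_extracted "$work" s3cret; then
        echo "extracted user certificate verifies against the extracted CA certificate"
    else
        echo "round trip failed"
    fi
    rm -rf "$work"
fi
```

The mac_check function is the point made in comment (4): the MAC covers the whole file, so even -nokeys -clcerts needs the password, and a wrong password is reported as a MAC verify error rather than as an empty result.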

Comments

  1. ca-bundle.crt (KDE 3.x)
    Although KDE has a global and a user file, CA certificates must exist in the user file!
    The global file is used as a template to create the user file. The design is "excellent" :-( - when a CA certificate should be removed the sysadmin must remove it from the global file on all workstations and from all user files on every workstation.
    As well, when a workstation is used from many X terminals the sysadmin should propagate the certificate to all user files ("nice"). Note that the KDE crypto config overwrites the user file.
  2. User certificates (KDE 3.x)
    I have the following problem in Konqueror 3.1.x: When I import a user certificate and key from a "PKCS #12" I might leave it without password. When the data is password protected I get the message "Unable to open the certificate. Try a new password?". When I press [No] the browser hangs, while on [Yes] I get the message again and again and ...
    The only solution that I found is to leave the data without password, which is strongly prohibited.
    That is the reason to suggest other browsers. The problem might result from the stored format of user certificates commented on in (4) too. Please see comment (6) too.
  3. tab "SSL Signers" (KDE/Konqueror 3.x crypto configuration)
    ("KDE Control Center"->"Personalization" or "Security & Privacy"->"Crypto"->tab "SSL Signers")
    I cannot find any reason for a CA certificate to exist in this view!
    The "kssl" module reads these files:
    $KDEDIR/share/config/ksslcalist (global)
    $HOME/.kde/share/config/ksslcalist (user)

    Might KDE currently only read these files without using anything from them?

    Append the result of the next command to the global and/or user file

    $ der2ksslcalist-item.sh \
      skalasoft-CAOut.crt > ksslcalist-item.txt

    See the der2ksslcalist-item.sh script and its output ksslcalist-item.txt.

  4. tab "Your certificates" (KDE/Konqueror 3.x crypto configuration)
    • Column "Email Address" in the grid is always empty.
    • Labels "valid from/until":
      When the pkcs12 file is password protected the labels "valid from/until" below the grid show wrong data.
      Your certificates are stored in the file "$HOME/.kde/share/config/ksslcertificates". This file contains base64 encoded "PKCS #12" data. As an example, when the "PKCS #12" is created with a password we cannot extract the client certificates without specifying that password (press [ENTER] at the prompt):
      $ openssl pkcs12 -in file.p12 -clcerts -nokeys
      Enter Import Password:
      Mac verify error: invalid password?

      Here we have a very good sample of poor design - we cannot extract certificate data from a "PKCS #12" file without supplying the password!
    • Frame/window is too wide:
      When you have at least one certificate the frame/window is too wide and you have to scroll right/left to access the buttons or to see the certificate "Common Name". This frame is used in many places. All windows where the frame is included are affected. The width might depend on the string length of the certificate "Distinguished Name"/"Subject" [cool ;-)].
    • Selection is cell based:
      Certificate selection is on the grid cell in column "Common Name" only(!) instead of on the whole row.
      The entire grid row is related to one certificate. We expect that a click anywhere on a row selects that certificate. The same problem exists in the grid on the "SSL Signers" tab.
  5. tab "SSL" (KDE/Konqueror 3.x crypto configuration)
    • TLS support:
      The option "Enable TLS support if supported by the server" has no effect in Konqueror. Although the web server supports TLS, its log shows that Konqueror uses the SSLv3 protocol. When the web server supports only TLS, i.e. SSLv2/3 are disabled on the server side, Konqueror cannot connect.
      The work-around is to play the "selection game": manually find the ciphers supported by the servers and enable/disable ciphers on the tab depending on the connection. I do not like to play the "selection game". This is user unfriendly.
    • Cipher effective key size:
      When the web server requires a cipher greater than XXX bits for some URLs, Konqueror doesn't select one of the supported ciphers that best fits the web server requirement, and the result is access forbidden or a browser hang. You must manually disable all ciphers that don't fit the requirement. Keep in mind that for another web server you must enable them again. Again the "selection game" ;-).
      Suppose the web server supports AES256-SHA and DES-CBC3-SHA but on some pages requires a cipher greater than 168 bits. In this case DES-CBC3-SHA cannot be used. On these pages Konqueror hangs.
      To avoid this problem Konqueror should use the best cipher, i.e. the one with the greater key length.
  6. tab "Authentication" (KDE/Konqueror 3.x crypto configuration)
    • Valid certificates with the same "Subject":
      When I have more than one certificate with the same Subject I cannot distinguish them in any control on the tab. My problem was that I had two valid certificates with the same "Subject", but the server can accept only one of them. The work-around is to remove the oldest, but this is not a solution in the period with two valid certificates. Since KMail doesn't support certificates I solved this problem.
      In general, before removing the oldest but still valid certificate we should ensure that we receive emails encrypted only with the newest. That takes time.
    • "Send" as "Default Action":
      When "Default Action" is "Send" and the default certificate is "None" the browser can hang on an https request. It happens always when a URL requires a certificate. The server log shows that the used cipher is "none" for protocol SSLv3 and the certificate is missing, although cipher "none" is disabled (:-D no comments).
    • "Don't send" as "Default Action":
      Same as above.
    • "Prompt" as "Default Action":
      When I select "Prompt" and a page requires a certificate the situation is terrible.
      • The selection dialog with certificates is ugly:
        I can select only the first item in the list.
        The certificate "Subject" can be very long and as a result the dialog is too wide.
        I cannot see any information about the selected certificate.
        I cannot abort the request - the dialog contains only one button, "continue". When I press the close button on the dialog window or hit the [escape] key Konqueror hangs.
      • Konqueror can ask to select a certificate for every element that should be loaded (for example images) from the page, although they are accessible without a certificate.
      Work-around: We can configure which certificate to send on a per-host basis.
Last modified : Friday August 08, 2014