How to get and install certificates?
(using X.509 certificates, in brief)
Accept Domino CA Authority in a browser or ...
1.) Browse to the "Domino Certificate Authority application" (URL http://YOUSITE/dca.nsf).
2.) Select "Accept This Authority In Your Browser:" from the left frame.
3.) Continue according to your browser, as described below.
Netscape:
Click on link "Accept This Authority in Your Browser".
The server displays a dialog box asking whether you want to accept the site certificate. Accept it if you want to.
- Netscape 4.x
- Manage CA certificates from menu "Communicator"->"Tools"->"Security Info" and select "Signers".
Note: missing features are "Import From File" and "Certificate Revocation List" support.
- Netscape 6.x/7.x, Mozilla 0.9x/1.x, SeaMonkey
- Select from menu "Edit"->"Preferences", expand "Privacy & Security", select "Certificates", press "Manage Certificates", select "Authorities".
Note: the missing feature is "Import From File" for versions based on source before Mozilla 1.3 (Gecko/20030313).
- Firefox
- Select from menu "Edit"->"Preferences", click on the "Advanced" icon, click on the "Encryption" tab, press "View Certificates", select "Authorities".
Internet Explorer (MS-IS):
Click on link "Accept This Authority in Your Browser".
MS-IE shows a dialog box asking whether to open or save the file CAOut.cer from "YOUSITE".
1.1.) Select open and ...
1.2.) Select save. Find the saved file and ...
1.2.1.) ... double click it ...
... a new dialog box appears, press [Install Certificate] ...
1.2.2.) ... or press the right mouse button and select "Install Certificate" ...
2.) ... Follow the instructions of the "Certificate Import Wizard".
Opera:
- Opera 5.x - upgrade to the next major version
- Opera 6.x/7.x/8.x/9.x/10.x/11.x/12.x
Click on link "Accept This Authority in Your Browser".
The server displays a dialog box asking whether you want to accept the site certificate. Accept it if you want to.
- Manage CA certificates from menu ...
- Opera 6.x
"File"->"Preferences"->"Security" and click on "Authorities" ...
- Opera 7.x
"Tools"->"Preferences", select "Security", click on "Manage Certificates" and select tab "Authorities" ...
- Opera 8.x/9.x/10.x
"Tools"->"Preferences", select tab "Advanced", select "Security", click on "Manage Certificates" and select tab "Authorities" ...
- Opera 11.x/12.x
The menu item is "Settings" instead of "Tools".
OpenSSL:
Download the "CA certificate" file from link "Accept This Authority in Your Browser".
Find "OPENSSLDIR" in your OpenSSL installation.
Usually it is /etc/ssl, /usr/ssl or /usr/local/ssl.
This directory contains the file openssl.cnf and
the subdirectories "certs", "private" and others.
The default OpenSSL directory of trusted certificates is "OPENSSLDIR"/certs.
The certificates there must have names of the form <HASH>.<NUM>,
where <HASH> is the certificate hash (the hash of its subject name;
see the -hash option of the openssl x509 utility)
and <NUM> is an integer starting from zero.
Go to directory "OPENSSLDIR"/certs.
Let the "CA certificate" be skalasoft-CAOut.crt.
Get the certificate hash value and remember it:
# openssl x509 \
-in /path_to_file/skalasoft-CAOut.crt \
-inform DER \
-noout -hash
NNNNNNNNNN
Convert the CA certificate from DER to PEM format and store it under the name <HASH>.<NUM>.
If that file name already exists, increment <NUM>.
Use the command:
# openssl x509 \
-in /path_to_file/skalasoft-CAOut.crt \
-inform DER \
-out <HASH>.<NUM>
Sample directory content:
root@demo:/etc/ssl/certs# ls -l
total ...
... 09478a96.0
Tip: Most users want human-readable file names. In that case store the PEM file under the human-readable name and make <HASH>.<NUM> a link to it.
Sample directory content:
root@demo:/etc/ssl/certs# ls -l
total ...
... 09478a96.0 -> skalasoft-CAOut.pem
... skalasoft-CAOut.pem
Note: OpenSSL contains the Perl script c_rehash, which creates these <HASH>.<NUM> links for a whole directory, but the script isn't part of some binary installation packages!
The default OpenSSL file of trusted certificates is "OPENSSLDIR"/cert.pem
(see ca-bundle.crt next).
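The naming rule above can be carried out without the command line. The following Python is an added example written for this page (it is not OpenSSL's code and not the author's script): it locates the subject name inside a DER certificate, computes the old-style OpenSSL name hash (the first four bytes of MD5 over the DER subject, little-endian, as 8 hex digits, which is what "openssl x509 -hash" printed in the 0.9.x era and what "-subject_hash_old" prints since 1.0.0), picks the first free <NUM>, writes the PEM file and optionally creates the human-readable name with <HASH>.<NUM> as a symlink to it. The sample certificates it installs are constructed in-line (unsigned, with "Skala Soft EOOD CA" only as a sample subject); feed it real DER bytes read from a file in practice.

```python
import base64
import hashlib
import os
import pathlib
import tempfile

# Minimal DER helpers written for this example (not OpenSSL code).

def der_tlv(tag, body):
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_read(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, value, offset after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def der_children(body):
    """Split a constructed value into (tag, raw TLV bytes) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, end = der_read(body, pos)
        out.append((tag, body[pos:end]))
        pos = end
    return out

def x509_name(cn):
    """Name ::= SEQUENCE OF SET OF { OID commonName (2.5.4.3), PrintableString }."""
    atv = der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x13, cn.encode("ascii")))
    return der_tlv(0x30, der_tlv(0x31, atv))

def sample_cert_der(cn, serial):
    """Structurally valid but unsigned Certificate: a constructed sample, not a real CA."""
    alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = der_tlv(0x30, der_tlv(0x17, b"040101000000Z") + der_tlv(0x17, b"340101000000Z"))
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00"))  # placeholder public key
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))  # [0] EXPLICIT version v3
                  + der_tlv(0x02, bytes([serial])) + alg + x509_name(cn)
                  + validity + x509_name(cn) + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00"))  # empty signature BIT STRING

def subject_der(cert_der):
    """Raw DER of the subject Name: the bytes OpenSSL hashes to build the file name."""
    tag, cert_body, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (decode PEM first)")
    _, tbs_body, _ = der_read(der_children(cert_body)[0][1])
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:  # optional [0] version precedes the serial in v2/v3 certs
        fields = fields[1:]
    return fields[4][1]  # serialNumber, signature, issuer, validity, subject, ...

def subject_hash_old(cert_der):
    """Old-style hash: first 4 bytes of MD5(subject DER), little-endian, 8 hex digits."""
    digest = hashlib.md5(subject_der(cert_der)).digest()
    return format(int.from_bytes(digest[:4], "little"), "08x")

def der_to_pem(der):
    """PEM = base64 of the DER in 64-column lines between header and footer lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode("ascii")

def install_ca(cert_der, certs_dir, friendly_name=None):
    """Store a CA certificate as <HASH>.<NUM> in an OpenSSL certs directory.
    <NUM> is the first free number for that hash; an identical certificate already
    present is reused. With friendly_name the PEM goes under that name and
    <HASH>.<NUM> becomes a relative symlink to it, as in the directory listing above."""
    certs_dir = pathlib.Path(certs_dir)
    pem, h, num = der_to_pem(cert_der), subject_hash_old(cert_der), 0
    while True:
        target = certs_dir / f"{h}.{num}"
        if not target.is_symlink() and not target.exists():
            break
        try:
            if target.read_bytes() == pem:
                return target  # already installed under this name
        except OSError:
            pass  # dangling symlink occupies the slot; try the next number
        num += 1
    if friendly_name:
        (certs_dir / friendly_name).write_bytes(pem)
        target.symlink_to(friendly_name)
    else:
        target.write_bytes(pem)
    return target

def demo():
    """Install two different certificates sharing one subject into a temporary certs dir."""
    ca1 = sample_cert_der("Skala Soft EOOD CA", 1)
    ca2 = sample_cert_der("Skala Soft EOOD CA", 2)  # re-issued CA: same subject, same hash
    with tempfile.TemporaryDirectory() as d:
        first = install_ca(ca1, d, "skalasoft-CAOut.pem")
        again = install_ca(ca1, d, "skalasoft-CAOut.pem")
        second = install_ca(ca2, d)
        return {"hash": subject_hash_old(ca1),
                "names": [first.name, again.name, second.name],
                "link_target": os.readlink(first) if first.is_symlink() else None}
```

To compare with OpenSSL, "openssl x509 -in skalasoft-CAOut.crt -inform DER -noout -subject_hash_old" prints the same 8 hex digits; OpenSSL 1.0.0 and later build their default <HASH>.<NUM> names with a different, SHA-1 based subject hash ("-subject_hash"), and "c_rehash" or "openssl rehash" (1.1.0 and later) create both link styles for a whole directory, so on a modern system prefer those tools and use this function only to understand or verify the naming.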
ca-bundle.crt:
This file should contain multiple certificates in PEM format concatenated together.
You can get a copy from the openssl, apache, KDE, curl, mutt, etc. packages.
In the past the file was on the mod_ssl site.
The file has been removed from that site, but you could use some scripts to convert
the original source file from the Mozilla project
(check this post to find some useful scripts).
The following script "der2ca-bundle-item.sh" could help you:
#!/bin/sh
#
# Author: Roumen Petrov, Sofia, Bulgaria
# Version: 1.3, 2004-11-09
#
# Placed in the Public Domain.
#
# Usage: der2ca-bundle-item.sh 'CA display name' ca-cert.der > item.pem
# Emits one ca-bundle.crt item: name, underline, fingerprint, PEM data, decoded text.
CANAME="$1"
DERCRT="$2"
if [ -z "${CANAME}" ] || [ ! -r "${DERCRT}" ]; then
  echo "usage: $0 'CA name' certificate.der" >&2
  exit 1
fi
(
echo
echo "${CANAME}"
echo "${CANAME}" | sed -e 's/./=/g'
openssl x509 -inform DER -in "${DERCRT}" \
-fingerprint -noout
) && (
echo PEM data:
openssl x509 -inform DER -in "${DERCRT}"
) && (
echo Certificate Ingredients:
openssl x509 -inform DER -in "${DERCRT}" \
-text -noout
)
Let the CA certificate be in DER format, stored in file skalasoft-CAOut.crt.
Run the script to convert one DER certificate into the format of the items in a ca-bundle.crt file:
.../der2ca-bundle-item.sh \
'Skala Soft EOOD CA' \
skalasoft-CAOut.crt > skalasoft-CAOut.pem
Output is like this file.
Opera 5.x and Konqueror 3.x/4.x users might check this file.
KDE(Konqueror):
Note: KDE is my favourite desktop.
Plans to use certificates in KDE should be postponed.
Now is the time to switch to other browsers and/or email clients.
KMail doesn't support certificates.
SSL and certificate support in Konqueror is not better than the buggy "Microsoft IE 4.x".
See comments (1), (2) and (3) at the end of the page.
Hold down the [SHIFT] key and click on link "Accept This Authority in Your Browser".
Konqueror shows a dialog box asking to "Save As" the file CAOut.
Select a directory, enter skalasoft-CAOut.crt in "Location" and press [OK] to save.
Find the directory with the saved file and run the "der2ca-bundle-item.sh" script. Append its output to:
- KDE 2.2.x
$KDEDIR/share/apps/kssl/caroot/ca-bundle.crt (global)
no user file!
- KDE 3.x
$KDEDIR/share/apps/kssl/ca-bundle.crt (global)
$HOME/.kde/share/apps/kssl/ca-bundle.crt (user)
- See comment (1).
- WARNING:
- Do not click on the "Accept This Authority in Your Browser" link:
- KDE 3.0.x
import into the user ca-bundle.crt is broken :-(
- KDE 3.1.x
When your CA certificate is without the CA flag, kssl rejects the import with the message
"This is not a signer certificate." - OOOPS :-/
KDE settings are too paranoid.
You can use that certificate and the certificates it issued in non-KDE applications without problems.
I suggest you import it manually.
See comment (2) too.
- KDE 4.x
- In memoriam
Apache:
Check the httpd.conf file for the options SSLCACertificatePath or SSLCACertificateFile.
Tip: check your Linux system for ca-bundle.crt files, select the latest, put it in /etc and replace the others with links to /etc/ca-bundle.crt.
OpenSSH:
Visit this page to get the source for X.509 certificate support in secure shell!
Server: Check the sshd_config file for the options CACertificatePath or CACertificateFile.
Both options are used to validate the client certificate.
Client: Check $HOME/.ssh/config or the global ssh_config file for the options CACertificatePath or CACertificateFile and UserCACertificatePath or UserCACertificateFile.
All options are used to validate the server certificate.
Client Certificates:
Export your certificate from Lotus Notes:
1.) Select from menu "File"->"Tools"->"User ID" and enter your password.
2.) Press [More Options], [Export Internet Certificate], select a certificate from the list "Certificate issued to" and press [Export].
3.) Enter "Password" and "Confirm". Press [OK].
4.) Select a folder, enter a filename with the p12 extension, press [OK].
The output file is in DER format (PKCS #12) and contains your key, your certificates and the CA certificates.
From this file you can export the "CA cert". This is the second way to get a "CA cert".
Let the file be filename.p12. Enter in a unix/linux terminal the command:
$ openssl pkcs12 \
-in filename.p12 \
-cacerts -nokeys \
-out skalasoft-CAOut.pem
You can use this file as in the previous steps for OpenSSL, Konqueror, Apache, OpenSSH, etc.
Konqueror(KDE):
Note: KDE is my favourite desktop.
If you look for strong SSL and certificate support you should use other browsers.
Start kcontrol (KDE Control Center).
Select "Personalization" or "Security & Privacy"->"Crypto".
Select tab "Your Certificates" and press [Import...].
Find your p12 file and press [OK].
Enter the certificate password and press [OK].
Select the imported certificate and press [Verify...].
Enter the certificate password and press [OK].
You should see a dialog with text like "This certificate passed the verification tests successfully".
Notes:
- CA certificates must exist in the KDE keystore before import, otherwise verification will fail
(see the installation of the "CA certificate" in KDE(Konqueror)).
The failure message is like "This certificate has failed the tests and should be considered invalid" and
the details section shows "Certificate is self-signed and thus may not be trustworthy".
On KDE 3.x we can select the "Crypto" configuration from
Konqueror menu "Settings"->"Configure Konqueror",
but the GUI interface (KDE 3.0/1.x) looks ugly.
See comments (4), (5) and (6) at the end of the page.
On KDE 4.x ... You must use other browsers.
Opera:
The following was tested with Opera 10.x, 11.x and 12.x.
The browser supports import/export of issuer certificates in DER and PEM format with RSA/DSA public keys.
Opera succeeds in importing/exporting RSA client certificates (PKCS #12 format) but fails to import certificates with DSA private keys.
Note: the .usr file suffix is for certificates in DER format.
OpenSSL:
Let the "PKCS #12" file be "filename.p12".
The command to convert your private key and corresponding certificates
from p12/pfx (keys+certs file) to PEM format is:
$ openssl pkcs12 \
-in filename.p12 \
-clcerts \
-out filename.pem
Verify the certificate with one of these commands:
- openssl verify filename.pem (after installation of "CA certificate" in OpenSSL)
- openssl verify -CAfile $KDEDIR/share/apps/kssl/ca-bundle.crt filename.pem
- openssl verify -CAfile skalasoft-CAOut.pem filename.pem
Netscape 4.x, Gecko(SeaMonkey, Firefox, Mozilla 0.9.x/1.x, Netscape 6.x/7.x, etc.):
We can get a certificate with Netscape from the "Domino Certificate Authority application" (URL http://YOUSITE/dca.nsf)->"Pick Up Client Certificate" or
import a "PKCS #12" file exported from Lotus Notes.
This client certificate we can export/backup and use in other applications.
Notes:
- CA certificates must exist in the Netscape keystore before import.
- For Gecko browsers we must use at least Netscape 6.2 or Mozilla 0.9.5.
Microsoft Windows:
We can get a certificate with MS-IE from the "Domino Certificate Authority application" (URL http://YOUSITE/dca.nsf)->"Pick Up Client Certificate" or
import into the "Microsoft Windows keystore" a "PKCS #12" file exported from Lotus Notes or Netscape.
1.) Find the "PKCS #12" file (usually the extension is p12 but it can be pfx) and ...
1.1.) ... double click it ...
1.2.) ... or press the right mouse button ->"Install PFX" (in bold, i.e. the default action) ...
2.) ... Follow the instructions of the "Certificate Import Wizard".
Note: on the "Password screen" enter the password and,
if you wish to export later, check "Mark the private key as exportable".
Notes:
- CA certificates must exist in the keystore before import.
- Check your certs with "Start Menu"->"Settings"->"Control Panel"->"Internet Options"->"Content"->"Certificates".
- Secure CRT (secsh client), MS-IE, MS-Outlook, etc. can use certificates imported there.
- MS-Windows OS by default hides file extensions!
Use the "Explorer" menu "Tools"->"Folder Options"->tab "View"->checkbox "Hide file extensions for known file types"
or "Start Menu"->"Settings"->"Control Panel"->"Folder Options"->....
to change this behaviour.
X.509 media (mime) types:
- application/x-x509-ca-cert
  Experimental, but supported in all browsers.
- application/pkix-cert [RFC2585]
  IANA standard. Supported by MS-IE and Konqueror (see note !).
- Extensions: .cer (standard), .crt, .der, cert
- MS-Windows:
  File type: "Security Certificate"
  Command:
    rundll32.exe cryptext.dll,CryptExtAddCER file_name
    rundll32.exe cryptext.dll,CryptExtOpenCER file_name
- application/x-x509-crl
  Experimental, used in Mozilla/Netscape (6.x/7.x).
- application/pkix-crl [RFC2585]
  IANA standard. Supported by Mozilla 1.x, MS-IE.
- Extensions: .crl (standard)
- MS-Windows:
  File type: "Certificate Revocation List"
  Command:
    rundll32.exe cryptext.dll,CryptExtAddCRL file_name
    rundll32.exe cryptext.dll,CryptExtOpenCRL file_name
- application/x-pkcs12
- Extensions: .p12 (common), .pfx (ms-windows specific)
- MS-Windows:
  File type: "Personal Information Exchange"
  Command:
    rundll32.exe cryptext.dll,CryptExtAddPFX file_name
- obsolete:
  - application/x-x509-ca-cert
    Experimental and obsolete, used in Netscape/Mozilla and Opera.
  - application/x-x509-server-cert
    Experimental and obsolete, used in Netscape/Mozilla and Opera.
  - application/x-x509-user-cert
    Experimental and obsolete, used in Netscape/Mozilla and Opera.
  - application/x-x509-email-cert
    Experimental and obsolete, used in Netscape/Mozilla and Opera.
  - application/x-pkcs7-crl
    Experimental and obsolete, used in Netscape/Mozilla.
FAQ:
- How to convert a certificate from DER to PEM format?
- From the OpenSSL manual page: "The DER format is the DER encoding of the certificate and
PEM is the base64 encoding of the DER encoding with header and footer lines added".
A file in DER format is binary and PEM is plain text (ASCII).
Use the command "openssl x509 ..." with the options -inform/-outform to convert between formats:
$ openssl x509 \
-in file.der -inform DER \
-out file.pem -outform PEM
- How to convert DER to cer/crt?
- We must distinguish between file extension and file format/content.
We suppose that a file with the der extension contains an X.509 certificate in DER format.
A file with the cer or crt extension can contain either one certificate in DER format
or one or more certificates in PEM format.
A file with the pem extension can contain text, private keys, certificates and other
data. Use a text editor to see its content.
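The two answers above (DER versus PEM, and extension versus content) come down to a few byte-level checks that are worth seeing in code. The following Python is an added example written for this page, not OpenSSL's implementation and not the author's scripts: it decides the format from the content, converts DER to PEM and back, splits a ca-bundle.crt style file (PEM blocks with free text between them, CRLF line endings tolerated) into its certificates, and reports what a file really holds. The sample inputs are constructed in-line: tiny DER SEQUENCEs stand in for real certificates, since the conversion does not depend on what the DER encodes; the media types in PEM_LABELS are the ones from the list above.

```python
import base64
import re

# One PEM block: label, base64 body, matching END line; "\r?\n" tolerates CRLF files.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# PEM labels met in .crt/.cer/.pem files, with the standard media types listed above.
PEM_LABELS = {
    b"CERTIFICATE": ("X.509 certificate", "application/pkix-cert"),
    b"X509 CRL": ("X.509 CRL", "application/pkix-crl"),
    b"PRIVATE KEY": ("private key", None),
    b"RSA PRIVATE KEY": ("private key", None),
    b"ENCRYPTED PRIVATE KEY": ("private key", None),
}

def sniff(data):
    """Decide by content, not extension: 'DER', 'PEM' or 'unknown'."""
    if data[:1] == b"\x30":  # DER certificates, CRLs and PKCS #12 files all start with SEQUENCE
        return "DER"
    if b"-----BEGIN " in data:
        return "PEM"
    return "unknown"

def der_to_pem(der, label=b"CERTIFICATE"):
    """base64 of the DER bytes in 64-column lines between header and footer lines."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN " + label + b"-----\n" + body + b"\n-----END " + label + b"-----\n"

def pem_blocks(data):
    """Yield (label, der) for every PEM block, ignoring text around and between blocks."""
    for m in PEM_BLOCK.finditer(data):
        yield m.group(1), base64.b64decode(re.sub(rb"\s+", b"", m.group(2)))

def pem_to_der(data):
    """The first certificate of a PEM file as DER (what -outform DER would write)."""
    for label, der in pem_blocks(data):
        if label == b"CERTIFICATE":
            return der
    raise ValueError("no CERTIFICATE block in input")

def split_bundle(data):
    """All certificates of a ca-bundle.crt style file, each as DER."""
    return [der for label, der in pem_blocks(data) if label == b"CERTIFICATE"]

def describe(data):
    """What a file really holds, whatever its extension says."""
    kind = sniff(data)
    if kind != "PEM":
        return {"format": kind, "items": []}
    items = [PEM_LABELS.get(label, ("unknown PEM block " + label.decode(), None))[0]
             for label, _ in pem_blocks(data)]
    return {"format": "PEM", "items": items}

# Constructed sample inputs: minimal DER SEQUENCEs standing in for real certificates.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"   # SEQUENCE { INTEGER 5 }
SAMPLE_DER2 = b"\x30\x03\x02\x01\x07"  # SEQUENCE { INTEGER 7 }
SAMPLE_BUNDLE = (b"Skala Soft EOOD CA\r\n==================\r\n"
                 + der_to_pem(SAMPLE_DER).replace(b"\n", b"\r\n")  # item saved on Windows
                 + b"\nSecond CA\n=========\n"
                 + der_to_pem(SAMPLE_DER2))
```

A DER file is recognised only as "some DER object" here: telling a certificate from a CRL or a PKCS #12 file needs the ASN.1 structure to be parsed, which is what "openssl x509", "openssl crl" and "openssl pkcs12" do for you; a PEM file carries the answer in its BEGIN lines.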
- How to convert pfx/p12/pkcs12 to der/cer/crt/pem?
- You can extract the private key, user certificates and/or
CA certificates from a PKCS #12 file.
- private key:
$ openssl pkcs12 -in file.p12 -nocerts ...
- user certificates:
$ openssl pkcs12 -in file.p12 -nokeys -clcerts ...
- user private key and certificates:
$ openssl pkcs12 -in file.p12 -clcerts ...
- CA certificates:
$ openssl pkcs12 -in file.p12 -nokeys -cacerts ...
- all certificates:
$ openssl pkcs12 -in file.p12 -nokeys ...
- all:
$ openssl pkcs12 -in file.p12 ...
- all with input from stdin:
$ cat file.p12 | openssl pkcs12 ...
Output from the command goes by default to stdout and the format is PEM only(!).
You can use other openssl commands to convert a private key or a certificate to DER format.
Note: on "Microsoft Windows" OS-es input from stdin might fail, due to LF to CR/LF conversion.
This is a well-known bug - these OS-es open pipes in text mode instead of binary.
- How to convert cer/crt to p12/pfx?
- You do not need to.
A file with the cer/crt extension contains one or more certificates.
A PKCS #12 file should contain a private key, the certificate that matches the private key and other certificates.
A PKCS #12 file without a private key and the certificate that matches the private key is useless.
Let file.crt contain the certificate that matches the private key in file.key
and both files be in PEM format. To create a p12 file run the command:
$ openssl pkcs12 -export \
-in file.crt -inkey file.key ...
or get all from stdin:
$ (
cat file.key
cat file.crt
cat file2.crt
....
) | openssl pkcs12 -export ...
Comments
- (1) ca-bundle.crt (KDE 3.x)
Although KDE has global and user files, CA certificates must exist in the user file!
The global file is used as a template to create the user file.
The design is "excellent" :-( - when a CA certificate should be removed
the sysadmin must remove it from the global file on all workstations
and from all user files on every workstation.
As well, when a workstation is used from many X terminals
the sysadmin should propagate the certificate to all user files ("nice").
Note that KDE crypto config overwrites the user file.
- (2) User certificates (KDE 3.x)
I have the following problem in Konqueror 3.1.x:
When I import a user certificate and key from a "PKCS #12" I might leave it without a password.
When the data is password protected I get the message "Unable to open the certificate. Try a new password?".
When I press [No] the browser hangs, while on [Yes] I get the message again and again and ...
The only solution that I found is to leave the data without a password, which is strongly prohibited.
That is the reason to suggest other browsers.
The problem might result from the stored format of user certificates, commented in (4) too.
Please see comment (6) too.
- (3) tab "SSL Signers" (KDE/Konqueror 3.x crypto configuration)
("KDE Control Center"->"Personalization" or "Security & Privacy"->"Crypto"->tab "SSL Signers")
I cannot find any reason for a CA certificate to exist in this view!
- The "kssl" module reads these files:
$KDEDIR/share/config/ksslcalist (global)
$HOME/.kde/share/config/ksslcalist (user)
Might KDE currently only read these files without using anything from them?
Append the result of the next command to the global and/or user file:
$ der2ksslcalist-item.sh \
skalasoft-CAOut.crt > ksslcalist-item.txt
See the der2ksslcalist-item.sh script and its output ksslcalist-item.txt.
- (4) tab "Your certificates" (KDE/Konqueror 3.x crypto configuration)
- (5) tab "SSL" (KDE/Konqueror 3.x crypto configuration)
- TLS support:
The option "Enable TLS support if supported by the server" is without effect in Konqueror.
Although the web server supports TLS, its log shows that Konqueror uses the SSLv3 protocol.
When the web server supports only TLS, i.e. SSLv2/3 are disabled on the server side, Konqueror cannot connect.
The workaround is to play the "selection game": manually find the ciphers supported by servers and
enable/disable ciphers from the tab depending on the connection.
I do not like to play the "selection game". This is user unfriendly.
- Cipher effective key size:
When the web server requires a cipher greater than XXX bits for some URLs
Konqueror doesn't select one of the supported ciphers that best fits the web server
requirement, and the result is access forbidden or a browser hang.
You must disable manually all ciphers that don't fit the requirement.
Keep in mind that for other web servers you must enable them back.
Again the "selection game" ;-).
Let the web server support AES256-SHA and DES-CBC3-SHA but on some pages require a cipher greater than 168 bits.
In this case DES-CBC3-SHA cannot be used.
On these pages Konqueror hangs.
To avoid this problem Konqueror should use the best cipher, i.e. the one with the greater length.
- (6) tab "Authentication" (KDE/Konqueror 3.x crypto configuration)
- Valid certificates with the same "Subject":
When I have more than one certificate with the same Subject
I cannot distinguish them in any control on the tab.
My problem was that I had two valid certificates with the same "Subject",
but the server can accept only one of them.
The workaround is to remove the oldest, but this is not a solution in the period with two valid certificates.
Since KMail doesn't support certificates I solved this problem.
In general, before removing the oldest but valid certificate
we should ensure that we receive emails encrypted only with the newest.
That takes time.
- "Send" as "Default Action":
When "Default Action" is "Send" and the default certificate is "None" the browser can hang on an https request.
It happens always when a URL requires a certificate.
The server log shows that the used cipher is "none" for protocol SSLv3 and
the certificate is missing although cipher "none" is disabled (:-D no comments).
- "Don't send" as "Default Action":
Same as above.
- "Prompt" as "Default Action":
When I select "Prompt" and a page requires a certificate the situation is terrible.
- The selection dialog with certificates is ugly:
I can select only the first item in the list.
The certificate "Subject" can be very long and as a result the dialog is too wide.
I cannot see any information about the selected certificate.
I cannot break the request - the dialog contains only one button "continue".
When I press the close button on the dialog window or hit the [escape] key Konqueror hangs.
- Konqueror can ask to select a certificate for every element that should load
(for example images) from a page although they are accessible without a certificate.
Workaround: We can configure which certificate to send on a host basis.