I'm a noob with SSL.
I have implemented SSL with certbot/letsencrypt [nginx/Ubuntu 14.04]. I had also done public key SSL pinning in the Android app. Everything is in production and working fine.
But once the certificate expires I want to renew the certificate with the same key to prevent any forceful app update.
Please let me know if there is any way I can work around this.
Thank you in advance.
I am looking for the same type of solution for Traefik, and as I mentioned in my question I think it's possible for Certbot, at least from reading their --help.
So if you run:
docker run --rm -it certbot/certbot --help all
You will find:
--reuse-key When renewing, use the same private key as the existing certificate. (default: False)
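To see why --reuse-key is the right knob for a pinned client, here is an added Ruby example (not from the answer above, and not Certbot's code). It computes the SPKI pin that an Android pinning configuration uses, base64 of SHA-256 over the certificate's SubjectPublicKeyInfo, and then simulates two renewals: one that keeps the private key and one that rotates it. The certificates, the common name and the pin set are constructed for the demo; a real Let's Encrypt certificate is CA-signed and carries SANs, but the pin only depends on the key.

```ruby
require "openssl"

# Public-key pin as used by Android network-security-config / OkHttp CertificatePinner:
# base64(SHA-256(SubjectPublicKeyInfo DER)). Accepts a PKey or an X509::Certificate, since
# both expose the public key and Ruby encodes a public-only key as SPKI.
def spki_pin(key_or_cert)
  spki_der = key_or_cert.public_key.to_der
  "sha256/" + [OpenSSL::Digest::SHA256.digest(spki_der)].pack("m0")
end

# Minimal self-signed leaf standing in for what the ACME client writes on each issuance
# (constructed for the demo only).
def issue_leaf(key, cn, days)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                  # X.509 v3
  cert.serial = OpenSSL::BN.rand(64)                # fresh serial on every issuance
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + days * 86_400
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# certbot --reuse-key: new certificate, same private key.
def renew_reusing_key(key, cn)
  issue_leaf(key, cn, 90)
end

# Default renewal: a new key pair, hence a new SubjectPublicKeyInfo.
def renew_with_new_key(cn)
  fresh_key = OpenSSL::PKey::RSA.new(2048)
  issue_leaf(fresh_key, cn, 90)
end

# What the pinned app effectively checks on connect: is the leaf's pin in the shipped set?
def pin_matches?(cert, pinned_set)
  pinned_set.include?(spki_pin(cert))
end

def demo
  key = OpenSSL::PKey::RSA.new(2048)
  current = issue_leaf(key, "example.com", 90)
  app_pins = [spki_pin(current)]                    # constructed: the pin baked into the app
  reused = renew_reusing_key(key, "example.com")
  rotated = renew_with_new_key("example.com")
  {
    reuse_key_ok: pin_matches?(reused, app_pins),   # true: SPKI unchanged, pin unchanged
    new_key_ok: pin_matches?(rotated, app_pins),    # false: every installed app would now fail
    cert_changed: reused.serial != current.serial   # the certificate itself is still new
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The check worth automating in a renewal hook is the one `pin_matches?` performs: compute the pin of the freshly issued certificate and compare it with the set the app ships; if they differ, the renewal rotated the key and the deploy should stop before nginx reloads. Shipping a second, backup pin for a key held offline is what lets you rotate on purpose later without a forced update.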
I am performing Passive Authentication of a passport chip using jmrtd.
I am able to verify the signature using the DSC (Digital Signing Certificate).
But I am not able to verify the DSC using the CSC (Country Signing Certificate).
Please provide some approach, thanks in advance.
Probably way too late for you, but in case anyone else runs into this :)
To do that you basically need to create a trust store with the CSCs. Basically they are just certificate authorities and need to be treated as such.
The first step is to create a PKCS12 containing all the CSCs you want/need; for some reason this can't be done using OpenSSL, but fortunately keytool is your friend: keytool importing multiple certificates in single file
Next up is creating a trust store, e.g., by following this example: https://stackoverflow.com/a/6379434/1441857
The keystore needed for the step above is created as follows:
import java.io.InputStream;
import java.security.KeyStore;

// Loads the PKCS12 built with keytool; the password is the one given to keytool at import time
private KeyStore createStore(InputStream pkcs12Stream) throws Exception {
    final KeyStore keyStore = KeyStore.getInstance("PKCS12");
    keyStore.load(pkcs12Stream, "password".toCharArray());
    return keyStore;
}
Finally you can simply validate by using your trust manager(s) (there's actually just one, as expected), following the first answer I linked. The authType parameter seems to be "RSA_EXPORT"; haven't figured out why yet.
I think that should do the trick :)
I was wondering if it is possible to make a self-signed certificate on my server, so that my app can communicate via SSL (I am aware of methods to make my app trust the self-signed cert), so that the certificate would not expire in 1 year but maybe in 5, as I don't want to manually update many apps that would use SSL.
Is there any way to make a self-signed certificate that doesn't expire within 1 year? If not, would there be any point in making my app download the new cert if a certain date has passed?
Thanks.
You're completely free to set whatever you want for expiry time when you create/sign a certificate.
Here's how to generate a self-signed SSL certificate using Ruby. I personally prefer to use a language binding when talking to OpenSSL since the CLI is a bit complicated to use :)
require "openssl"

keypair = OpenSSL::PKey::RSA.new(2048)

# Write the private key, encrypted under a passphrase
File.open("/tmp/key.pem", "w+") do |f|
  f.write keypair.to_pem(OpenSSL::Cipher.new("AES-128-CBC"), "my passphrase")
end

cert = OpenSSL::X509::Certificate.new
cert.version = 2    # X.509 v3
cert.serial = 1
cert.not_before = Time.now
cert.subject = OpenSSL::X509::Name.new([
  ["C", "NO"],
  ["ST", "Oslo"],
  ["L", "Oslo"],
  ["CN", "August Lilleaas"]
])
cert.issuer = cert.subject    # self-signed: issuer is the subject itself
cert.not_after = Time.now + 1000000000 # 40 or so years
cert.public_key = keypair.public_key
# Sign with the same key; without this the certificate carries no valid signature
cert.sign(keypair, OpenSSL::Digest.new("SHA256"))

File.open("/tmp/cert.pem", "w+") do |f|
  f.write cert.to_pem
end
I am a little new to this whole WebSocket and SSL certificate thing.
So I have created my own WebSocket server on the Android side and the website is the client. I was able to make it work with a regular WebSocket (ws://) but not a secure WebSocket (wss://) because it requires an SSL certificate.
My question is how can I get an SSL certificate? From what I've read, an SSL certificate is based on a domain. I need it for localhost. I need it for something like this address:
wss://localhost:8080/ws/main
How can I go about getting an SSL certificate that will work with localhost?
Thank you for your time!
====================== EDIT =====================
Reason why I am doing this:
I have a Bluetooth service in my Android application that will be getting data from connected health Bluetooth devices like a weight scale and a blood pressure machine. I have this part implemented already and I want to take this data and pass it to a website. WebSocket seemed easier because the user will have my application open and when they do their weight, it would automatically fill in the field on the website with the weight from the weight scale. I hope I am making this clear.
To do this, I need to have a way to pass the weight or blood pressure values from Java (Android) to the website that loads within a WebView. So I thought WebSocket would be the easiest way.
Please tell me if you think there is an easier way.
Also, I've already tried a self-signed certificate and I get the following error:
I/X509Util: Failed to validate the certificate chain, error: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
OR
Exception=javax.net.ssl.SSLException: Error occured in delegated task:javax.net.ssl.SSLException: Not trusted server certificate
Thank you!!!
We faced a similar problem; our solution was to register a subdomain of one of our domains with an A record to 127.0.0.1 and get a certificate for that domain.
local.example.com -> A record to 127.0.0.1
SSL certificate requested for local.example.com
I'm afraid this answer is too late for you; however, it can be helpful for others finding this article.
When I'm using the fetch function in my React Native apps, things work as expected on iOS, but give an error on Android. The error is 'TypeError: Network request failed'. Doing a bit of debugging, I found that the cause of the error seems to be the following: 'java.security.cert.CertPathValidatorException: Trust anchor for certification path not found'.
How come this works on iOS and not on Android, and how do I best fix it? Is the fault in react-native, or somewhere deeper?
There are a few workarounds for this issue mentioned here: Trust Anchor not found for Android SSL Connection
However, if you are the server owner, I would suggest reviewing your server's SSL certificate. I think that was because of a missing CA certificate in your pem file.
What I did for my site is I created fullchain.pem by concatenating the content of file.crt and file.ca-bundle, in that order.
Then I configured nginx (my server is behind nginx) with:
ssl_certificate /etc/nginx/ssl/fullchain.pem;
The original document: https://www.digicert.com/ssl-certificate-installation-nginx.htm
Hope that helps.
I am after a solution which would enable me to use the in-built keystore and StrictHostnameVerifier but would allow me to obtain the X509CertificateChain (either once connected or post-handshake) so I can perform some additional checks (specifically I want to verify the root public key is the one I expected).
The examples I have investigated are mainly around overriding the behaviour (i.e. by replacing the socket factory or hostname checker with ones which don't do anything) and I am struggling with the differences between the Android and other Java implementations.
The reason I don't want to bundle a keystore (aside from having to use BouncyCastle instead of JKS) is that I don't want to package the intermediate CA cert with the app as this will create a certificate management problem sooner.
Many thanks in advance for any comments.
Ideally, this should be done at runtime. Bundling the certificate might be redundant as well, when some devices might already have that certificate installed.
Normally, your approach should be this:
Try connecting to the server.
If the certificate is not installed, you will get a certificate exception. Catch it, extract the public certificate, and save it by creating a keystore on the fly.
While making new connections, use this keystore to initialize your SSL context.
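The following is an added Ruby example, not code from any of the answers on this page, that ties together three of the threads above in one runnable script: the CSC/DSC passive-authentication answer (a trust store of anchors is what turns a bare signature check into a chain check), the fullchain.pem answer (the "Trust anchor for certification path not found" failure is what a client sees when the intermediate is not served), and the question just above (pulling the validated chain back out and checking that the root's public key is the one you expect). Ruby's OpenSSL::X509::Store and StoreContext stand in for the Java TrustManager; every certificate, key and name below is constructed inside the script, and `issue`, `validate` and `root_pin_ok?` are helper names chosen for the demo.

```ruby
require "openssl"

# One certificate. With no issuer it is self-signed (a root, or a CSC in ePassport terms);
# with an issuer it is a subordinate CA or a leaf (a DSC, or a server certificate).
def issue(subject, key, issuer_cert: nil, issuer_key: nil, ca: false, days: 365)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign,cRLSign" : "digitalSignature", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# fullchain.pem is the leaf followed by the CA bundle; split the concatenation back up.
def parse_pem_bundle(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Path validation as a TrustManager does it: anchors come only from the trust store, the
# certificates the peer sends are untrusted input, and the output is the chain actually built.
# Returns [ok, error_string_or_nil, chain_leaf_to_root].
def validate(anchors, leaf, untrusted)
  store = OpenSSL::X509::Store.new
  anchors.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, untrusted)
  ok = ctx.verify
  [ok, ok ? nil : ctx.error_string, ok ? ctx.chain : []]
end

# base64(SHA-256(SubjectPublicKeyInfo)), the same pin format Android uses.
def spki_pin(cert)
  "sha256/" + [OpenSSL::Digest::SHA256.digest(cert.public_key.to_der)].pack("m0")
end

# After validation succeeded, confirm the anchor the path ended at is the expected one,
# identified by its key rather than its name (names are not unique across CAs).
def root_pin_ok?(chain, expected_pin)
  !chain.empty? && spki_pin(chain.last) == expected_pin
end

def demo
  root_key, inter_key, leaf_key, rogue_key = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  root  = issue("/C=XX/O=Constructed CA/CN=Root", root_key, ca: true, days: 3650)
  inter = issue("/C=XX/O=Constructed CA/CN=Intermediate", inter_key,
                issuer_cert: root, issuer_key: root_key, ca: true, days: 1825)
  leaf  = issue("/CN=example.com", leaf_key, issuer_cert: inter, issuer_key: inter_key)
  rogue = issue("/CN=Rogue Root", rogue_key, ca: true)           # never added to the store
  rogue_leaf = issue("/CN=example.com", leaf_key, issuer_cert: rogue, issuer_key: rogue_key)

  # nginx with ssl_certificate file.crt only, versus fullchain.pem (crt + ca-bundle)
  served_fullchain = parse_pem_bundle(leaf.to_pem + inter.to_pem)
  leaf_only = validate([root], leaf, [])
  full      = validate([root], served_fullchain.first, served_fullchain.drop(1))
  wrong     = validate([root], rogue_leaf, [rogue])

  {
    signature_only: leaf.verify(inter.public_key),  # the DSC-style check: true, but proves no trust
    leaf_only_ok: leaf_only[0],                      # false: intermediate missing, no path to an anchor
    leaf_only_error: leaf_only[1],
    full_ok: full[0],                                # true
    chain_length: full[2].length,                    # 3: leaf, intermediate, root
    rogue_ok: wrong[0],                              # false: the rogue root is not an anchor
    root_pin_ok: root_pin_ok?(full[2], spki_pin(root))
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

Two things this makes concrete. First, `leaf.verify(inter.public_key)` succeeding is exactly the state the jmrtd question describes: the signature is fine, but until the issuer is found in a store of anchors (the CSCs, or the device's system roots) nothing has been proven. Second, the root you compare against belongs to the chain the validator built, not to the list the peer sent; on Android the counterpart of `ctx.chain` is the `List<X509Certificate>` returned by `X509TrustManagerExtensions.checkServerTrusted`, which is the cleaned chain after validation, and comparing the pin of its last element against an expected value is the root-key check the question asks for without replacing the hostname verifier or the socket factory. If you instead follow the answer above and save the certificate from the first failed connection, compare its pin against a value you shipped before adding it to the keystore; a certificate accepted on first contact is the one connection you have not verified.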