Computing/SSL: Difference between revisions
From OpenWetWare
Jump to navigationJump to search
No edit summary |
No edit summary |
||
| Line 3: | Line 3: | ||
*Download [http://ca.mit.edu/mitca.crt MIT CA] | *Download [http://ca.mit.edu/mitca.crt MIT CA] | ||
*Convert the extracted MIT CA from DER to PEM format: | *Convert the extracted MIT CA from DER to PEM format: | ||
openssl x509 -out | openssl x509 -out mitca.pem -outform pem -in mitca.crt -inform der | ||
*Install [http://ca.mit.edu/ personal MIT certificate] into web browser | *Install [http://ca.mit.edu/ personal MIT certificate] into web browser | ||
*Extract private and public keys from the .p12 certificate (converting from pkcs12 to PEM). The first step extracts the private key and the second one extracts the public key: | *Extract private and public keys from the .p12 certificate (converting from pkcs12 to PEM). The first step extracts the private key and the second one extracts the public key: | ||
openssl pkcs12 -nocerts -in usercert.p12 -out ~user | openssl pkcs12 -nocerts -in usercert.p12 -out ~user/userkey.pem | ||
chmod 400 ~user | chmod 400 ~user/userkey.pem | ||
openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out ~user | openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out ~user/usercert.pem | ||
*Use the certificates | *Use the certificates to download files: | ||
wget --private-key=/home/ | wget --private-key=/home/user/mitkey.pem \ | ||
--certificate=/home/ | --certificate=/home/user/mitcert.pem \ | ||
--ca-certificate=/home/ | --ca-certificate=/home/user/mitca.pem \ | ||
https://web.mit.edu/rhlinux/rhel-5.0/5.0-client-i386/rhel-5-client-i386-disc4.iso | https://web.mit.edu/rhlinux/rhel-5.0/5.0-client-i386/rhel-5-client-i386-disc4.iso | ||
==Notes== | |||
You won't need the --ca-certificate flag if the server SSL cert is signed up a CA recognized in the wget default CA bundle. Now, more importantly, if you remove the --certificate and --private-key parts, that wget should FAIL, giving you an error something like this: | |||
OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert | OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert | ||
==References== | |||
From the openssl man page: | *[http://goc.eu-eela.org/operations/certification-authority-and-virtual-organisation-operations/certificate-manipulation/ Certificate manipulation] | ||
*https://biowiki.mit.edu/wiki/index.php/Setting_Up_SSL_on_Web_Servers | |||
*http://web.mit.edu/apache-ssl/ | |||
*http://mark.foster.cc/kb/openssl-keytool.html | |||
*http://mark.foster.cc/kb/cacert-keystore-extraction.html | |||
*http://www.ender.com/2005/11/installing_your_own_ca_authori.html | |||
*From the openssl man page: | |||
--certificate=file | --certificate=file | ||
Use the client certificate stored in file. This is needed for | Use the client certificate stored in file. This is needed for | ||
| Line 27: | Line 32: | ||
clients that connect to them. Normally a certificate is not | clients that connect to them. Normally a certificate is not | ||
required and this switch is optional. | required and this switch is optional. | ||
--private-key=file | --private-key=file | ||
Read the private key from file. This allows you to provide the | Read the private key from file. This allows you to provide the | ||
private key in a file separate from the certificate. | private key in a file separate from the certificate. | ||
--ca-certificate=file | --ca-certificate=file | ||
Use file as the file with the bundle of certificate authorities | Use file as the file with the bundle of certificate authorities | ||
(‘‘CA’’) to verify the peers. The certificates must be in PEM format. | (‘‘CA’’) to verify the peers. The certificates must be in PEM format. | ||
--no-check-certificate | --no-check-certificate | ||
Don’t check the server certificate against the available certificate authorities. | Don’t check the server certificate against the available certificate authorities. | ||
Latest revision as of 12:50, 10 August 2007
Using wget to download files from certificate-protected sites at MIT:
- Download MIT CA
- Convert the extracted MIT CA from DER to PEM format:
openssl x509 -out mitca.pem -outform pem -in mitca.crt -inform der
- Install personal MIT certificate into web browser
- Extract private and public keys from the .p12 certificate (converting from pkcs12 to PEM). The first step extracts the private key and the second one extracts the public key:
openssl pkcs12 -nocerts -in usercert.p12 -out ~user/userkey.pem chmod 400 ~user/userkey.pem openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out ~user/usercert.pem
- Use the certificates to download files:
wget --private-key=/home/user/mitkey.pem \ --certificate=/home/user/mitcert.pem \ --ca-certificate=/home/user/mitca.pem \ https://web.mit.edu/rhlinux/rhel-5.0/5.0-client-i386/rhel-5-client-i386-disc4.iso
Notes
You won't need the --ca-certificate flag if the server SSL cert is signed up a CA recognized in the wget default CA bundle. Now, more importantly, if you remove the --certificate and --private-key parts, that wget should FAIL, giving you an error something like this: OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
References
- Certificate manipulation
- https://biowiki.mit.edu/wiki/index.php/Setting_Up_SSL_on_Web_Servers
- http://web.mit.edu/apache-ssl/
- http://mark.foster.cc/kb/openssl-keytool.html
- http://mark.foster.cc/kb/cacert-keystore-extraction.html
- http://www.ender.com/2005/11/installing_your_own_ca_authori.html
- From the openssl man page:
--certificate=file
Use the client certificate stored in file. This is needed for
servers that are configured to require certificates from the
clients that connect to them. Normally a certificate is not
required and this switch is optional.
--private-key=file
Read the private key from file. This allows you to provide the
private key in a file separate from the certificate.
--ca-certificate=file
Use file as the file with the bundle of certificate authorities
(‘‘CA’’) to verify the peers. The certificates must be in PEM format.
--no-check-certificate
Don’t check the server certificate against the available certificate authorities.
