Computing/SSL

From OpenWetWare

< Computing(Difference between revisions)
Jump to: navigation, search
Current revision (15:50, 10 August 2007) (view source)
 
Line 3: Line 3:
*Download [http://ca.mit.edu/mitca.crt MIT CA]
*Download [http://ca.mit.edu/mitca.crt MIT CA]
*Convert the extracted MIT CA from DER to PEM format:
*Convert the extracted MIT CA from DER to PEM format:
-
  openssl x509 -out exported-pem.crt -outform pem -in exported.crt -inform der  
+
  openssl x509 -out mitca.pem -outform pem -in mitca.crt -inform der  
*Install [http://ca.mit.edu/ personal MIT certificate] into web browser
*Install [http://ca.mit.edu/ personal MIT certificate] into web browser
*Extract private and public keys from the .p12 certificate (converting from pkcs12 to PEM).  The first step extracts the private key and the second one extracts the public key:
*Extract private and public keys from the .p12 certificate (converting from pkcs12 to PEM).  The first step extracts the private key and the second one extracts the public key:
-
  openssl pkcs12 -nocerts -in usercert.p12 -out ~user/.globus/userkey.pem
+
  openssl pkcs12 -nocerts -in usercert.p12 -out ~user/userkey.pem
-
  chmod 400 ~user/.globus/userkey.pem
+
  chmod 400 ~user/userkey.pem
-
  openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out ~user/.globus/usercert.pem
+
  openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out ~user/usercert.pem
-
*Use the certificates
+
*Use the certificates to download files:
-
  wget --private-key=/home/ilyas/computing/certs/mitkey.pem \
+
  wget --private-key=/home/user/mitkey.pem \
-
  --certificate=/home/ilyas/computing/certs/mitcert.pem \
+
  --certificate=/home/user/mitcert.pem \
-
  --ca-certificate=/home/ilyas/computing/certs/mitca.pem \
+
  --ca-certificate=/home/user/mitca.pem \
  https://web.mit.edu/rhlinux/rhel-5.0/5.0-client-i386/rhel-5-client-i386-disc4.iso
  https://web.mit.edu/rhlinux/rhel-5.0/5.0-client-i386/rhel-5-client-i386-disc4.iso
-
you won't need the --ca-certificate flag if goliath's server ssl cert is signed up a CA recognized in the wget default CA bundle. Now, more importantly, if you remove the --certificate and --private-key parts, that wget should FAIL, giving you an error something like this:
+
==Notes==
 +
You won't need the --ca-certificate flag if the server SSL cert is signed up a CA recognized in the wget default CA bundle. Now, more importantly, if you remove the --certificate and --private-key parts, that wget should FAIL, giving you an error something like this:
OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
-
http://www.ender.com/2005/11/installing_your_own_ca_authori.html
 
-
 
+
==References==
-
From the openssl man page:
+
*[http://goc.eu-eela.org/operations/certification-authority-and-virtual-organisation-operations/certificate-manipulation/ Certificate manipulation]
-
*public key
+
*https://biowiki.mit.edu/wiki/index.php/Setting_Up_SSL_on_Web_Servers
 +
*http://web.mit.edu/apache-ssl/
 +
*http://mark.foster.cc/kb/openssl-keytool.html
 +
*http://mark.foster.cc/kb/cacert-keystore-extraction.html
 +
*http://www.ender.com/2005/11/installing_your_own_ca_authori.html
 +
*From the openssl man page:
       --certificate=file
       --certificate=file
           Use the client certificate stored in file.  This is needed for
           Use the client certificate stored in file.  This is needed for
Line 27: Line 32:
           clients that connect to them.  Normally a certificate is not
           clients that connect to them.  Normally a certificate is not
           required and this switch is optional.
           required and this switch is optional.
-
private key
 
       --private-key=file
       --private-key=file
           Read the private key from file.  This allows you to provide the
           Read the private key from file.  This allows you to provide the
           private key in a file separate from the certificate.
           private key in a file separate from the certificate.
-
CA
 
       --ca-certificate=file
       --ca-certificate=file
           Use file as the file with the bundle of certificate authorities
           Use file as the file with the bundle of certificate authorities
           (‘‘CA’’) to verify the peers.  The certificates must be in PEM format.
           (‘‘CA’’) to verify the peers.  The certificates must be in PEM format.
-
 
       --no-check-certificate
       --no-check-certificate
           Don’t check the server certificate against the available certificate authorities.
           Don’t check the server certificate against the available certificate authorities.
-
 
-
==References==
 
-
[http://goc.eu-eela.org/operations/certification-authority-and-virtual-organisation-operations/certificate-manipulation/ Certificate manipulation]
 
-
 
-
https://biowiki.mit.edu/wiki/index.php/Setting_Up_SSL_on_Web_Servers
 
-
http://web.mit.edu/apache-ssl/
 
-
 
-
http://mark.foster.cc/kb/openssl-keytool.html
 
-
http://mark.foster.cc/kb/cacert-keystore-extraction.html
 

Current revision

Using wget to download files from certificate-protected sites at MIT:

  • Download MIT CA
  • Convert the extracted MIT CA from DER to PEM format:
openssl x509 -out mitca.pem -outform pem -in mitca.crt -inform der 
  • Install personal MIT certificate into web browser
  • Extract private and public keys from the .p12 certificate (converting from pkcs12 to PEM). The first step extracts the private key and the second one extracts the public key:
openssl pkcs12 -nocerts -in usercert.p12 -out ~user/userkey.pem
chmod 400 ~user/userkey.pem
openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out ~user/usercert.pem
  • Use the certificates to download files:
wget --private-key=/home/user/mitkey.pem \
--certificate=/home/user/mitcert.pem \
--ca-certificate=/home/user/mitca.pem \
https://web.mit.edu/rhlinux/rhel-5.0/5.0-client-i386/rhel-5-client-i386-disc4.iso

Notes

You won't need the --ca-certificate flag if the server SSL cert is signed up a CA recognized in the wget default CA bundle. Now, more importantly, if you remove the --certificate and --private-key parts, that wget should FAIL, giving you an error something like this: OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert

References

      --certificate=file
          Use the client certificate stored in file.  This is needed for
          servers that are configured to require certificates from the
          clients that connect to them.  Normally a certificate is not
          required and this switch is optional.
      --private-key=file
          Read the private key from file.  This allows you to provide the
          private key in a file separate from the certificate.
      --ca-certificate=file
          Use file as the file with the bundle of certificate authorities
          (‘‘CA’’) to verify the peers.  The certificates must be in PEM format.
      --no-check-certificate
          Don’t check the server certificate against the available certificate authorities.
Personal tools