Computing/SSL

From OpenWetWare
Revision as of 12:31, 10 August 2007 by Ilya (talk | contribs)

Using wget to download files from certificate-protected sites at MIT:

  • Download MIT CA
  • Convert the extracted MIT CA from DER to PEM format:
openssl x509 -out exported-pem.crt -outform pem -in exported.crt -inform der 
  • Install personal MIT certificate into web browser
  • Extract the private key and the client certificate from the .p12 file (converting from PKCS#12 to PEM). The first command extracts the private key (openssl prompts for the .p12 export passphrase and then for a passphrase to protect the PEM key; add -nodes to write it unencrypted), the chmod makes the key readable by you alone, and the third command extracts the certificate, which carries the public key:
openssl pkcs12 -nocerts -in usercert.p12 -out ~user/.globus/userkey.pem
chmod 400 ~user/.globus/userkey.pem
openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out ~user/.globus/usercert.pem
  • Use the certificates with wget (the paths below are the author's; point the three options at the CA, certificate and key files you produced above):
wget --private-key=/home/ilyas/computing/certs/mitkey.pem \
--certificate=/home/ilyas/computing/certs/mitcert.pem \
--ca-certificate=/home/ilyas/computing/certs/mitca.pem \
https://web.mit.edu/rhlinux/rhel-5.0/5.0-client-i386/rhel-5-client-i386-disc4.iso
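
The whole procedure above, as an added example that is not part of the original page: it builds a throwaway CA and a client identity locally with openssl (stand-ins for the MIT CA and the personal MIT certificate; nothing here touches MIT), then runs the page's own DER-to-PEM and PKCS#12-to-PEM commands against them and checks the results the way you would before handing the files to wget. Assumptions: openssl and mktemp are on PATH, the .p12 export passphrase is the constructed value "changeit", and -passin/-passout are added so the commands run without prompting.

```shell
#!/bin/sh
# Added example (not from the page): construct a test CA and client identity,
# run the page's conversions against them, and verify the outputs.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # scratch directory (assumes mktemp exists)
P12PASS="changeit"                # constructed export passphrase for the .p12
cd "$WORK"

# 1. Stand-in for "Download MIT CA": a self-signed CA, exported in DER
#    the way a browser hands out exported.crt.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Example Test CA" -keyout ca.key -out ca.pem 2>/dev/null
    openssl x509 -in ca.pem -outform der -out exported.crt
}

# 2. Stand-in for the personal certificate: a client cert signed by that CA,
#    bundled with its key into usercert.p12 as a browser export would be.
make_test_p12() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=user" \
        -keyout user.key -out user.csr 2>/dev/null
    openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 2 -sha256 -out user.crt 2>/dev/null
    openssl pkcs12 -export -inkey user.key -in user.crt -certfile ca.pem \
        -passout "pass:$P12PASS" -out usercert.p12
}

# 3. The page's conversions, with -passin/-passout supplied so nothing prompts.
convert_as_on_page() {
    # CA: DER -> PEM
    openssl x509 -out exported-pem.crt -outform pem -in exported.crt -inform der
    # private key out of the .p12 (still passphrase-protected; -nodes would drop that)
    openssl pkcs12 -nocerts -in usercert.p12 -out userkey.pem \
        -passin "pass:$P12PASS" -passout "pass:$P12PASS"
    chmod 400 userkey.pem
    # client certificate out of the .p12
    openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out usercert.pem \
        -passin "pass:$P12PASS"
}

# Checks worth running before pointing wget at these files.
ca_roundtrip_ok() {        # the PEM CA is the same certificate as the DER one
    [ "$(openssl x509 -noout -fingerprint -sha256 -in exported-pem.crt)" = \
      "$(openssl x509 -noout -fingerprint -sha256 -in ca.pem)" ]
}
key_matches_cert() {       # public half of userkey.pem equals the key in usercert.pem
    [ "$(openssl pkey -in userkey.pem -passin "pass:$P12PASS" -pubout)" = \
      "$(openssl x509 -noout -pubkey -in usercert.pem)" ]
}
chain_verifies() {         # usercert.pem chains to the converted CA
    openssl verify -CAfile exported-pem.crt usercert.pem >/dev/null 2>&1
}
key_perms() { ls -l userkey.pem | cut -c1-10; }   # "-r--------" after chmod 400

make_test_ca
make_test_p12
convert_as_on_page
```

After it runs, exported-pem.crt, usercert.pem and userkey.pem in the scratch directory are the files that --ca-certificate, --certificate and --private-key would point at; the three checks catch the usual mistakes (a CA file that is still DER, a key that does not belong to the certificate, a certificate the CA file cannot verify) before a failed TLS handshake would.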

You won't need the --ca-certificate option if goliath's server SSL certificate is signed by a CA recognized in wget's default CA bundle. More importantly, if you remove the --certificate and --private-key options, that wget should FAIL, because the server aborts the handshake when no client certificate is presented, giving an error something like this: OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert (see http://www.ender.com/2005/11/installing_your_own_ca_authori.html). If it still succeeds without them, the server is not actually requiring client certificates.


From the wget man page (the options used above):

  • client certificate
      --certificate=file
          Use the client certificate stored in file.  This is needed for
          servers that are configured to require certificates from the
          clients that connect to them.  Normally a certificate is not
          required and this switch is optional.

  • private key
      --private-key=file
          Read the private key from file.  This allows you to provide the
          private key in a file separate from the certificate.

  • CA
      --ca-certificate=file
          Use file as the file with the bundle of certificate authorities
          ("CA") to verify the peers.  The certificates must be in PEM format.
      --no-check-certificate
          Don't check the server certificate against the available certificate authorities.

Note that --no-check-certificate turns off verification of the server entirely, so it is not a substitute for --ca-certificate: if the MIT CA is not in wget's default bundle, pass it with --ca-certificate rather than disabling the check.

References

Certificate manipulation

https://biowiki.mit.edu/wiki/index.php/Setting_Up_SSL_on_Web_Servers
http://web.mit.edu/apache-ssl/
http://mark.foster.cc/kb/openssl-keytool.html
http://mark.foster.cc/kb/cacert-keystore-extraction.html