I want to get SSL certificate for my webpage that chat with each other. I also using AES 265 hashing algorithm for dealing more secure with my webpage data and using sha512 for password hashing. But i don't know how to get SSL certificate in industrial level. I tried with many of giving free SSL websites but i still haven't got that. What is Server signature? and how i get that? thanks
This is really a server admin question, not a programming issue.
You can either do a self signed certificate, or get one from a certificate authority.
Self signed certificates are secure, BUT many times programming languages don't like them OR when you connect to something using them you need to tell the function that self-signed is OK.
That said, if you want a "real" certificate you may want to look at Let's Encrypt - https://en.wikipedia.org/wiki/Let%27s_Encrypt
You need to create your own keystore for setting up SSL enabled one.
After you create your own Keystore it has to be signed by the Certificate Authority for example, Go Daddy or GlobalSign.
But for testing purpose, you need to create self-signed certificate using Keytool which comes with your JDK or JRE (C:\Program Files\Java\jdk1.8.0_60\bin\keystool.exe).
You can create self-signed certificate using below command:
keytool - genkey -dname "CN=SERVER_NAME, OU=ABC, O=company.com, L=Morrisville, S=NC, C=US" -alias myalias -keyalg RSA -validity 365 -keysize 2048 -keystore keystore.jks -storepass password -keypass password
Here, storepass and keypass should be same for avoiding some confusions.
Now, after creating your own keystore.jks, its time for server configuration.
I am considering that you are using Apache tomcat or if you are using some other server, you can find server configurations very easily over other tutorials.
You need to edit two files: server.xml and setenv.sh/bat
1) Go to $CATALINA_HOME/conf --> Here you will find server.xml and now you have to edit the port information so that communication will go through SSL enabled port. You need to create one more connector other than default 8080 port like below:
<Connector
port="33380" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="500"
compressableMimeType="application/json,application/atom+xml,application/xml"
compression="on"
maxKeepAliveRequests="-1"
connectionTimeout="20000"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="conf/keystore/keystore.jks" keystorePass="password"
clientAuth="false" sslProtocol="TLS"/>
Here, specify the path of the generated keystore file for keystoreFile attribute and keystorepass equals to the password that you have chosen while creating the keystore file.
2) Go to $CATALINA_HOME/bin --> Here you will find setenv.sh/bat files.
Here, you need to specify the keystore password and path of the keystore file.
Add these server environment variables inside JAVA_OPTS
-Djavax.net.ssl.keyStore=../../../keystore/keystore.jks -Djavax.net.ssl.keyStorePassword=password
I hope this will give some direction to you for configuration purpose.
Related
I have a PHP application on Apache 2.4 server with installed mySql server and PHPmyAdmin.
To do some tests for educational purposes I need to enable SSL / TLS both on the PHP WEB application and on PHPmyAdmin.
all tests are performed on a local network between two computers, so there is the problem of generating certificates, but I followed this guide:
https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
I generated the certificate of the certification authority that I installed on both machines of the local network (the server and the client), and the 3 files needed by Apache:
server.crt (server signed certificate)
server.csr (certificate signing request)
server.key (private key)
following the guide I then enabled TLS 1.3 on the PHP application successfully.
Now I should repeat the thing on phpMyAdmin and enable SSL. I've read that I need to add these directives to the config.inc.php file:
$cfg['Servers'][$i]['ssl'] = true
$cfg['Servers'][$i]['ssl_cert']
$cfg['Servers'][$i]['ssl_key']
$cfg['Servers'][$i]['ssl_ca']
The first must be set TRUE, while the others require the path of the certificates. Can I use the same certificates I use for the app?
I tried to do it: for the certificate of the CA, I exported it, converted it to .pem, put it in a folder in c: and entered the path in ssl_ca, for the signed certificate of the server, I simply converted it to .pem and entered the path, while the keys I left it like this and entered the path.
However, phpmyAdmin gives me an error:
mysqli::real_connect(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificat e verify failed
Happens because I don't use the csr file?
Thanks!
I need to establish a TLS connection between my backend and a web service API. I'm using the HttpClientInterface class within the Symfony framework. I would really like to understand what I'm doing here.
This is the situation:
I recieved a .p12 file containing my certificate and its private key, these have been extracted with openssl to .pem files. In the PHP: SSL context options, I have set local_cert = /mypath/mycert.pem, local_pk = /mypath/mykey.pem and passphrase = 'pwtoextractfiles'. Are all these options neccessary? Whats happening here really?
I also got a server certificate. I set cafile = /mypath/servercert.pem. However the issuer of the server cert tells me I'm supposed to add the issuer of the server cert as trusted root and add the issuer in my trust store. How is this done in PHP? Have I done this correctly by setting the cafile option?
Trying to sort out an LDAPs connection over windows / PHP:
I have .pfx certificate available to me and an LDAP(s) configuration requirement running on Windows 2012R2 / IIS 8.5. I currently have a folder structure: C:\OpenLDAP\sysconf and within here is my LDAP.Conf file with an entry:
TLS_CACERT c:\openldap\sysconf\XXX.pfx
The pfx file is encrypted so I am assuming I need to 'install' the certificate on the IIS server.
I have the required password for the chain but I'm a little fuzzy on exactly where / process for installing the certificate on the IIS Server for this particular requirement.
Can anyone explain / guide me as to how to complete this side of it ?
Very Very appreciated in advance for your help
You can import/install the pfx (private key & certificate archive) for the ActiveDirectory services using Microsoft management console.
You need to launch MMC then import the certificate by selecting
File->Add or remove snap-in->select Certificates->click add(to add it
to the selected snap-ins)->click ok->select service account , then
selecting local computer then selecting active directory
service->finish.
This site will guide you through your configuration:
A complete and step by step info is given
https://www.digicert.com/ssl-certificate-installation-microsoft-active-directory-ldap-2012.htm
You can verify your Ldap configuration by importing the public certificate to your personal certificate store through MMC or by just double clicking it and following the wizard then use ldp tool to verify the SSL connectivity.
I have spent 8 hours on this, and still can't get it right.
My situation:
My server is running on Linux xrm 2.6.32-5-amd64;
In console: openssl s_client -connect ns1.example.com:995 works flawlessly, successful connection.
But when i execute this script:
a)
$res = imap_open("{ns1.example.com:993}",
"user#example.lv", "password");
Response is: Array ( [0] => [CLOSED] IMAP connection broken (server response) )
b)
$res = imap_open("{ns1.example.com:993/ssl}",
"user#example.lv", "password");
Response: Array ( [0] => Certificate failure for ns1.example.com: self signed certificate: /CN=ns1.example.com/emailAddress=ssl#ns1.example.com )
Is it connected with the fact that, this script is under drupal directory?
And it uses different php.ini than server does?
Even though when i execute php_info(), it says that imap and imap/ssl is enbaled.
i have tried all the imap_open() flags, but still no luck.
I even can't connect to a standart gmail mailbox.
Please get me out of here.
How the server must be configured to be able to connect to mailbox
It depends. The server can use a certificate signed by a public CA if the CA is a trust anchor on the client. The server can use a certifcate signed by a non-public CA used in a private PKI as long as the client uses it as a trust anchor.
The server can also use a self signed certificate if the client trusts the certificate. See Marc B's comments.
In the case of the mail protocols, opportunistic encryption is the next big push. As such, your script should be using DNSSEC and DANE to fetch the certificate from DNS's CERT resource record. See, for example, RFC 6944 and RFC 7218.
As a fallback, the script should be using security diversification techniques like Trust on First Use (TOFU), certificate pinning or public key pinning. Peter Gutmann talks about it in his book Engineering Security. (The other choice - disable validation - is really bad).
... via php script
This is likely your problem. Its not robust and it does not do the right thing.
In console: openssl s_client -connect ns1.example.com:995 works flawlessly
Probably not. Are you certain about that? I would have expected s_client to return non-0. At minimum, you would have needed the -CAfile option to tell OpenSSL what certificate to use as a trust anchor.
Also, OpenSSL prior to OpenSSL 1.1.0 does not perform hostname matching. So the name in the certifcate could be anything and s_client would accept it as long as its signed by a CA (modulo the -CAfile option). That mistake does not show up anywhere. You have to manually inspect the end entity certificate to discover the problem (if its present).
I am successfully connecting, using Microsoft C#, to a Microsoft web service. I have to supply a username, password (in the C# code); and install a certificate (in .cer format) into the "Root Certificate Authorities" section of the system's certificates.
How can I connect to such a web service in PHP? The reason I ask is that all methods I have seen (such as wsdl2php, which creates a SoapClient subclass), seem to assume various things, such as SSL certificate, SSL key file and SSL key passphrase.
So it all confuses me. I'm not sure what should go where. I'm not sure where my "root certificate authority" (the .cer file) should go, and where the username and password should go. Any ideas?
all can be done whith soapclient and stream_context_create using ssl options
<?php
$context = stream_context_create(array(
'https' => array(
'cafile' => '/path to file',
'verify_peer' => true
)));
new soapclient("https://localhost/index.php?wsdl",array(
'login'=>'admin',
'password'=>'passss',
'stream_context'=> $context
));
it is not uncommon in soap to not use http auth but just an soap-call, the documnetation is essential
it can be rewarding to use soapclient whith classes using classmap to map soaptypes to php clases
Typically if you're calling a webservice using regular SSL your URL will look like:
https://username:password#myserver.com/mywebservice.php
Then there is the issue of the SSL certificate. I'm using something similar to read from an SSL protected SVN web front. I don't know of any other solution other than to log into the server as the user that is running your webserver (apache/IIS) and accepting the certificate manually. In the case of SVN you could make a checkout and it will ask you to accept the certificate. I'm not entirely sure how this would work for a plain HTTPS request but perhaps you can get the certificate by loading the webservice in a browser? (or using wget or something fancy if you're lucky enough to be running Linux)
Also, is your code the PHP code or the C# code? If it's C# you may need to do something else entirely.