Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 18 Next »

Key Points

  1. Java supports full security management - stores, certificates, keys in different key stores ( see  m Java Security Certificate Mgt )
  2. Openssl provides CLI interface to fully manage certificates, stores, signing requests, key management etc


References

Reference_description_with_linked_URLs_______________________Notes______________________________________________________________


https://www.openssl.org/

https://www.openssl.org/docs/

https://www.openssl.org/docs/man1.1.1/


https://www.openssl.org/docs/OpenSSLStrategicArchitecture.html

Openssl Cookbook - 2016 - gdrive

openssl-cookbook.pdf

Openssl Cookbook - reasonably thorough

https://www.freecodecamp.org/news/openssl-command-cheatsheet-b441be1e8c4a/

openssl-common-rsa-commands-zmq_bi_2014_Magic Quadrant for Business Intelligence and Analytics Platforms.pdf

Common Openssl commands from freecodecamp

https://slproweb.com/products/Win32OpenSSL.htmlOpenssl Windows binaries

Linux includes openssl  ...   openssl version -a   ( shows details )
https://phoenixnap.com/kb/openssl-tutorial-ssl-certificates-private-keys-csrsTutorial creating ssl certificates with openssl


https://www.pixelstech.net/article/1408345768-Different-types-of-keystore-in-Java----OverviewJava Keystore types
https://docs.oracle.com/javase/9/tools/keytool.htm#JSWOR-GUID-5990A2E4-78E3-47B7-AE75-6D1826259549Java keytool for CA administration


https://www.geotrust.com/resources/csr/apache_mod_ssl.htm

openssl-create-server-cert-process-geotrust.com-Generate a Certificate Signing Request CSR.pdf

common openssl process to create a server certificate for ssl - geotrust


https://www.thewindowsclub.com/manage-trusted-root-certificates-windows

windows10-certificate-trust-mgt-mmc-thewindowsclub.com-How to manage Trusted Root Certificates in Windows 10.pdf

Using Windows 10 Trust store with MMC

Mozilla keeps the trust store in the source code repository:

This file contains the object definitions for the certs and other
# information "built into" NSS.

https://support.google.com/a/answer/6342198?hl=en


Generate Keys and Certificates for SSO for a GSuite account

how to create keys, certificates and link them to a GSuite account



https://letsencrypt.org/

https://letsencrypt.org/docs/

https://letsencrypt.org/how-it-works/

Let's encrypt or other root CAs - provides certs, CAAS - certificate admin as a service using a client agent on your server

Let's Encrypt has short key rotation ( 90 days or less to expiration )

https://upcloud.com/community/tutorials/use-ssh-keys-authentication/Using ssh with Openssl or Puttygen **


https://security.stackexchange.com/questions/146360/ssh-keypair-works-in-putty-but-not-in-openssh-inside-the-puttys-session

Puttygen keys are not compatible with OpenSSH or OpenSSL

Puttygen's private key format (PPK) can by converted OpenSSL format



https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-fileCommon certificate and key file formats
https://www.https.in/ssl-security/renew-ssl-certificate-steps/
ssl-How to Renew SSL Certificate for my Website.pdf
Renew SSL certificates **
https://docs.aws.amazon.com/acm/index.htmlAWS ACM certificate management **



Simple ssh - Using ssh with Openssl or Puttygen on Linux or Windows

https://upcloud.com/community/tutorials/use-ssh-keys-authentication/

_ssh-keys-How to use SSH keys for authentication.pdf


Login to server w private key

after public key stored on server, 

then

run ssh with the private key for the user at the server address

ssh -i id_rsa jimmason@jim-macbook.local


https://docs.rackspace.com/support/how-to/logging-in-with-an-ssh-private-key-on-linuxmac






Key Concepts




Certificate Use Cases


Manage Client and Server SSL certificates for SSL encryption of messages

  1. Client and server each have their own private key and matching public key pairs
  2. Client and server can self-sign their private keys or create a CSR ( certificate signing request ) to have a root CA sign them for higher trust level
  3. Client and server exchange public keys as certificates
  4. For each message sent, the source system encrypts the message with the private key
  5. For each message received, the receiver uses the public key to decrypt the message

Can use a variety of tools to generate an RSA 2048 key pair for SSL:  Openssl, Java keytool, Puttygen

After generating the key pair file, copy the pair to the secure local key store ( PKCS12 format or ? )

Send the public key to the other end of the SSL connection to use to decrypt messages


Gopher blog on Key management for SSL setup

SSL notes from Gopher blog
You do not need to share secrets. You just need to exchange public keys securely between two parties.You stated that we can make an assumption: "secrets can be pre-shared". Given this problem, generate a certificate for each node and securely exchange their public keys.Now every node has a way to authenticate every other node with mutual TLS.To clarify, you do not need a certificate authority. This is out of scope for the problem. The certificate authority solves the problem of key distribution by delegating trust. You don't need to do that, because of your assumption that secrets (in this case, non-secrets) can be exchanged securely.To summarize, as long as each node has every other nodes public key, you have trust between them. Certificate authority, lets encrypt, etc are solutions for a problem that you don't actually need to solve.

Maria Gonzales  4 days ago
Thanks for your inputs. I started reading about TLS, but I was getting lost on the CAs part. So, if I understand correctly (and to get it right in my head), do I just need to generate 2 pairs of keys, exchange the public keys (out of band, preferentially) and there is no need to sign the certificates at all? (edited) 

Maria Gonzales  4 days ago
The part of signing the certificates (whether self-signed or not), was confusing me



Full CA keystore setup, generate of RSA certificates and management for SSL server

  1. Typically a server is setup by a Certificate Authority administrator in a very secure environment.
  2. The CA is often an intermediate CA with a trust chain back to a root CA ( Verisign, Thawte or other root CA )
  3. Certificate files will often use a user, domain name or server name depending on planned usage
  4. Private keys are generated and usually well protected in a secure key store.
  5. A CSR ( Certificate Signing Request ) is generated for root CA authentication ( vs self signed certs )
  6. the server CA reviews and approves the CSR providing a complete trust chain to a root CA
  7. The public key is generated from the private key as a certificate PEM file normally. ( validate )
  8. If needed, a PKCS12 file can be generated from the private key as a format to send the certificate to the client


Client setup for PKI certificates


Key management and distribution concepts

private keys can have a pass phrase to protect access

better use an encrypted wrapper with a password for key distribution via sftp or secure email

store in a secure location documented for trusted users only

send keys as encrypted messages ( PGP, zip or ? )



Document signing with the Private key


Create personal certificate for shared SSL

use a personal name or identity or a proxy name

Setup a Web Server with SSL


to configure and run a web server that supports SSL. That process consists of three steps:
(1)  generate a strong private key,
(2) create a Certificate Signing Request (CSR) and send it to a CA, and
(3) install the CA-provided certificate in your web server.



Common certificate and key file formats

https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file

SSL has been around for long enough you'd think that there would be agreed upon container formats. And you're right, there are. Too many standards as it happens. So this is what I know, and I'm sure others will chime in.

    .csr - This is a Certificate Signing Request. Some applications can generate these for submission to certificate-authorities. The actual format is PKCS10 which is defined in RFC 2986. It includes some/all of the key details of the requested certificate such as subject, organization, state, whatnot, as well as the public key of the certificate to get signed. These get signed by the CA and a certificate is returned. The returned certificate is the public certificate (which includes the public key but not the private key), which itself can be in a couple of formats.
    .pem - Defined in RFCs 1421 through 1424, this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. Confusingly, it may also encode a CSR (e.g. as used here) as the PKCS10 format can be translated into PEM. The name is from Privacy Enhanced Mail (PEM), a failed method for secure email but the container format it used lives on, and is a base64 translation of the x509 ASN.1 keys.
    .key - This is a PEM formatted file containing just the private-key of a specific certificate and is merely a conventional name and not a standardized one. In Apache installs, this frequently resides in /etc/ssl/private. The rights on these files are very important, and some programs will refuse to load these certificates if they are set wrong.
    .pkcs12 .pfx .p12 - Originally defined by RSA in the Public-Key Cryptography Standards (abbreviated PKCS), the "12" variant was originally enhanced by Microsoft, and later submitted as RFC 7292. This is a passworded container format that contains both public and private certificate pairs. Unlike .pem files, this container is fully encrypted. Openssl can turn this into a .pem file with both public and private keys: openssl pkcs12 -in file-to-convert.p12 -out converted-file.pem -nodes

A few other formats that show up from time to time:

    .der - A way to encode ASN.1 syntax in binary, a .pem file is just a Base64 encoded .der file. OpenSSL can convert these to .pem (openssl x509 -inform der -in to-convert.der -out converted.pem). Windows sees these as Certificate files. By default, Windows will export certificates as .DER formatted files with a different extension. Like...
    .cert .cer .crt - A .pem (or rarely .der) formatted file with a different extension, one that is recognized by Windows Explorer as a certificate, which .pem is not.
    .p7b .keystore - Defined in RFC 2315 as PKCS number 7, this is a format used by Windows for certificate interchange. Java understands these natively, and often uses .keystore as an extension instead. Unlike .pem style certificates, this format has a defined way to include certification-path certificates.
    .crl - A certificate revocation list. Certificate Authorities produce these as a way to de-authorize certificates before expiration. You can sometimes download them from CA websites.

In summary, there are four different ways to present certificates and their components:

    PEM - Governed by RFCs, its used preferentially by open-source software. It can have a variety of extensions (.pem, .key, .cer, .cert, more)
    PKCS7 - An open standard used by Java and supported by Windows. Does not contain private key material.
    PKCS12 - A Microsoft private standard that was later defined in an RFC that provides enhanced security versus the plain-text PEM format. This can contain private key material. Its used preferentially by Windows systems, and can be freely converted to PEM format through use of openssl.
    DER - The parent format of PEM. It's useful to think of it as a binary version of the base64-encoded PEM file. Not routinely used very much outside of Windows.



Java Certificate Administration


Java Keystore Types

https://www.pixelstech.net/article/1408345768-Different-types-of-keystore-in-Java----Overview

Keystore is a storage facility to store cryptographic keys and certificates. They are most frequently used in SSL communications to prove the identity of servers and clients. A keystore can be a file or a hardware device. Three are three kinds of entries can be stored in a keystore depending on the types of keystores.

The three types of entries are:

PrivateKey : This is a type of keys which are used in asymmetric cryptography. It is usually protected with password because of its sensitivity. It can also be used to sign a digital signature.

Certificate : A certificate contains a public key which can identify the subject claimed in the certificate. It is usually used to verify the identity of a server. Sometimes it is also used to identify a client when requested.

SecretKey : A key entry which is sued in symmetric cryptography.

Depending on what entries the keystore can store and how the keystore can store the entries, there are a few different types of keystores in Java: JKS, JCEKS, PKCS12, PKCS11 and DKS. You can find the introduction of these keystore on Oracle's Java Cryptography Architecture description.

Next, we will have an overview of these keystore types.

JKS, Java Key Store. You can find this file at sun.security.provider.JavaKeyStore. This keystore is Java specific, it usually has an extension of jks. This type of keystore can contain private keys and certificates, but it cannot be used to store secret keys. Since it's a Java specific keystore, so it cannot be used in other programming languages. The private keys stored in JKS cannot be extracted in Java.

JCEKS, JCE key store(Java Cryptography Extension KeyStore). It is a super set of JKS with more algorithms supported. It is an enhanced standard added later by Sun. You can find this file at com.sun.crypto.provider.JceKeyStore. This keystore has an extension of jceks. The entries which can be put in the JCEKS keystore are private keys, secret keys and certificates. This keystore provides much stronger protection for stored private keys by using Triple DES encryption.

The provider of JCEKS is SunJCE, it was introduced in Java 1.4. Hence prior to Java 1.4, only JKS can be used.

PKCS12, this is a standard keystore type which can be used in Java and other languages. You can find this keystore implementation at sun.security.pkcs12.PKCS12KeyStore. It usually has an extension of p12 or pfx. You can store private keys, secret keys and certificates on this type. Unlike JKS, the private keys on PKCS12 keystore can be extracted in Java. This type is portable and can be operated with other libraries written in other languages such as C, C++ or C#.

The pkcs12 command allows PKCS#12 files (sometimes referred to as PFX files) to be created and parsed. PKCS#12 files are used by several programs including Netscape, MSIE and MS Outlook.

Currently the default keystore type in Java is JKS, i.e the keystore format will be JKS if you don't specify the -storetype while creating keystore with keytool. However, the default keystore type will be changed to PKCS12 in Java 9 because its enhanced compatibility compared to JKS. You can check the default keystore type at $JRE/lib/security/java.security file:

PKCS11, this is a hardware keystore type. It provides an interface for the Java library to connect with hardware keystore devices such as SafeNet's Luna, nCipher or Smart cards. You can find this implementation at sun.security.pkcs11.P11KeyStore. When you load the keystore, you no need to create a specific provider with specific configuration. This keystore can store private keys, secret keys and certificates. When loading the keystore, the entries will be retrieved from the keystore and then converted into software entries.

DKS, Domain KeyStore is a keystore of keystore. It abstracts a collection of keystores that are presented as a single logical keystore. Itself is actually not a keystore. This new keystore type is introduced in Java 8. There is a new class DomainLoadStoreParameter which closely relates to DKS.

This keystore is located at sun.security.provider.DomainKeyStore.java.

Windows-MY, this is a type of keystore on Windows which is managed by the Windows operating system. It stores the user private keys and certificates which can be used to perform cryptographic operations such as signature verification, data encryption etc. Since it's a kind of native keystore, Java doesn't have a general API to access it. Oracle provides a separate API to access the Windows-MY keystore -- SunMSCAPI. The provider class for this API is sun.security.mscapi.SunMSCAPI.

BKS, BoucyCastle keystore, is a keystore format provided the popular third party Java cryptographic library provider -- BouncyCastle. It is a keystore similar to the JKS provided by Oracle JDK. But it supports storing secret key, private key and certificate. It is frequently used in mobile application developments.

In Java, there are a few choices on how a keystore can be processed. Writing the Java code is apparently a choice. Apart from this, a tool comes along with the JDK can also be used, it is called keytool.

keytool is a command line tool. It can be used to create keystore, generate keys, import and export certificates etc. For a full list of commands keytool supports, you can refer to Oracle keytool guideline.

If you are using IBM JDK, there is one more tool which can be used, it is ikeyman. ikeyman is a GUI tool which can provide a straightforward view of the keystore. The entries in the keystore. Keys and certificates can be created using ikeyman as well. It is a tool used frequently by system administrators.

Below are the details of each keystore supported in Java.



Certificate administration options


Java keytool

https://docs.oracle.com/javase/9/tools/keytool.htm#JSWOR-GUID-5990A2E4-78E3-47B7-AE75-6D1826259549

Openssl command line on any platform


Free CA admin tools including Fabric


Openssl certficate adminisration

Use Linux default openssl if possible

includes default trust store for certificates


To create CA, keystore and manage certificates see these detail use cases then read the references below


Use case - Manage Client and Server SSL certificates for SSL encryption of messages



Use case - Full CA keystore setup, generate of RSA certificates and management for SSL server



see References :

openssl-cookbook.pdf

openssl-common-rsa-commands


Sample Openssl CA certificate management commands


use openssl to create pub key and PEM cert from private key

-----------
check the private rsa key 
>openssl rsa -check -inform PEM -in jmason-prv.key -noout -text

<
    ed:cd:05:4d:f9:25:f2:5a
RSA key ok



-----------
view the public key for a private key

openssl rsa -in jmason-prv.key -pubout



-----------
write out the public key from the private key 

openssl rsa -in jmason-prv.key -pubout  -outform PEM -out jmason-pub.PEM -RSAPublicKey_out





Openssl on Windows


install a valid Openssl binary from


Compile Openssl for Windows or get a binary package

only if needed ( usually on Windows if a binary not available )

add a trust store

Use or Create a Trust Store

either use system trust store or get Mozilla trust store

Windows Certificates Trust Store via mmc

Mozilla Root Certificate trust store text file

https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

Unfortunately, their certificate collection is in a proprietary format, which is not of much
use to others as is. If you don’t mind getting the collection via a third party, the Curl project
provides a regularly-updated conversion in Privacy-Enhanced Mail (PEM) format, which you
can use directly:
But you don’t have to write a conversion script if you’d rather download directly from Mozilla.
Conversion scripts are available in Perl or Go. I describe both in the following sections.

Download & Install Windows Openssl binary

https://slproweb.com/products/Win32OpenSSL.html

For Windows, create openssl_start.bat

sets up openssl environment in Windows

openssl_start.bat.txt



WARNING: can't open config file: /usr/local/ssl/openssl.cnf

This can be solved as following:

  1. Close OpenSSL.
  2. Open a Command Prompt (CMD) as Administrator
  3. Run the following command: SET OPENSSL_CONF=<<my openssl bin path>>\openssl.cnf


Create Keystore, Admin key, User key & cert

use pkcs12 keystore

all key types and portable to any language


Generate a private key for the admin


if using a protected passfile, store in protected zip w option name + dddd


D:\dsfw\files\keyhome>

openssl genrsa -aes256 -passout file:passfile.txt -out jemason1.key 2048

Generating RSA private key, 2048 bit long modulus

..............+++++

.........................................................................................................+++++

e is 65537 (0x010001)

The password file ideally is in UTF-8 encoding for openssl


type or cat the key file to see the encrypted text for the private key generated


type jemason1-pub.pem | more

-----BEGIN PUBLIC KEY-----
.... << more >> ...
-----END PUBLIC KEY-----


create the public key from the private key file

openssl rsa -in jemason1.key -out jemason1-pub.key -pubout


key files output:

jemason1-pub.key jemason1.key passfile.txt


OpenSSL on Linux


error - unknown option on openssl command - can't copy dashes

Search Results
Web results

openssl keeps giving me "unknown option" errors - Server Fault
https://serverfault.com › questions › openssl-keeps-giving-me-unknown-o...
2 answers
Aug 13, 2011 - Delete all of your dashes and re-type them on the command line. when you wish to copy and paste! the - in the out so use arrows to get there and remove - and then type - and press enter, the - near the out is the only - you need to delete and type then it works :D.



CSR - Certificate Signing Request

http://pdfviewer.softgateon.net/?state=%7B%22ids%22:%5B%2211xXUkWZp59faRNh_jjCvXjM1XvQ7R4e9%22%5D,%22action%22:%22open%22,%22userId%22:%22106992337469837643773%22%7D


Once you have a private key, you can proceed to create a Certificate Signing Request
(CSR).
This is a formal request asking a CA to sign a certificate, and it contains the public key of the
entity requesting the certificate and some information about the entity. This data will all be
part of the certificate. A CSR is always signed with the private key corresponding to the public
key it carries.
CSR creation is usually an interactive process during which you’ll be providing the elements
of the certificate distinguished name. Read the instructions given by the openssl tool careful-
ly; if you want a field to be empty, you must enter a single dot (.)

Get details from the site admin for OU, Cname, email, challenge password  etc first

 openssl req -new -key fd.key -out fd.cs


Create a pkcs12 file store for certificates

PKCS 12. In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust. ... The filename extension for PKCS #12 files is .p12 or .pfx .

The PKCS#12 or PFX format is a binary format for storing the server certificate, intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys


https://www.openssl.org/docs/man1.1.1/man1/openssl-pkcs12.html

For PKCS#12 file parsing only -in and -out need to be used for PKCS#12 file creation -export and -name are also used.

Controlling order of keys in pkcs12 file

If none of the -clcerts, -cacerts or -nocerts options are present then all certificates will be output in the order they appear in the input PKCS#12 files. There is no guarantee that the first certificate present is the one corresponding to the private key. Certain software which requires a private key and certificate and assumes the first certificate in the file is the one corresponding to the private key: this may not always be the case. Using the -clcerts option will solve this problem by only outputting the certificate corresponding to the private key. If the CA certificates are required then they can be output to a separate file using the -nokeys -cacerts options to just output CA certificates.


creates a pkcs12 file from a public key

 openssl pkcs12 -export -in jemason1-pub.key -out jemason1.p12 -name "jmason Certificate"

jemfebapr


Tutorial - Create SSL certificates with OpenSSL

https://phoenixnap.com/kb/openssl-tutorial-ssl-certificates-private-keys-csrs

On Ubuntu

ssl folder  /usr/lib/ssl is a link to

/etc/ssl 

which contains   /certs openssl.cnf  /private

openssl.cnf has default values for a CSR otherwise they must be entered on CLI



openssl req –out certificatesigningrequest.csr -new -newkey rsa:2048 -nodes -keyout privatekey.key


create the new key  and csr request

openssl req –out jmason1.csr -new -newkey rsa:2048 -nodes -keyout jmason1.key



read the key

openssl req -in jmason1.csr -noout -text



Create a public key as a PEM file from private key


openssl rsa -in jmason1.key -outform PEM -pubout -out jmason1-pub.PEM


Create a PKCS12 format file that can be imported into a Windows keystore



Create self-signed certificate with openssl req

openssl-req, req - PKCS#10 certificate request and certificate generating utility

The req command primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self signed certificates for use as root CAs for example.

openssl-x509, x509 - Certificate display and signing utility

https://www.openssl.org/docs/man1.1.1/

example 1 - create new self-signed root CA certificate, private and public key files and a password file


openssl req -x509 -sha256 -outform PEM -days 1000 -out jmason2-crt.pem -new -newkey rsa:2048 -nodes 
-keyout jmason2-key.pem -passin file:passfile.txt

Generating a RSA private key
...........................................................+++++
.....................................................................................+++++
writing new private key to 'jmason2-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [MA]:MA
Locality Name (eg, city) []:North Attleboro
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Paramount Software Solutions
Organizational Unit Name (eg, section) []:software
Common Name (e.g. server FQDN or YOUR name) []:Jim Mason
Email Address []:.



openssl req options

-outform DER|PEM

This specifies the output format, the options have the same meaning and default as the -inform option.

-in filename

This specifies the input filename to read a request from or standard input if this option is not specified. A request is only read if the creation options (-new and -newkey) are not specified.

-x509

This option outputs a self signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self signed root CA. The extensions added to the certificate (if any) are specified in the configuration file. Unless specified using the set_serial option, a large random number will be used for the serial number.

If existing request is specified with the -in option, it is converted to the self signed certificate otherwise new request is created.





Openssl simple CA app to sign requests

https://www.openssl.org/docs/man1.1.0/man1/ca.html

openssl.org-ca.pdf




Potential Value Opportunities



Potential Challenges



Puttygen key formats not compatible with OpenSSH and OpenSSL

https://security.stackexchange.com/questions/146360/ssh-keypair-works-in-putty-but-not-in-openssh-inside-the-puttys-session

Puttygen uses a new proprietary key format that OpenSSH and OpenSSL do not.

Puttygen has a conversion tool that can convert the Puttygen key format back to the older OpenSSL format

testing a converted Puttygen to OpenSSL format worked:


openssl rsa -in jmason-prv-ssh3b.key -noout -text

Enter pass phrase for jmason-prv-ssh3b.key:
Private-Key: (2048 bit)
modulus:
00:92:db:ff:65:08:32:42:c8:04:3d:43:65:52:23:
65:2a:a5:d8:18:55:20:47:ef:61:a2:e9:c4:77:84:


Tip to convert OpenSSL key format to new Puttygen format

https://gist.github.com/twelve17/0449491d86158960fdb630160799ff23

It looks like as of this writing, the PuTTY Gen conversion code only accepts keys that use the AES-128-CBC or DES-EDE3-CBC ciphers. Otherwise, it will complain with a "unsupported cipher" error. (The latest release version at the moment is beta 0.67.)

For example, one of my private keys was using AES-256-CBC:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,xxxxxxx

Note that if your key is encrypted with a passphrase or has a MAC(?), you might only see a header like:

-----BEGIN RSA PRIVATE KEY-----
xx252xljbl.....

The "openssl" tool can be used to convert an existing private key to one of the acceptable formats above. Which of the two is another discussion, but hey, here is some insight.

openssl.exe rsa -in /path/to/your/private_key -out /path/to/your/new_private_key -outform PEM -des-ede3-cbc

openssl supported cipher formats include:

Cipher commands (see the `enc' command for more details)

openssl help

aes-128-cbcaes-128-ecbaes-192-cbcaes-192-ecb
aes-256-cbcaes-256-ecbbase64bf
bf-cbcbf-cfbbf-ecbbf-ofb
camellia-128-cbccamellia-128-ecbcamellia-192-cbccamellia-192-ecb
camellia-256-cbccamellia-256-ecbcastcast-cbc
cast5-cbccast5-cfbcast5-ecbcast5-ofb
desdes-cbcdes-cfbdes-ecb
des-ededes-ede-cbcdes-ede-cfbdes-ede-ofb
des-ede3des-ede3-cbcdes-ede3-cfbdes-ede3-ofb
des-ofbdes3desxidea
idea-cbcidea-cfbidea-ecbidea-ofb
rc2rc2-40-cbcrc2-64-cbcrc2-cbc
rc2-cfbrc2-ecbrc2-ofbrc4
rc4-40seedseed-cbcseed-cfb
seed-ecbseed-ofb


des-ede3-cbc is the Puttygen format for keys




Candidate Solutions



Step-by-step guide for Example



sample code block

sample code block
 



Recommended Next Steps



  • No labels