Convert Certificates CER/CRT/PEM

Convert Certificates KB ID 0001847

Problem

This post was written because of a follow up question in this article. How do you go about convert certificates? Sometimes you get a certificate issued or sent toy you that is in a format you cannot import, so you need to convert it. Regardless of whether you are a mac/Linux user or a Windows user, the tool that I find best to use is OpenSSL.

OpenSSL is built into macOS to use OpenSSL on Windows you need to download, install, then run the openssl.exe (usually form command line, but you can also run from PowerShell (Note: See comment below if you intend to use PowerShell).

 

Linux Note: To install OpenSSL, different flavours of Linux differ e.g. sudo apt-get install openssl should work in most cases.

Windows Note: Remember to change to the directory in which OpenSSL.exe resides before executing the following command(s). See the Windows Examples for clarification.

Solution : Convert Certificates

The most common form of issued x509 certificates have a .crt or a .cer extension, CRT is based on DER Distinguished Encoding Rules, and the other (CER) is based on PEM Privacy Enhanced Mail. OpenSSL can convert form one to the other. Note: Below I’ve shown the process on my mac and a Windows PC to illustrate the process is the same.

Convert Certificates CRT to CER

Use the following Syntax to convert from CRT to CER format. (Change the values in Red to match your source and destination certificate locations).

[box]

openssl x509 -inform PEM -outform DER -in /Users/petelong/CERTS/Source-Certificate.crt -out /Users/petelong/CERTS/Output-Certificate.cer

[/box]

Convert Certificates CER to CRT

Use the following Syntax to convert from CER to CRT format. (Change the values in Red to match your source and destination certificate locations).

[box]

openssl x509 -inform DER -outform PEM -in /Users/petelong/CERTS/Source-Certificate.cer -out /Users/petelong/CERTS/Output-Certificate.crt

[/box]

Convert Certificates CRT to PEM

Disclaimer: This is a bit of a misnomer, because .crt certificates are already in PEM format. You can simply open a .crt file and view it as a PEM file. Use the following Syntax to view a CRT in PEM format. (Change the values in Red to match your source and destination certificate locations).

[box]

Linux / macOS

cat /Users/petelong/CERTS/My-Certificate.crt

Windows 

type C:/Certs/My-Certificate.crt

[/box]

Then copy the ‘text’ as shown in the examples above. DO NOT include any additional spaces (as shown above). And you have a PEM file you can paste this into a text editor and save it with a .pem extension if you need to ‘send’ it somewhere.

Can I simply rename .crt to .pem (YES YOU CAN)

Convert Certificates CER to PEM

This is slightly more complicated as .cer files are in DER format, if you try and open one with a text editor you will simply see gobbledegook. So you need to convert it into PEM format with he following syntax.

[box]

openssl x509 -inform DER -outform PEM -in /Users/petelong/CERTS/My-Certificate.cer -out /Users/petelong/CERTS/PEM-Certificate.pem

[/box]

Once that’s done (as above) you can simply open the .pem file in a text editor or cat (mac/Linux) or type (Windows) the content.

Converting Certificates (PowerShell)

Be Aware: When calling OpenSSL form a PowerShell command, you need to prefix the command with a ‘dot slash’ see the examples below for clarification.

Related Articles, References, Credits, or External Links

Digital Certificates Explained

Exchange: Create a PFX Certificate and Import a Private Key

KB ID 0001528

Problem

On my test network I have an Exchange server (Exchange 2016). As it’s publicly available and connected to Office 365 it needs a digital certificate. Because its my test network, I don’t want to spend a fortune on a certificates, so I buy the cheapest one I can find. I replaced it last week with a 2 year certificate for about $5.00.

When the certificate came I had certificate-name.crt, and a CA bundle, but I could NOT import it into Exchange, (because the private key was missing). I had the private key, I downloaded it when I made the certificate request.

So I had the certificate and the private key, I needed to import the private key into my Exchange server, or create a PFX file that had the certificate and the private key in it, that I could import into Exchange.

Create a PFX File with OpenSSL

The simplest way to create a PFX, (if you are feeling lazy,) is to go here and let them do it for you. But I know I could do this with OpenSSL, being a mac user I already have OpenSSL, if you are a Windows user you can install OpenSSL for Windows and do the same thing.

Firstly place your private key file and certificate in a folder you can get at like so;

Then execute the following command;

[box]

openssl pkcs12 -export -out output-cert-name.pfx -inkey key-file-name.key -in input-cert-name.crt

[/box]

When prompted to do so, enter a password, (you will need to enter this on your Exchange server, so make a note of it!) You will then have your .PFX file.

Import PFX File into Exchange

I prefer to use PowerShell, (if you want to use the Exchange Admin Centre scroll down.) 

[box]

Import-ExchangeCertificate -Server Server-Name -FileName "\\Server-Name\Share-Name\Certificate-Name.pfx" -Password (ConvertTo-SecureString -String 'Your-Password' -AsPlainText -Force)

[/box]

Copy the certificate thumbprint (as shown) to the clipboard.

Then you need to associate the Exchange ‘Services’ with this new certificate;

[box]

Get-ExchangeCertificate -Thumbprint YOUR-CERT-THUMBPRINT | Enable-ExchangeCertificate -Services IIS,SMTP,IMAP,POP

[/box]

When prompted to do so enter ‘A’, (for replace all.)

You should see the correct certificate used now, like so;

Note: If you only see a blank page for OWA and Exchange Admin Center (ECP) after changing certificates, then see the following post;

Exchange – OWA and ECP Websites Blank After Logon

Import a PFX From Exchange Admin Center

Servers > Certificates > Select the appropriate Server > Ellipses > Import Exchange Certificate > Add the path to the PFX file, and its password > Next.

Add the server > Finish.

Now to enable the certificate for the appropriate Exchanges Services, select the cert > Edit > Services > Tick SMTP, IMAP, POP, and IIS > Save > OK.

 

Related Articles, References, Credits, or External Links

Exchange Certificate Import Error (reason: PrivateKeyMissing).

Exchange – Certificate Invalid ‘Revocation Check Failed’

Exchange: Blank Certificate Name

Exchange – OWA and ECP Websites Blank After Logon

Linux (CentOS 7) Generating CSR (Certificate Signing Requests)

KB ID 0001206 

Problem

If you want to use digital certificates on your CentOS server, then you will need to generate a CSR. It does not matter if you want to purchase a publicly signed certificate, or even if you are going to sign your own. Below is how to generate a CSR for a single web host.

Note: Most cert vendors now require a minimum key length of 2048 so thats what I’m going to use. And I’m assuming you have openSSL installed (type ‘openssl version‘ to find out). 

Solution

Execute the following command

[box]

[root@WebHost ~]# openssl req -newkey rsa:2048 -nodes -keyout www.YourSite.com.key -out www.YourSite.com.csr

[/box]

The CSR Generation process will begin and you will have to answer some questions;

[box]

Generating a 2048 bit RSA private key
.........................................+++
........................+++
writing new private key to 'www.YourSite.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:Teesside
Locality Name (eg, city) [Default City]:Middlesbrough
Organization Name (eg, company) [Default Company Ltd]:YourSite
Organizational Unit Name (eg, section) []:YourSite
Common Name (eg, your name or your server's hostname) []:www.YourSite.com
Email Address []:administrator@YourSite.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password123
An optional company name []:YourSite

[/box]

This will actually create the CSR, now you need to get the text from the CSR, and sent it to your certificate vendor ,or sign it with your own CA.

[box]

[root@WebHost ~]# cat www.YourSite.com.csr
-----BEGIN CERTIFICATE REQUEST-----
NIIDKTCCAhECAQAwga4xCzAJBgNVBAYTAkdCMREwDwYDVQQIDAhUZWVzc2lkZTEW
MBQGA1UEBwwNTWlkZGxlc2Jyb3VnaDEUMBIGA1UECgwLUGV0ZU5ldExpdmUxFDAS
BgNVBAsMC1BldGVOZXRMaXZlMRwwGgYDVQQDDBN3d3cucGV0ZW5ldGxpdmUuY29t
MSowKAYJKoZIhvcNAQkBFhtpbmZvcm1hdGlvbkBwZXRlbmV0bGl2ZS5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCudW2OhXUnEIpiN2oQnREoZVAn
Cvvb07+7gZb5NgxSSc8pYab3ic6mmEabM3c/m9mLtO3m4ZSTJrU9QC91Vn6PF90K
iqApOfizUnNFEOSJptpcoLxlUWUJF8PZUn9fYZyNhp30QQ3B5ajxc4ML0BB+4Wp2
1sjJzfAvtSsFmUSCEXlJTrWnYkGpZz4dYYRlQgTniY4++M/AG9gL99XuSKcSD5K0
4qr07J9a6AYA0tXJq+yN3EzcLSBkIVDuNv84e+CyXc8RV+BkaRTr/gYGwQU4C+IG
87Lw8GC6P1adUi2mR4GMMbZLPYa14Psao4ZA/Ihk9EFS2xqXQH2AZ2nUGPM7AgMB
AAGgNTAXBgkqhkiG9w0BCQcxCgwIcGFzc3dvcmQwGgYJKoZIhvcNAQkCMQ0MC1Bl
dGVOZXRMaXZlMA0GCSqGSIb3DQEBCwUAA4IBAQAPUo4AVBajrflZQRI8MrRyndpD
s6MqZQwYlrceZVZrut+htS14ZC/GbaPC7gOvxYyS52RSW4UiG3egi6H7NnhqHjR+
Dz859bLKIut3YeCo3sK5+aCxvcGEjA1uduqKg5WFwPj5BvnsIYezq3O5Q4FvfQAy
FElb9snk0sJ6GFYifjeza8+w6CIabUpyl0kyDoAbnjnnyhR0s5/h4L7X3zqaQ0J+
OZVRyj54nLXoFDw1n8pGRb31khlEwDzXvVe9+wreCZ6lLqhDki94Uq5LenqofUlw
MPucqVIA9lgvQ8vjyTWVQYYffMRlAx7g/SdVTIhFBqq7rsh9/XHn7qfXlc4c
-----END CERTIFICATE REQUEST-----
[root@WebHost ~]#

[/box]

Related Articles, References, Credits, or External Links

NA

VMware – Replace the ESXi Certificate

KB ID 0000974 

Problem

ESXi comes with a self signed certificate, and for most people thats fine, but some clients want to have a ‘Trusted’ certificate on theirs, and have their own PKI infrastructure for issuing them.

Below I will generate a new certificate for my ESXi server using the Active Directory Certificate Services role on Windows Server 2012. Then replace the self signed certificate with my new one.

Solution

Generating a Certificate Request From the ESXi Server

1. Before we start there are a couple of hoops to jump through, and a Windows machine (it does not mater which one), install the following tow pieces of software;

Microsoft Visual C++ 2008 Redistributable Package (x86) and Shining Light Productions installer for OpenSSL x86 version 0.98r (or later)

Accept all the defaults and it should install to C:OpenSSL-Win32 go there, and in the bin directory make a backup of the openssl.cfg file.

2. Open the original openssl.cfg file and delete everything out of it, then paste in the following text, replace the values in red with your own, and save the file.

[box]

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:PNL-ESX1, IP:10.254.254.12, DNS:PNL-ESX1.petenetlive.net

[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = Teesside
localityName = Middlesbrough
0.organizationName = PeteNetLive
organizationalUnitName = Technical Services
commonName = PNL-ESX1.petenetlive.net

[/box]

3. Open a command window and execute the following three commands;

[box]

cd C:OpenSSL-Win32Bin
openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config openssl.cfg
openssl rsa -in rui-orig.key -out rui.key

[/box]

You will notice rui.csr has been created in the bin directory this is the file you need to request your certificate, if you open the file with Notepad you can copy the text.

Submit the Certificate Request and Get an ESX Certificate From a Windows CA

4. Open the web console of your certificate services server (it needs to be running the Certification Authority Web Enrollment role). The URL is usually http://{servers IP or Name}/Certsrv. Select ‘Request a certificate’.

5. Advanced certificate request.

6. Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

7. Paste in the text from your csr file (with no extra spaces!). Set the Certificate Template to ‘Web Server’ (the default lifetime for the Web Server template is 2 years. If you require longer, I suggest you clone the Web Server Template, change the lifetime and republish it in Active Directory Certificate Services).

8. Base 64 encoded> Download certificate.

9. Save the file as rui.cer and put it in the bin directory.

10. ESX needs the certificate to be in x509 format, so open a command window and execute the following commands;

[box]

cd C:OpenSSL-Win32bin
openssl x509 -in rui.cer -out rui.crt

[/box]

11. Enable SSH on your ESX Host.

12. Connect to the ESX host via SSH, and make a backup of the current keys (just in case).

[box]

cd /etc/vmware/ssl
mv rui.crt backup.rui.crt

mv rui.key backup.rui.key

[/box]

13. Using WinSCP copy the rui.crt and the rui.key files from the bin directory, to the /etc/vmware/ssl directory on your ESX host. WARNING: Set the copy type to ‘Text’ or ASCII or you may get some strange results.

14. Then either restart the management agents, or from your SSH session execute the following command;

[box]/sbin/services.sh restart[/box]

15. The simplest way to check is browse to the FQDN or your ESX host (the same name you used as the common name in step 2), and take a look at the certificate.

Related Articles, References, Credits, or External Links

NA

Cisco PRSM – Replace the Certificate Using Microsoft Certificate Services

KB ID 0001023 

Problem

Cisco PRSM gives you the ability to import certificates into it, but like other Linux distros does not give you the tools to generate the actual certificate request. The documentation tells you to use OpenSSL to this. I was just about to fire up a CentOS box when I remembered I did something similar for VMware 5.5 not so long ago, would the same procedure work here? Yes it did, and it’s a lot easier than growing a ginger ponytail, donning sandals and firing up Linux.

Solution

The following procedure was carried out on Windows Server 2012 R2. I want my certificate to have a common name of prsm.petenetlive.com (change your configs and commands accordingly).

1. Download and install the following.

Microsoft Visual C++ 2008 Redistributable Package (x86) and Shining Light Productions installer for OpenSSL x86 version 0.98r (or later)

2. Accept all the defaults and it should install to C:OpenSSL-Win32 go there, and in the bin directory make a backup of the openssl.cfg file.

2. Open the original openssl.cfg file and delete everything out of it, then paste in the following text, replace the values in red with your own, and save the file.

[box]

[ req ]
default_bits = 2048
default_keyfile = prsm.petenetlive.com.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:PRSM, IP:123.123.123.110, DNS:prsm.petenetlive.com

[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = Teesside
localityName = Middlesbrough
0.organizationName = PeteNetLive
organizationalUnitName = Technical Services
commonName = prsm.petenetlive.com

[/box]

3. Open an administrative command window, issue the following three commands;

[box]

cd C:OpenSSL-Win32Bin

openssl req -new -nodes -out prsm.petenetlive.com.csr -keyout prsm.petenetlive.com-orig.key -config openssl.cfg

openssl rsa -in prsm.petenetlive.com-orig.key -out prsm.petenetlive.com.key

[/box]

Don’t worry if it says it cant read the openssl.cnf file

4. If you look in C:OpenSSL-Win32bin directory you will see the CSR (certificate request) has been generated.

5. Open the .csr file with notepad and copy all the text, (this is a request in PEM format). This is what you will give to your CA to request the certificate, copy that to the clipboard.

6. Connect to your Certificate Authority web enrollment portal > Request a certificate.

7. Advanced certificate request.

8. Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

9. Paste in the PEM text you copied to the clipboard > Set the certificate template to ‘Web Server’ > Submit.

Note: Your CA may have a different template for web server certificates, if so use that one. If you don’t see web server either it’s not been published, or your user does not have rights to the certificate template.

10. Choose ‘Base 64 encoded’ > Download > Save the cert in the directory you were using earlier (you will see why in a minute) > I give it the same name as the common name on the certificate so I saved it as prsm.petenetlive.com.cer

11. Here it is, but there is still a problem with it, PRSM needs the certificate in x509 format, (it isn’t). But OpenSSL-Win32 can convert it for us.

How to Convert a Windows .cer file to an x509 .crt file

12. Open and administrative command window and issue the following two commands;

[box]

cd C:OpenSSL-Win32bin
openssl x509 -in prsm.petenetlive.com.cer -out prsm.petenetlive.com.crt

[/box]

13. Now it looks better, for PRSM we need this file AND we need the .key file, (not the one that ends in xxx-orig.key!) In the example below I’ve kept everything neat so the other file i need is prsm.petenetlive.com.key, (third one down).

14. Connect to PRSM > Administration > Server Certificates > Browse and select both files.

15. Install and Restart Server.

16. Restart.

17. Refresh your web session and you should now be using the correct certificate.

Related Articles, References, Credits, or External Links

NA

Cisco – Cracking and Decrypting Passwords (Type 7 and Type 5)

KB ID 0000940 

Problem

Decrypt Type 7 Cisco Passwords

The Internet is full of sites that have something like the tool below, tap your ‘encrypted’ password in and it will reveal the Cisco password.

 

Input Type 7 Obfuscated Password: Output Plain Text Password:

As you can see I’ve specifically written ‘obfuscated’ above, because the password isn’t actually encrypted at all. All that happens is the Vigenere algorithm is used to obfuscate the password. While tools like the one above are all well and good, your Cisco router will do exactly the same for you, to demonstrate, paste the following into the tool above.

107D1C09560521580F16693F14082026351C1512

Hopefully you will get the password Sup3rS3cr#tP@ssword.

Your router can also convert that to clear text for you;

[box]

Petes-Router#
Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#key chain decrypt
Petes-Router(config-keychain)#key 0
Petes-Router(config-keychain-key)#key-string 7 107D1C09560521580F16693F14082026351C1512
Petes-Router(config-keychain-key)#exit
Petes-Router(config-keychain)#exit
Petes-Router(config)#exit
Petes-Router#
*Mar 1 00:04:48.691: %SYS-5-CONFIG_I: Configured from console by console
Petes-Router#show key chain decrypt
Key-chain decrypt:
key 0 -- text "Sup3rS3cr#tP@ssword"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#no key chain decrypt

[/box]

So whats the point of these type 7 passwords? Well the only real benefit of them is if someone is looking over your shoulder while you are looking at the config, they can’t see actual passwords in the config.

The passwords in my config are in clear text? That’s because there are three levels of password storage 0 (not encrypted), 7 (weakly encrypted), and (5 strongly encrypted). If you want to convert your config to display them as 7 you need to enter the service password-encryption command;

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#service password-encryption
Petes-Router(config)#

Before

username pete password 0 Password123

After

username pete password 7 142713181F13253920796166

[/box]

If Type 7 passwords are so weak, how do I use Type 5 passwords? When creating accounts use the secret command like so;

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#username petelong secret Password123
Petes-Router(config)#

Displays in the config as;

username petelong secret 5 $1$VkQd$Vma3sR7B1LL.v5lgy1NYc/

[/box]

Decrypting Type 5 Cisco Passwords

 

Decrypting a Type 5 Cisco password is an entirely different ball game, they are considered ‘secure’ because they are ‘salted’ (have some random text added to the password to create an MD5 hash) however that random salt is shown in the config.

[box]

username attackme secret 5 $1$TMnL$iAFs16ZXx7x18vR1DeIp6/

[/box]

Well armed with the salt and the hash, we can use exactly the same method that Cisco use to create the encrypted password, by brute force attacking the password, this might sound like a difficult piece of hacking ninja skill, but we simply use openssl on a Linux box (here I’m using CentOS 6.5), all you need is a wordlist.txt file (search the Internet).

Feed openssl the salt, and a piece of the hash (see the example above), and it will run through, (grep) the wordlist until it finds a match, where it spits out the decrypted password an the original hash like so;

[box]

[root@pnl-server1 ~]# openssl passwd -1 -salt TMnL -table -in wordlist.txt | grep 8vR1DeIp6
SECRETPASSWORD $1$TMnL$iAFs16ZXx7x18vR1DeIp6/
[root@pnl-server1 ~]#

[/box]

The decrypted password is SECRETPASSWORD

Note: The limitation here is the password has to be in the wordlist.txt file,but if you are adept at searching the Internet there are some impressive wordlist files out there, just make sure you use one that has full line breaks. Also remember, the longer the wordlist, the longer it takes.

Related Articles, References, Credits, or External Links

NA

Cisco ASA – Disable SSLv3 (Force TLSv1.0) – Mitigate POODLE

KB ID 0001052

Problem

By default the Cisco ASA will allow connection via SSLv3. The POODLE exploit works by forcing SSL to fall back to SSLv3 and then decrypting that communication. However you are still not completely protected as per this Threat Validation, so the ASA platform can still be attacked via TLSv1.0. Note: At time of writing TLSv1.2 is not supported, but it is on the road-map for version 9.3(2).

So this procedure will not completely eliminate the threat, but it’s as mitigated as it’s possible to be at this time, (And TLSv1 is considered more secure than SSLv3 anyway).

Solution

1. You can check your firewall is contactable via SSLv3, here I’m on MAC OSX and I’ve got OpenSSL installed. If I try to initiate an SSLv3 connection it works.

[box] openssl s_client -connect {IP_or_Hostname} -ssl3 [/box]

Or if you have nmap installed you can use that as well;

[box]nmap –script ssl-enum-ciphers {IP_of_Hostname}[/box]

2. Below you can see I’m confirming the SSL settings (i.e. it will accept SSLv3). Then I force the firewall to only accept TLSv1.0.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# ssl client-version tlsv1-only 
Petes-ASA(config)# ssl server-version tlsv1-only 

[/box]

You can see, afterwards when I view the SSL options, only TLSv1 will be accepted.

3. If you prefer to use the ADSM, then you will find the same settings at, Configuration > Remote Access VPN > Advanced > SSL Settings;

The SSL version for the security appliance to negotiate as a ‘server’ = TLS V1 Only

The SSL version for the security appliance to negotiate as a ‘client’ = TLS V1 Only

 

4. Don’t forget to ‘Apply’ and then save the changes.

Cisco ASA Testing for SSLv3

Simply perform the tests that I did above;

1. Proving the absence of SSLv3 with OpenSSL.

2. Proving the absence of SSLv3 with nmap.

Related Articles, References, Credits, or External Links

NA