PHP Classes

File: fwphp/glomodul/mkd/01/001_config_ssl_tls/005_MakeOwnCertWithOpenSSLonWin.txt

Role: Documentation
Content type: text/plain
Description: Documentation
Class: B12 PHP FW
Manage database records with a PDO CRUD interface
Author: Slavko Srakocic
Last change: ver 7.0.1 mnu, msg, mkd FUNCTIONAL namespaces, CRUD PDO trait, pretty URL-s
Date: 3 months ago
Size: 26,920 bytes


### Buy a reliable SSL certificate, get a free SSL cert., or (what I DID) create a self-signed SSL .crt file

At the end we have:
dir J:\xampp\apache\conf\ssl.crt
29.03.2020.  14:13             1.286 server.crt           - step 5 x509
30.03.2013.  14:29               623 server_original.crt

dir J:\xampp\apache\conf\ssl.key
29.03.2020.  13:57             1.706 server.key           - step 4 rsa
30.03.2013.  14:29               887 server_original.key

dir J:\xampp\apache\bin\z_sss
29.03.2020.  14:13             1.286 **server.cert**    =**self-signed SSL server certificate .cert file**
29.03.2020.  13:32             1.046 server.csr      =OpenSSL certificate request .csr file

dir J:\xampp\apache\bin\z_ssl
29.03.2020.  13:31             1.884 privkey.pem  =encrypted private key .pem file
29.03.2020.  13:57             1.706 **server.key**     =rsa private key .key file

1. j:
    cd J:\xampp\apache\bin
    mkdir z_sss   (rmdir it first if it already exists)
    mkdir z_ssl
2. set OPENSSL_CONF=J:\xampp\apache\conf\openssl.cnf
3. openssl req -config J:\xampp\apache\conf\openssl.cnf -new -out .\z_sss\server.csr -keyout .\z_ssl\privkey.pem
4. cd J:\xampp\apache\bin\z_ssl
    openssl rsa -in privkey.pem -out server.key
5. cd J:\xampp\apache\bin\z_sss
    openssl x509 -in server.csr -out server.cert -req -signkey J:\xampp\apache\bin\z_ssl\server.key -days 3650
6. delete the .rnd file, because it contains the entropy state used when creating the key and could be used for cryptographic attacks against your private key
7. copy J:\xampp\apache\bin\z_sss\server.cert J:\xampp\apache\conf\ssl.crt\server.crt
   copy J:\xampp\apache\bin\z_ssl\server.key J:\xampp\apache\conf\ssl.key\server.key
8. Configuring Apache on XAMPP to run as an SSL/HTTPS server
    **J:\xampp\apache\conf\httpd.conf**   : look for the lines:
   1. Listen 8083
   2. Listen 443
   3. LoadModule ssl_module modules/
       and remove the pound sign (#) preceding it.
   4. Include conf/extra/httpd-ssl.conf
      and remove any pound sign (#) preceding it.
      eg below Include conf/extra/httpd-ssl.conf is:
   <IfModule ssl_module>
      SSLRandomSeed startup builtin
      SSLRandomSeed connect builtin
   </IfModule>
   **J:\xampp\apache\conf\extra\httpd-ssl.conf** :
   DocumentRoot "J:/xampp/htdocs"
   ServerName localhost:443
   5. Restart Apache
   6. https://localhost/fwphp/www/  displays:
      "...potential security threat... attackers could try to steal information like your passwords, emails, or credit card details.
      ...Firefox does not trust this site because it uses a certificate that is not valid for localhost."
      Buttons: "Go back", "Advanced" -> click "Advanced" then "Accept"
      Now the lock icon in the browser URL address bar shows "added exception..."

On Chrome (Brave), MS Edge: ERR_SSL_PROTOCOL_ERROR  "This site can't provide a secure connection. localhost sent an invalid response."
On Firefox (Pale Moon): SSL_ERROR_RX_RECORD_TOO_LONG

The above error occurs when the client connects to a **port that is open on the server** but the **SSL certificate is not properly configured for that web server port**. In Wireshark this error shows up as a bad request from the client's side, since the server has no certificate configured for the requested connection.

For example, with Apache the error will show up in Firefox if you have a **line "Listen 443"** in your configuration **without a (correct) VirtualHost record for port 443 - you must have an SSL/TLS certificate configured on that port**. Make sure the certificate is installed and configured properly on the server side. Certificates have two main functions: encryption of the session data and authentication of the other side of the web session; a certificate that is not properly set up on the hosting side means the server's authenticity cannot be confirmed.

You need a configuration that enables the connection to use the port, eg 443. The current TLS version is 1.3, from 2019 (value 4 of security.tls.version.max in Firefox about:config; 3 is TLS 1.2, from 2011). Modifying this in Firefox about:config changes the session's encryption settings and does not affect the certificate installation on the server side.

openssl s_client -connect localhost.tld:8083         (general form: openssl s_client -connect yourdomain.tld:*port*)
7012:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../openssl-1.1.1d/crypto/bio/b_addr.c:724:N
(this BIO_lookup_ex error means the host name localhost.tld could not be resolved; TLS was never attempted)

HTTP works on the application layer, and HTTPS works on the transport layer and is concerned with Port 443. 

To trace (find) your website's IP on Windows:
> tracert localhost
Tracing route to sspc2 [::1] over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  sspc2 [::1]
j:\awww\www (master -> origin)

> tracert dev1
Tracing route to sspc2 [fe80::55f0:dde8:14c3:8d5d%14]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  sspc2.Home [fe80::55f0:dde8:14c3:8d5d]

Trace complete.          

Type the IP address with https:// in front of it, or use Netcat (ncat), to check whether port 443 is open; for me it reported that 443 was closed.
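The notes above show s_client returning a raw error and list the browser messages that belong to the same misconfiguration. As an added example (not part of the original notes), the bash script below turns the text openssl s_client prints into a one-word diagnosis, so "port open but not speaking TLS" (Listen 443 without an SSL VirtualHost) is told apart from "nothing listening", "name does not resolve" and "TLS works but the chain is self-signed". The function names and the sample strings in main are mine; probe_tls assumes openssl is on PATH.

```shell
#!/usr/bin/env bash
# Added example (not from the notes): one-word diagnosis of a TLS port from
# the text openssl s_client prints. Assumes bash; probe_tls also needs openssl
# on PATH, classify_tls_output works on the text alone. The sample strings in
# main are constructed, except the BIO_lookup_ex line quoted from the notes.
set -e

classify_tls_output() {   # arg: combined stdout+stderr of openssl s_client
  case "$1" in
    *BIO_lookup_ex*|*getaddrinfo*)                echo noresolve ;;   # host name lookup failed
    *"Connection refused"*|*connect:errno*)       echo refused ;;     # nothing listening, or a firewall reject
    *"wrong version number"*|*"packet length too long"*|*"unknown protocol"*)
                                                  echo plaintext ;;   # got bytes that are not a TLS record
    *"Cipher is (NONE)"*)                         echo handshake ;;   # TLS reached, but no session agreed
    *"Verify return code: 0 ("*)                  echo ok ;;          # handshake and chain both fine
    *"Verify return code:"*)                      echo untrusted ;;   # handshake fine, chain not trusted
    *)                                            echo unknown ;;
  esac
}
# Order matters: after a failed handshake s_client still prints a summary that
# ends in "Verify return code: 0 (ok)", so the error patterns are tested first.

probe_tls() {             # args: host, port -> prints the diagnosis word
  out=$(printf 'Q\n' | openssl s_client -connect "$1:$2" 2>&1 || true)
  classify_tls_output "$out"
}

main() {
  if [ $# -eq 2 ]; then
    printf '%s:%s -> %s\n' "$1" "$2" "$(probe_tls "$1" "$2")"
    return
  fi
  # Constructed samples of what s_client prints in each situation.
  refused='connect: Connection refused
connect:errno=111'
  plaintext='CONNECTED(00000003)
140:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
---
no peer certificate available
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)'
  selfsigned='CONNECTED(00000003)
depth=0 CN = dev1
verify error:num=18:self signed certificate
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 18 (self signed certificate)'
  lookup='7012:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../openssl-1.1.1d/crypto/bio/b_addr.c:724:N'
  for s in "$refused" "$plaintext" "$selfsigned" "$lookup"; do
    printf '%s\n' "$(classify_tls_output "$s")"
  done
}
main "$@"
```

Run it as `bash probe.sh dev1 443` to probe a live port; with no arguments it classifies the built-in samples (refused, plaintext, untrusted, noresolve). A result of "plaintext" on port 443 is the Apache case from the notes: the port is open, but the VirtualHost on it has no SSLEngine/certificate, so Apache answers the TLS ClientHello with an HTTP 400 in clear text.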

1. Create a Certificate Signing Request (CSR) using the command-line **openssl** tool or through a control panel. A cert may cover multiple domains, eg a wildcard * (2048 bits here equates to 256-bit encryption; 1024 = 128-bit encryption).

Setting up Apache HTTPS / SSL-TLS on Windows 10 64 bit

# 1. Creating a self-signed SSL Certificate using OpenSSL

Open the command prompt and cd to your Apache installation's "bin" directory.

## 11111  cd to apache bin dir      
cd J:\xampp\apache\bin     
or cd J:\wamp... or cd J:\zwamp64\vdrive\.sys\Apache2\bin or cd "C:\Program Files\Apache Software Foundation\Apache2.2\bin"       

## 22222 openssl.cnf file location      

It is needed to create the SSL certificate, but the default location OpenSSL uses
for this file is set ACCORDING TO A LINUX DISTRIBUTION, so we need to fix it for Windows.

We need to set the Windows environment variable OPENSSL_CONF to point to the
openssl.cnf file's location; mine is dated 28.05.2019.  17:12 and is 11.259 bytes:

So we can set OPENSSL_CONF up by :     

**set OPENSSL_CONF=J:\xampp\apache\conf\openssl.cnf**         

or we can specify the configuration file location on the command line:
openssl req -config openssl.cnf -new -out ./sss/blarg.csr -keyout ./ssl/blarg.pem

All files generated from the following commands will reside in      
J:\xampp\apache\bin folder      

## 33333 Create new .csr and .pem files
eg create :         server.csr

1. **privkey.pem encrypted private key**
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI+wqX0wqg0RICAggA...  etc
-----END ENCRYPTED PRIVATE KEY-----

2. **server.csr OpenSSL certificate request**       
-----BEGIN CERTIFICATE REQUEST-----           
-----END CERTIFICATE REQUEST-----         

3. **.rnd binary file** 
 Ew93d3cuZXhhbXBsZS5uZXQxJDAiBgkqhkiG9w0BCQEWFUxhcnJ5QERNQ0luc2ln... etc     

using the following command:
**cd J:\xampp\apache\bin :**
**openssl req -config J:\xampp\apache\conf\openssl.cnf -new -out .\z_sss\server.csr -keyout .\z_ssl\privkey.pem**
or openssl req -new -out server.csr

OUTPUT: ...writing new private key to 'privkey.pem'...     It will ask you questions; you can ignore them except:
PEM pass phrase : **sspc2** = password associated with the private key you're generating (anything of your choice).
My answers, in the order asked: **sspc2** (pass phrase), HR (country), Zagreb (state), Zagreb (locality), ssorg (organization), ssorgu (organizational unit), **dev1** (common name, CN)


## 44444 create rsa private key .key file

File "server.key" created by the following command should be **readable only by the Apache server and the administrator**.

**cd to the J:\xampp\apache\bin\z_ssl directory:**
**openssl rsa -in privkey.pem -out server.key**

Enter pass phrase for privkey.pem: sspc2        
writing RSA key         

Created is server.key file :        
-----BEGIN RSA PRIVATE KEY-----        
MIIEowIBAAKCAQEAsCgNp0sukyV9O9SCUY2zWLMiEdvkjOuzTANlxPqmrCOJ0uiL... etc         
-----END RSA PRIVATE KEY-----        

## 55555 set the expiry date and create the .cert file
The -days option sets how long the certificate stays valid; the command below passes 3650 days:
**cd J:\xampp\apache\bin\z_sss**         
**openssl x509 -in server.csr -out server.cert -req -signkey J:\xampp\apache\bin\z_ssl\server.key -days 3650**       

Signature ok         
Getting Private key     

Created is: **server.cert** :       

-----BEGIN CERTIFICATE-----     
MIIDhjCCAm4CCQD9URp7J3eYzDANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMC... etc         
-----END CERTIFICATE-----      


## 66666
You should delete the .rnd file, because it contains the entropy state used for creating the key and could be used for cryptographic attacks against your private key.
               If you run the openssl genrsa command without a writable .rnd file, or without setting the RANDFILE environment variable, you get an error:
              Loading 'screen' into random state - done
              Generating RSA private key, 2048 bit long modulus
              unable to write 'random state'

## 77777
Move "server.cert" and "server.key" to the "J:\xampp\apache\conf" location (for XAMPP, into conf\ssl.crt\server.crt and conf\ssl.key\server.key, as in step 7 at the top).
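Sections 11111 to 77777 above (and steps 1 to 7 at the top) are one procedure. As an added example that is not part of the original notes, the bash script below runs the same req -> rsa -> x509 -req sequence non-interactively and then performs the checks worth doing before the files go into conf\ssl.crt and conf\ssl.key: that the key matches the certificate, that the certificate is still valid, which host names it covers, and that it is self-signed. It assumes bash (Git Bash on Windows works) with OpenSSL 1.1.1 or later on PATH; the function names, the host name dev1, the pass phrase sspc2 and the output directory are my placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the notes): steps 33333-55555 made non-interactive,
# plus the checks to run before installing the files into Apache.
# Assumes bash and OpenSSL 1.1.1+ on PATH; names below are placeholders.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH" >&2; exit 0; }

# Arguments: output dir, host name for CN/SAN, validity in days, pass phrase for
# the temporary encrypted key (typed at the "PEM pass phrase" prompt in the
# notes; here passed with -passout so the script never prompts).
make_selfsigned_cert() {
  dir=$1; cn=$2; days=$3; pass=$4
  mkdir -p "$dir"
  # 33333: CSR plus encrypted PKCS#8 key ("BEGIN ENCRYPTED PRIVATE KEY").
  openssl req -new -newkey rsa:2048 -subj "/C=HR/ST=Zagreb/L=Zagreb/O=ssorg/OU=ssorgu/CN=$cn" \
    -keyout "$dir/privkey.pem" -passout "pass:$pass" -out "$dir/server.csr" 2>/dev/null
  # 44444: strip the pass phrase so Apache can start unattended.
  openssl rsa -in "$dir/privkey.pem" -passin "pass:$pass" -out "$dir/server.key" 2>/dev/null
  chmod 600 "$dir/server.key"     # only the owner (the account running Apache) may read it
  # 55555: self-sign. Browsers match the host against subjectAltName (Chrome
  # ignores the CN entirely), so the SAN is added through -extfile.
  printf 'subjectAltName=DNS:%s,DNS:localhost,IP:127.0.0.1\n' "$cn" > "$dir/san.ext"
  openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" -days "$days" \
    -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# The public key inside the certificate must be the one derived from the key
# file, or Apache refuses to start with "key values mismatch".
key_matches_cert() {   # args: key file, cert file
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Host names / addresses the certificate is valid for (subjectAltName).
cert_sans() {          # arg: cert file
  openssl x509 -in "$1" -noout -ext subjectAltName | tail -n +2 | tr -d ' '
}

# Exit 0 while the certificate is within its validity period.
cert_not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }

# Issuer == subject is what "self-signed" means, and why browsers warn.
cert_is_selfsigned() { # arg: cert file
  [ "$(openssl x509 -in "$1" -noout -subject | cut -d= -f2-)" = \
    "$(openssl x509 -in "$1" -noout -issuer  | cut -d= -f2-)" ]
}

main() {
  out=${1:-./z_ssl_demo}
  make_selfsigned_cert "$out" dev1 3650 sspc2
  key_matches_cert "$out/server.key" "$out/server.crt" && echo "key and certificate match"
  cert_not_expired "$out/server.crt" && echo "valid for: $(cert_sans "$out/server.crt")"
  cert_is_selfsigned "$out/server.crt" && echo "self-signed: browsers warn until you import it"
  echo "next: copy $out/server.crt to conf/ssl.crt/server.crt and $out/server.key to conf/ssl.key/server.key"
}
main "$@"
```

The checks are the ones that map to the symptoms in the notes: a key/cert mismatch keeps Apache from starting, a missing SAN is why Firefox says the certificate "is not valid for localhost", and issuer == subject is what the browser warning page is really reporting.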

## 88888 Configuring Apache to run as an SSL/HTTPS server

J:\xampp\apache\conf\httpd.conf   : look for the lines:
1. Listen 8083
2. Listen 443
3. LoadModule ssl_module modules/
   and remove the pound sign (#) preceding it.
4. Include conf/extra/httpd-ssl.conf
   and remove any pound sign (#) preceding it.
   eg below Include conf/extra/httpd-ssl.conf is:
   <IfModule ssl_module>
      SSLRandomSeed startup builtin
      SSLRandomSeed connect builtin
   </IfModule>

Modify the httpd-ssl.conf section below according to your needs. I did **nothing for XAMPP**; for ZWAMP the paths change:
c:/Apache24 -> J:/zwamp64/vdrive/.sys/Apache2
J:/zwamp64/vdrive is mounted as /, so the J:/zwamp64/vdrive prefix can be dropped

Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog  builtin

# if Apache cannot start, comment the session cache out:
#SSLSessionCache        "shmcb:J:/zwamp64/vdrive/.sys/Apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

<VirtualHost _default_:443>
  #   General setup for the virtual host   J:/zwamp64/vdrive/ = /
  DocumentRoot "J:/zwamp64/vdrive/.sys/Apache2/htdocs"
  ServerName dev1:443
  ErrorLog "J:/zwamp64/vdrive/.sys/Apache2/logs/error.log"
  TransferLog "J:/zwamp64/vdrive/.sys/Apache2/logs/access.log"
  SSLEngine on
  SSLCertificateFile "J:/zwamp64/vdrive/.sys/Apache2/conf/server.cert"
  SSLCertificateKeyFile "J:/zwamp64/vdrive/.sys/Apache2/conf/server.key"
  <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
  </FilesMatch>
  <Directory "J:/zwamp64/vdrive/.sys/Apache2/cgi-bin">
      SSLOptions +StdEnvVars
  </Directory>

  BrowserMatch "MSIE [2-5]" \
           nokeepalive ssl-unclean-shutdown \
           downgrade-1.0 force-response-1.0
  CustomLog "J:/zwamp64/vdrive/.sys/Apache2/logs/ssl_request.log" \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

--------------- or :
<VirtualHost _default_:443>
    DocumentRoot "Your Root folder location"
    ErrorLog "logs/anyFile-error.log"
    CustomLog "logs/anyFile-access.log" common
    SSLEngine on
    SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server.cert"
    SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server.key"
</VirtualHost>

Make sure that "SSLCertificateFile" and "SSLCertificateKeyFile" are properly located.

For better organization YOU CAN ALSO put the whole <VirtualHost></VirtualHost> section in "J:\xampp\apache\conf\extra\httpd-vhosts.conf" along with your other virtual host settings, but you then need to uncomment "Include conf/extra/httpd-vhosts.conf" in your conf\httpd.conf file.

Opening the SSL/HTTPS port on Windows:
Now we need to open an exception in Windows Firewall for TCP port 443. You can do that by going to "Windows Firewall" settings in Control Panel and adding a port in the exception section. Also add the server name (eg dev1) to the C:\Windows\System32\drivers\etc\hosts file so that it resolves locally.

-- error Firefox :  SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
--usually displayed when the SSL certificate on the web server is not properly configured.

    1. Try connecting to the website over HTTP: If there is some problem with the SSL certificate on the web server, perhaps you can skip the HTTPS secure protocol altogether and connect to the website over the insecure HTTP protocol. You can do this simply by removing https:// from the website URL and adding http:// in its place.
    2. Disable Firefox add-ons: Some of the Firefox add-ons could also interfere in the way Firefox sends requests to web servers. For example, some add-ons might be hard-coded to connect to web servers over the secure HTTPS protocol and this could easily cause error in case of a missing SSL certificate or a mis-configured certificate. You can access all the installed add-ons by entering ***about:addons*** in the address bar.
    3. Refresh Firefox: If the error is being caused due to some settings related mess that you've caused yourself, then you can still fix the problem by refreshing all the Firefox entries. To do this, you have to enter about:support in the address bar and then click on the Refresh Firefox button to remove all the customizations and settings.
If even after trying the previous steps you keep getting the error, then perhaps your ISP is tampering with the data being sent or received by your computer. In this case, you should try using a VPN proxy software like Hotspot Shield, Tunnelbear or CyberGhost.
Sometimes when you try to visit a website over a secure HTTPS connection, Firefox throws up a warning that the connection is untrusted. This may be due to a variety of reasons like 
    - invalid security certificate, 
    - expired security certificate, 
    - missing security certificate 
    - ...
If you want to open that website anyway, then you can add an exception for this website, which causes Firefox to start trusting it irrespective of its security certificate status. You can add the security certificate exception either temporarily or permanently. If you add the exception temporarily, then the exception is valid only for the current Firefox session. But if you add the exception permanently, then it becomes valid every time you use Firefox - which makes it a security risk. If you have added such a security exception :

Firefox options -> Advanced -> Certificates -> View Certificates -> Authorities -> Import
-> J:\xampp\apache\bin\server.cert
--      -> J:\awww\apl\dev1\zz\2way_handshake\rootCA.crt
-> Trust this CA to identify websites -> View :
Issued by : ssorg (under this node is certificate server, Software security device)
--Issued by : testorg (under this node is certificate my2wayhanshake, Software security device)
Common name CN=dev1
--Common name CN=my2wayhanshake
O=ssorg        --testorg
OU=ssorgu      --testunit
-- Uncheck "Query OCSP responder servers to confirm the current validity of certificates"
--        has no effect  - about:preferences#advanced  or  about:config
OCSP = Online Certificate Status Protocol verification

April 12, 2016
When you connect to websites over a secure connection (HTTPS), the connection is encrypted using a security certificate issued by one of the certificate issuing authorities like Comodo, GoDaddy, Verizon, Symantec, Digicert etc. But if there is some problem with the certificates downloaded from these websites or if they cannot be verified, then Firefox will refuse to connect to the websites trying to use such certificates. While there could be problem in the certificate configuration on the web server itself, these errors in Firefox could also result from some local Firefox certificate database corruptions.

The first thing you should check is the system date.
Or the certificate store database in your Firefox profile has become corrupt:
    Help -> Troubleshooting Information -> Show Folder button to open your default Firefox profile folder
    -> When the Firefox profile folder opens up, close all the Firefox browser windows and wait ten seconds to let the Firefox processes terminate.
    -> In the Firefox profile folder, locate a file named cert8.db and delete it.
    -> Restart Firefox. This will recreate the cert8.db file and you should no longer get security certificate related errors.

Certificate manager -> Add security exception -> https://dev1 -> Get certificate
shows data above

then you can remove it using the following steps

-- error Slimjet :  This site can't provide a secure connection
-- error Microsoft Edge 40.15063.0.0 :  Hmmm...can't reach this page

-- error :  Could not verify this certificate because the issuer is unknown :
--          This certificate has been verified for the following users
--          SSL Certificate Authority

Make Your Own Cert With OpenSSL on Windows
Didier Stevens, 30 March 2015

Generate wildcard certificate with Intermediate/chain certificate and private key :

With OpenSSL 1.1.0 or later you'll get this ERROR:
      "problem creating object tsa_policy1="
All root CAs are self-signed.

pkcs8 format is for private keys, not for certificates. The private key is in PEM format.

The certificate does not dictate which encryption has to be used for the TLS connection. This is determined by the settings of the server and the client. Check the settings of your webserver, you can use the Qualys' SSL Labs to help you.

cd J:\awww\apl\dev1\zz\1_own_openssl_cert

Before you start OpenSSL, you need to set 2 environment variables:

--set RANDFILE=c:\demo\.rnd
set RANDFILE=J:\awww\apl\dev1\zz\1_own_openssl_cert\.rnd
--set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg
set OPENSSL_CONF=C:\Program Files\Git\mingw64\ssl\openssl.cnf

            ------------------- path science :
            J:\awww\apl\dev1\zz\1_own_openssl_cert>openssl version -d
            OPENSSLDIR: "c:/openssl-1.0.2k-win64/ssl"
            openssl version
            OpenSSL 1.0.2k  26 Jan 2017

            "C:\Program Files\Git\mingw64\bin\openssl.exe" version -d
            OPENSSLDIR: "/mingw64/ssl"
            "C:\Program Files\Git\mingw64\bin\openssl.exe" version
            OpenSSL 1.0.2l  25 May 2017
            (C:\Program Files\Git\mingw64\bin; --IS IN PATH)

            PATH=Z:\.sys\miniperl\bin;Z:\.sys\php;Z:\.sys\Apache2\bin;Z:\.sys\mysql\bin;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\AMD\ATI.ACE\Core-Static;C:\ProgramData\ComposerSetup\bin;C:\Program Files\Git\cmd;C:\Program Files\Git\mingw64\bin;C:\Program Files\Git\usr\bin;C:\Users\ss\AppData\Roaming\Composer\vendor\bin

Now you can start OpenSSL, type: 
"C:\Program Files\Git\mingw64\bin\openssl.exe"
--it opens openssl CLI:

And from here on, commands are same as for my "Howto: Make Your Own Cert With OpenSSL".
(on Linux)

1. generate a 4096-bit long RSA key for our root CA and store it in file ca.key:
OpenSSL> genrsa -out ca.key 4096

           (If you want to password-protect this key, add option -des3)

Generating RSA private key, 4096 bit long modulus
e is 65537 (0x10001)

2. create our self-signed root CA certificate ca.crt; 
OpenSSL>req -new -x509 -days 1826 -key ca.key -out ca.crt

         you'll need to provide an identity for your root CA:
         --ss1=CN = Common Name (e.g. server FQDN or YOUR name) []:MyRootAuthority 
         HR, Zagreb, Zagreb, org1, ou1, ss1,

         -x509 option is used for self-signed certificate. 
         1826 days gives us cert valid for 5 years.

3. create our subordinate CA that will be used for actual signing. 

3.1 generate key:
OpenSSL>genrsa -out ia.key 4096

3.2 request a certificate for this subordinate CA:
OpenSSL>req -new -key ia.key -out ia.csr
         --ssia1=CN = Common Name (e.g. server FQDN or YOUR name) []:MyRootAuthority 
         HR, Zagreb, Zagreb, orgia1, ouia1, ssia1,

Please enter the following 'extra' attributes  --Both type ENTER key
to be sent with your certificate request
A challenge password []:
An optional company name []:
Generating RSA private key, 4096 bit long modulus
e is 65537 (0x10001)

Make sure that the Common Name you enter here is different from the Common Name you entered previously for the root CA. If they are the same, you will get an error later on when creating the pkcs12 file.

4. process request for subordinate CA certificate and get it signed by the root CA.
OpenSSL>x509 -req -days 730 -in ia.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ia.crt

          Signature ok
          Getting CA Private Key

The cert will be valid for 2 years (730 days) and I decided to choose my own serial number 01 for this cert (-set_serial 01). For the root CA, I let OpenSSL generate a random serial number.

That's all there is to it! Of course, there are many options I didn't use. Consult the OpenSSL documentation for more info. 

For example, I didn't restrict my subordinate CA key usage to digital signatures. It can be used for anything, even making another subordinate CA. When you buy a code signing certificate, the CA company will limit its use to code signing. 

And I did not use passwords to protect my keys. In a production environment, you want to protect your keys with passwords.

To use this subordinate CA key for Authenticode signatures with Microsoft's signtool, 
you'll have to package the keys and certs in a PKCS12 file:
OpenSSL>pkcs12 -export -out ia.p12 -inkey ia.key -in ia.crt -chain -CAfile ca.crt

              If you did not provide a different Common Name for the root CA and the intermediate CA, then you'll get this error:
              Error self-signed certificate getting chain.
              error in pkcs12

To sign executables in Windows with signtool: 
1. install file ia.p12 in your certificate store 

  1.1 The certificates (.crt files) you created here can be double-clicked in Windows 
  to view/install them:
  -- e.g. double click ia.crt to open Cert. properties; after this opens the Certificate import wizard - SEE 1.2 below

   1.2 e.g. double click ia.p12 to open the Certificate import wizard which:
         -- copy disk-> : cert, list or cert.revocation list 
         CA cert. is 
         - confirmation of your identity 
         - and contains info to: protect data or to establish secure network conn.

2. use signtool /wizard to sign your PE file.

what's this for?

set RANDFILE=c:\demo\.rnd

From the OpenSSL documentation:
a file used to read and write random number seed information, or an EGD socket (see RAND_egd).

On Linux systems, this file is in your home folder: ~/.rnd
On Windows with the OpenSSL binaries I used, this file is in the root of the C: drive: C:\.rnd
And for normal users, that is a problem, because they don't have write access to C:\

So if you run the openssl genrsa command without setting the RANDFILE environment variable, you get an error:
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
unable to write 'random state'
e is 65537 (0x10001)

By pointing the RANDFILE to a file where the user has read and write access, openssl can write to the file and no error is generated.

Now you mention disabling all randomness in the keys. Are you maybe referring to /dev/random? Because that is not where RANDFILE points to.
