Key types:
.key This is a PEM formatted file containing just the private-key of a specific certificate and is merely a conventional name and not a standardized one. In Apache installs, this frequently resides in /etc/ssl/private. The rights on these files are very important, and some programs will refuse to load these certificates if they are set wrong.
.pkcs12 .pfx .p12 Originally defined by RSA in the Public-Key Cryptography Standards, the "12" variant was enhanced by Microsoft. This is a passworded container format that contains both public and private certificate pairs. Unlike .pem files, this container is fully encrypted. Openssl can turn this into a .pem file with both public and private keys:
How to add .p12 in browser ?
This solves "This site can’t provide a secure connection", picture below:
Using Chrome:
Settings- >Advanced-> Privacy and Security -> Manage certificates
It is possible to convert from .p12 to key.pem
# Removes key
$ openssl pkcs12 -in original.p12 -passin pass:password -out converted_from_p21.pem
$ openssl pkcs12 -in original.p12 -out cert.pem -nodes
-in option specifies what file to read the keys / certificates from.
-passin lets the user specify the password protecting the source PKCS12 file.
-out indicates which file to save the result to (the result being in this case both the public and private keys of alice). The default output format is PEM so we don’t need to specify anything else.
.pem Defined in RFC's 1421 through 1424, this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. Confusingly, it may also encode a CSR (e.g. as used here) as the PKCS10 format can be translated into PEM. The name is from Privacy Enhanced Mail (PEM), a failed method for secure email but the container format it used lives on, and is a base64 translation of the x509 ASN.1 keys.
PEM Governed by RFCs, it's used preferentially by open-source software. It can have a variety of extensions (.pem, .key, .cer, .cert, more)
$ python-m pip install --upgrade requests
$ python -m pip install --upgrade pip
$ python -m pip install --upgrade pyOpenSSL
$ python -m pip install requests[security]
Python `.pem` errors:
urllib2.URLError: <urlopen error [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:590)>
urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
Requests lib:
If connection is not secure:
>>> import requests
>>> response = requests.get(far_url, cert=bundle_file, verify=False)
>>> print(response.content)
You can pass verify the path to a CA_BUNDLE file or directory with certificates of trusted CAs:
>>> requests.get('https://github.com', verify='/path/to/certfile')
This list of trusted CAs can also be specified through the REQUESTS_CA_BUNDLE environment variable.
Client Side Certificates
You can also specify a local cert to use as client side certificate, as a single file (containing the private key and the certificate) or as a tuple of both files' paths:
>>> requests.get('https://kennethreitz.org', cert=('/path/client.cert', '/path/client.key')
CERTIFICATE_VERIFY_FAILED usually means that the server is providing a certificate that is not signed by a CA certificate your client trusts (i.e. you've given the client the "wrong" CA root certificate), or that the server does not provide a complete chain of certificates from the root to the server certificate.
(Caused by SSLError(SSLError(0, u'unknown error (_ssl.c:2947)'),))
Read about this error here
RSA - RSA key is a private key based on RSA algorithm. Private Key is used for authentication and a symmetric key exchange during establishment of an SSL/TLS session.
It is a part of the public key infrastructure that is generally used in case of SSL certificates. A public key infrastructure assumes asymmetric encryption where two types of keys are used: Private Key and Public Key (it is included in an SSL certificate). Since encrypted data transmission takes too much time in case of asymmetric encryption, this kind of encryption is used for a secure symmetric key exchange that is used for actual transmitted data encryption and decryption.
*
CA - certificate authority or certification authority (CA) is an entity that issues digital certificates.
PKI - Public Key Infrastructure.
CSR - Certification Request is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. It usually contains the public key for which the certificate should be issued, identifying information (such as a domain name) and integrity protection (e.g., a digital signature). The most common format for CSRs is the PKCS #10 specification and another is the Signed Public Key and Challenge SPKAC format generated by some web browsers.
c_rehash - Create symbolic links to files named by the hash values. *
Key usages:
Digital signature - Use when the public key is used with a digital signature mechanism to support security services other than non-repudiation, certificate signing, or CRL signing. A digital signature is often used for entity authentication and data origin authentication with integrity.
Certificate signing:
Use when the subject public key is used to verify a signature on certificates. This extension can be used only in CA certificates.
Certificate signing - Use when the subject public key is used to verify a signature on certificates. This extension can be used only in CA certificates.
Extended key usage further refines key usage extensions. An extended key is either critical or non-critical. If the extension is critical, the certificate must be used only for the indicated purpose or purposes. If the certificate is used for another purpose, it is in violation of the CA's policy.
*
Resourses:
https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file - More information about certificates types.
https://wiki.openssl.org/index.php/Manual:Pkcs12(1) - openssl commands.
https://www.youtube.com/watch?v=Y2yXEjxNG04 - Cryptography/SSL 101 #5: SSL certificate chain in depth.
https://tools.ietf.org/html/rfc5280#section-4.2.1.3 - Internet X.509 Public Key Infrastructure certificate and Certificate Revocation List (CRL) Profile.
.key This is a PEM formatted file containing just the private-key of a specific certificate and is merely a conventional name and not a standardized one. In Apache installs, this frequently resides in /etc/ssl/private. The rights on these files are very important, and some programs will refuse to load these certificates if they are set wrong.
.pkcs12 .pfx .p12 Originally defined by RSA in the Public-Key Cryptography Standards, the "12" variant was enhanced by Microsoft. This is a passworded container format that contains both public and private certificate pairs. Unlike .pem files, this container is fully encrypted. Openssl can turn this into a .pem file with both public and private keys:
How to add .p12 in browser ?
This solves "This site can’t provide a secure connection", picture below:
Using Chrome:
Settings- >Advanced-> Privacy and Security -> Manage certificates
It is possible to convert from .p12 to key.pem
# Removes key
$ openssl pkcs12 -in original.p12 -passin pass:password -out converted_from_p21.pem
$ openssl pkcs12 -in original.p12 -out cert.pem -nodes
-in option specifies what file to read the keys / certificates from.
-passin lets the user specify the password protecting the source PKCS12 file.
-out indicates which file to save the result to (the result being in this case both the public and private keys of alice). The default output format is PEM so we don’t need to specify anything else.
-nodes don't encrypt the private keys at all.*
.pem Defined in RFC's 1421 through 1424, this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. Confusingly, it may also encode a CSR (e.g. as used here) as the PKCS10 format can be translated into PEM. The name is from Privacy Enhanced Mail (PEM), a failed method for secure email but the container format it used lives on, and is a base64 translation of the x509 ASN.1 keys.
PEM Governed by RFCs, it's used preferentially by open-source software. It can have a variety of extensions (.pem, .key, .cer, .cert, more)
Python
Upgrading python libs:$ python-m pip install --upgrade requests
$ python -m pip install --upgrade pip
$ python -m pip install --upgrade pyOpenSSL
$ python -m pip install requests[security]
Python `.pem` errors:
urllib2.URLError: <urlopen error [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:590)>
urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
Requests lib:
If connection is not secure:
>>> import requests
>>> response = requests.get(far_url, cert=bundle_file, verify=False)
>>> print(response.content)
You can pass verify the path to a CA_BUNDLE file or directory with certificates of trusted CAs:
>>> requests.get('https://github.com', verify='/path/to/certfile')
This list of trusted CAs can also be specified through the REQUESTS_CA_BUNDLE environment variable.
Client Side Certificates
You can also specify a local cert to use as client side certificate, as a single file (containing the private key and the certificate) or as a tuple of both files' paths:
>>> requests.get('https://kennethreitz.org', cert=('/path/client.cert', '/path/client.key')
Errors:
CERTIFICATE_VERIFY_FAILED usually means that the server is providing a certificate that is not signed by a CA certificate your client trusts (i.e. you've given the client the "wrong" CA root certificate), or that the server does not provide a complete chain of certificates from the root to the server certificate.
(Caused by SSLError(SSLError(0, u'unknown error (_ssl.c:2947)'),))
Read about this error here
Definitions:
RSA - RSA key is a private key based on RSA algorithm. Private Key is used for authentication and a symmetric key exchange during establishment of an SSL/TLS session.
It is a part of the public key infrastructure that is generally used in case of SSL certificates. A public key infrastructure assumes asymmetric encryption where two types of keys are used: Private Key and Public Key (it is included in an SSL certificate). Since encrypted data transmission takes too much time in case of asymmetric encryption, this kind of encryption is used for a secure symmetric key exchange that is used for actual transmitted data encryption and decryption.
*
CA - certificate authority or certification authority (CA) is an entity that issues digital certificates.
PKI - Public Key Infrastructure.
CSR - Certification Request is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. It usually contains the public key for which the certificate should be issued, identifying information (such as a domain name) and integrity protection (e.g., a digital signature). The most common format for CSRs is the PKCS #10 specification and another is the Signed Public Key and Challenge SPKAC format generated by some web browsers.
c_rehash - Create symbolic links to files named by the hash values. *
Key usages:
Digital signature - Use when the public key is used with a digital signature mechanism to support security services other than non-repudiation, certificate signing, or CRL signing. A digital signature is often used for entity authentication and data origin authentication with integrity.
Certificate signing:
Use when the subject public key is used to verify a signature on certificates. This extension can be used only in CA certificates.
Certificate signing - Use when the subject public key is used to verify a signature on certificates. This extension can be used only in CA certificates.
Extended key usage further refines key usage extensions. An extended key is either critical or non-critical. If the extension is critical, the certificate must be used only for the indicated purpose or purposes. If the certificate is used for another purpose, it is in violation of the CA's policy.
*
Resourses:
https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file - More information about certificates types.
https://wiki.openssl.org/index.php/Manual:Pkcs12(1) - openssl commands.
https://www.youtube.com/watch?v=Y2yXEjxNG04 - Cryptography/SSL 101 #5: SSL certificate chain in depth.
https://tools.ietf.org/html/rfc5280#section-4.2.1.3 - Internet X.509 Public Key Infrastructure certificate and Certificate Revocation List (CRL) Profile.
https://www.youtube.com/watch?v=OKg4PqD01Z0 - Python blockchain digital signature tutorial
