Self-Signed Certificate, vw7.10.1

Self-Signed Certificate, vw7.10.1

Deyan Yanchev
Hi Everyone,

I used OpenSSL to create a self-signed certificate with the following command:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes -subj '/CN=localhost'

Then I executed the following code in a Workspace:

certificate := Security.X509.Certificate fromFile: 'cert.pem'.
certificates := (Xtreams.TLSCertificateStore newWithDefaults)
   certificate: (Array with: certificate) key: myPrivateKey;
   yourself.

This simple piece of code raised exception 'This certificate is not suitable for any supported key exchange!' in Xtreams.TLSCertificateStore>>certificate:key:

I was wondering what's wrong with my code.

Thanks, Deyan
Re: Self-Signed Certificate, vw7.10.1

Deyan Yanchev
I guess I should define it as "suitable for key exchange" with the following code:

certificate forKeyExchange.
Re: Self-Signed Certificate, vw7.10.1

Holger Kleinsorgen
Deyan Yanchev wrote:
I used OpenSSL to create a self-signed certificate with the following command:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes -subj '/CN=localhost'

Then I executed the following code in a Workspace:

certificate := Security.X509.Certificate fromFile: 'cert.pem'.
certificates := (Xtreams.TLSCertificateStore newWithDefaults)
   certificate: (Array with: certificate) key: myPrivateKey;
   yourself.

This simple piece of code raised exception 'This certificate is not suitable for any supported key exchange!' in Xtreams.TLSCertificateStore>>certificate:key:

There are two options:
1. Create a certificate with the required keyUsage extension using OpenSSL.
See https://www.openssl.org/docs/apps/x509v3_config.html
Example: create a config file (e.g. ssl.config) with something like this:

[ req ]
x509_extensions    = cert_extensions
....
[ cert_extensions ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, keyAgreement, keyCertSign
...

and pass it to openssl
   openssl -config ssl.config .....


2. Create a temporary certificate with VisualWorks on the fly:

        "Generate a fresh 2048-bit RSA key pair."
        key := PrivateKey algorithm: 'RSA' size: 2048.
        "Self-signed: the same name serves as issuer and subject."
        name := Security.X509.Name new
                        CN: SocketAccessor getHostname;
                        yourself.
        certificate := Security.X509.Certificate new
                        serialNumber: Time microsecondClock;
                        issuer: name;
                        subject: name;
                        notBefore: Date today;
                        notAfter: Timestamp now + 1 year;
                        publicKey: key asX509Key asPublicKey;
                        forKeyExchange; "mark the certificate as suitable for key exchange"
                        yourself.
        "Sign the certificate with its own private key."
        certificate signUsing: key hash: 'SHA256' padding: 'PKCS1'.
        certificateStore := TLSCertificateStore newWithDefaults.
        "Trust the self-signed certificate, then install it together with its key."
        certificateStore known: certificate.
        certificateStore certificate: (Array with: certificate) key: key.
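The following script is an added example for option 1 above; it is not code from the thread or from the Xtreams project. It assumes the `openssl` command-line tool and `mktemp` are available. It writes a config file with the `x509_extensions` hook Holger describes, generates the certificate with the same key type and lifetime as the original command, and then decodes the certificate so the presence of the keyUsage extension can be confirmed before the file is loaded into VisualWorks. The keyUsage bits are narrowed to `digitalSignature` and `keyEncipherment`, which is what an end-entity RSA certificate needs for signed and RSA key exchange; the `nonRepudiation`, `keyAgreement` and `keyCertSign` bits from Holger's list are left out, and `basicConstraints`, `extendedKeyUsage` and `subjectAltName` are added as the usual companions for a TLS server certificate. Whether the Xtreams store accepts this narrower set is something to confirm against the image; the thread only states that the extension must be present.

```shell
#!/bin/sh
# Added example, not code from the thread: build a self-signed certificate
# that carries an explicit keyUsage extension, then read the extension back
# so the fix can be checked before the certificate is handed to Xtreams.
set -eu

# Scratch directory for config, key and certificate (assumption: mktemp exists).
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# The [req] section points at the extension section through x509_extensions,
# which `openssl req -x509` applies to the self-signed certificate it emits.
# prompt/distinguished_name replace the -subj flag used in the original command.
write_config() {
  cat > "$WORKDIR/ssl.config" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = cert_extensions

[ dn ]
CN = localhost

[ cert_extensions ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = critical, CA:FALSE
# digitalSignature covers signed (DHE/ECDHE) key exchange, keyEncipherment covers RSA key exchange
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:localhost
EOF
}

# Same key type and lifetime as the command in the post, driven by the config.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -config "$WORKDIR/ssl.config" \
    -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" 2>/dev/null
}

# Print the decoded keyUsage bits of the certificate given as $1, or nothing
# when the extension is absent, which is the state the original command produced.
cert_key_usage() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Key Usage' | tail -n 1 | sed 's/^ *//'
}

# Succeed only if the certificate declares a keyUsage extension at all.
has_key_usage() {
  [ -n "$(cert_key_usage "$1")" ]
}

# Usage: sh make-cert.sh run
if [ "${1:-}" = "run" ]; then
  write_config
  make_cert
  echo "certificate: $WORKDIR/cert.pem"
  echo "keyUsage:    $(cert_key_usage "$WORKDIR/cert.pem")"
fi
```

Run it with `sh make-cert.sh run`; the printed keyUsage line is the quickest way to tell the two certificates apart, since the one produced by the original `-subj` command has no keyUsage line at all. The resulting `cert.pem` and `key.pem` can then be loaded with `Security.X509.Certificate fromFile:` as in the first post.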