I'm having problems importing SSL server certificates into Stingray. Can you share some guidelines?
The key point to understand is that Stingray accepts certificates and private keys in the PEM format. It does not generally accept compound PEM files, where multiple objects are in the same PEM bundle - one exception is the use of chained certificates.
PEM files are plain-text and have an easily-recognized format.
An SSL certificate in PEM format contains a header and footer, with a Base-64 encoded payload:
$ cat cert.public
-----BEGIN CERTIFICATE-----
MIIDTjCCAjYCCQDfYTLwGpnqtDANBgkqhkiG9w0BAQUFADBpMQswCQYDVQQGEwJH
QjEOMAwGA1UECBMFY2FtYnMxEjAQBgNVBAcTCWNhbWJyaWRnZTERMA8GA1UEChMI
....
-----END CERTIFICATE-----
An SSL private key uses a different header:
$ cat key.private
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAxfaFKP+7fbRmEjEbOc3ky4aA8oLargkv5hedIjaVAbwEWMfo
TuvneJRzhLxXKEaw9EzlExM5pMX8pRr9ad0vjSsv2HoHv5HZTYb70jq1nigUb/U+
....
-----END RSA PRIVATE KEY-----
Certificate signing requests (CSR) use the header 'BEGIN NEW CERTIFICATE REQUEST'; certificate revocation lists (CRL) begin 'BEGIN X509 CRL'.
Third-party systems may export certificates in other formats. For example, Windows Server exports certificates in the pkcs12 format, so if you want to place a Windows server behind Stingray, and decrypt the traffic on the Stingray, you'll need to translate the certificate into a format that Stingray understands.
The key tool to use is openssl - this Swiss Army knife can translate between numerous different formats.
If you're using a Unix-like operating system (Linux, Mac OS X, Solaris), openssl should be included, or will be easily installed from the package manager. If you're using Windows, you can download a binary from OpenSSL: OpenSSL Binary Distributions.
$ openssl pkcs12 -in key.p12 -nocerts -out key.pem -nodes
If you omit the -nodes flag, openssl will prompt you for an encryption password to protect your private key; Stingray does not support such encrypted keys. If you inadvertently create an encrypted key, you can generate the decrypted version as follows:
$ openssl rsa -in key.encrypted.pem -out key.pem
$ openssl pkcs12 -in key.p12 -nokeys -out cert.pem
You may encounter a key or certificate file in DER format. DER (Distinguished Encoding Rules) files are binary equivalents of the Base-64 ASCII-encoded PEM files, and are commonly used by Java applications. Files contain binary data and often use the extension .der or .cer.
$ openssl x509 -in file.cer -inform DER -out file.pem -outform PEM
If you're using Windows, use the openssl.exe binary downloaded from the link above.
If openssl generates keys in a different format, then you can force the output format using the flag -outform PEM.
The program 'cert' is bundled with Stingray; it's a less functional alternative to OpenSSL but it is useful to verify that certificates are in a format that is fully supported by Stingray.
Get help by running 'cert --help':
# $ZEUSHOME/admin/bin/cert --help
Usage: cert [OPTIONS]
-i, --in <filename> Input file name
-n, --new Create a new certificate/key/request
-t, --type <type> Type of file to create, public|private|request
...
Check that your public certificate and private key are a valid pair:
# cert -in TEST.public -key TEST.private --check
private and public key are a valid pair
Finally, if you're confused about which file is a private key, and which is a public certificate, you can dump each of them using openssl or cert:
# cert --in TEST.private --text
RSAPrivateKey:
Version: 00
n:
d7:45:.........
e:
01:00:01
d:
8f:34:....
p:
f3:18:.....
q:
e2:bb:....
dmp:
87:10:...
dmq:
4b:31:...
iqmp:
ba:66:...
# cert --in TEST.public --text
X509 Certificate:
Certificate Info:
Version: 02
Serial Number:
4d:da:8a:9e
Signature Algorithm: sha1withRSAEncryption
Issuer:
CN=ca, O=Riverbed Technology, OU=Development, L=Cambridge, C=GB
...
The equivalent openssl commands are:
$ openssl x509 -in cert.pem -text
$ openssl rsa -in key.pem -text
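As an added illustration (not from the original post, and not a Riverbed tool), here is a small Python pre-flight check that applies the rules above to a file before you try the import: PEM only, one object per file unless the file is a chain of certificates, and no password-protected private key. The sample material is constructed: the Base-64 payload is the five-byte DER encoding of SEQUENCE { INTEGER 5 }, not a real key or certificate.

```python
import base64
import re
# One PEM object: label, optional "Name: value" headers, then the Base-64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----", re.S)

def der_length_ok(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE (tag 0x30) whose length field matches the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: the byte is the length
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_for_stingray(data: bytes) -> list:
    """Return the problems that would block an import; [] means the file looks fine."""
    if data[:1] == b"\x30" and b"-----BEGIN" not in data:   # binary DER, not PEM
        return ["DER encoded: convert with openssl x509/rsa -inform DER -outform PEM"]
    blocks = PEM_BLOCK.findall(data.decode("ascii", errors="replace"))
    if not blocks:
        return ["no PEM BEGIN/END block found"]
    issues = []
    if len(blocks) > 1 and {label for label, _ in blocks} != {"CERTIFICATE"}:
        issues.append("compound PEM bundle: split into one object per file")
    for label, body in blocks:
        if "Proc-Type: 4,ENCRYPTED" in body or label == "ENCRYPTED PRIVATE KEY":
            issues.append("encrypted private key: decrypt with openssl rsa")
        b64 = "".join(l for l in body.splitlines() if ":" not in l)   # drop headers
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:
            issues.append(f"{label}: payload is not valid Base-64")
            continue
        if not der_length_ok(der):
            issues.append(f"{label}: payload is not a single DER SEQUENCE")
    return issues

# Constructed sample material (not a real key or certificate): the payload is the
# DER encoding of SEQUENCE { INTEGER 5 }, enough to exercise the structural checks.
TINY_DER_B64 = "MAMCAQU="
def pem(label: str, headers=()) -> bytes:
    """Build one PEM object with the tiny payload; headers get the blank separator line."""
    hdr = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    return f"-----BEGIN {label}-----\n{hdr}{TINY_DER_B64}\n-----END {label}-----\n".encode()
```

Run `check_for_stingray(open(path, "rb").read())` on each file you intend to upload; an empty list means the file has the shape the post describes, and each entry otherwise names the openssl step that fixes it.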