Re: Best way to store keys and certs on Windows [was: Windows Certificate Store Private Key]
On 26-06-2010 18:29, Mohan Radhakrishnan wrote: Please ignore if this question belongs else where but it looks like the OP is storing and retrieving SSL certificate from a Windows store. I have been looking for ways to use the Windows store to secure SSL certificates and keys and SFTP keys. Is windows or any other method recommended for storage of keys and certificates not created by Windows ? We just cut a CD with the keys and hand it over to the custodian as recommended by PCI but we want a storage server. I know that RedHat has a PKI server but we already have windows and the number of keys is less. (You really should have started a new thread for this question, but I'll answer anyway.) The answer to this depends a lot on what kind of keys you are storing. I note that you are going for PCI compliance, so I am assuming serious security here. 1. If you are storing the sensitive private keys, then the proper answer is: Key copies that are not used many times every day should be stored in secure hardware not connected to any computer and locked away in a serious well-guarded strong box, relevant hardware include Spyrus PCMCIA HSMs and high end smart cards. For very rarely used key copies, they should be split using Shamir's sharing scheme or similar into parts stored on separate smart cards guarded by different people in different strongboxes. For key copies that are used frequently by automated servers, you should use a large high end HSM (too heavy for anyone to put in their pocket) fitted with internal motion sensors that erase the keys if the device is physically moved anyway. 2. If you are storing just the public keys and certificates, and using Windows, I would recommend the following combination: Store each certificate in a PEM/Base64 DER file with extension .cer and the combined list of all of them in a binary DER file with extension .CRT. Burn all those files to a CD and keep it in a read-only optical drive (not a CD or DVD writer) in the server to prevent malicious modifications (These file formats can be directly read and used by both Windows and openssl, the openssl command line tool is good for making the combined .crt). Also put a copy of the certificates in Active Directory group policies under appropriate categories, for instance CAs under trusted CAs. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Windows Certificate Store Private Key
A question for everyone: What If you only use the BIO structures to call RAND_bytes(), in your threads, and you are not using any of the SSL structures, do you still need a callback function? My purpose of using the OpenSSL library is to generate random numbers only. - __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Windows Certificate Store Private Key
Hi, Please ignore if this question belongs else where but it looks like the OP is storing and retrieving SSL certificate from a Windows store. I have been looking for ways to use the Windows store to secure SSL certificates and keys and SFTP keys. Is windows or any other method recommended for storage of keys and certificates not created by Windows ? We just cut a CD with the keys and hand it over to the custodian as recommended by PCI but we want a storage server. I know that RedHat has a PKI server but we already have windows and the number of keys is less. Thanks, Mohan On Thu, Jun 24, 2010 at 9:45 PM, Harshvir Sidhu hvssi...@gmail.com wrote: Hey thanks all for the reply. Stephen: Yes i have to do client authentication, Is there some sample available that demonstrates how can i use capi engine for the same? Thanks. // Harshvir On Thu, Jun 24, 2010 at 7:29 AM, Dr. Stephen Henson st...@openssl.org wrote: On Wed, Jun 23, 2010, Harshvir Sidhu wrote: Hi All, I am trying to read Certificates and Private Key from Windows Certificate Store and then using them in OpenSSL. I am able to read Certificates but i am having trouble with reading Private Key. Have anyone done this before, any pointers will be great. Thanks. Depends on what you want to do with the key. If you want to use it for SSL/TLS client authentication then you can use the CryptoAPI ENGINE to pick an appropriate certficate and key and use them directly. You just have to set the SSL client authentication ENGINE to capi. For other purposes you can load the private key from the capi ENGINE using ENGINE_load_private_key(). The string you pass by default is a substring of the certificate name e.g. if it has CN=steve then steve will do. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-us...@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Windows Certificate Store Private Key
On Sat June 26 2010, Mohan Radhakrishnan wrote: Hi, Please ignore if this question belongs else where but it looks like the OP is storing and retrieving SSL certificate from a Windows store. I have been looking for ways to use the Windows store to secure SSL certificates and keys and SFTP keys. Is windows or any other method recommended for storage of keys and certificates not created by Windows ? We just cut a CD with the keys and hand it over to the custodian as recommended by PCI but we want a storage server. I know that RedHat has a PKI server but we already have windows and the number of keys is less. A good, widely used, general storage for sensitive information is TrueCrypt: http://www.truecrypt.org/ Available for the most common operating systems. Mike Thanks, Mohan On Thu, Jun 24, 2010 at 9:45 PM, Harshvir Sidhu hvssi...@gmail.com wrote: Hey thanks all for the reply. Stephen: Yes i have to do client authentication, Is there some sample available that demonstrates how can i use capi engine for the same? Thanks. // Harshvir On Thu, Jun 24, 2010 at 7:29 AM, Dr. Stephen Henson st...@openssl.org wrote: On Wed, Jun 23, 2010, Harshvir Sidhu wrote: Hi All, I am trying to read Certificates and Private Key from Windows Certificate Store and then using them in OpenSSL. I am able to read Certificates but i am having trouble with reading Private Key. Have anyone done this before, any pointers will be great. Thanks. Depends on what you want to do with the key. If you want to use it for SSL/TLS client authentication then you can use the CryptoAPI ENGINE to pick an appropriate certficate and key and use them directly. You just have to set the SSL client authentication ENGINE to capi. For other purposes you can load the private key from the capi ENGINE using ENGINE_load_private_key(). The string you pass by default is a substring of the certificate name e.g. if it has CN=steve then steve will do. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-us...@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Windows Certificate Store Private Key
aerow...@gmail.com schrieb: Run mmc.exe (Microsoft Management Console), add the Certificates snap-in, and then export the certificate and private key to a PKCS#12 file. Then use openssl pkcs12 to parse it. Note that this works only if the private key is marked as exportable. Ted ;) -Kyle H On Wed, Jun 23, 2010 at 3:43 PM, Harshvir Sidhu hvssi...@gmail.com wrote: Hi All, I am trying to read Certificates and Private Key from Windows Certificate Store and then using them in OpenSSL. I am able to read Certificates but i am having trouble with reading Private Key. Have anyone done this before, any pointers will be great. Thanks. // Harshvir -- PGP Public Key Information Download complete Key from http://www.convey.de/ted/tedkey_convey.asc Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Windows Certificate Store Private Key
On 24-06-2010 00:43, Harshvir Sidhu wrote: Hi All, I am trying to read Certificates and Private Key from Windows Certificate Store and then using them in OpenSSL. I am able to read Certificates but i am having trouble with reading Private Key. Have anyone done this before, any pointers will be great. Thanks. Note that you are NEVER supposed to do that. The Windows Certificate Store is designed to behave like a smart card or HSM (even though it is technically just software and can probably be cracked). Private Keys are not supposed to go out, although you CAN extract those private keys that are marked exportable (which has nothing to do with the old crypto-export-across-borders restrictions). AeroWolf's reply is about the manual way to extract keys that are marked exportable, keys that are not so marked, cannot be extracted by ordinary means and cannot be retroactively marked as exportable. The best approach would be for someone to create an openssl engine plugin which can call MS CryptoAPI and thus access use any keys kept by it without actually compromising the private key storage. Maybe someone has already done that. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Windows Certificate Store Private Key
On Wed, Jun 23, 2010, Harshvir Sidhu wrote: Hi All, I am trying to read Certificates and Private Key from Windows Certificate Store and then using them in OpenSSL. I am able to read Certificates but i am having trouble with reading Private Key. Have anyone done this before, any pointers will be great. Thanks. Depends on what you want to do with the key. If you want to use it for SSL/TLS client authentication then you can use the CryptoAPI ENGINE to pick an appropriate certficate and key and use them directly. You just have to set the SSL client authentication ENGINE to capi. For other purposes you can load the private key from the capi ENGINE using ENGINE_load_private_key(). The string you pass by default is a substring of the certificate name e.g. if it has CN=steve then steve will do. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Windows Certificate Store Private Key
Hey thanks all for the reply. Stephen: Yes i have to do client authentication, Is there some sample available that demonstrates how can i use capi engine for the same? Thanks. // Harshvir On Thu, Jun 24, 2010 at 7:29 AM, Dr. Stephen Henson st...@openssl.orgwrote: On Wed, Jun 23, 2010, Harshvir Sidhu wrote: Hi All, I am trying to read Certificates and Private Key from Windows Certificate Store and then using them in OpenSSL. I am able to read Certificates but i am having trouble with reading Private Key. Have anyone done this before, any pointers will be great. Thanks. Depends on what you want to do with the key. If you want to use it for SSL/TLS client authentication then you can use the CryptoAPI ENGINE to pick an appropriate certficate and key and use them directly. You just have to set the SSL client authentication ENGINE to capi. For other purposes you can load the private key from the capi ENGINE using ENGINE_load_private_key(). The string you pass by default is a substring of the certificate name e.g. if it has CN=steve then steve will do. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Windows Certificate Store Private Key
On Thu, Jun 24, 2010, Harshvir Sidhu wrote: Hey thanks all for the reply. Stephen: Yes i have to do client authentication, Is there some sample available that demonstrates how can i use capi engine for the same? Thanks. The option -ssl_client_cert_engine to s_client uses the relevant functionality. All you do is lookup the capi ENGINE and assign it to the SSL_CTX, check the s_client.c source for more info. If you only have one client certificate for a given CA then that is sufficient. There are other options which can be set at compile time, such as displaying a dialog box if there are multiple certificates of just arbitrarily choosing the first one. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Windows Certificate Store Private Key
Hi All, I am trying to read Certificates and Private Key from Windows Certificate Store and then using them in OpenSSL. I am able to read Certificates but i am having trouble with reading Private Key. Have anyone done this before, any pointers will be great. Thanks. // Harshvir
Re: Windows Certificate Store Private Key
Run mmc.exe (Microsoft Management Console), add the Certificates snap-in, and then export the certificate and private key to a PKCS#12 file. Then use openssl pkcs12 to parse it. -Kyle H On Wed, Jun 23, 2010 at 3:43 PM, Harshvir Sidhu hvssi...@gmail.com wrote: Hi All, I am trying to read Certificates and Private Key from Windows Certificate Store and then using them in OpenSSL. I am able to read Certificates but i am having trouble with reading Private Key. Have anyone done this before, any pointers will be great. Thanks. // Harshvir smime.p7s Description: S/MIME Cryptographic Signature
Re: Windows Certificate Store Private Key
Run mmc.exe (Microsoft Management Console), add the Certificates snap-in, and then export the certificate and private key to a PKCS#12 file. Then use openssl pkcs12 to parse it. -Kyle H On Wed, Jun 23, 2010 at 3:43 PM, Harshvir Sidhu hvssi...@gmail.com wrote: Hi All, I am trying to read Certificates and Private Key from Windows Certificate Store and then using them in OpenSSL. I am able to read Certificates but i am having trouble with reading Private Key. Have anyone done this before, any pointers will be great. Thanks. // Harshvir smime.p7s Description: S/MIME Cryptographic Signature