vADC Forum

Reply
Contributor
Posts: 27
Registered: ‎05-08-2013
Accepted Solution

How do I import SSL server certificates into Stingray?

I'm having problems importing SSL server certificates into Stingray.  Can you share some guidelines?

Frequent Contributor
Posts: 321
Registered: ‎11-29-2012

Re: How do I import SSL server certificates into Stingray?

The key point to understand is that Stingray accepts certificates and private keys in the PEM format.  It does not generally accept compound PEM files, where multiple objects are in the same PEM bundle - one exception is the use of chained certificates.

How do I recognise a PEM file?

PEM files are plain-text and have an easily-recognized format.

An SSL certificate in PEM format contains a header and footer, with a Base-64 encoded payload:


$ cat cert.public


-----BEGIN CERTIFICATE-----


MIIDTjCCAjYCCQDfYTLwGpnqtDANBgkqhkiG9w0BAQUFADBpMQswCQYDVQQGEwJH


QjEOMAwGA1UECBMFY2FtYnMxEjAQBgNVBAcTCWNhbWJyaWRnZTERMA8GA1UEChMI


....


-----END CERTIFICATE-----



An SSL private key uses a different header:


$ cat key.private


-----BEGIN RSA PRIVATE KEY-----


MIIEogIBAAKCAQEAxfaFKP+7fbRmEjEbOc3ky4aA8oLargkv5hedIjaVAbwEWMfo


TuvneJRzhLxXKEaw9EzlExM5pMX8pRr9ad0vjSsv2HoHv5HZTYb70jq1nigUb/U+


....


-----END RSA PRIVATE KEY-----



Certificate signing requests (csr) use the header 'BEGIN NEW CERTIFICATE REQUEST', Certificate revocation lists (crl) begin 'BEGIN X509 CRL'.

Third-party systems may export certificates in other formats.  For example, Windows Server exports certificates in the pkcs12 format, so if you want to place a Windows server behind Stingray, and decrypt the traffic on the Stingray, you'll need to translate the certificate into a format that Stingray understands.

Use OpenSSL

The key tool to use is openssl - this swiss-army knife can translate between numerous different formats.

If you're using a Unix-like operating system (Linux, MacOSX, Solaris), openssl should be included, or will be easily installed from the package manager.  If you're using Windows, you can download a binary from OpenSSL: OpenSSL Binary Distributions.

Extracting the private key from a PKCS12 file


$ openssl pkcs12 -in key.p12 -nocerts -out key.pem -nodes



If you omit the -nodes flag, openssl will prompt you for an encryption password to protect your private key; Stingray does not support such encrypted keys.  If you inadvertently create an encrypted key, you can generate the decrypted version as follows:


$ openssl rsa -in key.encrypted.pem -out key.pem



Extracting the certificate from a PKCS12 file


$ openssl pkcs12 -in key.p12 -nokeys -out cert.pem



Managing other file formats

You may encounter a key or certificate file in DER format. DER (Distinguished Encoding Rules) files are binary equivalents of the Base-64 ASCII-encoded PEM files, and are commonly used by Java applications.  Files contain binary data and often use the extension .der or .cer.


$ openssl x509 -in file.cer -inform DER -outfile.pem -outform PEM



If you're using Windows, use the openssl.exe binary downloaded from the link above.

If openssl generates keys in a different format, then you can force the output format using the flag -outform PEM.

Use Stingray's cert program

The program 'cert' is bundled with Stingray; it's a less functional alternative to OpenSSL but it is useful to verify that certificates are in a format that is fully supported by Stingray.

Get help by running 'cert --help':


root@stingray# $ZEUSHOME/admin/bin/cert --help


Usage: cert [OPTIONS]


  -i, --in <filename>    Input file name


  -n, --new              Create a new certificate/key/request


  -t, --type <type>      Type of file to create, public|private|request


...



Check that your public certificate and private key are a valid pair:


# cert -in TEST.public -key TEST.private --check


private and public key are a valid pair



Finally, if you're confused about which file is a private key, and which is a public certificate, you can dump each of them using openssl or cert:


root@stingray-1:server_keys# cert --in TEST.private --text


    RSAPrivateKey:


        Version: 00


        n:


            d7:45:.........


        e:


            01:00:01


        d:


            8f:34:....


        p:


            f3:18:.....


        q:


            e2:bb:....


        dmp:


            87:10:...


        dmq:


            4b:31:...


        iqmp:


            ba:66:...



root@stingray-1:server_keys# cert --in TEST.public --text


X509 Certificate:


    Certificate Info:


        Version: 02


        Serial Number:


            4d:da:8a:9e


        Signature Algorithm: sha1withRSAEncryption


        Issuer:


            CN=ca, O=Riverbed Technology, OU=Development, L=Cambridge, C=GB


            Email=ca@cam.riverbed.com


...



The equivalent openssl commands are:


$ openssl x509 -in cert.pem -text


$ openssl rsa -in key.pem -text



Read more

Join the Community

Get quick and easy access to valuable resource designed to help you manage your Brocade Network.