In this post I will show you how to
- Create a sample .net core 3.0 website.
- Deploy a website to an Azure App Service.
- Assign a custom domain.
- Enable Let’s Encrypt certificate
In this post I will show you how to
To display certificate information of a certificate issue the command below:
openssl x509 -in certificate -text
Information about the certificate is displayed. Some important items are:
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
The Issuer is a CA that signed this certificate.
Validity Not Before: Feb 6 00:00:00 2015 GMT Not After : Feb 26 23:59:59 2016 GMT
The validity period of the certificate. Remember to renew your certificate before it expires!
Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=www.bjdejong.nl
The subject for this certificate. This certificate can be used for a website for the given CN.
With the help of OpenSSL you can easily encrypt and decrypt files. This method of encryption is of course also compatible with the openssl binaries you can download for the Windows platform. Use base64 encoding for better multi-plaform exchange.
Encrypt files with (a password is asked for encrypting):
openssl enc -aes-256-cbc -base64 -in <file to encrypt> -out <encrypted file>
Decrypt files with (a password is asked for decrypting):
openssl enc -aes-256-cbc -base64 -d -in <encrypted file> -out <decrypted file>
The commands above use base64 encoding for storing the encrypted data.
You give other people your public (encryption) key. Other people can encrypt data with your public key which you can only decrypt because you have the private (decryption) key for the public key that is used.
Generate a key pair (private / public) with 2048 bits length:
openssl genrsa 2048 > key.pem
Generate a password protected key pair (private / public) with 4096 bits length:
openssl genrsa -des3 -out key.pem 4096
Generate the public key from the private key:
openssl rsa -in key.pem -pubout > pub.key
Create a symmetric key (base 64 for convenience) and store in file:
openssl rand -base64 32 > symmetrickey.txt
Encrypt the symmetric key file with your public key:
openssl rsautl -in symmetrickey.txt -out symmetrickey.bin -pubin -inkey mypubkey.pem -encrypt
Decrypt the symmetric key with your private key:
openssl rsautl -in symmetrickey.bin -out symmetrickey.txt -inkey myprivkey.pem -decrypt
Public-key cryptography, also known as asymmetric cryptography, refers to a cryptographic algorithm which requires two separate keys, one of which is secret (or private) and one of which is public.
Although different, the two parts of this key pair are mathematically linked. The public key is used to encrypt plaintext or to verify a digital signature; whereas the private key is used to decrypt ciphertext or to create a digital signature.
The term “asymmetric” stems from the use of different keys to perform these opposite functions, each the inverse of the other – as contrasted with conventional (“symmetric”) cryptography which relies on the same key to perform both.
The strength lies in the fact that it is “impossible” (computationally unfeasible) for a properly generated private key to be determined from its corresponding public key.
Thus the public key may be published without compromising security, whereas the private key must not be revealed to anyone not authorized to read messages or perform digital signatures.
Public key algorithms, unlike symmetric key algorithms, do not require a secure initial exchange of one (or more) secret keys between the parties.
Each user has a pair of cryptographic keys – a public encryption key and a private decryption key. Similarly, a key pair used for digital signatures consists of a private signing key and a public verification key.
In symmetric-key encryption, each computer has a secret key (code) that it can use to encrypt a packet of information before it is sent over the network to another computer. Symmetric-key requires that you know which computers will be talking to each other so you can install the key on each one. Symmetric-key encryption is essentially the same as a secret code that each of the two computers must know in order to decode the information. The code provides the key to decoding the message.
The first major symmetric algorithm developed for computers in the United States was the Data Encryption Standard (DES), approved for use in the 1970s. The DES uses a 56-bit key.
DES has been replaced by the Advanced Encryption Standard (AES), which uses 128-, 192- or 256-bit keys. Most people believe that AES will be a sufficient encryption standard for a long time coming: A 128-bit key, for instance, can have more than 300,000,000,000,000,000,000,000,000,000,000,000 key combinations
This article is about cryptography and asymmetric encryption / decyption.
Asymmetric (public / private key pair) and symmetric (one key to encrypt and decrypt).
– distribute your public key
– keep your private key secret and private 🙂
Ask people who want to send you a secret mail to encrypt it with the public key. Only you, the owner of the private key, are able to decrypt it.
Install openSSH from http://slproweb.com/products/Win32OpenSSL.html (Visual C++ 2008 Redistributables and Win32 OpenSSL v1.0.1c).
Add the installation folder to your path and adjust the environment variable OPENSSL_CONF to point to your configuration file.
Asymmetric encryption of a file:
1. Create a private key and public key pair:
> openssl genrsa -out private.pem 1024
1a. Encrypt you private key:
> openssl rsa -in private.pem -des3 -out private-enc-key.pem
2. Extract the public key from this file (the public.pem, created below, can be freely distributed):
> openssl rsa -in private.pem -out public.pem -outform PEM -pubout
3. Encrypt a file:
> openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out file_enc.txt
4. Decrypt the file with your private key:
> openssl rsautl -decrypt -inkey private.pem -in file_enc.txt -out decrypted.txt
Retrieve information about your private key (generated with genrsa command):
> openssl rsa -in privateKey.pem -text
NOTES
Privacy Enhanced Email (PEM)
http://users.dcc.uchile.cl/~pcamacho/tutorial/crypto/openssl/openssl_intro.html
Display information about a X509 certificate with this little C# fragment:
using System; using System.Security.Cryptography.X509Certificates; class App { static void Main(string[] args) { if (args.Length == 0) { Console.WriteLine("Usage: Viewcert .cer"); return; } X509Certificate x509 = X509Certificate.CreateFromCertFile(args[0]); Console.WriteLine( "Issued to {0}nIssued by {1}nSerial# {2}n" + "From {3} To {4}nAlgo {5} Params {6}n" + "Format {7}n" + "Cert Hashn{8}nCert Datan{9}nPublic Keyn{10}", x509.Subject, x509.Issuer, x509.GetSerialNumberString(), x509.GetEffectiveDateString(), x509.GetExpirationDateString(), x509.GetKeyAlgorithm(), x509.GetKeyAlgorithmParametersString(), x509.GetFormat(), x509.GetCertHashString(), x509.GetRawCertDataString(), x509.GetPublicKeyString()); } }
For a project I have to test the signing of a MSI. The MSI has to be uploaded to a web server. The web server has to test the signing status of the MSI. The code below saves the MSI file (in the upload control) local. With help of the X509Certificate class a certificate object is instantiated. The SigningStatus is a enum.
internal static SigningStatus GetSigningStatus(FileUpload fileupload) { string fileName = Path.Combine( Context.Server.MapPath(WebConfigurationManager.AppSettings["IprTempDir"]), fileupload.FileName); try { // Save file so it can be uses in constructor for the X509 certificate (constructor does // not handle streams!) fileupload.SaveAs(fileName); 13: X509Certificate2 x509msi = new X509Certificate2(fileName); if (x509msi.GetHashCode() != 0) { X509Certificate2 key = new X509Certificate2(StrToByteArray(WebConfigurationManager.AppSettings["PublicKey"])); if (string.Compare( x509msi.PublicKey.EncodedKeyValue.Format(false), key.PublicKey.EncodedKeyValue.Format(false)) == 0) { // Public key web.config equal to public key of uploaded file => Company signed return SigningStatus.CompanySigned; } // File is signed but not with the Company public key return SigningStatus.Signed; } else return SigningStatus.NotSigned; } catch (CryptographicException) { return SigningStatus.NotSigned; } finally { if (File.Exists(fileName)) { File.Delete(fileName); } } }