How can I install certificates?

Hi, I’m trying to configure and use Manjaro at work and I need to install .pfx certificates.

I have all the steps in Windows but I don’t know what the equivalent is in Linux. Can someone help me?

These are the steps that I need to follow in Windows:

Step 1

Select Local Machine

Step 2

Select the .pfx

Step 3

Insert the password of the certificate and mark this key as exportable

Step 4

Put it in the Personal store

And when I finish all the steps I should repeat all the steps again, except Step 4, where I should change the certificate store to Trusted Root Certification Authorities.

I hope someone can guide me to do exactly the same in Manjaro.

Thanks for your help!


Moderator edit: Removed Windows Setup Wizard screenshots

If your company wants you to install a global certificate to MITM everything you do, run and never look back.

That said, where do you want to use it? The browsers have the option to install certificates.


Thanks for the reply. Maybe I didn’t understand your comment well.
I’m a web developer and this is a certificate that we are using in the backend (DOTNET C#) in order to communicate with another machine.

I don’t know where dotnet applications on Linux will read the certificate from.

Paging @linux-aarhus :wink:


Please remove the Windows screenshots - they are irrelevant.

This question is not Manjaro-specific but targeted at dotnet.

It is a common XY problem you are presenting, where you ask for help with how you think it should be done rather than targeting the real problem - the dotnet development environment.

dotnet dev-certs https

If you need a specific certificate for the local dev-server

 $ dotnet dev-certs https --help


Usage: dotnet dev-certs https [options]

Options:
  -ep|--export-path  Full path to the exported certificate
  -p|--password      Password to use when exporting the certificate with the private key into a pfx file or to encrypt the Pem exported key
  -np|--no-password  Explicitly request that you don't use a password for the key when exporting a certificate to a PEM format
  -c|--check         Check for the existence of the certificate but do not perform any action
  --clean            Cleans all HTTPS development certificates from the machine.
  -i|--import        Imports the provided HTTPS development certificate into the machine. All other HTTPS developer certificates will be cleared out
  --format           Export the certificate in the given format. Valid values are Pfx and Pem. Pfx is the default.
  -t|--trust         Trust the certificate on the current platform. When combined with the --check option, validates that the certificate is trusted.
  -v|--verbose       Display more debug information.
  -q|--quiet         Display warnings and errors only.
  -h|--help          Show help information

If you need the certificate at system level - please read the page on TLS and certificates at Transport Layer Security - ArchWiki

Thank you for your reply.

Let me try to explain the specific scenario in a different way because I believe the first part is related to Manjaro but the 2nd might be indeed related to .NET.

I need to sign an XML document using .NET and the way we do that is by retrieving specific certificates (with private keys) and then using .NET sign them and use them elsewhere.

I understand that the retrieval of the certificate might be more .NET specific but regardless of that I need a place in which to either “install” or store the certificate with its private key to be used later to sign objects.

Does this make more sense?

Thanks again for your time!

No, it does not.

The second scenario is not the same as the first scenario mentioned.

You don’t need the remote server’s private key to communicate with it using TLS.

Signing a document is a completely different task and is not related to the remote server.

Thanks for the reply again :slight_smile:
I will try to investigate a little bit more and I will come back here again.

While I have no idea what you are trying to achieve, I am guessing here.

My guess is that you need a client certificate to identify the client connecting to the web service.

Please remember this - your fellow forum members are not a resource - and this information - you could easily have found it yourself.

As a developer you must be used to digging and reading documentation to be able to complete the task at hand.

If you are like me - you use a lot of time to educate yourself to stay ahead and keep being an asset to your employer :slight_smile:

So based on my guess - I used the information from

This led to the file:///usr/share/ca-certificates/trust-source/README

So, to extract the certificate using openssl, storing it in a new PEM file (if the extraction fails - append the -legacy option)

openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem [-legacy]

To extract also the private key (again - if this fails - append -legacy option)

openssl pkcs12 -in cert.pfx -nodes -out cert.pem [-legacy]

A pfx file is usually password protected, so input the password when challenged.

Copy the extracted file to

sudo cp cert.pem /usr/share/ca-certificates/trust-source/anchors/

And update the trust

sudo update-ca-trust
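
Added example (not part of the original thread): the `-nodes` extraction above writes the private key into cert.pem, and the anchors directory is readable by all local users by default, so this sketch splits the .pfx into a certificate-only file for the trust store and an owner-only key file, and refuses to install any PEM that still holds a key. The function names, the `PFX_PASSWORD` variable and the output file names are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names, PFX_PASSWORD and the
# cert.pem/key.pem output names are assumptions.

# Returns 0 when the PEM file holds any private-key block
# (PRIVATE KEY, RSA/EC PRIVATE KEY, ENCRYPTED PRIVATE KEY).
pem_has_private_key() {
    grep -Eq -- '-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' "$1"
}

# split_pfx <file.pfx> <outdir>
# Writes <outdir>/cert.pem (certificate only) and <outdir>/key.pem (key only).
# The password comes from $PFX_PASSWORD so it never shows up in `ps` output.
# As in the thread: append -legacy to both calls if an old .pfx fails to load.
split_pfx() {
    mkdir -p "$2" || return 1
    # -nokeys drops the key; -clcerts keeps the leaf and skips CA certificates.
    openssl pkcs12 -in "$1" -passin env:PFX_PASSWORD \
        -clcerts -nokeys -out "$2/cert.pem" || return 1
    # Subshell + umask 077: key.pem is created readable by its owner only.
    ( umask 077
      openssl pkcs12 -in "$1" -passin env:PFX_PASSWORD \
          -nocerts -nodes -out "$2/key.pem" ) || return 1
}

# install_anchor <cert.pem> <anchors-dir>
# Copies a certificate into a trust-anchor directory, but refuses any file
# that still contains a private key.
install_anchor() {
    if pem_has_private_key "$1"; then
        echo "refusing: $1 contains a private key" >&2
        return 1
    fi
    cp -- "$1" "$2/"
}
```

For the system store, run `install_anchor` as root against /usr/share/ca-certificates/trust-source/anchors and then `update-ca-trust`, as in the post above.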

Thanks again for the information. I’m always reading documentation or searching on Google before asking.
My question is more related to where I can store certificates. I found this link where you can find the information on the path to store certificates:

~/.dotnet/corefx/cryptography/x509stores/

Besides, I found another link where a user has created a tool to add certificates.
You can check here: GitHub - gsoft-inc/dotnet-certificate-tool: Command line tool to install and remove certificates from the current user's store.

I didn’t try it yet, because next week I will try to install Manjaro on my work computer and I was researching possible problems a little bit.

I hope all this information makes more sense to you, because TLS is not something that I need. What I was interested in understanding is how a .NET application will read a .pfx installed on a Linux machine (since Linux doesn’t have certificate stores like in Windows).

Thanks again for your help

I actually looked into the .dotnet config folder - and this may be a viable solution - but I don’t know. The dotnet dev-certs is capable of importing a certificate but it will replace the existing one - apparently only one certificate can be used at any given time.

Adding certificates to the system certificate collection is done as described in my above comment.

Depending on the pfx files and if the certificate can be used for code signing you may not have success with the extraction command I mention.

I have a couple of web server certificates and I have those in various formats including pfx - so it was a no-brainer to test the extraction - which is why I mention the possible lack of success as I wasn’t able to extract the certificates even though I know the passphrase.

I have researched the error message and it has something to do with the pfx being in the older OpenSSL 1.1.1 as can be seen from this closed issue

One needs to try with the -legacy option.
See the man page → openssl(1ssl) — Arch manual pages
Specifically for pkcs12 → openssl-pkcs12(1ssl) — Arch manual pages

Thanks again.
Now I’m even more confused xD.

I don’t know if I should give up on this and just continue using Manjaro at home and at work, leave it with Windows and avoid problems.

I want to try and install it but it requires a lot of time and project setup and if something fails they will kill me because I’m “wasting” time when everyone is using Windows here lol.

Also, the library that I found in the previous post is abandoned and in .NET 6, I don’t know if it will work in .NET 7/8.

Nothing I have found assures me that it works 100% and that worries me :frowning:

I use Manjaro primarily and there is nothing I have not been able to accomplish.

I code using several different languages - primarily C#, Python and MS-SQL with some Blazor WASM topping.

As I code full stack - I use Visual Studio in a VM for backend/sql - everything else is done on my Manjaro Linux using JetBrains toolbox.

It always requires thinking out of the box - and your topic was a chance to dive into the certificate storage that I couldn’t let pass unattended :slight_smile:

I actually did unpack my certificates and appended them to the certificate store on my Manjaro Linux system.

So mission accomplished - added a new page to my notepad :slight_smile:

When the app you mention is made using dotnet 6 - then it is the LTS and it will work when the matching runtime is installed.


Are you using VM with Windows for your backend? Because I’m trying to use Manjaro for everything here in my work. Frontend (Angular/React) and backend (.NET). I don’t want to use a VM for my backend.

Could you share your notepad please?
Maybe it can be helpful for other users here.

We are using 6, 7, and 8.

Thanks again for continuing to try to help me :slight_smile:

The location of my notepad is no secret here. Simply click on my profile image.

I am using a win10 VM because the backend is .NET4 - migrating to dotnet core 8 is on the roadmap along with migrating to MariaDB.

dotnet 7 is expiring fast … May 14, 2024

Hi again, sorry for the delay and thanks again @linux-aarhus for your time
I have read your possible solution but I don’t know if my explanation was not good or maybe I don’t understand.

Anyway, I was able to build the project at work and I solved the problem. I leave my explanations and steps here:

My project has a .pfx file with a password. The first thing I had to research was where dotnet saves the files. This place is:

~/.dotnet/corefx/cryptography/x509stores/

Reading this link (that I posted before), I saw this code:

using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser, OpenFlags.ReadWrite))
{
    store.Add(new X509Certificate2(
        "./thePathToTheCert.pfx", "passwordOfTheCert", 
        X509KeyStorageFlags.PersistKeySet));
}

And finally, with this, I understood that the certificates are stored in ~/.dotnet/corefx/cryptography/x509stores/, and the filename is changed to the thumbprint of the .pfx.

I created a bash code doing this process:

importcert() {
    cert_path="$1"
    cert_password="$2"

    # SHA-1 fingerprint of the certificate with the colons stripped (the thumbprint).
    thumbprint=$(openssl pkcs12 -in "$cert_path" -passin "pass:$cert_password" -nokeys -nomacver -clcerts | openssl x509 -noout -fingerprint -sha1 | cut -d'=' -f2 | tr -d ':')

    # Write the certificate and the unencrypted private key under the thumbprint name.
    openssl pkcs12 -in "$cert_path" -passin "pass:$cert_password" -nodes -out "$HOME/.dotnet/corefx/cryptography/x509stores/my/$thumbprint.pfx"

    echo "Certificate stored in ~/.dotnet/corefx/cryptography/x509stores/my with the thumbprint: $thumbprint"
}

With this I could solve the first problem. After that I had another problem because I needed another certificate for the browser. I don’t remember this step exactly, but I downloaded the certificate from Chrome and I stored it in /etc/ssl/certs/ and my website was running perfectly.

I tested this by removing the certificates, running the functions and all the things and yes, doing these steps everything was working well.

And at my work, everyone is using Windows, and for that I added an if to choose the platform to take the certificate from:

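using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Wrapper added so the snippet compiles; the class and method names are illustrative.
static class CertificateLookup
{
    public static X509Certificate2 FindByThumbprint(StoreName storeName, string thumbprint)
    {
        // On Linux only the per-user store is searched; on Windows both stores are.
        var locations = Environment.OSVersion.Platform == PlatformID.Unix
            ? new[] { StoreLocation.CurrentUser }
            : new[] { StoreLocation.LocalMachine, StoreLocation.CurrentUser };

        foreach (var location in locations)
        {
            using (var store = new X509Store(storeName, location))
            {
                store.Open(OpenFlags.IncludeArchived);

                var cert = store.Certificates
                    .OfType<X509Certificate2>()
                    .FirstOrDefault(c => string.Equals(c.Thumbprint, thumbprint, StringComparison.CurrentCultureIgnoreCase));

                if (cert != null)
                {
                    return cert;
                }
            }
        }

        return null; // not found in any searched store (added so the method compiles)
    }
}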

On Linux the only place is:

{ StoreLocation.CurrentUser }

but in Windows the places are:

{ StoreLocation.LocalMachine, StoreLocation.CurrentUser }

I hope this is clear, and sorry again if you told me the same in other words and I didn’t understand.

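
Added example (not part of the original thread): after placing key material in the per-user store by hand as described above, a quick audit can confirm that each file is named `<thumbprint>.pfx` and that nothing in the directory is accessible to other users. `audit_store`, its finding labels and the owner-only policy are assumptions of this example, which relies on GNU `stat`.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: audit a .NET per-user certificate store.
# Assumes GNU coreutils (stat -c), as shipped on Manjaro.

# audit_store [dir]
# Prints one finding per line; returns 0 when clean, 1 when anything was found,
# 2 when the directory cannot be inspected.
audit_store() {
    local dir findings mode f name
    dir="${1:-$HOME/.dotnet/corefx/cryptography/x509stores/my}"
    findings=0

    # The directory holds private keys: group/other bits should all be 0.
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 2
    case "$mode" in
        *00) ;;
        *) echo "DIR_PERMS $mode"; findings=1 ;;
    esac

    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        # Expected name: 40 hex digits (SHA-1 thumbprint) followed by ".pfx".
        if ! printf '%s\n' "$name" | grep -Eq '^[0-9A-Fa-f]{40}\.pfx$'; then
            echo "BAD_NAME $name"; findings=1
        fi
        # Each file should be readable and writable by its owner only.
        mode=$(stat -c '%a' "$f")
        case "$mode" in
            *00) ;;
            *) echo "FILE_PERMS $mode $name"; findings=1 ;;
        esac
    done
    return "$findings"
}
```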
