I am working on a Python script on Windows 10 to connect to and consume a KAFKA topic. The SSL certificate is installed on the Windows server in .jks format. The SSL connection to KAFKA is possible only with this certificate.
I wanted to know if there is a way I can tell Python to get the default certificate from a specific location. Will Python accept a .jks format certificate? If not, then what options do I have?
Python isn't Java. JKS files really only work within the context of a JVM.
You can use keytool commands to export a PEM certificate from a JKS file to be used for non-Java purposes:
How to convert trust certificate from .jks to .pem?
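An added example, not code from the thread above, that scripts the keytool route from Python. Python has no JKS reader, so two external tools are assumed to be on PATH: keytool (any JDK/JRE) and openssl. A JKS truststore (trusted certificates only) needs keytool alone; a JKS keystore holding the client certificate and its private key goes through PKCS#12 and openssl. The keystore path, alias, passwords and output directory are hypothetical placeholders, and the resulting config keys are the librdkafka/confluent-kafka names.

```python
"""Get a Kafka client's certificate and key out of a JKS keystore as PEM files.

Added example, not from the original thread.  keytool and openssl are assumed
to be on PATH; paths, aliases and passwords are hypothetical placeholders.
"""
import os
import shutil
import subprocess


def tools_available():
    """Both converters must be on PATH; otherwise the helpers below return None."""
    return shutil.which("keytool") is not None and shutil.which("openssl") is not None


def export_trusted_cert(jks_path, alias, store_pass, out_pem):
    """Truststore case: keytool writes the alias's certificate as PEM ('-rfc')."""
    if shutil.which("keytool") is None:
        return None
    subprocess.run(["keytool", "-exportcert", "-rfc", "-alias", alias,
                    "-keystore", jks_path, "-storepass", store_pass, "-file", out_pem],
                   check=True, capture_output=True)
    return out_pem


def _pkcs12(args, env):
    """Run 'openssl pkcs12 ...'; retry with -legacy for keystores written by older JDKs.

    JDKs before 18 wrap PKCS#12 entries with RC2/3DES, which OpenSSL 3 only
    reads when the legacy provider is enabled via -legacy.
    """
    try:
        subprocess.run(args, check=True, env=env, capture_output=True)
    except subprocess.CalledProcessError:
        subprocess.run(args + ["-legacy"], check=True, env=env, capture_output=True)


def jks_to_pem(jks_path, store_pass, out_dir):
    """Keystore case: JKS -> PKCS#12 -> cert.pem / ca.pem / key.pem in out_dir."""
    if not tools_available():
        return None
    os.makedirs(out_dir, exist_ok=True)
    p12 = os.path.join(out_dir, "keystore.p12")
    paths = {n: os.path.join(out_dir, n + ".pem") for n in ("cert", "ca", "key")}

    # keytool is the only tool that reads JKS; PKCS#12 is the format openssl understands.
    subprocess.run(["keytool", "-importkeystore", "-noprompt",
                    "-srckeystore", jks_path, "-srcstoretype", "JKS", "-srcstorepass", store_pass,
                    "-destkeystore", p12, "-deststoretype", "PKCS12", "-deststorepass", store_pass],
                   check=True, capture_output=True)
    # Password via the environment (-passin env:), never on a shell command line.
    env = dict(os.environ, P12PASS=store_pass)
    base = ["openssl", "pkcs12", "-in", p12, "-passin", "env:P12PASS"]
    _pkcs12(base + ["-nokeys", "-clcerts", "-out", paths["cert"]], env)   # client certificate
    _pkcs12(base + ["-nokeys", "-cacerts", "-out", paths["ca"]], env)     # CA chain for the broker
    # -nodes leaves the key unencrypted on disk: restrict the directory's ACL, or use -passout.
    _pkcs12(base + ["-nocerts", "-nodes", "-out", paths["key"]], env)
    os.remove(p12)   # the intermediate PKCS#12 contains the private key too
    return paths


def kafka_ssl_config(paths):
    """confluent-kafka / librdkafka settings that point at the PEM files."""
    return {
        "security.protocol": "SSL",
        "ssl.ca.location": paths["ca"],
        "ssl.certificate.location": paths["cert"],
        "ssl.key.location": paths["key"],
    }


if __name__ == "__main__":
    # Hypothetical keystore location and password.
    result = jks_to_pem(r"C:\certs\kafka-client.jks", "changeit", r"C:\certs\pem")
    print(kafka_ssl_config(result) if result else "keytool/openssl not found on PATH")
```

For kafka-python the equivalent keyword arguments are ssl_cafile, ssl_certfile and ssl_keyfile with security_protocol="SSL".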
I am trying to set up TLS-encrypted connections to a MongoDB database using PyMongo. I have 2 Python binary installations at 2 different locations, but both have version 3.6.8. For both of them I have installed PyMongo version 4.1.1. I have completed the process of generating the CA keys and server private keys. I then added the ca.pem to '/etc/pki/ca-trust/source/anchors/' and ran 'sudo update-ca-trust' to add the certificate authority to the operating system certificate store. Then I updated the mongod.conf file and restarted the mongod instance. I am able to connect to the mongo shell using this command:
mongo --tls --host='server-host-name'
But the main issue is that I am able to connect to the database using one Python package, but the other gives this error:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
error=AutoReconnect('SSL handshake failed:....)]
The output of the below command is:
openssl version -d
OPENSSLDIR: "/etc/pki/tls"
One workaround to make the other Python binary also work was to explicitly export the path in the environment variable:
export SSL_CERT_FILE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
But I want the other Python binary to also look for the CAs in the appropriate directory automatically.
All these tests are performed locally and not through remote connections (which would require the certificate paths to be specified explicitly). I wanted to know the internal workings of pymongo.MongoClient, specifically for TLS connections, in detail. Basically, I want to understand how it fetches the CA files from the operating system certificate store.
Also, how do I increase the logging for pymongo? Is there any workaround for this? Can someone help me debug this? I can add additional information if required. Thank you.
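An added diagnostic, not code from the question or from pymongo. pymongo carries no trust store of its own: with tlsCAFile it calls load_verify_locations() on its SSLContext, and without it the context falls back to the ssl module's defaults, which are the OPENSSLDIR paths compiled into whichever OpenSSL each interpreter was linked against, unless SSL_CERT_FILE / SSL_CERT_DIR override them. Running this under each of the two python binaries shows the compiled-in path each one uses and how many CA certificates it actually loads, which is usually the whole explanation for one of them failing. The tlsCAFile path at the bottom is a placeholder.

```python
"""Where does this interpreter's OpenSSL look for CA certificates?

Added diagnostic, not from the original question or from pymongo.
"""
import os
import ssl
import tempfile

_ENV_KEYS = ("SSL_CERT_FILE", "SSL_CERT_DIR")


def ca_lookup(env_overrides=None):
    """Report the CA locations OpenSSL will use, optionally under a simulated environment.

    env_overrides maps SSL_CERT_FILE / SSL_CERT_DIR to a value (None = unset)
    for the duration of the call; the real environment is restored afterwards.
    """
    saved = {k: os.environ.get(k) for k in _ENV_KEYS}
    try:
        for k, v in (env_overrides or {}).items():
            if v is None:
                os.environ.pop(k, None)
            else:
                os.environ[k] = v
        p = ssl.get_default_verify_paths()
    finally:
        for k, v in saved.items():
            if v is None:
                os.environ.pop(k, None)
            else:
                os.environ[k] = v
    return {
        "openssl": ssl.OPENSSL_VERSION,
        # Compiled-in defaults: OPENSSLDIR/cert.pem and OPENSSLDIR/certs.  Two
        # builds of the same Python version can disagree here.
        "compiled_cafile": p.openssl_cafile,
        "compiled_capath": p.openssl_capath,
        # What is actually used: the env var if set, else the default, and only
        # if it exists on disk.  An env var pointing at a missing file yields
        # None rather than falling back, and None + None = CERTIFICATE_VERIFY_FAILED.
        "effective_cafile": p.cafile,
        "effective_capath": p.capath,
    }


def loaded_ca_count():
    """CA certificates load_default_certs() really finds; 0 means every verify will fail."""
    ctx = ssl.create_default_context()   # calls load_default_certs() for us
    return ctx.cert_store_stats()["x509_ca"]


def override_demo():
    """Show that SSL_CERT_FILE beats OPENSSLDIR by pointing it at a constructed stub file."""
    with tempfile.NamedTemporaryFile(suffix=".pem", delete=False) as f:
        stub = f.name   # constructed, empty: only the path resolution is demonstrated
    try:
        without = ca_lookup({"SSL_CERT_FILE": None})
        with_env = ca_lookup({"SSL_CERT_FILE": stub})
    finally:
        os.unlink(stub)
    return {
        "stub": stub,
        "without_override": without,
        "with_override": with_env,
        "override_applied": with_env["effective_cafile"] == stub,
        "default_differs": without["effective_cafile"] != stub,
    }


def mongo_tls_kwargs(ca_file=None):
    """MongoClient keyword arguments: an explicit CA file removes the dependency on defaults."""
    kwargs = {"tls": True}
    if ca_file:
        kwargs["tlsCAFile"] = ca_file   # pymongo passes this to SSLContext.load_verify_locations()
    return kwargs


if __name__ == "__main__":
    import json
    print(json.dumps(ca_lookup(), indent=2))
    print("CA certificates loaded by default:", loaded_ca_count())
    # Placeholder path from the question's own workaround.
    print(mongo_tls_kwargs("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"))
```

The lasting fix for the failing interpreter is either a symlink from its compiled_cafile location to the distribution bundle, or passing tlsCAFile explicitly; exporting SSL_CERT_FILE only works for processes that inherit that environment.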
We have a service that requires a client certificate to be presented with the request or the call will be rejected. For our .NET components, we have the certificate installed in the local Windows cert store. At runtime we can get the certificate by thumbprint and include it with our request.
For our Python component, I am able to get the certificate from the store, but only the public data. I can't seem to access the private key. To get around this I have a PEM file with the certificate data that Python uses. We are cleaning all secrets out of our source repository, so I need to remove this file.
Does anyone have a suggestion on how I can access the private key for the certificate without checking it in with my code? Things I am exploring are:
Get the private key with the certificate from the windows cert store
Continue to use the PEM file, but encrypt it somehow
Something else?
Thanks,
~john
I've written a small OPC-UA client in Python which acts as a data logger for PLCs with an integrated OPC-UA server.
The connection with no security works fine, but I want to secure it with a certificate.
I can import trusted certificates to the server and export the server certificate, but how can I generate my own certificate?
Thanks
You can use openssl to generate your own self-signed certificate.
https://www.openssl.org/source/
Be careful with the extensions, though: sometimes they demand .der, .cer or .pem, and you might get an output .crt.
How to create them:
https://www.ibm.com/support/knowledgecenter/en/SS8JFY_9.2.0/com.ibm.lmt.doc/Inventory/security/t_ssl_creating_certs.html
https://dzone.com/articles/secure-communication-with-tls-and-the-mosquitto-broker
Types of encryption:
https://blog.storagecraft.com/5-common-encryption-algorithms/
If you show your program maybe I can help you out.
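An added example, not code from the answer above, that drives openssl from Python to produce an OPC UA application instance certificate rather than a generic web-server one. OPC UA stacks check things a plain `openssl req -x509` one-liner does not set: the client's application URI must appear as a URI entry in subjectAltName, the key usage bits must be present, and the server's trust list usually wants the certificate in DER form (the .der/.cer confusion mentioned above). openssl is assumed to be on PATH; the application URI, hostname, organisation and output directory are placeholders.

```python
"""Generate a self-signed OPC UA application instance certificate with openssl.

Added example, not from the original answer.  openssl is assumed to be on
PATH; the URI, hostname and organisation values are placeholders.
"""
import os
import shutil
import subprocess
import tempfile

# Request config used instead of -addext so it also works on OpenSSL < 1.1.1.
OPENSSL_CONF = """\
[req]
distinguished_name = dn
x509_extensions = v3_opcua
prompt = no

[dn]
CN = {cn}
O = {org}

[v3_opcua]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage = critical, serverAuth, clientAuth
# The URI must equal the ApplicationUri the client sends in its ApplicationDescription.
subjectAltName = URI:{app_uri}, DNS:{hostname}
"""


def openssl_available():
    return shutil.which("openssl") is not None


def make_opcua_cert(app_uri="urn:example:plc-logger", hostname="plc-logger",
                    cn="plc-logger", org="Example", days=365, out_dir=None):
    """Write key.pem, cert.pem and cert.der into out_dir; None when openssl is missing."""
    if not openssl_available():
        return None
    out_dir = out_dir or tempfile.mkdtemp(prefix="opcua-")
    conf = os.path.join(out_dir, "openssl.cnf")
    key, cert_pem, cert_der = (os.path.join(out_dir, n) for n in ("key.pem", "cert.pem", "cert.der"))
    with open(conf, "w") as f:
        f.write(OPENSSL_CONF.format(cn=cn, org=org, app_uri=app_uri, hostname=hostname))
    # -nodes: unencrypted key, which is what a headless logger needs; guard the file's ACL.
    subprocess.run(["openssl", "req", "-x509", "-new", "-newkey", "rsa:2048", "-sha256",
                    "-nodes", "-days", str(days), "-config", conf,
                    "-keyout", key, "-out", cert_pem],
                   check=True, capture_output=True)
    # DER copy for the server's trust list; PEM copy stays with the client.
    subprocess.run(["openssl", "x509", "-in", cert_pem, "-outform", "DER", "-out", cert_der],
                   check=True, capture_output=True)
    return {"key": key, "cert_pem": cert_pem, "cert_der": cert_der, "app_uri": app_uri}


def verify_opcua_cert(paths):
    """Check, from openssl's own text dump, that the OPC UA specific bits made it in."""
    text = subprocess.run(["openssl", "x509", "-in", paths["cert_pem"], "-noout", "-text"],
                          check=True, capture_output=True, text=True).stdout
    with open(paths["cert_der"], "rb") as f:
        first_byte = f.read(1)
    return {
        "san_has_app_uri": "URI:" + paths["app_uri"] in text,
        "key_usage_has_cert_sign": "Certificate Sign" in text,
        "der_starts_with_sequence": first_byte == b"\x30",   # DER SEQUENCE tag
    }


if __name__ == "__main__":
    out = make_opcua_cert(app_uri="urn:plc-logger.example.local:datalogger",
                          hostname="plc-logger.example.local")
    print(out, verify_opcua_cert(out) if out else "openssl not found on PATH")
```

Import cert.der into the PLC's trust list, keep key.pem with the client, and hand both files to the client library (python-opcua's Client.set_security_string(), for example, takes the security policy, mode, certificate path and key path).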
I'm trying to connect to an MQTT broker over SSL using the Eclipse Paho MQTT library with Python on Windows. In order to do so, you need to call the tls_set function and specify the location of the CA certificate files. On Linux, this is easy: you simply pass "/etc/ssl/certs/ca-certificates.crt" and the job is done. But how do you do this on Windows? I'm trying to connect to iot.eclipse.org.
Windows unfortunately doesn't have a file like this, but you can download one based on Mozilla's certificate store. The format they use is not compatible with the .crt file, however there is a tool from curl that converts it to a .pem file, which will work with Paho. You can download and use the file directly from there, or there are other options if you would like to generate the file yourself.
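An added example, not code from the answer or from paho, that builds the TLS context yourself and hands it to paho, so the Windows question has two workable answers: the platform trust store, which Python's load_default_certs() reads from the Windows ROOT and CA stores through ssl.enum_certificates() without any file on disk, or an explicit PEM bundle such as the curl cacert.pem mentioned above when the same trust set is wanted on every OS. paho is not imported, so the module runs offline; the client object, broker host and bundle path are placeholders.

```python
"""A verifying SSLContext for paho-mqtt, from the OS store or from a PEM bundle.

Added example, not from the original answer or from paho.  `client`, the
broker host and the bundle path are placeholders.
"""
import ssl
import sys


def mqtt_tls_context(ca_bundle=None):
    """Return a verifying SSLContext; ca_bundle=None means 'use the OS trust store'."""
    # PROTOCOL_TLS_CLIENT switches on CERT_REQUIRED and hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_bundle is None:
        # Windows: enumerates the ROOT and CA system stores.  Linux/macOS: OPENSSLDIR defaults.
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    else:
        # Explicit bundle (e.g. curl's cacert.pem); FileNotFoundError if the path is wrong.
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def describe(ctx):
    """Summary used to confirm the context really verifies the broker."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "ca_certs_loaded": ctx.cert_store_stats()["x509_ca"],
    }


def windows_store_roots():
    """Root certificates Python can read from the Windows ROOT store (0 on other platforms)."""
    if sys.platform != "win32":
        return 0
    return sum(1 for _ in ssl.enum_certificates("ROOT"))


def attach_to_paho(client, ca_bundle=None):
    """client is a paho.mqtt.client.Client; tls_set_context() replaces tls_set()."""
    client.tls_set_context(mqtt_tls_context(ca_bundle))
    return client


if __name__ == "__main__":
    print(describe(mqtt_tls_context()), "Windows ROOT store entries:", windows_store_roots())
    # Placeholder wiring; requires paho-mqtt:
    #   import paho.mqtt.client as mqtt
    #   client = attach_to_paho(mqtt.Client())
    #   client.connect("iot.eclipse.org", 8883)
```

A context built this way fails the handshake with CERTIFICATE_VERIFY_FAILED if the loaded CA set is empty or the broker's hostname does not match its certificate, which is the behaviour you want; describe() makes the first case visible before connecting. Newer paho releases take the same route when tls_set() is called without ca_certs, but tls_set_context() works with any version that has it and leaves the TLS settings under your control.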
I changed my web server from HTTP to HTTPS with "Let's Encrypt".
The web server contains an API, and I have a Python application which uses the API.
Under Linux all is fine, but under Windows I receive the error below when I'm logging in.
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
My thought was that the SSL certificate isn't installed.
So I downloaded "isrgrootx1.der" and "lets-encrypt-x1-cross-signed.der" and renamed both to the ending "*.cer".
Then I opened the Windows console and ran this:
certutil -addstore "Root" "isrgrootx1.cer"
certutil -addstore "Root" "lets-encrypt-x1-cross-signed.cer"
The second command failed, because it isn't a root certificate.
My question is: in which group does "lets-encrypt-x1-cross-signed.cer" have to be installed?
You shouldn't need to add "lets-encrypt-x1-cross-signed.cer" to your Windows machine, since it's only an intermediate certificate. And you shouldn't need to add "isrgrootx1.cer" either, since Let's Encrypt certificates chain to "DST Root X3", which is already included with Windows.
Most likely your web server was not configured to send the intermediate certificate. If you're using Certbot, for instance, you'll want to configure your web server using "fullchain.pem" rather than "cert.pem".
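An added example, not code from the answer above, for confirming that diagnosis from the client side. The offline part splits a PEM file into its certificate blocks, so you can see that cert.pem holds one certificate while fullchain.pem holds the leaf plus the intermediate(s); the online part (only under __main__, host is a placeholder, needs openssl and network) counts the certificates the server actually presents in the handshake, and a count of 1 is exactly the missing-intermediate misconfiguration. The two PEM strings in the block are constructed stand-ins, not real certificates.

```python
"""Is the intermediate being served?  Compare cert.pem with fullchain.pem and
count what the server sends.

Added example, not from the original answer.  LEAF and INTERMEDIATE below are
constructed placeholders, not real certificates.
"""
import re
import subprocess

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----", re.S)

# Constructed placeholders: only the PEM framing matters to the parser.
LEAF = "-----BEGIN CERTIFICATE-----\nTEAFLEAF0001\n-----END CERTIFICATE-----\n"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nINTERMEDIATE0002\n-----END CERTIFICATE-----\n"
CERT_PEM = LEAF                     # what certbot writes to cert.pem
FULLCHAIN_PEM = LEAF + INTERMEDIATE  # what certbot writes to fullchain.pem


def pem_blocks(text):
    """All certificate blocks in a PEM file, in order."""
    return PEM_BLOCK.findall(text)


def chain_report(cert_pem_text, fullchain_pem_text):
    """Compare the two certbot outputs the way a server config check would."""
    leaf = pem_blocks(cert_pem_text)
    chain = pem_blocks(fullchain_pem_text)
    return {
        "cert_pem_blocks": len(leaf),
        "fullchain_blocks": len(chain),
        # fullchain must begin with the same leaf and carry at least one more certificate
        "fullchain_starts_with_leaf": bool(leaf) and bool(chain) and chain[0] == leaf[0],
        "has_intermediate": len(chain) >= 2,
    }


def served_chain_length(host, port=443, timeout=10):
    """Certificates the server presents in its handshake (needs network and openssl on PATH)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-showcerts"],
        input="", capture_output=True, text=True, timeout=timeout)
    return len(pem_blocks(proc.stdout))


if __name__ == "__main__":
    print(chain_report(CERT_PEM, FULLCHAIN_PEM))
    # Placeholder host: a result of 1 means only the leaf is served and Windows
    # clients, which do not fetch missing intermediates for Python, will fail.
    print("certificates served:", served_chain_length("api.example.com"))
```

Linux often hides the problem because distribution bundles and caches may already hold the intermediate, so the Windows failure is the honest signal; switching the server to fullchain.pem makes served_chain_length() return 2 or more.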