Generate Certificate, Python app, OPC-UA Server <> OPC-UA Client - python

I've written a small OPC-UA client in Python which acts as a data logger for PLCs with an integrated OPC-UA server.
The connection with no security works fine, but I want to secure it with a certificate.
I can import trusted certificates to the server and export the server certificate, but how can I generate my own certificate?
Thanks

You can use openssl to generate your own self-signed certificate.
https://www.openssl.org/source/
Be careful with the extensions, though: sometimes they demand .der, .cer or .pem, and you might get an outform .crt.
How to create them:
https://www.ibm.com/support/knowledgecenter/en/SS8JFY_9.2.0/com.ibm.lmt.doc/Inventory/security/t_ssl_creating_certs.html
https://dzone.com/articles/secure-communication-with-tls-and-the-mosquitto-broker
Types of encryption:
https://blog.storagecraft.com/5-common-encryption-algorithms/
If you show your program maybe I can help you out.
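
An added example, not part of the answer above: generating a self-signed client certificate with openssl that carries the OPC UA application URI in subjectAltName (OPC UA stacks compare it with the client's configured application URI), then producing a DER copy and checking the encoding by content, since .crt and .cer say nothing about PEM versus DER. The application URI, host name, subject and file names are constructed placeholders, and the extension set is an assumption that individual servers may tighten.

```bash
# Added example. App URI, host name, subject and file names are constructed placeholders.

# Create a self-signed RSA certificate whose subjectAltName carries the
# OPC UA application URI, in PEM and DER form.
make_opcua_client_cert() {
    local outdir="$1" app_uri="$2" host="$3"
    mkdir -p "$outdir" || return 1
    # Own config file, so the result does not depend on the system openssl.cnf.
    cat > "$outdir/opcua.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_opcua
[dn]
CN = PyDataLogger
O = Example
[v3_opcua]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
subjectAltName = URI:${app_uri}, DNS:${host}
EOF
    (
        umask 077   # key file readable by its owner only
        openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
            -config "$outdir/opcua.cnf" \
            -keyout "$outdir/client_key.pem" \
            -out "$outdir/client_cert.pem" 2>/dev/null
    ) || return 1
    # Same certificate, DER-encoded, for servers that only import binary files.
    openssl x509 -in "$outdir/client_cert.pem" -outform DER \
        -out "$outdir/client_cert.der"
}

# Report the encoding from the file content, not from its extension.
cert_encoding() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo PEM
    elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
        echo DER
    else
        echo unknown
    fi
}

out_dir=$(mktemp -d)
make_opcua_client_cert "$out_dir" "urn:example:PyDataLogger" "datalogger.example" &&
    echo "client_cert.der is $(cert_encoding "$out_dir/client_cert.der")"
```

Only the certificate is imported into the server's trust list; client_key.pem stays on the data logger host.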

Related

Requesting a website with python that has a ssh certificate enabled

I have an issue: I want to access an http server with ssh certificate using the python requests library, however without any usage of private keys and inside server data (only publicly known, e.g. public RSA key and similar stuff).
How can I do that?

KAFKA Python SSL Certificate

I am working on a Python script on Windows 10 to connect to and consume a KAFKA topic. The SSL certificate is installed on the Windows server in .jks format. The SSL connection to KAFKA is possible only with this certificate.
I wanted to know if there is a way I can tell Python to get the default certificate from the specific location? Will Python accept a .jks format certificate? If not, then what options do I have?
Python isn't Java. JKS files really only work within the context of a JVM.
You can use keytool commands to export a PEM certificate from a JKS file to be used for non-Java purposes.
How to convert trust certificate from .jks to .pem?

How to use certificate stored in windows certificates manager using python

My Python application is running locally on http://0.0.0.0:80/
Later, to make an SSL connection, I generated MyCert.crt and Mycert.key files.
Later, after providing the location of the certificate and key files, my application works perfectly and starts running over an https connection as expected.
code snippet:
from flask import Flask
app = Flask(__name__)
# (certificate file, private key file) pair used as the TLS context
context = ("C:/myCert.crt", "C:/Mycert.key")
app.run(host="0.0.0.0", port=80, ssl_context=context)
Now, I import the same certificate to: Windows certificates manager -> Trusted Root Certification Authorities. It shows the certificate name as localhost.
Now, my goal is to access the certificate for the same Python application and start using it from the Windows certificate manager.
I referred to a couple of libraries (requests, wincertstore) but I am unable to understand them as I am new in this domain.
How do I modify my Python code to access this certificate?
You need to change your port first; 443 will be great (as far as we know, https goes over 443),
and replace your line with this one:
app.run(host='0.0.0.0', port=443, debug=True, ssl_context=('/home/ubuntu/cert/myCert.pem', '/home/ubuntu/cert/myCert2.pem'))
Read this article, it will help you:
https://blog.miguelgrinberg.com/post/running-your-flask-application-over-https

Is it possible to inspect the outbound https traffic?

So, the situation is: I want to know what path a program is sending the request to. With Wireshark, I can only know that it is sending an https request and the corresponding domain, but not the path.
I think there could be a way to at least inspect the outbound https traffic even without hacking the program.
Let's say if I run a fake website and redirect the connection to the real site to my local fake site. So the request will be sent to my fake site, and I can create a self-signed fake key pair for my fake site. Install the private key on the fake site, and install the public key on my local machine. Then the handshake should be approved.
But I have several problems:
How to launch a fake https server in the simplest way? Nginx? Or is there a simple solution in Python?
How can I install the public key on my local machine? I'm using Linux Mint 19 which is based on Ubuntu 18.04.
Any help is appreciated!
You may want to check Charles proxy. This is a proxy with which you can inspect the outbound traffic (including HTTPS).
In order to inspect HTTPS traffic, it will be required to enable SSL Proxy, which means that Charles will dynamically generate a certificate and become man-in-the-middle for HTTPS connections.
Charles signs these dynamic certificates with its own, which has to be added to the trusted storage of the application you use. Various instructions are available here.

SSL Client Authentication with Python requests

I'm using Python's requests library to perform client side authentication with certificates. The scenario is the following: CA1 has issued a certificate for an intermediate CA (CA2) and CA2 has issued my client's certificate CLIENT. The server I'm connecting to trusts CA1's cert (but does not have CA2's cert). When I use:
requests.get('https:..', cert=('/path/CLIENT.cert', '/path/CLIENT.key'))
I get an error "certificate verify failed". I assumed that's because the server cannot retrieve CA2's cert.
However, I'm unable to find a way to send CA2's cert to the server. If I include it in CLIENT, I get an error about private key and cert mismatch. I have also tried to include the chain of certificates in the verify parameter but there does not seem to be any difference on the result (as far as I understand, certs in the verify parameter are used for server side authentication).
Although I think this must be a quite common scenario, I'm unable to find a solution...
PS: If I verify CLIENT's cert with openssl and the full chain of certificates, the validation is successful (so there is no problem with the certificates themselves).
Requests recommends using certifi as a CA bundle. Have you tried installing certifi, adding CA1, and passing the certifi bundle path to requests?
