Tag Archives: ssl

How to convert Google API Service Account certificate to base64

Recently in Google Developer Console by mistake I generated a new SSL certificate for my project’s Service Account so had to convert it again from p12 file to base64 representation and store its thumbprint separately.

Here’s how you can do it:

var cert = new X509Certificate2("project-595a8425b1d7.p12", "notasecret", X509KeyStorageFlags.Exportable);
var thumbprint = cert.Thumbprint;
var base64 = Convert.ToBase64String(cert.Export(X509ContentType.Pfx, "notasecret")); // or Pkcs12 which works as well

And just to make sure output string actually works and certificate contains private key:

var test = new X509Certificate2(Convert.FromBase64String(base64), "notasecret");
Debug.Assert(test.PrivateKey != null);

How to extract private key from pfx and remove passphrase using OpenSSL

When I tried to enable SSL for BitTorrent Sync installed on my new NAS Synology 215j it turned out it requires not pfx but private and public keys separately in base64 encoded form.

Here’s the command to extract certificate itself. It will prompt for existing pfx’s passphrase (password):

openssl pkcs12 -in synology.pfx -clcerts -nokeys -out synology.cer

To extract private key. It will prompt for pfx’s passphrase and for a passphrase to add to the key:

openssl pkcs12 -in synology.pfx -nocerts -out synology.private.key

To remove the later passphrase. Now private key doesn’t contain any:

openssl rsa -in synology.private.key -out synology.key

How to configure RDG behind NAT

This week’s problem was to make working Remote Desktop Gateway located behind a NAT. Here’s the lessons learned:

  • Issue an SSL certificate with the subject matching public DNS name (FQDN)
  • Use the default port 3389/TCP, otherwise SSL certificate’s name won’t match FQDN returning an error:

    The computer can’t verify the identity of the RD Gateway.

    or if you put it to current user’s Trusted Root Certification Authorities:

    Your computer can’t connect to the computer because the Remote Desktop Gateway server address requested and the certificate name do not match.

  • Publish on the firewall, i.e. make available from outside, HTTPS port 443/TCP. Otherwise connection won’t be established returning another meaningless error:

    Your computer can’t connect to the remote computer because the RDG server is temporarily unavailable.

That’s all, folks!

How to issue a self-signed certificate

To have a properly working SSL web site you have to assign a SSL certificate to it. A real one costs real money. Easily especially for development to issue a self-signed one.

To create certificates I will use MakeCert.exe that is shipped with Windows SDK (usual path is %ProgramFiles%\Microsoft SDKs\Windows\v7.1A\Bin\).

First step: create a certificate at TempCA.cer with subject name CA=TempCA with private key kept in TempCA.pvk:

makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer

Second step: create a certificate at SignedByCA.cer in container SignedByCA with subject name CN=example.com (probably should correspond to the web site address) signed by root authority certificate TempCA.cer with private key at TempCA.pvk and save it into the store named My for CurrentUser:

makecert -sk SignedByCA -n "CN=example.com" -iv TempCA.pvk -ic TempCA.cer SignedByCA.cer -sr CurrentUser -ss My

Third step: generate Personal Information Exchange (.pfx) file at TempCA.pfx from certificate TempCA.cert and private key TempCA.pvk (with no password):

Pvk2Pfx -pvk TempCA.pvk -spc TempCA.cer -pfx TempCA.pfx -f

See MSDN for more details.