Can BigFix Webui accept .key extension as key file?

Hello,

I am having a problem generating a pvk file from our .pfx certificate, it seems to me that pvk is no longer supported with OpenSSL 3+, the error is as follows:

6C5B0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:342:Global default library context, Algorithm (PVKKDF : 0), Properties (<null>)

I was wondering, can I use .key instead? Does BigFix support it?

I got the following when checking about the use of pvk extension:

  • .key or .pem files are commonly used in SSL/TLS configurations and are broadly compatible with web servers, software, and tools.
  • .pvk files were popularized in Windows environments and were often used for signing code and certificates in legacy Windows systems. However, .pvk files are rarely used outside of specialized cases.

What I find funny is that Web Reports works quite well with a .pem certificate.

_WebReports_HTTPServer_SSLCertificateFilePath C:\Program Files (x86)\BigFix Enterprise\BES Server\BESReportsData\SelfWRCertificate.pem

Any idea if I can do that on WebUI? oh and yes I checked the guide here: Configure SSL certificates

I’m not entirely sure I understand your configuration. The .cer, .key, and .pem filename extensions are often used interchangeably, but what I think we’re really concerned about is base-64 PEM encoding versus binary DER encoding.

You need a Private Key file in PEM encoding, with no password; and a Certificate file, in PEM encoding.

The start of the Private Key file should look like

-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEF
...
-----END PRIVATE KEY-----

If it doesn’t look like that, if it’s binary stuff, then it’s a DER-encoded binary file and we can’t deal with it. If it starts with -----BEGIN ENCRYPTED PRIVATE KEY----- then it is an encrypted private key, with a password, and we need to decrypt it and strip out the password. With OpenSSL we could do that with openssl rsa -in [original.key] -out [new.key]

The Certificate file should look like

<my webui server certificate>
-----BEGIN CERTIFICATE-----
MIIGhDCCBGygAwIBAgICEAwwDQYJKoZIhvcNAQELBQAwgaQxCzAJBgNV
W/f3Cimv4BwhiB2G6COv/YK/VRUa1CnwAvKBES2vMYzzCCm28APJZA==
...
-----END CERTIFICATE-----

<intermediate issuing CA certificate>
-----BEGIN CERTIFICATE-----
MIIGcjCCBFqgAwIBAgIUIrJx2e/iTaB4ar7dM+l/T7UAWIMwDQYJKoZIhvcNAQEL
...
-----END CERTIFICATE-----

<root CA certificate>
-----BEGIN CERTIFICATE-----
MIIGcjCCBFqgAwIBAgIUIrJx2e/iTaB4ar7dM+l/T7UAWIMwDQYJKoZIhvcNAQEL
...
-----END CERTIFICATE-----

Can you check that your certificate & key are in this format, and your key is not encrypted/does not require a password? If those check out, I’d start looking at key sizes and ciphers and see if you’ve generated something our ciphers restrict.

Thank you for the response @JasonWalker.

I did the following: from my company.pfx I used OpenSSL to generate a company.crt and a company.key as follows:

openssl pkcs12 -in company.pfx -clcerts -nokeys -out company.crt

then I generated a company.key from the company.pfx file, using:

openssl pkcs12 -in company.pfx -nocerts -out company.key -nodes

So my company.crt is like this:

Bag Attributes
localKeyID: 01 00 00 00
friendlyName: .company.com.br
subject=CN=.company.com.br
issuer=C=US, O=Cert Inc, OU=www.cert.com, CN=Trust TLS RSA CA G1
-----BEGIN CERTIFICATE-----
MIIGMTCCBRmgAwIBAgIQAUnxEFAGP8cpRS4Adu+QxjANBgkqhkiG9w0BAQ…
-----END CERTIFICATE-----

and the company.key looks like this:

Bag Attributes
Microsoft Local Key set:
localKeyID: 01 00 00 00
friendlyName: le-57redacted952-d5e0-bla-redacted6ebredactedc34fb9d
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
Key Attributes
X509v3 Key Usage: 10
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDQ3kbUyc3SOZRD
InHODqPlC4u2fR1HtKiKzPftC6JzaclrSlHUPMRIymEVHeqCrScnxli2ShM1dE5W…
-----END PRIVATE KEY-----

Does it look right?

I think so. Do you have access to OpenSSL?

It may be useful to check that this private key matches the certificate.

For your SSL certificate: openssl x509 -noout -modulus -in <file>.crt | openssl md5

For your RSA private key: openssl rsa -noout -modulus -in <file>.key | openssl md5

You should get the same MD5 hashes from both files.

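The two checks recommended in the replies above (first: the key must be an unencrypted PEM "PRIVATE KEY" block rather than an encrypted or DER file; second: the key's modulus must match the certificate's) can be done without OpenSSL by reading the PEM blocks and walking the DER structure directly. The script below is an added example written for this thread, not code from HCL, BigFix or either poster. It relies only on the standard PKCS#8 (PrivateKeyInfo/RSAPrivateKey) and X.509 (tbsCertificate/subjectPublicKeyInfo) layouts; the fixtures at the bottom are constructed in-script with a toy 12-bit modulus and an unsigned placeholder certificate, so they exercise the parser but are not usable keys. Function names such as classify_key_file and key_matches_certificate are this example's own.

```python
import base64

# ---- minimal DER encode/decode (enough for PKCS#8 RSA keys and X.509 certs) ----

def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:              # DER INTEGER is two's complement: keep positive values positive
        b = b"\x00" + b
    return tlv(0x02, b)

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, value, next_pos). Handles long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

RSA_ALG = seq(bytes.fromhex("06092a864886f70d010101"), b"\x05\x00")   # rsaEncryption OID + NULL

# ---- PEM handling: the "Bag Attributes" preamble that openssl pkcs12 writes is skipped ----

def pem_blocks(text):
    blocks, label, lines = [], None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            label, lines = line[11:-5], []
        elif line.startswith("-----END ") and label is not None:
            blocks.append((label, base64.b64decode("".join(lines))))
            label = None
        elif label is not None:
            lines.append(line)
    return blocks

def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def classify_key_file(data):
    """'pem-pkcs8' is the form the reply asks for; every other answer needs converting first."""
    if b"-----BEGIN " not in data:
        return "der" if data[:1] == b"\x30" else "unknown"   # DER always starts with SEQUENCE (0x30)
    labels = [label for label, _ in pem_blocks(data.decode("utf-8", errors="replace"))]
    if "ENCRYPTED PRIVATE KEY" in labels:
        return "pem-encrypted"   # password-protected: openssl rsa -in old.key -out new.key removes it
    if "PRIVATE KEY" in labels:
        return "pem-pkcs8"
    if "RSA PRIVATE KEY" in labels:
        return "pem-pkcs1"       # unencrypted legacy form; openssl pkcs8 -topk8 -nocrypt converts it
    return "unknown"

# ---- modulus extraction (pure-Python equivalent of openssl x509/rsa -noout -modulus) ----

def rsa_modulus_from_private_key(label, der):
    _, body, _ = der_read(der)
    if label == "PRIVATE KEY":                       # PKCS#8: version, algorithm, OCTET STRING(RSAPrivateKey)
        _, body, _ = der_read(der_children(body)[2][1])
    fields = der_children(body)                      # RSAPrivateKey: version, n, e, d, p, q, dP, dQ, qInv
    return int.from_bytes(fields[1][1], "big")

def rsa_modulus_from_certificate(der):
    _, cert, _ = der_read(der)
    fields = der_children(der_children(cert)[0][1])  # tbsCertificate
    if fields[0][0] == 0xA0:                         # optional EXPLICIT [0] version
        fields = fields[1:]
    spki = fields[5][1]                              # serial, sigAlg, issuer, validity, subject, spki
    bitstring = der_children(spki)[1][1]
    rsa_pub = der_children(bitstring[1:])[0][1]      # skip unused-bits byte, then RSAPublicKey SEQUENCE
    return int.from_bytes(der_children(rsa_pub)[0][1], "big")

def key_matches_certificate(key_text, cert_text):
    keys = [b for b in pem_blocks(key_text) if b[0] in ("PRIVATE KEY", "RSA PRIVATE KEY")]
    certs = [b for b in pem_blocks(cert_text) if b[0] == "CERTIFICATE"]
    if not keys or not certs:
        return False
    # the first CERTIFICATE block is the server (leaf) cert when the chain is ordered as the reply shows
    return rsa_modulus_from_private_key(*keys[0]) == rsa_modulus_from_certificate(certs[0][1])

# ---- constructed fixtures: toy RSA values and an unsigned certificate, for demonstration only ----

def make_pkcs8_key_der(n, e, d, p, q):
    rsa = seq(der_int(0), der_int(n), der_int(e), der_int(d), der_int(p), der_int(q),
              der_int(d % (p - 1)), der_int(d % (q - 1)), der_int(pow(q, -1, p)))
    return seq(der_int(0), RSA_ALG, tlv(0x04, rsa))

def make_certificate_der(n, e):
    spki = seq(RSA_ALG, tlv(0x03, b"\x00" + seq(der_int(n), der_int(e))))
    name = seq()                                      # empty Name is enough for this parser
    validity = seq(tlv(0x17, b"240101000000Z"), tlv(0x17, b"250101000000Z"))
    tbs = seq(tlv(0xA0, der_int(2)), der_int(1), RSA_ALG, name, validity, name, spki)
    return seq(tbs, RSA_ALG, tlv(0x03, b"\x00" * 9))  # placeholder signature, never verified

TOY_N, TOY_E, TOY_D, TOY_P, TOY_Q = 3233, 17, 2753, 61, 53          # 61 * 53, constructed values
KEY_PEM = "Bag Attributes\n    localKeyID: 01 00 00 00\n" + to_pem(
    "PRIVATE KEY", make_pkcs8_key_der(TOY_N, TOY_E, TOY_D, TOY_P, TOY_Q))
CERT_PEM = to_pem("CERTIFICATE", make_certificate_der(TOY_N, TOY_E)) + to_pem(
    "CERTIFICATE", make_certificate_der(3235, TOY_E))                   # leaf first, then a fake issuer

if __name__ == "__main__":
    print(classify_key_file(KEY_PEM.encode()))          # pem-pkcs8
    print(key_matches_certificate(KEY_PEM, CERT_PEM))   # True
```

On a real ssl.key/ssl.crt pair the same two calls apply (read the files as bytes for classify_key_file and as text for key_matches_certificate); comparing the integers directly avoids the md5 step in the thread, which only exists to make two long hex strings easy to eyeball.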

Hi @JasonWalker ,

Thank you very much for your valuable insights on this matter. With your guidance, I believe this task will be much easier for me in the future.

I used the commands you provided and successfully confirmed that they have the same MD5 checksum. I renamed the files to ssl.crt and ssl.key and placed them in the WebUI folder. After restarting the service, it didn’t work initially, but using task ID 2558, “Rotate WebUI Certificates,” resolved the issue!

Thank you once again for your assistance.

Best regards!
