KeySpec AT_KEYEXCHANGE - Githubissues

patrickpr / YAOG

Yet Another Openssl GUI : Qt based openssl GUI to create CSR, certificates, keys (RSA / DSA / EC)

GNU General Public License v3.0

106 stars 11 forks source link

KeySpec AT_KEYEXCHANGE #10

Closed w8083 closed 3 years ago

w8083 commented 3 years ago

Hi, Is there any way to define the KeySpec AT_KEYEXCHANGE.?

Thanks.

patrickpr commented 3 years ago

Not for now. It is a MS specific when exporting PKCS#12. I'll have a look to see if it is simple to implement.

patrickpr commented 3 years ago

From openssl site about this ( openssl pkcs12 create ):

"This option was useful for old export grade software which could use signing only keys of arbitrary size but had restrictions on the permissible sizes of keys which could be used for encryption."

What is the use case for this ? Does MS software still uses it ?

w8083 commented 3 years ago

Hi Patrickpr, thanks for your reply and update. yes that is one of the mandatory options for certificate to use in Microsoft SQL Server to encrypt connections using TLS.

This is the certificate requirement: The certificate must be created by using the KeySpec option of AT_KEYEXCHANGE. Usually, the certificate's key usage property (KEY_USAGE) will also include key encipherment (CERT_KEY_ENCIPHERMENT_KEY_USAGE).

https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine?view=sql-server-ver15

Thanks in advance.

patrickpr commented 3 years ago

This just needs a quick patch on existing p12 export, so I will start working on it, and should release a new version next week.

w8083 commented 3 years ago

sounds great Patrick! thank you very much.

patrickpr commented 3 years ago

Hi,

Made a quick change : now you can set the private key flag on p12 export :

and it seems to do something :-) :

But I don"t have anything to test it on.

I attached below the updated version of yaog. It's only the .exe, so you need to put it in your current yaog directory replacing your exe.

Can you make some test and give me feedback with this version ?

YetAnotherOpensslGui.zip

$ sha256sum.exe YetAnotherOpensslGui.exe
0617ed4fb044eeb9acd2c409bbde0f0ec614ec0c43be7bb59ddf85bfa98235cb *YetAnotherOpensslGui.exe

Note : you need to be currently using the latest yaog version.

w8083 commented 3 years ago

Hi Patrick, that's great. I'll download and test it. appreciate your help. I'll keep you posted about the result.

w8083 commented 3 years ago

Hi Patrick, good news. I could test it and it is working as expected. now MSSQL is able to recognize the certificate and I can use it. Thank you very much. congrats! very nice tool!

patrickpr commented 3 years ago

Ok, thanks for testing. I will finish the encryptions parameters of PKCS12 and release a new version soon.

patrickpr commented 3 years ago

@w8083 : the new release (1.1.2) is available, I suggest you download it to replace your current version.

w8083 commented 3 years ago

thanks @patrickpr I'll do.