Staf Wagemakers

Hi, I’m staf…

Thunderbird: Importing s/mime certificate failed

3 minute read

thunderbird

On http://kb.mozillazine.org/Getting_an_SMIME_certificate you get a list of free s/mime certificate.

I ordered a free 30 days certificate at globalsign: https://www.globalsign.com/en/personalsign/trial/

The import of the pkcs12 failed in Thunderbird with the message: “The PKCS #12 operation failed for unknown reasons.”

Searching the internet didn’t provide a solution. To debug this issue I started to extract the private / certificate from the pkcs12 file provided by globalsign and creating a new one.

To execute this command I use an encrypted luks volume.

Create a new pkcs12 file

verifying the pkx file

password too long?

The first issue was that the password of my pkx was too long by default the openssl pkcs12 command seems to have a limit of 32 characters.

[staf@vicky staf@wagemakers.be]$ openssl pkcs12 -in staf.pkx 
Enter Import Password:
Can't read Password
[staf@vicky staf@wagemakers.be]$

Use the “-passin pass”, “-passin stdin” or “-passin file” argument resolves this issue. The “-passin pass” argument will show the password on the screen and in shell history, the “-passin stdin” will show your password on the screen, the “-passin file” will leave your password on the (hopefully encrypted) filesystem so I went with the “-pass file” option.

Created password file

Create the file that holds your password with the corrected file permissions, you must be the only one that is able to read this file:

[staf@vicky staf@wagemakers.be]$ touch pass
[staf@vicky staf@wagemakers.be]$ chmod 600 pass
[staf@vicky staf@wagemakers.be]$ vi pass

Try again

With the “-passin file” argument we are able to the pkcs12 file.

[staf@vicky staf@wagemakers.be]$ openssl pkcs12 -in staf.pkx -passin file:pass
MAC verified OK
Bag Attributes
    localKeyID: 9B B7 F3 7A 96 46 1F 08 28 A2 BC 2B 87 0E 53 92 29 B4 7D 7D 
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Bag Attributes
    localKeyID: 9B B7 F3 7A 96 46 1F 08 28 A2 BC 2B 87 0E 53 92 29 B4 7D 7D 
subject=/CN=staf@wagemakers.be/emailAddress=staf@wagemakers.be
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign PersonalSign 1 CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
<snip>

Extract

We’ll extract the private key and the certificates and build a new pkcs12 file and import this pkcs12 file into thunderbird.

Extract the private key

The private key is encrypted with the “bag” so need to type it or copy/pass it…

[staf@vicky staf@wagemakers.be]$ openssl pkcs12 -in staf.pkx -nocerts -out key.pem -passin file:pass 
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Extract the client certificate

The client certificate isn’t encrypted so you can leave the pem password empty.

[staf@vicky staf@wagemakers.be]$ openssl pkcs12 -in staf.pkx -clcerts -out staf.pem -passin file:pass 
MAC verified OK

Enter PEM pass phrase:
[staf@vicky staf@wagemakers.be]$

Verify the key and certificate

To verify that the certificate and the private belongs together we need to verify the modulus of the key and the certificate the sha1sum should match.

staf@vicky staf@wagemakers.be]$ openssl rsa -in key.pem -modulus -noout | sha1sum
Enter pass phrase for key.pem:
1234567890123456789012345678901234567890  -
[staf@vicky staf@wagemakers.be]$ 

[staf@vicky staf@wagemakers.be]$ openssl x509 -in staf.pem -modulus -noout | sha1sum
1234567890123456789012345678901234567890  -
[staf@vicky staf@wagemakers.be]$

Extract the signing certificate(s)

The following command extracts the ca certificates.

[staf@vicky staf@wagemakers.be]$ openssl pkcs12 -in staf.pkx -cacerts -out cacerts.pem -passin file:pass
MAC verified OK
Enter PEM pass phrase:

Create a new pkcs12 file

This time we use a 32 characters password.

[staf@vicky staf@wagemakers.be]$ openssl pkcs12 -export -in staf.pem -inkey key.pem -certfile cacerts.pem -out staf_new.p12
Enter pass phrase for key.pem:
Enter Export Password:
Verifying - Enter Export Password:

Import the the new pkcs12 file

thunderbird Not sure what the issue was with original pkcs12 but the import works now….

  • it might have been the 32 characters password -. After I was able to use the signing and encryption part in thunderbird.

** Have fun **

Leave a comment

You may also enjoy

Running OpenBSD as an UEFI virtual machine (on a Raspberry Pi)

9 minute read

I started to migrate all the services that I use on my internal network to my Raspberry Pi 4 cluster. I migrated my FreeBSD jails to BastileBSD on a virtual machine running on a Raspberry Pi. See my blog post on how to migrate from ezjail to BastilleBSD. https://stafwag.github.io/blog/blog/2023/09/10/migrate-from-ezjail-to-bastille-part1-introduction-to-bastillebsd/

tianocore

Running FreeBSD as a virtual machine with UEFI on ARM64 came to the point that it just works. I have to use QEMU with u-boot to get FreeBSD up and running on the Raspberry Pi as a virtual machine with older FreeBSD versions: https://stafwag.github.io/blog/blog/2021/03/14/howto_run_freebsd_as_vm_on_pi/.

But with the latest versions of FreeBSD ( not sure when it started to work, but it works on FreeBSD 14) you can run FreeBSD as a virtual machine on ARM64 with UEFI just like on x86 on GNU/Linux with KVM.

UEFI on KVM is in general provided by the open-source tianocore project.

I didn’t find much information on how to run OpenBSD with UEFI on x86 or ARM64.

OpenBSD 7.4

So I decided to write a blog post about it, in the hope that this information might be useful to somebody else. First I tried to download the OpenBSD 7.4 ISO image and boot it as a virtual machine on KVM (x86). But the iso image failed to boot on a virtual with UEFI enabled. It looks like the ISO image only supports a legacy BIOS.

ARM64 doesn’t support a “legacy BIOS”. The ARM64 download page for OpenBSD 7.4 doesn’t even have an ISO image, but there is an install-<version>.img image available. So I tried to boot this image on one of my Raspberry Pi systems and this worked. I had more trouble getting NetBSD working as a virtual machine on the Raspberry Pi but this might be a topic for another blog post :-)

You’ll find my journey with my installation instructions below.

Read more...

Getting started with GitLab-CE. Part 1: Installation

12 minute read

CI/CD Platform Overview

When you want or need to use CI/CD you have a lot of CI/CD platforms where you can choose from. As with most “tools”, the tool is less important. What (which flow, best practices, security benchmarks, etc) and how you implement it, is what matters.

One of the most commonly used options is Jenkins.

I used and still use Jenkins and created a jenkins build workstation to build software and test in my homelab a couple of years back.

jenkins

Jenkins started as Hudson at Sun Microsystem(RIP). Hudson is one of the many open-source projects that were started at Sun and killed by Oracle. Jenkins continued as the open-source fork of Hudson.

Jenkins has evolved. If you need to do more complex things you probably end up creating a lot of groovy scripts, nothing wrong with groovy. But as with a lot of discussions about programming, the ecosystem (who is using it, which libraries are available, etc) is important.

Groovy isn’t that commonly used in and known in the system administration ecosystem so this is probably something you need to learn if you’re coming for the system administrator world ( as I do, so I learnt the basics of Groovy this way ).

The other option is to implement CI/CD using the commonly used source hosting platforms; GitHub and GitLab.

Read more...