Forthcoming OpenSSL Bug Fix Release

2022-10-25 Thread Ing. Martin Koci, MBA

Hello,

In addition to the already announced 3.0.7 release, the OpenSSL project 
team would like to announce the forthcoming release of OpenSSL version 
1.1.1s that is a bug fix release.


This bug fix release will be made available on Tuesday 1st November 2022 
between 1300-1700 UTC too.


Yours
The OpenSSL Project Team



I have achieved PARTIAL SUCCESS in installing Godaddy SSL Certificate in UniFi Cloud Key Gen 2 Plus

2022-10-25 Thread Turritopsis Dohrnii Teo En Ming

Good day from Singapore,

I am posting here because UniFi Cloud Key Gen 2 Plus is powered by Debian
GNU/Linux 9.

I have found many reference guides on installing SSL certificate in UniFi
Cloud Key. Please refer to the following list.

[1] How to install a SSL Certificate on Unifi Cloud Key

Link:
https://community.ui.com/questions/How-to-install-a-SSL-Certificate-on-Unifi-Cloud-Key/944dbbd6-cbf6-4112-bff5-6b992fcbf2c4#:~:text=Rename%20your%20purchased%20SSL%20certificate,Upload%20to%20Cloud%20Key%E2%80%9D%20folder.=Before%20we%20restart%20our%20Cloud,your%20SSL%20certificate%20is%20installed

[2] How to install an SSL Certificate on Unifi Cloud Key?

Link:
https://www.ssldragon.com/blog/install-ssl-certificate-on-unifi-cloud-key/

[3] Protect the UniFi Cloud Key with a custom SSL certificate

Link:
https://clemens.ms/protect-the-unifi-cloud-key-with-a-custom-ssl-certificate/

[4] Deploy dehydrated generated certificate to Unifi controller

Link: https://gist.github.com/jrotello/18ab3e1982d46b04a269dfbc63aa097f

[5] How to quickly setup SSL certificate on Unifi Cloud Key

Link:
https://community.ui.com/questions/How-to-quickly-setup-SSL-certificate-on-Unifi-Cloud-Key/d991c17f-d7e0-4778-be83-f2a91c47bc63

[6] Unable to import the certificate into keystore

Link:
https://community.ui.com/questions/Unable-to-import-the-certificate-into-keystore/c9a42223-1d36-40bf-954a-059508d52263

However, only 2 reference guides worked for me. They are:

[A] How to quickly setup SSL certificate on Unifi Cloud Key (Java method)

Link:
https://community.ui.com/questions/How-to-quickly-setup-SSL-certificate-on-Unifi-Cloud-Key/d991c17f-d7e0-4778-be83-f2a91c47bc63

[B] Unable to import the certificate into keystore

Link:
https://community.ui.com/questions/Unable-to-import-the-certificate-into-keystore/c9a42223-1d36-40bf-954a-059508d52263

I shall detail my attempts at following the instructions below. It is not
possible to install SSL certificate in the UniFi Cloud Key using Web GUI at
all. The only way to do it is through the Command Line Interface (CLI).
There is no other way out.

1st Attempt FAILED - following the guide at
https://www.ssldragon.com/blog/install-ssl-certificate-on-unifi-cloud-key/
==

openssl genrsa -out /etc/ssl/private/cloudkey.key 2048

openssl req -new -batch \
-subj "/C=SG/ST=Singapore/L=Singapore/O=Teo-En-Ming-Corporation/OU=IT/CN=cloudkey.teo-en-ming-corp.com/emailAddress=c...@teo-en-ming-corp.com" \
-key /etc/ssl/private/cloudkey.key \
-out /etc/ssl/private/cloudkey.csr

Upload the primary SSL certificate cloudkey.crt to /root

cp /root/cloudkey.crt /etc/ssl/private/

openssl pkcs12 -export -in /etc/ssl/private/cloudkey.crt \
-inkey /etc/ssl/private/cloudkey.key -out /etc/ssl/private/cloudkey.p12 \
-name unifi -password pass:temppass

keytool -importkeystore -deststorepass aircontrolenterprise \
-destkeypass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore \
-srckeystore /etc/ssl/private/cloudkey.p12 -srcstoretype PKCS12 \
-srcstorepass temppass -alias unifi

Importing keystore /etc/ssl/private/cloudkey.p12 to
/usr/lib/unifi/data/keystore...
Existing entry alias unifi exists, overwrite? [no]:  yes

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to
PKCS12 which is an industry standard format using "keytool -importkeystore
-srckeystore /usr/lib/unifi/data/keystore -destkeystore
/usr/lib/unifi/data/keystore -deststoretype pkcs12".

keytool -importkeystore -deststorepass temppass -destkeypass temppass \
-destkeystore /usr/lib/unifi/data/keystore \
-srckeystore /etc/ssl/private/cloudkey.p12 -srcstoretype PKCS12 \
-srcstorepass temppass -alias unifi
Importing keystore /etc/ssl/private/cloudkey.p12 to
/usr/lib/unifi/data/keystore...
keytool error: java.io.IOException: Keystore was tampered with, or password
was incorrect

mkdir /root/backup

mv cloudkey.csr /root/backup/

mv cloudkey.p12 /root/backup/

tar -cvf cert.tar *

chown root:ssl-cert /etc/ssl/private/*

chmod 640 /etc/ssl/private/*

apt-get install nano

cp /etc/default/unifi /root/backup/

nano /etc/default/unifi

UNIFI_SSL_KEYSTORE=/etc/ssl/private/unifi.keystore.jks

cd /etc/ssl/private

cp cloudkey.crt /usr/lib/unifi/

cd /root

cp gd_bundle-g2-g1.crt /usr/lib/unifi/

cd /usr/lib/unifi

root@Teo-En-Ming-Corporation:/usr/lib/unifi# java -jar lib/ace.jar import_cert cloudkey.crt gd_bundle-g2-g1.crt
Unable to import the certificate into keystore
root@Teo-En-Ming-Corporation:/usr/lib/unifi# java -jar lib/ace.jar import_cert cloudkey.crt
Unable to import the certificate into keystore

cd /root/backup/

cp cloudkey.p12 /usr/lib/unifi

cd /usr/lib/unifi

root@Teo-En-Ming-Corporation:/usr/lib/unifi# java -jar lib/ace.jar import_cert cloudkey.p12
Unable to import the certificate into keystore


Forthcoming OpenSSL Releases

2022-10-25 Thread Ing. Martin Koci, MBA

Hello,

The OpenSSL project team would like to announce the forthcoming release 
of OpenSSL version 3.0.7.


This release will be made available on Tuesday 1st November 2022 between 
1300-1700 UTC.


OpenSSL 3.0.7 is a security-fix release. The highest severity issue 
fixed in this release is CRITICAL:


https://www.openssl.org/policies/general/security-policy.html

Yours
The OpenSSL Project Team




Re: Setting a group to an existing EVP_PKEY in OpenSSL 3

2022-10-25 Thread Matt Caswell




On 25/10/2022 00:21, Kory Hamzeh wrote:

> I haven’t done exactly what you are trying, but something similar.
> See EVP_PKEY_set_params:
>
> https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_set_params.html
>
> The specific param to set the group could be set like this:
>
>   OSSL_PARAM_BLD_push_utf8_string(param_bld, "group",
>                                   curve, 0);




"group" is not a "settable" parameter for EC keys. You can "get" it. You 
can import it (using EVP_PKEY_from_data()). You can export it (using 
EVP_PKEY_to_data()). But you can't "set" it.


The group is immutable once the key is created.

It really doesn't make sense to change the group of a key from one thing 
to another. None of the rest of the parameters would be valid if the 
group changed.



On 25/10/2022 00:35, Martin via openssl-users wrote:
> Thanks for your response. I want to preserve the rest of the EC public
> key params. I did this. I haven’t tested yet.

Preserving the rest of the EC public key params doesn't make sense. If 
the group has changed the key is no longer valid. Just create a new key 
instead.


Matt