Ubuntu/openssl
Latest revision as of 23:51, 3 December 2020
Common openssl commands: http://www.sslshopper.com/article-most-common-openssl-commands.html
Generating an SSL cert with a SAN: http://apetec.com/support/GenerateSAN-CSR.htm
Great overview of SSL certs and CAs: https://gist.github.com/Soarez/9688998
Quick Reference
Default locations of the system-wide CA bundle that openssl-based tools read, by distribution:
"/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt", // Fedora/RHEL 6
"/etc/ssl/ca-bundle.pem", // OpenSUSE
"/etc/pki/tls/cacert.pem", // OpenELEC
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7

"/etc/ssl/certs", // SLES10/SLES11, https://golang.org/issue/12139
"/system/etc/security/cacerts", // Android
"/usr/local/share/certs", // FreeBSD
"/etc/pki/tls/certs", // Fedora/RHEL
"/etc/openssl/certs", // NetBSD
Check CSR
~$ openssl req -text -noout -verify -in CSR.csr
Check private key
~$ openssl rsa -in privateKey.key -check
Check Certificate
~$ openssl x509 -in certificate.crt -text -noout
Generating SAN Certificate
Oracle Linux
Find openssl.cnf. I found it located at:
/etc/pki/tls/openssl.cnf
Verify this is present and uncommented:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
You'll probably need to add the following:
[ v3_req ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = domain1.com
DNS.2 = sub.domain1.com
DNS.3 = domain2.com
Now create the key, CSR, and CRT:
~$ openssl genrsa -out san_domain_com.key 2048
~$ openssl req -new -out san_domain_com.csr -key san_domain_com.key -config openssl.cnf
~$ openssl x509 -req -days 3650 -in san_domain_com.csr -signkey san_domain_com.key -out san_domain_com.crt -extensions v3_req -extfile openssl.cnf
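The three steps above, as an added example that is not part of the original page: the config sections are written from a list of DNS names, the key, CSR and self-signed certificate are produced, and the SAN is read back out of the finished certificate to prove the extension was actually applied (the scratch directory, file names and DNS names are assumptions).

```shell
#!/bin/sh
# Added example, not from the original page: build a SAN CSR and a self-signed
# certificate from an inline openssl.cnf modelled on the sections above, then
# read the SAN back out of the certificate to confirm the extension made it in.
# Scratch directory, file names and the DNS names are assumptions.
make_san_cert() {
  workdir="$1"                     # scratch directory, created if missing
  shift                            # remaining arguments are the DNS names
  mkdir -p "$workdir"
  cnf="$workdir/openssl.cnf"
  {
    printf '[req]\ndistinguished_name = req_distinguished_name\n'
    printf 'req_extensions = v3_req\n\n[req_distinguished_name]\n\n'
    printf '[v3_req]\nsubjectAltName = @alt_names\n\n[alt_names]\n'
    i=1
    for name in "$@"; do
      printf 'DNS.%d = %s\n' "$i" "$name"
      i=$((i + 1))
    done
  } > "$cnf"
  openssl genrsa -out "$workdir/san.key" 2048 2>/dev/null
  # -subj supplies the DN non-interactively; the CSR picks up v3_req from the config
  openssl req -new -key "$workdir/san.key" -out "$workdir/san.csr" \
    -subj "/CN=$1" -config "$cnf"
  # x509 -req does not copy the CSR's extensions, so v3_req is supplied again via -extfile
  openssl x509 -req -days 3650 -in "$workdir/san.csr" -signkey "$workdir/san.key" \
    -out "$workdir/san.crt" -extensions v3_req -extfile "$cnf" 2>/dev/null
}

# Print the "DNS:..." line of a certificate's subjectAltName (empty if the SAN is missing).
cert_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

# Stand-alone run with constructed names matching the alt_names section above.
demo_dir="${TMPDIR:-/tmp}/san-demo"
make_san_cert "$demo_dir" domain1.com sub.domain1.com domain2.com
cert_san "$demo_dir/san.crt"
```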
Converting to PKCS12
You may want to first merge the certs into a single CRT, as described in http://stackoverflow.com/questions/22618108/adding-an-intermediate-certificates-to-a-pkcs12-file.
Export to PKCS12:
$ openssl pkcs12 -export -in san_domain_com.crt -inkey san_domain_com.key -out san_domain_com.p12 -name alias_self_signed
Enter Export Password:
Verifying - Enter Export Password:
Convert PKCS12 to JKS
If you have a Java site and need to secure it, you'll probably need to create a JKS.
You'll need to know the following info:
- alias
- pkcs12 password
~$ /usr/java/jdk1.8.0_74/bin/keytool -importkeystore -srckeystore san_domain_com.p12 -srcstoretype pkcs12 -srcalias alias_self_signed -srcstorepass password -destkeystore san_domain_com.jks -deststoretype jks -deststorepass password -destalias alias_self_signed
Passing -srcstorepass and -deststorepass on the command line leaves both passwords in your shell history and visible in the process list while keytool runs; leave them off and keytool will prompt for them instead.
Check it to make sure it's right:
~$ /usr/java/jdk1.8.0_74/bin/keytool -list -v -keystore san_domain_com.jks
Enter keystore password:
Discover the alias name from a JKS keystore
If you don't know the alias name, you can discover it as long as you know the keystore password.
~$ /usr/java/jdk1.8.0_74/bin/keytool -list -keystore /home/user/puppet/site/service/files/selfsigned.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

james, Aug 16, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 13:36:7B:A7:21:D9:50:82:D2:74:14:7D:A0:AA:AB:FE:93:74:A3:C9

Another way is to:
$ /usr/java/jdk1.8.0_74/bin/keytool -list -v -keystore ./selfsigned.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: SecretAlias
Creation date: Aug 16, 2016
Export CRT from JKS
~$ keytool -export -alias alias_name -keystore path_to_keystore_file -rfc -file path_to_new_certificate_file

Example:
~$ /usr/java/jdk1.8.0_74/bin/keytool -export -alias SecretAlias -keystore /home/user/selfsigned.jks -rfc -file /home/user/selfsigned.crt
Enter keystore password:
Writing an SSL cert directly to a file
Here's a quick way to write an SSL cert to a file and strip everything except the cert.
~$ openssl s_client -showcerts -connect google.com:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > mycertfile.pem
Because openssl x509 only decodes the first PEM block it reads, this keeps the server's own (leaf) certificate and drops the rest of the chain that -showcerts printed.
Creating your own CA
This can be beneficial within a local environment where you can deploy the CA certificate to connecting clients. After that, you can sign your own certificates at no cost and avoid the certificate errors reported by client browsers.
Generate CA Key & Certificate
Really not much different from creating a normal SSL cert.
~$ openssl genrsa -out ca.key 4096
~$ openssl req -new -x509 -key ca.key -out ca.crt
Generate the CSR
In case you need the steps, here they are below without much explanation.
~$ openssl genrsa -out website.com.key 4096
~$ openssl req -new -key website.com.key -out website.com.csr
Signing the certificate
The next step is to sign the certificate request, so you'll need the CSR you created for your site/application.
~$ openssl x509 -req -in ../website.com.csr -CA ./ca.crt -CAkey ./ca.key -CAcreateserial -out ../signed.website.com.crt
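The CA, CSR and signing steps above, as an added example that is not part of the original page. It goes one step beyond the page in two ways: the CA certificate is given basicConstraints CA:TRUE explicitly (so it works with a minimal config rather than the system openssl.cnf), and the result is checked with openssl verify, which confirms the signed certificate actually chains to the CA and matches the hostname. CA name, server name and scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: create a private CA, sign a
# server CSR with it, and prove the result chains to the CA and matches the
# hostname with `openssl verify`. CA name, server name and workdir are assumptions.
make_ca() {                      # $1 = workdir, $2 = CA common name
  mkdir -p "$1"
  printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\n' > "$1/ca.cnf"
  # A CA cert must say so, or verify will refuse to build a chain through it
  printf '[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' >> "$1/ca.cnf"
  openssl genrsa -out "$1/ca.key" 4096 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$1/ca.key" -out "$1/ca.crt" \
    -subj "/CN=$2" -config "$1/ca.cnf"
}

sign_server_cert() {             # $1 = workdir, $2 = server DNS name
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/server.cnf"
  printf '[v3_req]\nbasicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$2" >> "$1/server.cnf"
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$2" -config "$1/server.cnf"
  # x509 -req drops the CSR's extensions, so the SAN is supplied again via -extfile
  openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/signed.$2.crt" -extensions v3_req -extfile "$1/server.cnf" 2>/dev/null
}

# Returns 0 only if the server cert chains to ca.crt and its SAN matches the name.
verify_chain() {                 # $1 = workdir, $2 = server DNS name
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/signed.$2.crt" >/dev/null 2>&1
}

# Stand-alone run with constructed names.
demo_dir="${TMPDIR:-/tmp}/ca-demo"
make_ca "$demo_dir" "Test Lab CA"
sign_server_cert "$demo_dir" website.com
verify_chain "$demo_dir" website.com && echo "signed.website.com.crt chains to ca.crt"
```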
Adding the CA to CentOS
Copy the CA crt that you created to the following folder and then run the update:
~$ sudo cp ca.crt /etc/pki/ca-trust/source/anchors/
~$ sudo update-ca-trust extract
Verify that you have added the CA cert to your system:
~$ sudo openssl x509 -text -in /etc/pki/tls/certs/ca-bundle.crt
Note that openssl x509 only decodes the first certificate in the bundle, so if your CA is not listed first, search the bundle for your CA's subject instead.
Test certificate
I opted for a quick and easy httpd server hosting the SSL cert.
~$ sudo yum install -y httpd mod_ssl openssl
~$ sudo cp website.com.key /etc/pki/tls/private/
~$ sudo cp signed.website.com.crt /etc/pki/tls/certs/
~$ sudo vim /etc/httpd/conf.d/ssl.conf
...
SSLCertificateFile /etc/pki/tls/certs/signed.website.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/website.com.key