Ubuntu/openssl
Revision as of 10:40, 26 September 2018
- common openssl commands: http://www.sslshopper.com/article-most-common-openssl-commands.html
- generating an SSL cert with a SAN: http://apetec.com/support/GenerateSAN-CSR.htm
- Great overview about SSL certs and CAs: https://gist.github.com/Soarez/9688998
Generating SAN Certificate
Oracle Linux
Find openssl.cnf. I found it located at:
/etc/pki/tls/openssl.cnf
Verify this is present and uncommented:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
You'll probably need to add the following:
[ v3_req ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = domain1.com
DNS.2 = sub.domain1.com
DNS.3 = domain2.com
Now we need to create the Key, CSR, and CRT:
~$ openssl genrsa -out san_domain_com.key 2048
~$ openssl req -new -out san_domain_com.csr -key san_domain_com.key -config openssl.cnf
~$ openssl x509 -req -days 3650 -in san_domain_com.csr -signkey san_domain_com.key -out san_domain_com.crt -extensions v3_req -extfile openssl.cnf
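As an added example (not part of this wiki page), the script below does the same key / CSR / self-signed certificate steps from a self-contained config written into a working directory, so the system openssl.cnf is left untouched, and then reads the subjectAltName back out of the finished certificate to confirm the extension actually made it in. That last check matters because openssl x509 -req does not carry the CSR's extensions over by itself; without -extensions v3_req -extfile the certificate silently ends up with no SAN. The function names, file names and the example domain names are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the wiki page): generate key, CSR and self-signed SAN cert
# from a private config file, then verify the SAN survived signing.
set -eu

# make_san_cert <workdir> <dns1> [<dns2> ...]
# Writes a minimal openssl config with the [v3_req]/[alt_names] sections the page
# describes into <workdir>/san.cnf, then produces san.key, san.csr and san.crt there.
make_san_cert() {
    workdir="$1"
    shift
    mkdir -p "$workdir"
    cfg="$workdir/san.cnf"
    {
        printf '[req]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\nprompt = no\n\n'
        printf '[req_distinguished_name]\nCN = %s\n\n' "$1"   # first SAN doubles as the CN
        printf '[v3_req]\nsubjectAltName = @alt_names\n\n[alt_names]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cfg"

    openssl genrsa -out "$workdir/san.key" 2048 2>/dev/null
    openssl req -new -key "$workdir/san.key" -out "$workdir/san.csr" -config "$cfg"
    # x509 -req does not copy the CSR's extensions on its own: -extensions/-extfile are required.
    openssl x509 -req -days 3650 -in "$workdir/san.csr" -signkey "$workdir/san.key" \
        -out "$workdir/san.crt" -extensions v3_req -extfile "$cfg" 2>/dev/null
}

# cert_san_names <certfile>
# Prints the DNS names found in the certificate's subjectAltName, one per line
# (empty output means the SAN extension is missing, i.e. the signing step dropped it).
cert_san_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Usage when run directly: sh this_script.sh ./out domain1.com sub.domain1.com domain2.com
if [ "$#" -ge 2 ]; then
    make_san_cert "$@"
    echo "SAN entries in $1/san.crt:"
    cert_san_names "$1/san.crt"
fi
```

The config uses prompt = no so the whole run is non-interactive; drop that line and the [req_distinguished_name] values if you want openssl req to ask for the subject fields as the page's command does.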
Converting to PKCS12
You may want to first merge the certs into a single CRT like this.
Export to PKCS12:
$ openssl pkcs12 -export -in san_domain_com.crt -inkey san_domain_com.key -out san_domain_com.p12 -name alias_self_signed
Enter Export Password:
Verifying - Enter Export Password:
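As an added example (not part of this wiki page), the script below performs the same PKCS#12 export non-interactively and then verifies the bundle: it reads the alias (friendlyName) back out with openssl pkcs12 -info and compares the SHA-256 fingerprint of the certificate inside the bundle with the original CRT. The export password is supplied with -passout file: rather than typed on the command line, so it does not land in shell history or the process list. The throwaway key/cert pair, the function names, file names and the alias are assumptions made here. One caveat for the JKS step that follows: OpenSSL 3 writes PKCS#12 files with newer default encryption that some older keytool releases cannot read; OpenSSL 3's pkcs12 command has a -legacy option for producing a bundle those consumers accept.

```shell
#!/bin/sh
# Added example (not from the wiki page): export key+cert to PKCS#12 without typing a
# password, then verify the alias and the certificate stored in the bundle.
set -eu

# make_test_pair <dir>
# Constructed test data: a throwaway self-signed key/cert pair to export.
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=p12-example.test" \
        -keyout "$1/site.key" -out "$1/site.crt" 2>/dev/null
}

# export_p12 <dir> <alias> <passfile>
# Bundles <dir>/site.crt and <dir>/site.key into <dir>/site.p12 under <alias>.
# The password is the first line of <passfile>, so it never appears on the command line.
export_p12() {
    dir="$1"; alias="$2"; passfile="$3"
    openssl pkcs12 -export -in "$dir/site.crt" -inkey "$dir/site.key" \
        -out "$dir/site.p12" -name "$alias" -passout "file:$passfile"
}

# p12_alias <p12file> <passfile>
# Prints the friendlyName (the alias keytool will later look for) stored in the bundle.
p12_alias() {
    openssl pkcs12 -in "$1" -info -nokeys -passin "file:$2" 2>/dev/null \
        | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# cert_fingerprint <certfile>
# SHA-256 fingerprint of a PEM certificate, colon-separated hex only.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# p12_cert_fingerprint <p12file> <passfile>
# SHA-256 fingerprint of the certificate inside the bundle, for comparison with the original.
p12_cert_fingerprint() {
    openssl pkcs12 -in "$1" -nokeys -passin "file:$2" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage when run directly: sh this_script.sh ./out alias_self_signed /path/to/passfile
if [ "$#" -eq 3 ]; then
    mkdir -p "$1"
    make_test_pair "$1"
    export_p12 "$1" "$2" "$3"
    echo "alias in $1/site.p12: $(p12_alias "$1/site.p12" "$3")"
    echo "bundle cert: $(p12_cert_fingerprint "$1/site.p12" "$3")"
    echo "original:    $(cert_fingerprint "$1/site.crt")"
fi
```

If the alias printed by p12_alias is not what you expect, the later keytool -importkeystore -srcalias step will fail to find the entry, so this is the cheapest place to catch a typo.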
Convert PKCS12 to JKS
If you have a java site and need to secure it, you'll probably need to create a jks.
You'll need to know the following info:
- alias
- pkcs12 password
~$ /usr/java/jdk1.8.0_74/bin/keytool -importkeystore -srckeystore san_domain_com.p12 -srcstoretype pkcs12 -srcalias alias_self_signed -srcstorepass password -destkeystore san_domain_com.jks -deststoretype jks -deststorepass password -destalias alias_self_signed
Check it to make sure it's right:
~$ /usr/java/jdk1.8.0_74/bin/keytool -list -v -keystore san_domain_com.jks
Enter keystore password:
Discover the alias name from a JKS keystore
If you don't know the alias name, you can discover it as long as you know the keystore password.
~$ /usr/java/jdk1.8.0_74/bin/keytool -list -keystore /home/user/puppet/site/service/files/selfsigned.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

james, Aug 16, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 13:36:7B:A7:21:D9:50:82:D2:74:14:7D:A0:AA:AB:FE:93:74:A3:C9
Another way is to:
$ /usr/java/jdk1.8.0_74/bin/keytool -list -v -keystore ./selfsigned.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: SecretAlias
Creation date: Aug 16, 2016
Export CRT from JKS
~$ keytool -export -alias alias_name -keystore path_to_keystore_file -rfc -file path_to_new_certificate_file

Example:

~$ /usr/java/jdk1.8.0_74/bin/keytool -export -alias SecretAlias -keystore /home/user/selfsigned.jks -rfc -file /home/user/selfsigned.crt
Enter keystore password:
Writing an ssl cert directly to a file
Here's a quick way to write an SSL cert to a file and strip everything except the cert.
~$ openssl s_client -showcerts -connect google.com:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > mycertfile.pem
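As an added example (not part of this wiki page), the script below wraps the same s_client pipeline in a function, sending -servername so a virtual-hosted server returns the certificate for the requested name rather than its default one, and adds the check most people want next: whether the saved certificate is still valid a given number of days out, using openssl x509 -checkend. openssl x509 ignores the CONNECTED / chain chatter before the first BEGIN CERTIFICATE line and stops after the first certificate, which is the leaf. The function names and the constructed s_client-style input used for testing are assumptions made here; the network fetch itself is not exercised offline.

```shell
#!/bin/sh
# Added example (not from the wiki page): fetch a server's leaf certificate with SNI,
# keep only the PEM block, and check how long it stays valid.
set -eu

# extract_leaf_cert
# Reads s_client-style output on stdin and writes only the first PEM certificate.
# openssl x509 skips the non-PEM lines before BEGIN CERTIFICATE and reads one cert,
# so the extra chain members printed by -showcerts are dropped.
extract_leaf_cert() {
    openssl x509 -outform PEM
}

# fetch_server_cert <host> [port]
# Connects to <host>:<port> (default 443) with SNI set to <host> and prints the leaf cert.
# Needs network access; the offline test below exercises the other functions only.
fetch_server_cert() {
    openssl s_client -showcerts -servername "$1" -connect "$1:${2:-443}" </dev/null 2>/dev/null \
        | extract_leaf_cert
}

# cert_valid_for_days <certfile> <days>
# Exit status 0 if the certificate is still valid <days> days from now, 1 if it expires sooner.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_sha256 <certfile>
# SHA-256 fingerprint of a PEM certificate, for comparing two copies of the same cert.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage when run directly: sh this_script.sh google.com [443]
if [ "$#" -ge 1 ]; then
    fetch_server_cert "$1" "${2:-443}" > mycertfile.pem
    if cert_valid_for_days mycertfile.pem 30; then
        echo "mycertfile.pem: valid for at least 30 more days, $(cert_sha256 mycertfile.pem)"
    else
        echo "mycertfile.pem: expires within 30 days" >&2
        exit 1
    fi
fi
```

The expiry check is the piece worth putting in a cron job or monitoring probe: it exits non-zero when a certificate is inside the renewal window, which is easier to alert on than eyeballing openssl x509 -dates output.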