Ubuntu/openssl

From r00tedvw.com wiki
Revision as of 11:57, 26 September 2018 by R00t (Talk | contribs)

Jump to: navigation, search

common openssl commands http://www.sslshopper.com/article-most-common-openssl-commands.html

generating a SSL cert with a SAN http://apetec.com/support/GenerateSAN-CSR.htm

Great overview about SSL certs and CAs https://gist.github.com/Soarez/9688998

Contents

Quick Reference

default location for openssl (system wide use)

"/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
"/etc/ssl/ca-bundle.pem",                            // OpenSUSE
"/etc/pki/tls/cacert.pem",                           // OpenELEC
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7

"/etc/ssl/certs",               // SLES10/SLES11, https://golang.org/issue/12139
"/system/etc/security/cacerts", // Android
"/usr/local/share/certs",       // FreeBSD
"/etc/pki/tls/certs",           // Fedora/RHEL
"/etc/openssl/certs",           // NetBSD

Generating SAN Certificate

Oracle Linux

find openssl.cnf. I found it located at:

/etc/pki/tls/openssl.cnf

Verify this is present and uncommented:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

You'll probably need to add the following:

[ v3_req ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = domain1.com
DNS.2 = sub.domain1.com
DNS.3 = domain2.com

Now we need to create the Key, CSR, and CRT

~$ openssl genrsa -out san_domain_com.key 2048
~$ openssl req -new -out san_domain_com.csr -key san_domain_com.key -config openssl.cnf
~$ openssl x509 -req -days 3650 -in san_domain_com.csr -signkey san_domain_com.key -out san_domain_com.crt -extensions v3_req -extfile openssl.cnf

Converting to PKCS12

You may want to first merge the certs into a single CRT like this.
Export to PKCS12:

$ openssl pkcs12 -export -in san_domain_com.crt -inkey san_domain_com.key -out san_domain_com.p12 -name alias_self_signed
Enter Export Password:
Verifying - Enter Export Password:

Convert PKCS12 to JKS

If you have a java site and need to secure it, you'll probably need to create a jks.
You'll need know the following info:

  • alias
  • pkcs12 password
~$ /usr/java/jdk1.8.0_74/bin/keytool -importkeystore -srckeystore san_domain_com.p12 -srcstoretype pkcs12 -srcalias alias_self_signed -srcstorepass password -destkeystore san_domain_com.jks -deststoretype jks -deststorepass password -destalias alias_self_signed

Check it to make sure its right:

~$ /usr/java/jdk1.8.0_74/bin/keytool -list -v -keystore san_domain_com.jks
Enter keystore password:

Discover the alias name from a JKS keystore

If you dont know the alias name, you can discover it as long as you know the keystore password.

~$ /usr/java/jdk1.8.0_74/bin/keytool -list -keystore /home/user/puppet/site/service/files/selfsigned.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

james, Aug 16, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 13:36:7B:A7:21:D9:50:82:D2:74:14:7D:A0:AA:AB:FE:93:74:A3:C9

Another way is to:

$ /usr/java/jdk1.8.0_74/bin/keytool -list -v -keystore ./selfsigned.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: SecretAlias
Creation date: Aug 16, 2016

Export CRT from JKS

~$ keytool -export -alias alias_name -keystore path_to_keystore_file -rfc -file path_to_new_certificate_file

Example:
~$ /usr/java/jdk1.8.0_74/bin/keytool -export -alias SecretAlias -keystore /home/user/selfsigned.jks -rfc -file /home/user/selfsigned.crt
Enter keystore password:

Writing an ssl cert directly to a file

Here's a quick way to write a SSL cert to a file and strip everything except the cert.

~$ openssl s_client -showcerts -connect google.com:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > mycertfile.pem


Creating your own CA

This can be beneficial within a local environment where you can deploy the CA certificate to connecting clients. After which, you can sign your own certificates at no cost and avoid certificate errors reported by client browsers.

Generate CA Key & Certificate

Really not much different from creating a normal ssl cert.

~$openssl genrsa -out ca.key 4096
~$ openssl req -new -x509 -key ca.key -out ca.crt

Signing the certificate

The next step is to sign the certificate provided, so you'll need the CSR you created for your site/application.

Personal tools
Namespaces

Variants
Actions
Navigation
Mediawiki
Confluence
DevOps Tools
Open Source Products
Ubuntu
Ubuntu 22
Mac OSX
Oracle Linux
AWS
Windows
OpenVPN
Grafana
InfluxDB2
TrueNas
MagicMirror
OwnCloud
Pivotal
osTicket
OTRS
phpBB
WordPress
VmWare ESXI 5.1
Crypto currencies
HTML
CSS
Python
Java Script
PHP
Raspberry Pi
Canvas LMS
Kaltura Media Server
Plex Media Server
MetaSploit
Zoneminder
ShinobiCE
Photoshop CS2
Fortinet
Uploaded
Certifications
General Info
Games
Meal Plans
NC Statutes
2020 Election
Volkswagen
Covid
NCDMV
Toolbox