======SSL======
=====Overview=====
This page shows how to create, request, install and manage SSL Certificates.
Extra information can be found in these sslshopper pages on [[http://www.sslshopper.com/article-most-common-openssl-commands.html|Certificates]], [[https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html|Keystores]] and [[https://www.sslshopper.com/ssl-converter.html|Converting]].
=====Strip Password from Base64=====
Strip a password from a Base64 file that has both certificate and key.
<code bash>
openssl rsa -in [file1.key] -out [file2.key]
</code>
=====Add Password to Base64=====
Add a password to a Base64 file that is not
<code bash>
openssl rsa -aes256 -in your.key -out your.encrypted.key
</code>
===== Make LetsEncrypt Cert a Full Chain =====
This is on Nginx: we append intermediate.pem to the end of certfile.pem so that the file referenced by ''ssl_certificate'' holds the server certificate first, followed by the intermediate. Note that ''sudo cat file >> target'' does not work when the target is writable only by root, because the ''>>'' redirection is performed by your unprivileged shell, not by sudo; run the whole pipeline under a root shell instead.
<code bash>
sudo sh -c 'cat /etc/nginx/certs/intermediate.pem >> /etc/nginx/certs/certfile.pem'
sudo systemctl restart nginx
</code>
===== Create Root CA and Web Cert =====
Generate the CA private key:
<code bash>
openssl genrsa -out myCA.key 2048
</code>
Create the self-signed CA certificate:
<code bash>
openssl req -new -x509 -days 3650 -key myCA.key -out myCA.pem -subj "/C=GB/O=Vendor/CN=Lab Root CA" -addext "keyUsage = critical, keyCertSign, cRLSign"
</code>
Verify the certificate:
<code bash>
openssl x509 -in myCA.pem -text -noout
</code>
Create the web certificate, signed by the CA, with GnuTLS certtool. The key passed to ''--load-privkey'' must already exist (for example from the CSR step below):
<code bash>
certtool --generate-certificate --outfile webserver.pem --load-ca-certificate myCA.pem --load-ca-privkey myCA.key --load-privkey webserver.key
</code>
CAs should include a Subject Key Identifier in all CA certificates.
Create the web Certificate Signing Request AND a new key:
<code bash>
openssl req -newkey rsa:2048 -keyout webserver.key -out webserver.csr
</code>
=====SSL Info=====
Certificate subject information is of the following form:
<code>
CN = server.example.com
OU = Department
O = Company Name
L = City
ST = County
C = GB
</code>
=====Nginx=====
Use these instructions for Apache HTTP server as well.
====Nginx CA Signed Certificate====
For the purposes of this example, we will be storing the certificates and keys in the /etc/nginx/conf.d directory. Alter as appropriate. In this example, we will generate a certificate for the public hostname server.example.com; the machine's own short hostname is used only to name the files.
  - Generate a CSR (certificate signing request) and server key using the following commands. Note that CN= must match the full, publicly visible hostname of the web server, which is not necessarily the hostname of the box.
<code bash>
PUBLIC_HOSTNAME=server.example.com
KEYSTORE=/etc/nginx/conf.d
MACHINE=`hostname -s`
openssl req -new -newkey rsa:2048 -nodes -out ${KEYSTORE}/${MACHINE}.csr \
    -keyout ${KEYSTORE}/${MACHINE}.key \
    -subj "/C=GB/ST=County/L=City/O=Company Name/OU=Department/CN=${PUBLIC_HOSTNAME}"
</code>
  - Print the CSR to the screen. Keep this screen open as you will need to copy and paste the information soon.
<code bash>
cat ${KEYSTORE}/${MACHINE}.csr
</code>
  - Use the CSR to get a certificate from the CA.
  - In this example, we download from Thawte, who provide the intermediate certificate along with the server certificate in a zip file.
  - Log into the server as root and run the following to ensure that the variables set before are still valid:
<code bash>
KEYSTORE=/etc/nginx/conf.d
MACHINE=`hostname -s`
FILENAME=GBORDER01.zip
</code>
  - Unzip the zip file:
<code bash>
unzip ${KEYSTORE}/${FILENAME} -d ${KEYSTORE}
</code>
  - Concatenate the intermediate certificate onto the end of the server's certificate (the server certificate must come first in the file):
<code bash>
cat ${KEYSTORE}/IntermediateCA.crt >> ${KEYSTORE}/ssl_certificate.crt
</code>
  - Rename the ssl_certificate.crt file:
<code bash>
mv ${KEYSTORE}/ssl_certificate.crt ${KEYSTORE}/${MACHINE}.crt
</code>
  - Remove the zip file, the getting_started.txt file and the now-merged intermediate certificate:
<code bash>
rm -f ${KEYSTORE}/${FILENAME} ${KEYSTORE}/getting_started.txt ${KEYSTORE}/IntermediateCA.crt
</code>
  - Set correct permissions (and the SELinux context) for the certificate files:
<code bash>
chmod 400 ${KEYSTORE}/${MACHINE}.crt
chmod 400 ${KEYSTORE}/${MACHINE}.key
chcon -h -t httpd_config_t ${KEYSTORE}/${MACHINE}.crt
chcon -h -t httpd_config_t ${KEYSTORE}/${MACHINE}.key
</code>
  - Ensure that /etc/nginx/conf.d/default.conf has the following two lines (alter the path and file names as appropriate):
<code nginx>
ssl_certificate /etc/nginx/conf.d/server.crt;
ssl_certificate_key /etc/nginx/conf.d/server.key;
</code>
  - Restart Nginx:
<code bash>
service nginx restart
</code>
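The procedures above (the root CA and web certificate section, the full-chain concatenation, and the CA-signed Nginx steps just listed) produce files that are easy to get subtly wrong: a key that does not belong to the certificate, a CA without a Subject Key Identifier, a certificate with no SAN, or a bundle with the intermediate before the server certificate. The script below is an added example, not code from the original page: it builds a lab CA and server certificate with the extensions a CA and a leaf should carry, and then runs the checks worth doing before a web server is restarted with the new files. The directory layout, the 825-day leaf validity and the hostname server.example.com are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page: build a lab root CA, issue a
# server certificate under it, and check key/cert match and chain order.
# File names under the target directory and the hostname are constructed.
set -eu

# build_pki DIR HOST: writes ca.key, ca.pem, server.key, server.csr, server.pem.
build_pki() {
  dir="$1"; host="$2"

  # Root CA, self-signed via "x509 -req -signkey" with its extensions taken only
  # from the ext file, so nothing depends on the distro's openssl.cnf defaults.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -key "$dir/ca.key" -out "$dir/ca.csr" \
    -subj "/C=GB/O=Vendor/CN=Lab Root CA" 2>/dev/null
  cat > "$dir/ca.ext" <<EOF
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
    -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null

  # Server key and CSR. Browsers match the hostname against the SAN, not the CN.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=GB/O=Company Name/CN=$host" \
    -addext "subjectAltName = DNS:$host" 2>/dev/null

  # Sign the CSR. Extensions are given here because "x509 -req" does not copy
  # them from the request; the AKI links the leaf to the CA's SKI.
  cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  openssl x509 -req -days 825 -in "$dir/server.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null
}

# key_matches_cert KEY CERT: succeeds when the private key belongs to the
# certificate. Both commands emit the SubjectPublicKeyInfo as PEM, so the
# texts are identical exactly when the public keys are.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_fullchain LEAF CHAIN OUT: the file a web server should serve, leaf first.
make_fullchain() {
  cat "$1" "$2" > "$3"
}

# fullchain_ok CA BUNDLE HOST: the first certificate in BUNDLE must be the
# server certificate for HOST, and the leaf must chain to CA.
fullchain_ok() {
  # "x509 -in" reads only the first PEM block, which is how the order is checked.
  openssl x509 -in "$2" -noout -subject -nameopt RFC2253 2>/dev/null \
    | grep -q "CN=$3" || return 1
  openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$3" "$2" \
    >/dev/null 2>&1
}

# Stand-alone run: build everything in a temporary directory and report.
demo() {
  d=$(mktemp -d)
  build_pki "$d" server.example.com
  make_fullchain "$d/server.pem" "$d/ca.pem" "$d/fullchain.pem"
  key_matches_cert "$d/server.key" "$d/server.pem" && echo "key matches certificate"
  fullchain_ok "$d/ca.pem" "$d/fullchain.pem" server.example.com && echo "full chain verifies"
  rm -rf "$d"
}
demo
```

For a certificate issued by a commercial CA, ''key_matches_cert'' against the key from the CSR step and ''fullchain_ok'' with the CA's root as the first argument are the two checks to run on the concatenated file before restarting Nginx; a bundle with the intermediate first fails the order check, and a key/cert mismatch fails the first check.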
====Nginx Self Signed Certificate====
For the purposes of this example, we will be storing the certificates and keys in the /etc/nginx/conf.d directory. Alter as appropriate. In this example, we will generate a certificate for server.example.com.
  - Start off by setting some variables to make our lives easier:
<code bash>
PUBLIC_HOSTNAME=server.example.com
KEYSTORE=/etc/nginx/conf.d
MACHINE=`hostname -s`
</code>
  - Now we generate the private key:
<code bash>
openssl genrsa -des3 -out ${KEYSTORE}/${MACHINE}.key 2048
</code>
  - Generate the self-signed certificate:
<code bash>
openssl req -new -x509 -days 1825 -key ${KEYSTORE}/${MACHINE}.key -out ${KEYSTORE}/${MACHINE}.crt -subj "/C=GB/ST=County/L=City/O=Company Name/OU=Department/CN=${PUBLIC_HOSTNAME}"
</code>
  - If we use the key 'as-is' then we will not be able to start Nginx without typing in the key's password. Obviously we don't want to do this, so we strip the password off using the following commands:
<code bash>
cp ${KEYSTORE}/${MACHINE}.key ${KEYSTORE}/${MACHINE}.key.original
openssl rsa -in ${KEYSTORE}/${MACHINE}.key.original -out ${KEYSTORE}/${MACHINE}.key
rm -f ${KEYSTORE}/${MACHINE}.key.original
</code>
  - Set correct permissions (and the SELinux context) for the certificate files:
<code bash>
chmod 400 ${KEYSTORE}/${MACHINE}.crt
chmod 400 ${KEYSTORE}/${MACHINE}.key
chcon -h -t httpd_config_t ${KEYSTORE}/${MACHINE}.crt
chcon -h -t httpd_config_t ${KEYSTORE}/${MACHINE}.key
</code>
  - Ensure that /etc/nginx/conf.d/default.conf has the following two lines (alter the path and file names as appropriate):
<code nginx>
ssl_certificate /etc/nginx/conf.d/server.crt;
ssl_certificate_key /etc/nginx/conf.d/server.key;
</code>
  - Restart Nginx:
<code bash>
service nginx restart
</code>
=====Tomcat=====
====Tomcat CA Signed Certificate====
  - Log onto the Tomcat server as 'tomcat'.
  - Set up variables to make the following commands easier to adjust per server. Edit as appropriate:
<code bash>
KEYSTORE=/tomcat/base/keystore
NEW_KEYSTORE=${KEYSTORE}/new
PUBLIC_HOSTNAME=server.example.com
MACHINE=`hostname -s`
</code>
  - Make a new directory (in this case we call it 'new', but you may need to alter this if it already exists, etc.):
<code bash>
mkdir -p ${NEW_KEYSTORE}
</code>
  - Create the keystore. At all times use the password listed in /tomcat/base/instance/conf/server.xml as 'keystorePass='.
<code bash>
keytool -genkey -alias ${PUBLIC_HOSTNAME} -keyalg RSA -keysize 2048 -keystore ${NEW_KEYSTORE}/keystore.new \
    -dname "CN=${PUBLIC_HOSTNAME}, OU=Department, O=\"Company Name\", L=City, ST=County, C=GB"
</code>
  - Create the CSR (Certificate Signing Request):
<code bash>
keytool -certreq -alias ${PUBLIC_HOSTNAME} -file ${NEW_KEYSTORE}/${MACHINE}.csr -keystore ${NEW_KEYSTORE}/keystore.new
</code>
  - Print the certificate signing request to screen so you can copy the data to the Thawte web page:
<code bash>
cat ${NEW_KEYSTORE}/${MACHINE}.csr
</code>
  - Use the CSR to get a certificate from the CA. In this example, we use Thawte, who provide the intermediate certificate along with the server certificate in a zip file.
  - Extract the file "ssl_certificate.p7b" from this zip file and upload it to the ${NEW_KEYSTORE} directory that you set earlier. Be sure to upload it as the tomcat user to ensure correct file permissions.
  - Log into the server as root and run the following to ensure that the variables set before are still valid:
<code bash>
KEYSTORE=/webapp/base/keystore
NEW_KEYSTORE=${KEYSTORE}/new
PUBLIC_HOSTNAME=server.example.com
MACHINE=`hostname -s`
</code>
  - Run the following command to add the certificate to the keystore. The alias must be the same one used for -genkey so that keytool treats the PKCS#7 bundle as the reply for that key rather than as a new trusted certificate:
<code bash>
keytool -import -alias ${PUBLIC_HOSTNAME} -trustcacerts -file ${NEW_KEYSTORE}/ssl_certificate.p7b -keystore ${NEW_KEYSTORE}/keystore.new
</code>
  - Remove the p7b file as we no longer need it:
<code bash>
rm -f ${NEW_KEYSTORE}/ssl_certificate.p7b
</code>
  - Set correct permissions for the keystore file:
<code bash>
chmod 400 ${NEW_KEYSTORE}/keystore.new
</code>
  - Stop Tomcat:
<code bash>
service tomcat stop
</code>
  - Move the existing keystore aside:
<code bash>
mv ${KEYSTORE}/keystore.jks ${KEYSTORE}/keystore.jks.old
</code>
  - Put the new keystore in place:
<code bash>
cp ${NEW_KEYSTORE}/keystore.new ${KEYSTORE}/keystore.jks
</code>
  - Start Tomcat:
<code bash>
service tomcat start
</code>
  - If it all goes well, clean up with the following command:
<code bash>
rm -rf ${NEW_KEYSTORE} ${KEYSTORE}/keystore.jks.old
</code>
====Tomcat Self Signed Certificate====
  - Log onto the Tomcat server as 'tomcat'.
  - Set up variables to make the following commands easier to adjust per server. Edit as appropriate:
<code bash>
KEYSTORE=/tomcat/base/keystore
NEW_KEYSTORE=${KEYSTORE}/new
PUBLIC_HOSTNAME=server.example.com
MACHINE=`hostname -s`
</code>
  - Create the new directory:
<code bash>
mkdir -p ${NEW_KEYSTORE}
</code>
  - Create a host private key using OpenSSL:
<code bash>
openssl genrsa -out ${NEW_KEYSTORE}/${MACHINE}.key 2048
</code>
  - Create a self-signed X509 certificate valid for five years:
<code bash>
openssl req -new -x509 -days 1825 -key ${NEW_KEYSTORE}/${MACHINE}.key -out ${NEW_KEYSTORE}/${MACHINE}.crt \
    -subj "/C=GB/ST=County/L=City/O=Company Name/OU=IT/CN=${PUBLIC_HOSTNAME}"
</code>
  - Create a PKCS12 keystore and import the host certificate we just created:
<code bash>
openssl pkcs12 -export -out ${NEW_KEYSTORE}/keystore.new -in ${NEW_KEYSTORE}/${MACHINE}.crt -inkey ${NEW_KEYSTORE}/${MACHINE}.key
</code>
  - Convert the PKCS12 keystore to a Java keystore using Java keytool:
<code bash>
keytool -importkeystore -srckeystore ${NEW_KEYSTORE}/keystore.new -srcstoretype PKCS12 -destkeystore ${NEW_KEYSTORE}/keystore.jks -deststoretype JKS
</code>
  - Change the password of the keystore:
<code bash>
keytool -storepasswd -keystore ${NEW_KEYSTORE}/keystore.jks
</code>
  - Change the password of the key in the keystore. The alias is ''1'' because ''openssl pkcs12 -export'' was run without ''-name''; keytool prompts for the old and new key passwords:
<code bash>
keytool -keypasswd -alias 1 -keystore ${NEW_KEYSTORE}/keystore.jks
</code>
  - Remove the p7b file as we no longer need it:
<code bash>
rm -f ${NEW_KEYSTORE}/ssl_certificate.p7b
</code>
  - Set correct permissions for the keystore file:
<code bash>
chmod 400 ${NEW_KEYSTORE}/keystore.jks
</code>
  - Stop Tomcat:
<code bash>
service tomcat stop
</code>
  - Move the existing keystore aside:
<code bash>
mv ${KEYSTORE}/keystore.jks ${KEYSTORE}/keystore.jks.old
</code>
  - Put the new keystore in place:
<code bash>
cp ${NEW_KEYSTORE}/keystore.jks ${KEYSTORE}/keystore.jks
</code>
  - Start Tomcat:
<code bash>
service tomcat start
</code>
  - If it all goes well, clean up with the following command:
<code bash>
rm -rf ${NEW_KEYSTORE} ${KEYSTORE}/keystore.jks.old
</code>
=====X509 File Extensions Info=====
This section's information comes from this [[http://www.gtopia.org/blog/2010/02/der-vs-crt-vs-cer-vs-pem-certificates/|useful page]].
The first thing we have to understand is what each type of file extension is. There is a lot of confusion about what DER, PEM, CRT, and CER are, and many have incorrectly said that they are all interchangeable. While in certain cases some can be interchanged, the best practice is to identify how your certificate is encoded and then label it correctly. Correctly labeled certificates will be much easier to manipulate.
**Encodings (also used as extensions)**
  * **.DER** = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension. Proper English usage would be "I have a DER encoded certificate" not "I have a DER certificate".
  * **.PEM** = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a "-----BEGIN ..." line.
**Common Extensions**
  * **.CSR** = Certificate Signing Request. This file is submitted to the CA (certificate authority). You will get a certificate back that can be used in conjunction with the key used to generate the CSR.
  * **.CRT** or **.CER** = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous. The CRT extension is common among *nix systems. The .cer file extension is also recognized by IE as a command to run a MS CryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and/or viewing certificate contents.
  * **.KEY** = The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.
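Since the extension says nothing reliable about the encoding, the practical move is to inspect the file itself. The script below is an added example, not code from the page it cites: it classifies a file as PEM or DER from its content (PEM armor line, or the ASN.1 SEQUENCE tag 0x30 that every DER certificate or key starts with), lists the object types inside a PEM file, and reports whether a PEM private key still carries a passphrase, which is the check to make before the "Strip Password" and "Add Password" commands earlier on this page. The sample files in the stand-alone run are constructed and hold placeholder bodies, not real certificates.

```shell
#!/bin/sh
# Added example, not from the original page: classify certificate and key
# files by content rather than by extension, and detect passphrase-protected
# PEM keys. Sample files are constructed placeholders.
set -u

# cert_encoding FILE: prints PEM, DER or UNKNOWN (always exits 0).
cert_encoding() {
  if [ ! -s "$1" ]; then echo UNKNOWN; return 0; fi
  if grep -q -- '^-----BEGIN ' "$1" 2>/dev/null; then echo PEM; return 0; fi
  # Every DER-encoded certificate or key starts with an ASN.1 SEQUENCE tag, 0x30.
  first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
  if [ "$first" = "30" ]; then echo DER; else echo UNKNOWN; fi
}

# pem_kinds FILE: comma-separated, sorted list of object types in a PEM file,
# e.g. "CERTIFICATE,PRIVATE KEY" for a file holding both.
pem_kinds() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | sort -u | tr '\n' ',' | sed 's/,$//'
}

# key_is_encrypted FILE: succeeds when the PEM private key is passphrase-protected,
# either PKCS#8 ("ENCRYPTED PRIVATE KEY") or legacy ("Proc-Type: 4,ENCRYPTED").
key_is_encrypted() {
  grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# to_pem FILE OUT: convert a DER certificate to PEM, or copy a PEM file unchanged.
to_pem() {
  case "$(cert_encoding "$1")" in
    PEM) cp "$1" "$2" ;;
    DER) openssl x509 -inform DER -in "$1" -out "$2" ;;
    *)   echo "unrecognised encoding: $1" >&2; return 1 ;;
  esac
}

# Stand-alone run against constructed files in a temporary directory.
demo() {
  d=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBmock' '-----END CERTIFICATE-----' > "$d/site.cer"
  printf '\060\202\001\000' > "$d/site.der"   # constructed: a DER SEQUENCE header only
  printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'MIIFmock' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$d/site.key"
  for f in site.cer site.der site.key; do
    echo "$f: $(cert_encoding "$d/$f")"
  done
  key_is_encrypted "$d/site.key" && echo "site.key: passphrase-protected"
  rm -rf "$d"
}
demo
```

''to_pem'' is the one function that needs openssl; the classifier and the passphrase check work on any file with only grep, od and sed, so they are safe to drop into a deployment script that refuses to install a key that still has a passphrase.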
=====Make Chrome Happy With Self Signed Certificates=====
====Windows====
====Linux====
Create a script (cert_import.sh) that fetches the certificate the server presents and adds it to the NSS database that Chrome on Linux reads from ~/.pki/nssdb:
<code bash>
#!/bin/sh
# Fetch a server's TLS certificate and import it into Chrome's NSS database,
# marking it as a trusted CA so the browser accepts the self-signed site.
usage() {
    ex="${1:-0}"
    echo "Usage: $0 <host> [<port>]"
    printf '\n\tPort will be set to 443 by default\n'
    exit "$ex"
}
host="$1"
if [ -z "$host" ] ; then
    usage 1
fi
port="${2:-443}"
ssl=/usr/bin/openssl
cu=/usr/bin/certutil
tmp=$(mktemp /tmp/certtemp.XXXXXX)
trap 'rm -f "$tmp"' 0 1 2 3 15
# Send the host name as SNI so a virtual host returns the right certificate,
# then keep only the PEM certificate block(s) from s_client's output.
echo |
    "$ssl" s_client -connect "$host:$port" -servername "$host" 2>&1 |
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$tmp"
# Trust flags "CP,,C": trusted CA and peer for SSL, trusted CA for object signing.
"$cu" -d sql:"$HOME/.pki/nssdb" -A -t CP,,C -n "$host" -i "$tmp"
rm -f "$tmp"
</code>
Run:
<code bash>
vi cert_import.sh
chmod a+x ./cert_import.sh
./cert_import.sh server.example.com
</code>
=====Check CSR Info=====
Assuming that the CSR is in the file /tmp/test.csr:
<code bash>
openssl req -in /tmp/test.csr -noout -text
</code>
=====Passwordless Key Generation=====
<code bash>
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private.key
</code>
=====Generate PKCS12=====
First, if the source file is a binary p7b file, convert it to the text-based PEM format:
<code bash>
openssl pkcs7 -in inputfile.p7b -inform DER -out outputfile.pem -print_certs
</code>
Now create the PKCS12 file that will contain your private key and the certificate chain:
<code bash>
openssl pkcs12 -export -inkey your_private_key.key -in your_certificate.pem -name my_name -out final_result.pfx
</code>
As written, the command packs only the certificate given with ''-in''; to include the intermediate certificates converted above, add ''-certfile outputfile.pem''.
=====Extract Public Key From Certificate=====
<code bash>
openssl x509 -pubkey -noout -in cert.pem > pubkey.pem
</code>
===== Extract Key and Certs from PFX =====
To extract the key and certificate from a PFX file, run the following openssl command. If the cert.pfx file has a password, the command will prompt you to enter it. It then writes details.txt, which you open in a text editor. (''-legacy'' is needed on OpenSSL 3 when the PFX was built with the older RC2/3DES algorithms; omit it on OpenSSL 1.1.)
<code bash>
openssl pkcs12 -in /home/user/documents/cert.pfx -out /home/user/documents/details.txt -nodes -legacy
</code>
You will see the private key (without a password) between
<code>
-----BEGIN PRIVATE KEY-----
</code>
and
<code>
-----END PRIVATE KEY-----
</code>
Copy that (including the ''-----BEGIN PRIVATE KEY-----'' and the ''-----END PRIVATE KEY-----'') into a new file and save it as ''private.key''.
You will see the certificate between
<code>
-----BEGIN CERTIFICATE-----
</code>
and
<code>
-----END CERTIFICATE-----
</code>
Copy that (including the ''-----BEGIN CERTIFICATE-----'' and the ''-----END CERTIFICATE-----'') into a new file and save it as ''public-cert.crt''.
You can get a similar result with the following two commands. Each extracts one specific part (the first the key, the second the certificate), but both include the bag-attribute metadata in their output, which needs to be removed. In both cases, edit the file so that its first line starts with ''-----BEGIN'' and its last line starts with ''-----END''.
**Extract Private Key from PFX**
<code bash>
openssl pkcs12 -in /home/user/documents/cert.pfx -nocerts -out /home/user/documents/private-key.pem -legacy
</code>
**Extract Certificate from PFX**
<code bash>
openssl pkcs12 -in /home/user/documents/cert.pfx -nokeys -out /home/user/documents/certificate.pem -legacy
</code>
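The manual copy-and-paste above is error-prone when the PFX carries a chain of several certificates. The script below is an added example, not code from the original page: it splits the combined ''-nodes'' output into ''private.key'', ''public-cert.crt'' and ''chain-N.crt'' files with the ''Bag Attributes'' lines dropped, and checks each result for the first-line ''-----BEGIN'' / last-line ''-----END'' rule stated above. The details.txt used in the stand-alone run is constructed with placeholder Base64 bodies.

```shell
#!/bin/sh
# Added example, not from the original page: split the combined PEM output of
# "openssl pkcs12 -nodes" into one file per object, dropping bag-attribute
# metadata, and check that each output is a bare PEM object.
set -u

# split_pem BUNDLE OUTDIR: first private key -> OUTDIR/private.key, first
# certificate -> OUTDIR/public-cert.crt, further certificates -> chain-N.crt.
# Prints the number of objects written.
split_pem() {
  awk -v out="$2" '
    /^-----BEGIN .*PRIVATE KEY-----$/ {
      if (!seen_key) { seen_key = 1; f = out "/private.key"; on = 1 } else on = 0
    }
    /^-----BEGIN CERTIFICATE-----$/ {
      n++; f = (n == 1) ? out "/public-cert.crt" : out "/chain-" (n - 1) ".crt"; on = 1
    }
    on { print > f }                 # lines outside a BEGIN/END block are dropped
    /^-----END / { if (on) { close(f); on = 0; written++ } }
    END { print written + 0 }
  ' "$1"
}

# pem_well_formed FILE: succeeds when the file is a bare PEM object: first line
# -----BEGIN, last line -----END, and only armor or Base64 lines in between.
pem_well_formed() {
  case "$(head -n 1 "$1")" in '-----BEGIN '*) ;; *) return 1 ;; esac
  case "$(tail -n 1 "$1")" in '-----END '*)   ;; *) return 1 ;; esac
  # any line that is neither an armor line nor Base64 is leftover metadata
  if grep -Ev '^(-----(BEGIN|END) [A-Z0-9 ]+-----|[A-Za-z0-9+/=]+)$' "$1" >/dev/null; then
    return 1
  fi
  return 0
}

# write_sample_bundle FILE: a constructed stand-in for details.txt with the
# metadata layout openssl pkcs12 produces (real Base64 bodies are much longer).
write_sample_bundle() {
  printf '%s\n' 'Bag Attributes' '    localKeyID: 01 02 03' '    friendlyName: my_name' \
    'subject=CN = server.example.com' 'issuer=CN = Lab Root CA' \
    '-----BEGIN CERTIFICATE-----' 'MIIBmock' '-----END CERTIFICATE-----' \
    'Bag Attributes' '    friendlyName: Lab Root CA' \
    '-----BEGIN CERTIFICATE-----' 'MIIBcamock' '-----END CERTIFICATE-----' \
    'Bag Attributes' '    localKeyID: 01 02 03' 'Key Attributes: <No Attributes>' \
    '-----BEGIN PRIVATE KEY-----' 'MIIEmock' '-----END PRIVATE KEY-----' > "$1"
}

# Stand-alone run in a temporary directory.
demo() {
  d=$(mktemp -d)
  write_sample_bundle "$d/details.txt"
  echo "objects written: $(split_pem "$d/details.txt" "$d")"
  for f in private.key public-cert.crt chain-1.crt; do
    pem_well_formed "$d/$f" && echo "$f: clean PEM"
  done
  rm -rf "$d"
}
demo
```

When openssl itself is available, the metadata can also be stripped without an editor: ''openssl pkey -in private-key.pem -out private.key'' and ''openssl x509 -in certificate.pem -out public-cert.crt'' each re-emit just the PEM object, and ''pem_well_formed'' confirms the result.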