SSL

This page shows how to create, request, install and manage SSL Certificates.

Extra info can also be found on Certificates and Keystores and Converting.

Strip a password from a Base64 file that has both certificate and key.

openssl rsa -in [file1.key] -out [file2.key]

Add a password to a Base64 file that is not

openssl rsa -aes256 -in your.key -out your.encrypted.key

This is on Nginx and we append intermediate.pem to the end of certfile.pem

sudo cat /etc/nginx/certs/intermediate.pem >> /etc/nginx/certs/certfile.pem

sudo systemctl restart nginx

Generate Private Key:

openssl genrsa -out myCA.key 2048

Create Self-Signed Certificate:

openssl req -new -x509 -days 3650 -key myCA.key -out myCA.pem -subj "/C=GB/O=Vendor/CN=Lab Root CA" -addext "keyUsage = critical, keyCertSign, cRLSign"

Verify Certificate:

openssl x509 -in myCA.pem -text -noout

Create Web Certificate and Key

certtool --generate-certificate --outfile webserver.pem --load-ca-certificate myCA.pem --load-ca-privkey myCA.key --load-privkey webserver.key

CAs should include a Subject Key Identifier in all CA certificates.

Create web Certificate Signing Request AND new key

openssl req -newkey rsa:2048 -keyout webserver.key -out webserver.csr

Certificate information is of the following form

CN = server.example.com
OU = Department
O = Company Name
L = City
ST = County
C = GB

Use these instructions for Apache HTTP server as well.

For the purposes of this example, we will be storing the certificates and keys in the /etc/nginx/conf.d directory. Alter as appropriate. In this example, we will generate a certificate for server.example.com that, internally, is server.example.com.

1. Generate a CSR (certificate signing request) and server key using the following commands. Note that CN= must match the full, publicly visible hostname of the web server, which is not necessarily the hostname of the box.

   PUBLIC_HOSTNAME=server.example.comk
KEYSTORE=/etc/nginx/conf.d
MACHINE=`hostname -s`
openssl req -new -newkey rsa:2048 -nodes -out ${KEYSTORE}/${MACHINE}.csr \
-keyout ${KEYSTORE}/${MACHINE}.key \
-subj "/C=GB/ST=County/L=City/O=Company Name/OU=Department/CN=${PUBLIC_HOSTNAME}"

2. Print the CSR to the screen. Keep this screen open as you will need to copy and paste the information soon.

   cat ${KEYSTORE}/${MACHINE}.csr

3. Use the CSR to get a Certificate from the CA.
4. In this example, we download from Thawte who provide the intermediate certificate along with the server certificate in a zip file.
5. Log into the server as root and run the following to ensure that the variables set before are still valid

   KEYSTORE=/etc/nginx/conf.d
MACHINE=`hostname -s`
FILENAME=GBORDER01.zip


6. Unzip the zip file

   unzip ${KEYSTORE}/${FILENAME} -d ${KEYSTORE}

7. Concatenate the Intermediate Certificate with the servers Certificate

   cat ${KEYSTORE}/IntermediateCA.crt >> ${KEYSTORE}/ssl_certificate.crt

8. Rename the ssl_certificate.crt file

   mv ${KEYSTORE}/ssl_certificate.crt ${KEYSTORE}/${MACHINE}.crt

9. Remove the zip file and the getting_started.txt file

   rm -f ${KEYSTORE}/${FILENAME} ${KEYSTORE}/getting_started.txt ${KEYSTORE}/IntermediateCA.crt

10. Set correct permissions for the certificate files

    chmod 400 ${KEYSTORE}/${MACHINE}.crt
chmod 400 ${KEYSTORE}/${MACHINE}.key
chcon -h -t httpd_config_t ${KEYSTORE}/${MACHINE}.crt
chcon -h -t httpd_config_t ${KEYSTORE}/${MACHINE}.key

11. Ensure that /etc/nginx/conf.d/default.conf has the following two lines (alter the path and file names as appropriate

    ssl_certificate      /etc/nginx/conf.d/server.crt;
ssl_certificate_key  /etc/nginx/conf.d/server.key;

12. Restart Nginx

    service nginx restart

For the purposes of this example, we will be storing the certificates and keys in the /etc/nginx/conf.d directory. Alter as appropriate. In this example, we will generate a certificate for server.example.com.

1. Start off by setting some variables to make our lives easier

   PUBLIC_HOSTNAME=server.example.com
KEYSTORE=/etc/nginx/conf.d
MACHINE=`hostname -s`

2. Now we generate the private key

   openssl genrsa -des3 -out ${KEYSTORE}/${MACHINE}.key 2048

3. Generate the self-signed certificate

   openssl req -new -x509 -days 1825 -key ${KEYSTORE}/${MACHINE}.key -out ${KEYSTORE}/${MACHINE}.crt -subj "/C=GB/ST=County/L=City/O=Company Name/OU=Department/CN=${PUBLIC_HOSTNAME}"

4. If we use the certificate 'as-is' then we will not be able to start Nginx without typing in the certificate password. Obviously we don't want to do this so we strip the password off using the following commands

   cp ${KEYSTORE}/${MACHINE}.key ${KEYSTORE}/${MACHINE}.key.original
openssl rsa -in ${KEYSTORE}/${MACHINE}.key.original -out ${KEYSTORE}/${MACHINE}.key
rm -f ${KEYSTORE}/${MACHINE}.key.original

5. Set correct permissions for the certificate files

   chmod 400 ${KEYSTORE}/${MACHINE}.crt
chmod 400 ${KEYSTORE}/${MACHINE}.key
chcon -h -t httpd_config_t ${KEYSTORE}/${MACHINE}.crt
chcon -h -t httpd_config_t ${KEYSTORE}/${MACHINE}.key

6. Ensure that /etc/nginx/conf.d/default.conf has the following two lines (alter the path and file names as appropriate

   ssl_certificate      /etc/nginx/conf.d/server.crt;
ssl_certificate_key  /etc/nginx/conf.d/server.key;

7. Restart Nginx

   service nginx restart

1. Log onto Tomcat server as 'tomcat'.
2. Set up variables to make the following commands easier to adjust per server. Edit as appropriate

   KEYSTORE=/tomcat/base/keystore
NEW_KEYSTORE=${KEYSTORE}/new
PUBLIC_HOSTNAME=server.example.com
MACHINE=`hostname -s`

3. Make a new directory (in this case we call it 'new' but you may need to alter this if it already exists, etc)

   mkdir -p ${NEW_KEYSTORE}

4. Create the keystore. At all times use the password listed in /tomcat/base/instance/conf/server.xml as 'keystorePass='.

   keytool -genkey -alias ${PUBLIC_HOSTNAME} -keyalg RSA -keysize 2048 -keystore ${NEW_KEYSTORE}/keystore.new \
-dname "CN=${PUBLIC_HOSTNAME}, OU=Department, O=\"Company Name\", L=City, ST=County, C=GB"

5. Create the CSR (Certificate Signing Request)

   keytool -certreq -alias ${PUBLIC_HOSTNAME} -file ${NEW_KEYSTORE}/${MACHINE}.csr -keystore ${NEW_KEYSTORE}/keystore.new

6. Print the certificate signing request to screen so you can copy the data to the Thwate web page

   cat ${NEW_KEYSTORE}/${MACHINE}.csr

7. Use the CSR to get a certificate from the CA. In this example, we use Thawte who provide the Intermediate Certificate along with the Server Certificate in a zip file.
8. Extract the file “ssl_certificate.p7b” from this zip file and upload it to the ${NEW_KEYSTORE} directory that you set earlier. Be sure to upload it as the user Tomcat to ensure correct file permissions.
9. Log into the server as root and run the following to ensure that the variables set before are still valid

   KEYSTORE=/webapp/base/keystore
NEW_KEYSTORE=${KEYSTORE}/new
PUBLIC_HOSTNAME=server.example.com
MACHINE=`hostname -s`

10. Run the following command to add the certificate to the keystore

    keytool -import -alias ${PUBLIC_HOSTNAME} -trustcacerts -file ${NEW_KEYSTORE}/ssl_certificate.p7b -keystore ${NEW_KEYSTORE}/keystore.new

11. Remove p7b file as we no longer need it

    rm-f ${NEW_KEYSTORE}/ssl_certificate.p7b

12. Set correct permissions for the certificate files

    chmod 400 ${NEW_KEYSTORE}/keystore.new

13. Stop Tomcat

    service tomcat stop

14. Move existing keystore

    mk ${KEYSTORE}/keystore.jks ${KEYSTORE}/keystore.jks.old

15. Place in new keystore

    cp ${NEW_KEYSTORE}/keystore.new ${KEYSTORE}/keystore.jks

16. Start Tomcat

    service tomcat start

17. If it all goes well, the clean up with the following commands

    rm -rf ${NEW_KEYSTORE} ${KEYSTORE}/keystore.jks.old

1. Log onto Tomcat server as 'tomcat'.
2. Set up variables to make the following commands easier to adjust per server. Edit as appropriate

   KEYSTORE=/tomcat/base/keystore
NEW_KEYSTORE=${KEYSTORE}/new
PUBLIC_HOSTNAME=server.example.com
MACHINE=`hostname -s`

3. Create the new directory

   mkdir -p ${NEW_KEYSTORE}

4. Create a host private key using openSSL

   openssl genrsa -out ${NEW_KEYSTORE}/${MACHINE}.key 2048

5. Create a self-signed X509 certificate valid for five years

   openssl req -new -x509 -days 1825 -key ${NEW_KEYSTORE}/${MACHINE}.key -out ${NEW_KEYSTORE}/${MACHINE}.crt \
-subj "/C=GB/ST=County/L=City/O=Company Name/OU=IT/CN=${PUBLIC_HOSTNAME}"

6. Create a PKCS12 keystore and import the host certificate we just created

   openssl pkcs12 -export -out ${NEW_KEYSTORE}/keystore.new -in ${NEW_KEYSTORE}/${MACHINE}.crt -inkey ${NEW_KEYSTORE}/${MACHINE}.key

7. Convert the PKCS12 keystore to Java keystore using Java keytool.

   keytool -importkeystore -srckeystore ${NEW_KEYSTORE}/keystore.new -srcstoretype PKCS12 -destkeystore ${NEW_KEYSTORE}/keystore.jks -deststoretype JKS

8. Change password of keystore

   keytool -storepasswd -keystore ${NEW_KEYSTORE}/keystore.jks

9. Change password of key in keystore

   keytool -keypasswd -alias 1 -new <new_pass> -keystore ${NEW_KEYSTORE}/keystore.jks

10. Remove p7b file as we no longer need it

    rm-f ${NEW_KEYSTORE}/ssl_certificate.p7b

11. Set correct permissions for the certificate files

    chmod 400 ${NEW_KEYSTORE}/keystore.jks

12. Stop Tomcat

    service tomcat stop

13. Move existing keystore

    mk ${KEYSTORE}/keystore.jks ${KEYSTORE}/keystore.jks.old

14. Place in new keystore

    cp ${NEW_KEYSTORE}/keystore.jks ${KEYSTORE}/keystore.jks

15. Start Tomcat

    service tomcat start

16. If it all goes well, the clean up with the following commands

    rm -rf ${NEW_KEYSTORE} ${KEYSTORE}/keystore.jks.old

This sections information comes from this useful page.

The first thing we have to understand is what each type of file extension is. There is a lot of confusion about what DER, PEM, CRT, and CER are and many have incorrectly said that they are all interchangeable. While in certain cases some can be interchanged the best practice is to identify how your certificate is encoded and then label it correctly. Correctly labeled certificates will be much easier to manipulate. Encodings (also used as extensions)

• .DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension. Proper English usage would be “I have a DER encoded certificate” not “I have a DER certificate”.
• .PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “—– BEGIN …” line.

Common Extensions

• .CSR = Certificate Signing Request. This file is submitted to the CA (certificate authority). You will get a certificate back that can be used in conjunction with the key used to generate the CSR.
• .CRT or .CER = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous. The CRT extension is common among *nix systems. The .cer file extension is also recognized by IE as a command to run a MS cryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and/or viewing certificate contents.
• .KEY = The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.

Create a script

#!/bin/sh
 
usage() {
    ex="${1:-0}"
    echo "Usage: $0 <host> [<port>]"
    echo "\n\tPort will be set to 443 by default"
    exit $ex
}
 
host="$1"
if [ -z $host ] ; then
    usage 1
fi
port="${2:-443}"
ssl=/usr/bin/openssl
cu=/usr/bin/certutil
tmp="/tmp/certtemp"
 
trap 'rm $tmp' 1 2 3 15
 
echo |
    openssl s_client -connect $host:$port 2>&1 |
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > $tmp
certutil -d sql:$HOME/.pki/nssdb -A -t CP,,C -n "$host" -i $tmp
rm $tmp

Run

vi cert_import.sh
chmod a+x ./cert_import.sh 
./cert_import.sh server.example.com

Assuming that the csr is in the file /tmp/test.csr

openssl req -in /tmp/test.csr -noout -text

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private.key

First, if the source file is a binary p7b file, convert it to the text based PEM format

openssl pkcs7 -in inputfile.p7b -inform DER -out outputfile.pem -print_certs

Now create the pkcs12 file that will contain your private key and the certification chain:

openssl pkcs12 -export -inkey your_private_key.key  -in your_certificate.pem -name my_name -out final_result.pfx

openssl x509 -pubkey -noout -in cert.pem  > pubkey.pem

To extract the key and certificate from a PFX file, run the following openssl command. If the cert.pfx file has a password, the command above will prompt you to enter the password. It will then generate details.txt. You have to open details.txt in a text editor.

openssl pkcs12 -in /home/user/documents/cert.pfx -out /home/user/documents/details.txt -nodes -legacy

You will see the private key (without a password) between

-----BEGIN PRIVATE KEY-----

and

-----END PRIVATE KEY-----

Copy that (including the —–BEGIN PRIVATE KEY—– and the —–END PRIVATE KEY—–) into a new file and save as private.key.

You will see the certificate between

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Copy that (including the —–BEGIN CERTIFICATE—– and the —–END CERTIFICATE—–) into a new file and save as public-cert.crt.

You can get a similar result with the following commands that will include the metadata in the output that needs to be removed but will do a specific part (the first extracts the key + meta data and the second extracts the certificate + meta data). In both cases, edit the file to remove the metadata. The first line of the file should start with —–BEGIN and the last line should start with —–END

Extract Private Key from PFX

openssl pkcs12 -in /home/user/documents/cert.pfx -nocerts -out /home/user/documents/private-key.pem -legacy

Extract Certificate from PFX

openssl pkcs12 -in /home/user/documents/cert.pfx -nokeys -out /home/user/documents/certificate.pem -legacy