OpenSSL: mudanças entre as edições

De Wiki Clusterlab.com.br
Ir para navegação Ir para pesquisar
 
(5 revisões intermediárias pelo mesmo usuário não estão sendo mostradas)
Linha 1: Linha 1:
=[[Encrypt File|Encrypt File]]=
=SSH=
==authorized_keys==
Bizu de como fazer banner durante o login do chave SSH.
<syntaxhighlight lang=bash style="border:1px dashed gray">
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ec2-user\" rather than the user \"root\".';echo;sleep 10" <key content here>
</syntaxhighlight>
=Certificates=
*rootCA.key = chave privada do CA
*rootCA.key = chave privada do CA
*rootCA.pem = certificado raiz CA
*rootCA.pem = certificado raiz CA
Linha 4: Linha 12:
*device.csr = requisição de certificado
*device.csr = requisição de certificado
*device.crt = certificado do site
*device.crt = certificado do site
=ca=
==ca==
<syntaxhighlight lang=bash style="border:1px dashed gray">
<syntaxhighlight lang=bash style="border:1px dashed gray">
openssl genrsa -out rootCA.key 2048
openssl genrsa -out rootCA.key 2048
Linha 10: Linha 18:
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
</syntaxhighlight>
</syntaxhighlight>
=cert=
==cert==
<syntaxhighlight lang=bash style="border:1px dashed gray">
<syntaxhighlight lang=bash style="border:1px dashed gray">
openssl genrsa -out device.key 2048
openssl genrsa -out device.key 2048
Linha 16: Linha 24:
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -sha256
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -sha256
</syntaxhighlight>
</syntaxhighlight>
=Altname=
==Simple key and cert==
<syntaxhighlight lang=bash style="border:1px dashed gray">
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
</syntaxhighlight>
==Altname==
*Gera Chave Privada
*Gera Chave Privada
<syntaxhighlight lang=bash style="border:1px dashed gray">
<syntaxhighlight lang=bash style="border:1px dashed gray">
Linha 25: Linha 37:
openssl req -new -sha256 -key iam.key -out iam.csr -reqexts SAN -extensions SAN -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:iam')
openssl req -new -sha256 -key iam.key -out iam.csr -reqexts SAN -extensions SAN -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:iam')
</syntaxhighlight>
</syntaxhighlight>
=SSH=
 
==authorized_keys==
==PFX Files==
Bizu de como fazer banner durante o login do chave SSH.
===[https://wiki.cac.washington.edu/display/infra/Extracting+Certificate+and+Private+Key+Files+from+a+.pfx+File Extracting Certificate and Private Key Files from a .pfx File]===
<syntaxhighlight lang=bash style="border:1px dashed gray">
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ec2-user\" rather than the user \"root\".';echo;sleep 10" <key content here>
</syntaxhighlight>
=PFX Files=
==[https://wiki.cac.washington.edu/display/infra/Extracting+Certificate+and+Private+Key+Files+from+a+.pfx+File Extracting Certificate and Private Key Files from a .pfx File]==
Take the file you exported (e.g. certname.pfx) and copy it to a system where you have OpenSSL installed. Note: the *.pfx file is in PKCS#12 format and includes both the certificate and the private key.
Take the file you exported (e.g. certname.pfx) and copy it to a system where you have OpenSSL installed. Note: the *.pfx file is in PKCS#12 format and includes both the certificate and the private key.
-----
-----
Linha 48: Linha 55:
</pre>
</pre>


==Creating a PFX file==
===Creating a PFX file===
<syntaxhighlight lang=bash style="border:1px dashed gray">
<syntaxhighlight lang=bash style="border:1px dashed gray">
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt
</syntaxhighlight>
</syntaxhighlight>
=Get Certificate Revocation Date/Time=
==Get Certificate Revocation Date/Time==
<syntaxhighlight lang=bash>
<syntaxhighlight lang=bash>
function GET_REVOCATION() {
function GET_REVOCATION() {
 
    export CRLFILE=$(mktemp)
     wget $(openssl x509 -in $1 -noout -text | grep crl | sed -e "s/URI://g" -e "s/. //g") -O arq.crl
    echo $CRLFILE
     openssl x509 -in $1  -noout -ocsp_uri
     wget $(openssl x509 -in $1 -noout -text | grep crl | sed -e "s/URI://g" -e "s/. //g") -O $CRLFILE
     openssl crl -inform DER -text -in arq.crl
     #openssl x509 -in $1  -noout -ocsp_uri
     openssl crl -inform DER -text -in arq.crl | grep $(openssl x509 -in $1  -noout -serial)
     #openssl crl -inform DER -text -in $CRLFILE
     openssl crl -inform DER -text -in $CRLFILE | grep $(openssl x509 -in $1  -noout -serial)
}
}
$ GET_REVOCATION company.crt
</syntaxhighlight>
</syntaxhighlight>


=Displaying a remote SSL certificate details=
==Displaying a remote SSL certificate details==
<syntaxhighlight lang=bash style="border:1px dashed gray">
<syntaxhighlight lang=bash style="border:1px dashed gray">
export SITE=wiki.clusterlab.com.br
export SITE=wiki.clusterlab.com.br
Linha 69: Linha 78:
sed -n "/BEGIN CERTIFICATE/,/END CERTIFICATE/p"
sed -n "/BEGIN CERTIFICATE/,/END CERTIFICATE/p"
</syntaxhighlight>
</syntaxhighlight>
=Create a JKS=
==Displaying a Local SSL certificate details, from file==
<syntaxhighlight lang=bash style="border:1px dashed gray">
openssl x509 -inform <pem|der> -noout -text -in 'cerfile.cer';
</syntaxhighlight>
 
==Create a JKS==
<syntaxhighlight lang=bash>
<syntaxhighlight lang=bash>
# From Key and CRT:
# From Key and CRT:

Edição atual tal como às 13h04min de 21 de novembro de 2024

Encrypt File

SSH

authorized_keys

Bizu de como fazer banner durante o login do chave SSH. 

no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ec2-user\" rather than the user \"root\".';echo;sleep 10" <key content here>

Certificates

  • rootCA.key = chave privada do CA
  • rootCA.pem = certificado raiz CA
  • device.key = chave privada do certificado
  • device.csr = requisição de certificado
  • device.crt = certificado do site

ca

openssl genrsa -out rootCA.key 2048
openssl genrsa -des3 -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

cert

openssl genrsa -out device.key 2048
openssl req -new -key device.key -out device.csr
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -sha256

Simple key and cert

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365

Altname

  • Gera Chave Privada
openssl genrsa -out iam.key 2048
  • Gera CSR com base na chave privada gerada e adicionando o parâmetro de SubjectAltName
openssl req -new -sha256 -key iam.key -out iam.csr -reqexts SAN -extensions SAN -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:iam')

PFX Files

Extracting Certificate and Private Key Files from a .pfx File

Take the file you exported (e.g. certname.pfx) and copy it to a system where you have OpenSSL installed. Note: the *.pfx file is in PKCS#12 format and includes both the certificate and the private key.

Run the following command to export the private key: 

openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes

Run the following command to export the certificate: 

openssl pkcs12 -in certname.pfx -nokeys -out cert.crt

Run the following command to remove the passphrase from the private key: 

openssl rsa -in key.pem -out server.key

Creating a PFX file

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt

Get Certificate Revocation Date/Time

function GET_REVOCATION() {
    export CRLFILE=$(mktemp)
    echo $CRLFILE
    wget $(openssl x509 -in $1 -noout -text | grep crl | sed -e "s/URI://g" -e "s/. //g") -O $CRLFILE
    #openssl x509 -in $1  -noout -ocsp_uri
    #openssl crl -inform DER -text -in $CRLFILE 
    openssl crl -inform DER -text -in $CRLFILE | grep $(openssl x509 -in $1  -noout -serial)
}
$ GET_REVOCATION company.crt

Displaying a remote SSL certificate details

export SITE=wiki.clusterlab.com.br
openssl s_client -showcerts -servername $SITE -connect $SITE:443 | \
sed -n "/BEGIN CERTIFICATE/,/END CERTIFICATE/p"

Displaying a Local SSL certificate details, from file

openssl x509 -inform <pem|der> -noout -text -in 'cerfile.cer';

Create a JKS

# From Key and CRT:
$ openssl pkcs12 -export -in company.crt -inkey  company.key -name company.com -out company.p12 

# Type PKCS12:
$ keytool -importkeystore -destkeystore company.jks -srckeystore company.p12 -srcstoretype PKCS12 -deststoretype pkcs12

# TYPE JKS:
$ keytool -importkeystore -destkeystore company.jks -srckeystore company.p12 -srcstoretype PKCS12 -deststoretype jks

# With more options
$ keytool \
  -importkeystore  \
  -srckeystore company.p12 \
  -destkeystore company.jks \
  -srcstoretype PKCS12 \
  -deststoretype jks \
  -srcstorepass mystorepass \
  -deststorepass myotherstorepass \
  -srcalias myserverkey \
  -destalias myotherserverkey \
  -srckeypass mykeypass \
  -destkeypass myotherkeypass

Links

Disponível em “https://wiki.clusterlab.com.br/index.php?title=OpenSSL&oldid=1362