OpenSSL: difference between revisions

From Wiki Clusterlab.com.br
Current revision as of 13:04, 21 November 2024

Encrypt File

SSH

authorized_keys

Tip: how to show a banner when someone logs in with an SSH key. The options below disable forwarding and force a command that only prints the message, so the key never gets a shell.

no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ec2-user\" rather than the user \"root\".';echo;sleep 10" <key content here>

Certificates

  • rootCA.key = CA private key
  • rootCA.pem = CA root certificate
  • device.key = private key of the certificate
  • device.csr = certificate signing request
  • device.crt = site certificate

ca

# CA private key: unencrypted, or (second form, with -des3) protected by a passphrase; pick one
openssl genrsa -out rootCA.key 2048
openssl genrsa -des3 -out rootCA.key 2048
# Self-signed root certificate, valid for 1024 days
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

cert

openssl genrsa -out device.key 2048
openssl req -new -key device.key -out device.csr
# Sign the CSR with the CA. Note: 'x509 -req' does not copy extensions (such as SubjectAltName) from the CSR unless -extfile (or, in OpenSSL 3, -copy_extensions copy) is given
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -sha256

Simple key and cert

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365

Altname

  • Generate the private key
openssl genrsa -out iam.key 2048
  • Generate a CSR from that private key, adding the SubjectAltName parameter
# <( ) is bash process substitution: the default openssl.cnf is extended with a [SAN] section; -reqexts SAN puts it into the CSR
openssl req -new -sha256 -key iam.key -out iam.csr -reqexts SAN -extensions SAN -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:iam'))
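The ca, cert and Altname steps above combined into one script, as an added example that is not part of the wiki. It assumes OpenSSL 1.1.1 or newer (for -addext and -ext), uses the wiki's file names and DNS:iam, and shows the caveat that 'openssl x509 -req' drops the CSR's SAN unless it is supplied again with -extfile:

```bash
#!/usr/bin/env bash
# Added example (not from the wiki): a minimal private CA issuing a server
# certificate with SubjectAltName preserved, followed by the checks a
# practitioner should run afterwards. Assumes OpenSSL >= 1.1.1 (-addext, -ext).
set -u

# Build CA + leaf certificate in directory $1 for hostname $2.
# Returns 0 when the chain verifies AND the leaf carries the expected SAN.
build_and_verify() {
    local d=$1 host=$2
    mkdir -p "$d" || return 1
    # Root CA: key and self-signed certificate in one step (unencrypted key)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1024 \
        -subj "/CN=Example Root CA" -keyout "$d/rootCA.key" -out "$d/rootCA.pem" 2>/dev/null || return 1
    # Leaf key + CSR that carries the SAN (replaces the openssl.cnf trick above)
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" -keyout "$d/device.key" -out "$d/device.csr" 2>/dev/null || return 1
    # 'openssl x509 -req' does NOT copy CSR extensions by default: the SAN
    # must be supplied again at signing time, here via -extfile.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$d/leaf.ext"
    openssl x509 -req -in "$d/device.csr" -CA "$d/rootCA.pem" -CAkey "$d/rootCA.key" \
        -CAcreateserial -days 500 -sha256 -extfile "$d/leaf.ext" -out "$d/device.crt" 2>/dev/null || return 1
    # Chain validity plus hostname match against the SAN (CN alone is not enough)
    openssl verify -CAfile "$d/rootCA.pem" -verify_hostname "$host" "$d/device.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$d/device.crt" -noout -ext subjectAltName | grep -q "DNS:$host"
}

# A certificate issued for another name must be rejected by hostname verification.
hostname_mismatch_rejected() {
    ! openssl verify -CAfile "$1/rootCA.pem" -verify_hostname wrong.example "$1/device.crt" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    build_and_verify "$work" iam && echo "chain verifies and SAN DNS:iam is present"
    hostname_mismatch_rejected "$work" && echo "wrong hostname is rejected"
fi
```

Run it as `bash script.sh demo`; the files land in a temporary directory so nothing in the current directory is overwritten.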

PFX Files

Extracting Certificate and Private Key Files from a .pfx File

Take the file you exported (e.g. certname.pfx) and copy it to a system where you have OpenSSL installed. Note: the *.pfx file is in PKCS#12 format and includes both the certificate and the private key.


Run the following command to export the private key (-nodes writes it unencrypted):

openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes

Run the following command to export the certificate:

openssl pkcs12 -in certname.pfx -nokeys -out cert.crt

Run the following command to remove the passphrase from the private key (only needed if the key was exported without -nodes):

openssl rsa -in key.pem -out server.key

Creating a PFX file

# -certfile adds intermediate/chain certificates to the bundle
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt
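The export and extraction steps of this section as a round trip, added here as an example that is not part of the wiki. It assumes OpenSSL 1.1.1 or newer, constructs its own throwaway key and certificate, passes the .pfx password through the environment (env:) instead of the command line, and ends with the check a practitioner wants after extraction: that the key really belongs to the certificate.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki): key/cert -> .pfx -> key/cert round trip,
# with the password supplied via an environment variable and a key/cert
# match check at the end. Assumes OpenSSL >= 1.1.1; file names are constructed.
set -u

# Throwaway self-signed key + cert in directory $1 (the "Simple key and cert"
# one-liner, plus -nodes and -subj so it runs non-interactively).
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=pfx-demo" \
        -keyout "$1/privateKey.key" -out "$1/certificate.crt" 2>/dev/null
}

# Export to .pfx and extract key and cert again. The password $2 is handed to
# openssl as env:PFXPASS, so it does not appear in 'ps' output or shell history.
pfx_roundtrip() {
    local d=$1
    PFXPASS=$2 openssl pkcs12 -export -out "$d/certificate.pfx" \
        -inkey "$d/privateKey.key" -in "$d/certificate.crt" -passout env:PFXPASS || return 1
    PFXPASS=$2 openssl pkcs12 -in "$d/certificate.pfx" -nocerts -nodes \
        -out "$d/key.pem" -passin env:PFXPASS || return 1
    PFXPASS=$2 openssl pkcs12 -in "$d/certificate.pfx" -nokeys \
        -out "$d/cert.crt" -passin env:PFXPASS || return 1
}

# Returns 0 when the public key inside cert $2 equals the public key derived
# from private key $1: the standard "does this key match this cert?" check.
key_matches_cert() {
    local kpub cpub
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# A wrong password must fail (MAC verification error), never yield a key file.
wrong_password_fails() {
    ! PFXPASS=not-the-password openssl pkcs12 -in "$1/certificate.pfx" -nocerts -nodes \
        -out /dev/null -passin env:PFXPASS 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_test_pair "$work" && pfx_roundtrip "$work" "s3cret-demo-pass" \
        && key_matches_cert "$work/key.pem" "$work/cert.crt" && echo "extracted key matches certificate"
    wrong_password_fails "$work" && echo "wrong password rejected"
fi
```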

Get Certificate Revocation Date/Time

# Downloads the certificate's CRL and prints the revocation entry (serial + revocation date) for it, if any.
# Requires OpenSSL >= 1.1.1 for -ext; the CRL is assumed to be DER-encoded, as in the original.
function GET_REVOCATION() {
    local CRLFILE CRLURI SERIAL
    CRLFILE=$(mktemp)
    echo "$CRLFILE"
    # CRL distribution point URI, taken only from that extension (not from the AIA/OCSP URIs)
    CRLURI=$(openssl x509 -in "$1" -noout -ext crlDistributionPoints | grep -o 'URI:[^[:space:]]*' | head -n1 | sed 's/^URI://')
    wget -q "$CRLURI" -O "$CRLFILE"
    # Serial in the form the CRL prints it ("Serial Number: <hex>"), without the "serial=" prefix
    SERIAL=$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)
    #openssl x509 -in "$1" -noout -ocsp_uri
    #openssl crl -inform DER -text -noout -in "$CRLFILE"
    # -A1 also shows the "Revocation Date:" line that follows the matching serial; no output means not revoked in this CRL
    openssl crl -inform DER -text -noout -in "$CRLFILE" | grep -A1 "Serial Number: $SERIAL"
}
$ GET_REVOCATION company.crt

Displaying a remote SSL certificate details

export SITE=wiki.clusterlab.com.br
# </dev/null closes s_client's stdin so it exits after the handshake instead of waiting for input
openssl s_client -showcerts -servername "$SITE" -connect "$SITE:443" </dev/null 2>/dev/null | \
sed -n "/BEGIN CERTIFICATE/,/END CERTIFICATE/p"

Displaying a Local SSL certificate details, from file

# -inform pem (text) or -inform der (binary), depending on how the file is encoded
openssl x509 -inform pem -noout -text -in cerfile.cer

Create a JKS

# From Key and CRT:
$ openssl pkcs12 -export -in company.crt -inkey company.key -name company.com -out company.p12

# Type PKCS12 (the destination is named .jks here but is a PKCS12 store; recent keytool versions default to PKCS12):
$ keytool -importkeystore -destkeystore company.jks -srckeystore company.p12 -srcstoretype PKCS12 -deststoretype pkcs12

# TYPE JKS:
$ keytool -importkeystore -destkeystore company.jks -srckeystore company.p12 -srcstoretype PKCS12 -deststoretype jks

# With more options (passwords given on the command line are visible in the process list and shell history; omit them and keytool prompts instead)
$ keytool \
  -importkeystore  \
  -srckeystore company.p12 \
  -destkeystore company.jks \
  -srcstoretype PKCS12 \
  -deststoretype jks \
  -srcstorepass mystorepass \
  -deststorepass myotherstorepass \
  -srcalias myserverkey \
  -destalias myotherserverkey \
  -srckeypass mykeypass \
  -destkeypass myotherkeypass

Links

  • https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309
  • https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate/43666288#43666288
  • https://github.com/Azure/azure-cli/blob/dev/doc/use_cli_effectively.md#working-behind-a-proxy