OpenSSL: mudanças entre as edições
		
		
		
		
| (17 revisões intermediárias pelo mesmo usuário não estão sendo mostradas) | |||
| Linha 1: | Linha 1: | ||
| =[[Encrypt File|Encrypt File]]= | |||
| =SSH= | |||
| ==authorized_keys== | |||
| Bizu de como fazer banner durante o login do chave SSH. | |||
| <syntaxhighlight lang=bash style="border:1px dashed gray"> | |||
| no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ec2-user\" rather than the user \"root\".';echo;sleep 10" <key content here> | |||
| </syntaxhighlight> | |||
| =Certificates= | |||
| *rootCA.key = chave privada do CA | *rootCA.key = chave privada do CA | ||
| *rootCA.pem = certificado raiz CA | *rootCA.pem = certificado raiz CA | ||
| Linha 4: | Linha 12: | ||
| *device.csr = requisição de certificado | *device.csr = requisição de certificado | ||
| *device.crt = certificado do site | *device.crt = certificado do site | ||
| =ca= | ==ca== | ||
| <syntaxhighlight lang=bash style="border: | <syntaxhighlight lang=bash style="border:1px dashed gray"> | ||
| openssl genrsa -out rootCA.key 2048 | openssl genrsa -out rootCA.key 2048 | ||
| openssl genrsa -des3 -out rootCA.key 2048 | openssl genrsa -des3 -out rootCA.key 2048 | ||
| openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem | openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem | ||
| </syntaxhighlight> | </syntaxhighlight> | ||
| =cert= | ==cert== | ||
| <syntaxhighlight lang=bash style="border: | <syntaxhighlight lang=bash style="border:1px dashed gray"> | ||
| openssl genrsa -out device.key 2048 | openssl genrsa -out device.key 2048 | ||
| openssl req -new -key device.key -out device.csr | openssl req -new -key device.key -out device.csr | ||
| openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -sha256 | openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -sha256 | ||
| </syntaxhighlight> | </syntaxhighlight> | ||
| =Altname= | ==Simple key and cert== | ||
| <syntaxhighlight lang=bash style="border:1px dashed gray"> | |||
| openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 | |||
| </syntaxhighlight> | |||
| ==Altname== | |||
| *Gera Chave Privada | *Gera Chave Privada | ||
| <syntaxhighlight lang=bash style="border: | <syntaxhighlight lang=bash style="border:1px dashed gray"> | ||
| openssl genrsa -out iam.key 2048 | openssl genrsa -out iam.key 2048 | ||
| </syntaxhighlight> | </syntaxhighlight> | ||
| *Gera CSR com base na chave privada gerada e adicionando o parâmetro de SubjectAltName | *Gera CSR com base na chave privada gerada e adicionando o parâmetro de SubjectAltName | ||
| <syntaxhighlight lang=bash style="border: | <syntaxhighlight lang=bash style="border:1px dashed gray"> | ||
| openssl req -new -sha256 -key iam.key -out iam.csr -reqexts SAN -extensions SAN -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:iam') | openssl req -new -sha256 -key iam.key -out iam.csr -reqexts SAN -extensions SAN -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:iam') | ||
| </syntaxhighlight> | </syntaxhighlight> | ||
| == | ==PFX Files== | ||
| ===[https://wiki.cac.washington.edu/display/infra/Extracting+Certificate+and+Private+Key+Files+from+a+.pfx+File Extracting Certificate and Private Key Files from a .pfx File]=== | |||
| = | |||
| ==[https://wiki.cac.washington.edu/display/infra/Extracting+Certificate+and+Private+Key+Files+from+a+.pfx+File Extracting Certificate and Private Key Files from a .pfx File]== | |||
| Take the file you exported (e.g. certname.pfx) and copy it to a system where you have OpenSSL installed. Note: the *.pfx file is in PKCS#12 format and includes both the certificate and the private key. | Take the file you exported (e.g. certname.pfx) and copy it to a system where you have OpenSSL installed. Note: the *.pfx file is in PKCS#12 format and includes both the certificate and the private key. | ||
| ----- | ----- | ||
| Linha 41: | Linha 48: | ||
| Run the following command to export the certificate:   | Run the following command to export the certificate:   | ||
| <pre> | <pre> | ||
| openssl pkcs12 -in certname.pfx -nokeys -out cert. | openssl pkcs12 -in certname.pfx -nokeys -out cert.crt | ||
| </pre> | </pre> | ||
| Run the following command to remove the passphrase from the private key:   | Run the following command to remove the passphrase from the private key:   | ||
| Linha 48: | Linha 55: | ||
| </pre> | </pre> | ||
| ==Creating a PFX file== | ===Creating a PFX file=== | ||
| <syntaxhighlight lang=bash style="border: | <syntaxhighlight lang=bash style="border:1px dashed gray"> | ||
| openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt | openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt | ||
| </syntaxhighlight> | |||
| ==Get Certificate Revocation Date/Time== | |||
| <syntaxhighlight lang=bash> | |||
| function GET_REVOCATION() { | |||
|     export CRLFILE=$(mktemp) | |||
|     echo $CRLFILE | |||
|     wget $(openssl x509 -in $1 -noout -text | grep crl | sed -e "s/URI://g" -e "s/. //g") -O $CRLFILE | |||
|     #openssl x509 -in $1  -noout -ocsp_uri | |||
|     #openssl crl -inform DER -text -in $CRLFILE  | |||
|     openssl crl -inform DER -text -in $CRLFILE | grep $(openssl x509 -in $1  -noout -serial) | |||
| } | |||
| $ GET_REVOCATION company.crt | |||
| </syntaxhighlight> | </syntaxhighlight> | ||
| =Displaying a remote SSL certificate details= | ==Displaying a remote SSL certificate details== | ||
| <syntaxhighlight lang=bash style="border: | <syntaxhighlight lang=bash style="border:1px dashed gray"> | ||
| export SITE=wiki.clusterlab.com.br | export SITE=wiki.clusterlab.com.br | ||
| openssl s_client -showcerts -servername $SITE -connect $SITE:443 | openssl s_client -showcerts -servername $SITE -connect $SITE:443 | \ | ||
| sed -n "/BEGIN CERTIFICATE/,/END CERTIFICATE/p" | |||
| </syntaxhighlight> | |||
| ==Displaying a Local SSL certificate details, from file== | |||
| <syntaxhighlight lang=bash style="border:1px dashed gray"> | |||
| openssl x509 -inform <pem|der> -noout -text -in 'cerfile.cer'; | |||
| </syntaxhighlight> | |||
| ==Create a JKS== | |||
| <syntaxhighlight lang=bash> | |||
| # From Key and CRT: | |||
| $ openssl pkcs12 -export -in company.crt -inkey  company.key -name company.com -out company.p12  | |||
| # Type PKCS12: | |||
| $ keytool -importkeystore -destkeystore company.jks -srckeystore company.p12 -srcstoretype PKCS12 -deststoretype pkcs12 | |||
| # TYPE JKS: | |||
| $ keytool -importkeystore -destkeystore company.jks -srckeystore company.p12 -srcstoretype PKCS12 -deststoretype jks | |||
| # With more options | |||
| $ keytool \ | |||
|   -importkeystore  \ | |||
|   -srckeystore company.p12 \ | |||
|   -destkeystore company.jks \ | |||
|   -srcstoretype PKCS12 \ | |||
|   -deststoretype jks \ | |||
|   -srcstorepass mystorepass \ | |||
|   -deststorepass myotherstorepass \ | |||
|   -srcalias myserverkey \ | |||
|   -destalias myotherserverkey \ | |||
|   -srckeypass mykeypass \ | |||
|   -destkeypass myotherkeypass | |||
| </syntaxhighlight> | </syntaxhighlight> | ||
| Linha 62: | Linha 112: | ||
| *https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309 | *https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309 | ||
| *https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate/43666288#43666288 | *https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate/43666288#43666288 | ||
| *https://github.com/Azure/azure-cli/blob/dev/doc/use_cli_effectively.md#working-behind-a-proxy | |||
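Review bot: The GET_REVOCATION function added in the "Linha 48 / Linha 55" hunk never finds the certificate in the CRL: `openssl x509 -noout -serial` prints `serial=HEX`, while `openssl crl -text` lists the entry as `Serial Number: HEX`, so the grep pattern has nothing to match. Strip the prefix and grep the CRL's own wording, e.g. `serial=$(openssl x509 -in "$1" -noout -serial); serial=${serial#serial=}` followed by `openssl crl -inform DER -text -noout -in "$CRLFILE" | grep -A1 -F "Serial Number: $serial"`, which also brings the "Revocation Date" line along. The mktemp file is never removed and `$1`/`$CRLFILE` are unquoted throughout; add `rm -f -- "$CRLFILE"` after the grep. In the same hunk, the s_client pipeline under "Displaying a remote SSL certificate details" has no `</dev/null`, so it waits for terminal input before sed sees anything.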
Edição atual tal como às 13h04min de 21 de novembro de 2024
Encrypt File
SSH
authorized_keys
Bizu de como exibir um banner durante o login com chave SSH.
# authorized_keys entry: the forced command (command="...") prints the notice, pauses 10 s and ends, so the session closes instead of giving a shell; the no-*-forwarding options stop the key from being used as a tunnel.
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ec2-user\" rather than the user \"root\".';echo;sleep 10" <key content here>
Certificates
- rootCA.key = chave privada do CA
- rootCA.pem = certificado raiz CA
- device.key = chave privada do certificado
- device.csr = requisição de certificado
- device.crt = certificado do site
ca
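# Root CA key: pick ONE of the two genrsa lines -- both write rootCA.key, so
# running both means the second overwrites the first.
openssl genrsa -out rootCA.key 2048
# Same key, but passphrase-protected on disk (prompts for the passphrase).
# The original used -des3; AES-256 replaces the legacy 3DES key wrapping.
openssl genrsa -aes256 -out rootCA.key 2048
# Self-signed root certificate, SHA-256, valid 1024 days. -nodes only affects a
# key that req generates itself; the key comes from -key here, so it is inert.
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem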
cert
# Leaf ("device") key, CSR and certificate signed by the root CA above.
# 2048-bit RSA key for the device.
openssl genrsa -out device.key 2048
# CSR from that key; req prompts interactively for the subject (CN, O, ...).
openssl req -new \
  -out device.csr \
  -key device.key
# Sign the CSR with the root CA (500 days, SHA-256). -CAcreateserial creates
# the serial-number file next to rootCA.pem on first use. No -extfile is given,
# so the issued certificate carries no SAN or other extensions.
openssl x509 -req -sha256 -days 500 \
  -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
  -in device.csr \
  -out device.crt
Simple key and cert
# One-shot self-signed certificate: a fresh 2048-bit RSA key and the cert in a
# single step, valid 365 days. Prompts for the subject fields and, since -nodes
# is not given, for a passphrase to protect key.pem.
openssl req -x509 -days 365 \
  -newkey rsa:2048 -keyout key.pem \
  -out cert.pem
Altname
- Gera Chave Privada
# Private key for the "iam" certificate (2048-bit RSA, written unencrypted).
openssl genrsa \
  -out iam.key \
  2048
- Gera o CSR a partir da chave privada gerada, adicionando o parâmetro SubjectAltName
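# CSR with a subjectAltName without editing the system openssl.cnf: bash
# process substitution feeds req a copy of the default config with a [SAN]
# section appended. The original line never closed the outer "<(" and so
# failed to parse; the host name is now a variable instead of being repeated.
# req still prompts for the subject fields.
san_host=iam
base_cnf=/etc/ssl/openssl.cnf   # distro-specific path; adjust if it is elsewhere
openssl req -new -sha256 -key "${san_host}.key" -out "${san_host}.csr" \
  -reqexts SAN -extensions SAN \
  -config <(cat "$base_cnf" <(printf '[SAN]\nsubjectAltName=DNS:%s\n' "$san_host"))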
PFX Files
Extracting Certificate and Private Key Files from a .pfx File
Take the file you exported (e.g. certname.pfx) and copy it to a system where you have OpenSSL installed. Note: the *.pfx file is in PKCS#12 format and includes both the certificate and the private key.
Run the following command to export the private key:
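# Private key out of the PKCS#12 bundle (prompts for the import password).
# -nodes writes the key UNENCRYPTED, so create it owner-readable only; the
# subshell keeps the umask change from leaking into the rest of the session.
( umask 077; openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes )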
Run the following command to export the certificate:
# Certificate(s) only; -nokeys leaves the private key out of cert.crt.
# Prompts for the .pfx import password.
openssl pkcs12 -nokeys \
  -in certname.pfx \
  -out cert.crt
Run the following command to remove the passphrase from the private key:
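# Rewrite key.pem as an unencrypted PEM key. If key.pem was exported with
# -nodes above it already has no passphrase and this only changes the PEM
# form; otherwise openssl prompts for the passphrase. The result is a
# plaintext private key, so create it owner-readable only.
( umask 077; openssl rsa -in key.pem -out server.key )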
Creating a PFX file
# Bundle private key + certificate (+ extra chain certs from more.crt) into a
# PKCS#12 file. Prompts for an export password that protects the bundle.
openssl pkcs12 -export \
  -inkey privateKey.key \
  -in certificate.crt \
  -certfile more.crt \
  -out certificate.pfx
Get Certificate Revocation Date/Time
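#######################################
# Look up a certificate in the CRL named by its CRL Distribution Points
# extension and print the matching "Serial Number" / "Revocation Date" lines
# (no output = not listed). The CRL is fetched with wget into a temp file that
# is removed before returning.
# Arguments: $1 - certificate file (PEM)
#            $2 - optional CA certificate/bundle; when given, the downloaded
#                 CRL's signature is checked against it before it is used
# Outputs:   matching CRL lines on stdout, diagnostics on stderr
# Returns:   1 on bad usage, missing CRL URI, download or verification
#            failure; otherwise grep's status (1 = serial not in the CRL)
#######################################
GET_REVOCATION() {
  local cert=$1 cafile=${2-} crlfile crl_url serial inform rv
  if [[ -z "$cert" || ! -r "$cert" ]]; then
    printf 'usage: GET_REVOCATION cert.crt [ca.pem]\n' >&2
    return 1
  fi

  # First URI of the crlDistributionPoints extension (-ext needs OpenSSL
  # 1.1.1+). The original grepped the whole -text dump for "crl", which also
  # picks up unrelated lines such as OCSP/AIA URIs.
  crl_url=$(openssl x509 -in "$cert" -noout -ext crlDistributionPoints \
    | grep -o 'URI:[^[:space:]]*' | head -n1)
  crl_url=${crl_url#URI:}
  if [[ -z "$crl_url" ]]; then
    printf 'no CRL distribution point in %s\n' "$cert" >&2
    return 1
  fi

  crlfile=$(mktemp) || return 1
  printf 'CRL %s -> %s\n' "$crl_url" "$crlfile" >&2
  if ! wget -q -O "$crlfile" -- "$crl_url"; then
    rm -f -- "$crlfile"
    return 1
  fi

  # CRLs are usually DER; fall back to PEM if DER parsing fails.
  inform=DER
  openssl crl -inform DER -noout -in "$crlfile" 2>/dev/null || inform=PEM

  # Optional signature check: a CRL fetched over plain HTTP only says
  # something once it is known to come from the issuing CA.
  if [[ -n "$cafile" ]] \
    && ! openssl crl -inform "$inform" -noout -CAfile "$cafile" -in "$crlfile"; then
    printf 'CRL signature verification failed\n' >&2
    rm -f -- "$crlfile"
    return 1
  fi

  # x509 -serial prints "serial=HEX" while crl -text lists "Serial Number: HEX",
  # so the prefix must go before grepping (the original grepped "serial=..."
  # and could never match). -A1 brings the "Revocation Date:" line along.
  # Assumes both commands print the serial in the same hex form.
  serial=$(openssl x509 -in "$cert" -noout -serial)
  serial=${serial#serial=}
  openssl crl -inform "$inform" -text -noout -in "$crlfile" \
    | grep -A1 -F -- "Serial Number: $serial"
  rv=$?
  rm -f -- "$crlfile"
  return "$rv"
}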
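# Example call. The "$ " in the original is a shell prompt, not part of the
# command; pasted as-is it fails with "$: command not found".
GET_REVOCATION company.crt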
Displaying remote SSL certificate details
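# Dump the PEM certificate chain a TLS server presents (-servername sets SNI,
# -showcerts prints every cert in the chain). stdin is redirected from
# /dev/null so s_client closes the connection instead of waiting for terminal
# input; without it the pipeline hangs until Ctrl-D. sed keeps only the
# BEGIN/END CERTIFICATE blocks.
export SITE=wiki.clusterlab.com.br
openssl s_client -showcerts -servername "$SITE" -connect "$SITE:443" </dev/null \
  | sed -n "/BEGIN CERTIFICATE/,/END CERTIFICATE/p"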
Displaying local SSL certificate details from a file
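# Print a certificate stored in a local file. The "<pem|der>" in the original
# was a placeholder, not shell (the shell reads it as a redirect and a pipe);
# choose the encoding here.
inform=PEM   # or DER
openssl x509 -inform "$inform" -noout -text -in cerfile.cer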
Create a JKS
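# Build a Java keystore from a key + certificate pair. The "$ " prompts of the
# original were dropped so the lines can be pasted as-is.
# 1) Wrap key and cert in a PKCS#12 bundle (prompts for an export password).
openssl pkcs12 -export -in company.crt -inkey company.key -name company.com -out company.p12
# 2) Import it with keytool. Both forms below write company.jks and differ
#    only in the destination store type -- run ONE of them.
#    PKCS12 destination:
keytool -importkeystore -destkeystore company.jks -srckeystore company.p12 -srcstoretype PKCS12 -deststoretype pkcs12
#    Legacy JKS destination:
keytool -importkeystore -destkeystore company.jks -srckeystore company.p12 -srcstoretype PKCS12 -deststoretype jks
# 3) Same import with aliases and passwords given explicitly.
#    NOTE: passwords passed as arguments are visible in `ps` output and shell
#    history; keytool also accepts the -srcstorepass:env VAR and
#    -srcstorepass:file FILE forms (likewise for -deststorepass, -srckeypass
#    and -destkeypass) so the secret never appears on the command line.
keytool \
  -importkeystore \
  -srckeystore company.p12 \
  -destkeystore company.jks \
  -srcstoretype PKCS12 \
  -deststoretype jks \
  -srcstorepass mystorepass \
  -deststorepass myotherstorepass \
  -srcalias myserverkey \
  -destalias myotherserverkey \
  -srckeypass mykeypass \
  -destkeypass myotherkeypass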