OpenSSL: mudanças entre as edições
Ir para navegação
Ir para pesquisar
| Linha 52: | Linha 52: | ||
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt | openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt | ||
</syntaxhighlight> | </syntaxhighlight> | ||
=Get Certificate Revocation Date/Time= | |||
<syntaxhighlight lang=bash> | |||
function GET_REVOCATION() { | |||
wget $(openssl x509 -in $1 -noout -text | grep crl | sed -e "s/URI://g" -e "s/. //g") -O arq.crl | |||
openssl x509 -in $1 -noout -ocsp_uri | |||
openssl crl -inform DER -text -in arq.crl | |||
openssl crl -inform DER -text -in arq.crl | grep $(openssl x509 -in $1 -noout -serial) | |||
} | |||
</syntaxhighlight> | |||
=Displaying a remote SSL certificate details= | =Displaying a remote SSL certificate details= | ||
<syntaxhighlight lang=bash style="border:1px dashed gray"> | <syntaxhighlight lang=bash style="border:1px dashed gray"> | ||
Edição das 17h11min de 17 de agosto de 2021
- rootCA.key = chave privada do CA
- rootCA.pem = certificado raiz CA
- device.key = chave privada do certificado
- device.csr = requisição de certificado
- device.crt = certificado do site
ca
openssl genrsa -out rootCA.key 2048
openssl genrsa -des3 -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
cert
openssl genrsa -out device.key 2048
openssl req -new -key device.key -out device.csr
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -sha256
Altname
- Gera Chave Privada
openssl genrsa -out iam.key 2048
- Gera CSR com base na chave privada gerada e adicionando o parâmetro de SubjectAltName
openssl req -new -sha256 -key iam.key -out iam.csr -reqexts SAN -extensions SAN -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:iam')
SSH
authorized_keys
Bizu de como fazer banner durante o login do chave SSH.
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ec2-user\" rather than the user \"root\".';echo;sleep 10" <key content here>
PFX Files
Extracting Certificate and Private Key Files from a .pfx File
Take the file you exported (e.g. certname.pfx) and copy it to a system where you have OpenSSL installed. Note: the *.pfx file is in PKCS#12 format and includes both the certificate and the private key.
Run the following command to export the private key:
openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
Run the following command to export the certificate:
openssl pkcs12 -in certname.pfx -nokeys -out cert.crt
Run the following command to remove the passphrase from the private key:
openssl rsa -in key.pem -out server.key
Creating a PFX file
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt
Get Certificate Revocation Date/Time
function GET_REVOCATION() {
wget $(openssl x509 -in $1 -noout -text | grep crl | sed -e "s/URI://g" -e "s/. //g") -O arq.crl
openssl x509 -in $1 -noout -ocsp_uri
openssl crl -inform DER -text -in arq.crl
openssl crl -inform DER -text -in arq.crl | grep $(openssl x509 -in $1 -noout -serial)
}
Displaying a remote SSL certificate details
export SITE=wiki.clusterlab.com.br
openssl s_client -showcerts -servername $SITE -connect $SITE:443 | \
sed -n "/BEGIN CERTIFICATE/,/END CERTIFICATE/p"
Create a JKS
# From Key and CRT:
$ openssl pkcs12 -export -in company.crt -inkey company.key -name company.com -out company.p12
# Type PKCS12:
$ keytool -importkeystore -destkeystore company.jks -srckeystore company.p12 -srcstoretype PKCS12 -deststoretype pkcs12
# TYPE JKS:
$ keytool -importkeystore -destkeystore company.jks -srckeystore company.p12 -srcstoretype PKCS12 -deststoretype jks
# With more options
$ keytool \
-importkeystore \
-srckeystore company.p12 \
-destkeystore company.jks \
-srcstoretype PKCS12 \
-deststoretype jks \
-srcstorepass mystorepass \
-deststorepass myotherstorepass \
-srcalias myserverkey \
-destalias myotherserverkey \
-srckeypass mykeypass \
-destkeypass myotherkeypass