Difference between revisions of "Openssl"

From UVOO Tech Wiki
Jump to navigation Jump to search
Line 44: Line 44:
  
 
bits=4096
 
bits=4096
# cert_cn=insights.mktp.io
+
# cert_cn=insights.example.com
rootCA_dir=rootCA
+
ca_dir=ca
keys_dir=rootCA/keys
+
keys_dir=ca/keys
mkdir -p $rootCA_dir
+
mkdir -p $ca_dir
 
mkdir -p $keys_dir
 
mkdir -p $keys_dir
# cd $rootCA_dir
+
# cd $ca_dir
ca_subject="-subj \"/C=US/ST=Utah/L=SLC/O=UVOO/OU=IT/CN=ca.example.com\""
+
ca_subject="-subj \"/C=US/ST=Utah/L=Lehi/O=Example/OU=IT/CN=ca.example.com\""
  
  
 
create_CA(){
 
create_CA(){
 
   echo "Configuring rootca certs for issueing certs to nodes via CN/fqdn."
 
   echo "Configuring rootca certs for issueing certs to nodes via CN/fqdn."
   openssl genrsa -out $rootCA_dir/rootCA.key $bits
+
   openssl genrsa -out $ca_dir/ca.key $bits
   openssl genrsa -des3 -out $rootCA_dir/rootCA.key $bits
+
   openssl genrsa -des3 -out $ca_dir/ca.key $bits
   # openssl genrsa -nodes -out $rootCA_dir/rootCA.key $bits
+
   # openssl genrsa -nodes -out $ca_dir/ca.key $bits
   # openssl req -x509 -new -nodes -key $rootCA_dir/rootCA.key -sha256 -days 10240 -out $rootCA_dir/rootCA.pem $ca_subject
+
   # openssl req -x509 -new -nodes -key $ca_dir/ca.key -sha256 -days 10240 -out $ca_dir/ca.pem $ca_subject
   openssl req -x509 -new -nodes -key $rootCA_dir/rootCA.key -sha256 -days 10240 -out $rootCA_dir/rootCA.pem -subj "/C=US/ST=Utah/L=SLC/O=example/OU=IT/CN=ca.example.com"
+
   openssl req -x509 -new -nodes -key $ca_dir/ca.key -sha256 -days 10240 -out $ca_dir/ca.crt -subj "/C=US/ST=Utah/L=Lehi/O=Example/OU=IT/CN=ca.example.com"
 
}
 
}
  
Line 67: Line 67:
 
   echo "Configuring certs for nodes with CN/fqdn."
 
   echo "Configuring certs for nodes with CN/fqdn."
 
   openssl genrsa -out $keys_dir/${cert_cn}.key $bits
 
   openssl genrsa -out $keys_dir/${cert_cn}.key $bits
   openssl req -new -key $keys_dir/${cert_cn}.key -out $keys_dir/${cert_cn}.csr -subj "/C=US/ST=Utah/L=SLC/O=EH/OU=IT/CN=$cert_cn"
+
   openssl req -new -key $keys_dir/${cert_cn}.key -out $keys_dir/${cert_cn}.csr -subj "/C=US/ST=Utah/L=Lehi/O=Example/OU=IT/CN=$cert_cn"
   openssl x509 -req -in $keys_dir/${cert_cn}.csr -CA $rootCA_dir/rootCA.pem -CAkey $rootCA_dir/rootCA.key -CAcreateserial -out $keys_dir/${cert_cn}.crt -days 730 -sha256
+
   openssl x509 -req -in $keys_dir/${cert_cn}.csr -CA $ca_dir/ca.crt -CAkey $ca_dir/ca.key -CAcreateserial -out $keys_dir/${cert_cn}.crt -days 730 -sha256
 
}
 
}
  
Line 75: Line 75:
 
   cp $keys_dir/${cert_cn}.key ../files/etc/rsyslog.d/keys/
 
   cp $keys_dir/${cert_cn}.key ../files/etc/rsyslog.d/keys/
 
   cp $keys_dir/${cert_cn}.crt ../files/etc/rsyslog.d/keys/
 
   cp $keys_dir/${cert_cn}.crt ../files/etc/rsyslog.d/keys/
   cp $rootCA_dir/rootCA.pem ../files/etc/rsyslog.d/keys/
+
   cp $ca_dir/ca.crt ../files/etc/rsyslog.d/keys/
 
}
 
}
 
  
 
create_CA
 
create_CA
 
create_client insights.example.com
 
create_client insights.example.com
 
copy_keys_to_rsyslog insights.example.com
 
copy_keys_to_rsyslog insights.example.com
 +
 +
 +
# Notes
  
 
# sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
 
# sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
 
```
 
```

Revision as of 01:31, 10 November 2021

https://www.redhat.com/sysadmin/6-openssl-commands

Extract cert and key

openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.crt
openssl pkcs12 -in domain.pfx -nocerts -nodes  -out domain.key

Update your Apache configuration file with:

<VirtualHost 192.168.0.1:443>
 ...
 SSLEngine on
 SSLCertificateFile /path/to/domain.crt
 SSLCertificateKeyFile /path/to/domain.key
 ...
</VirtualHost>

echo quit | openssl s_client -connect log.example.com:6514
echo "Q" | openssl s_client -servername google.com -connect google.com:443 | openssl x509 -noout -dates

echo quit | openssl s_client -showcerts -servername server -connect google.com:443 > cacert.pem
true | openssl s_client -connect google.com:443 2>/dev/null | openssl x509
rm -f cert.pem && echo -n | openssl s_client -connect google.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./cert.pem

curl --cacert google.pem https://google.com 

openssl s_client -connect 10.x.x.x:6514

PKI 

#!/usr/bin/env bash
set -eu
# ref: https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/

bits=4096
# cert_cn=insights.example.com
ca_dir=ca
keys_dir=ca/keys
mkdir -p $ca_dir
mkdir -p $keys_dir
# cd $ca_dir
ca_subject="-subj \"/C=US/ST=Utah/L=Lehi/O=Example/OU=IT/CN=ca.example.com\""


create_CA(){
  echo "Configuring rootca certs for issueing certs to nodes via CN/fqdn."
  openssl genrsa -out $ca_dir/ca.key $bits
  openssl genrsa -des3 -out $ca_dir/ca.key $bits
  # openssl genrsa -nodes -out $ca_dir/ca.key $bits
  # openssl req -x509 -new -nodes -key $ca_dir/ca.key -sha256 -days 10240 -out $ca_dir/ca.pem $ca_subject
  openssl req -x509 -new -nodes -key $ca_dir/ca.key -sha256 -days 10240 -out $ca_dir/ca.crt -subj "/C=US/ST=Utah/L=Lehi/O=Example/OU=IT/CN=ca.example.com"
}


create_client(){
  cert_cn=$1
  echo "Configuring certs for nodes with CN/fqdn."
  openssl genrsa -out $keys_dir/${cert_cn}.key $bits
  openssl req -new -key $keys_dir/${cert_cn}.key -out $keys_dir/${cert_cn}.csr -subj "/C=US/ST=Utah/L=Lehi/O=Example/OU=IT/CN=$cert_cn"
  openssl x509 -req -in $keys_dir/${cert_cn}.csr -CA $ca_dir/ca.crt -CAkey $ca_dir/ca.key -CAcreateserial -out $keys_dir/${cert_cn}.crt -days 730 -sha256
}

copy_keys_to_rsyslog(){
  cert_cn=$1
  cp $keys_dir/${cert_cn}.key ../files/etc/rsyslog.d/keys/
  cp $keys_dir/${cert_cn}.crt ../files/etc/rsyslog.d/keys/
  cp $ca_dir/ca.crt ../files/etc/rsyslog.d/keys/
}

create_CA
create_client insights.example.com
copy_keys_to_rsyslog insights.example.com


# Notes

# sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
Retrieved from "https://tech.uvoo.io/index.php?title=Openssl&oldid=2436"