Difference between revisions of "Openssl"
Jump to navigation
Jump to search
| Line 2: | Line 2: | ||
``` | ``` | ||
host=example.com; port=443; echo "Q" | openssl s_client -servername $host -connect $host:$port | openssl x509 -noout -dates | host=example.com; port=443; echo "Q" | openssl s_client -servername $host -connect $host:$port | openssl x509 -noout -dates | ||
| + | host=example.com; port=443; echo "Q" | openssl s_client -showcerts -connect $host:$port | ||
``` | ``` | ||
Revision as of 15:28, 19 April 2022
Expiration dates
host=example.com; port=443; echo "Q" | openssl s_client -servername $host -connect $host:$port | openssl x509 -noout -dates host=example.com; port=443; echo "Q" | openssl s_client -showcerts -connect $host:$port
PKS
# kb.dev.example.com.pks host=kb.dev.example.com; openssl pkcs12 -in $host.pfx -out $host.key -nocerts -nodes host=kb.dev.example.com; openssl pkcs12 -in $host.pfx -out $host.crt -clcerts -nokeys
openssl pkcs12 -in <filename.pfx> -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > <clientcert.key> openssl pkcs12 -in <filename.pfx> -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <clientcert.cer> openssl pkcs12 -in <filename.pfx> -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <cacerts.cer>
cipher scans
echo quit | openssl s_client -connect www.uvoo.io:443 -msg -debug 2>/dev/null | grep "Cipher :"
Self signed https certs
View & Download in Firefox
PEM (cert)PEM (chain)
export API_HOST=example.com
echo quit | openssl s_client -showcerts -servername "${API_HOST}" -connect "${API_HOST}":443 > cacert.pem
curl --cacert cacert.pem --location --silent https://${API_HOST}
https://www.redhat.com/sysadmin/6-openssl-commands
Extract cert and key
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.crt openssl pkcs12 -in domain.pfx -nocerts -nodes -out domain.key
Update your Apache configuration file with:
<VirtualHost 192.168.0.1:443> ... SSLEngine on SSLCertificateFile /path/to/domain.crt SSLCertificateKeyFile /path/to/domain.key ... </VirtualHost>
echo quit | openssl s_client -connect log.example.com:6514 echo "Q" | openssl s_client -servername google.com -connect google.com:443 | openssl x509 -noout -dates host=example.com; port=443; echo "Q" | openssl s_client -servername $host -connect $host:$port | openssl x509 -noout -dates
echo quit | openssl s_client -showcerts -servername server -connect google.com:443 > cacert.pem true | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 rm -f cert.pem && echo -n | openssl s_client -connect google.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./cert.pem
curl --cacert google.pem https://google.com
Get cipher
echo quit | openssl s_client -connect lb.examle.com:443 2>/dev/null | grep -i cipher
openssl s_client -connect 10.x.x.x:6514
PKI
#!/usr/bin/env bash
set -eu
# ref: https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
bits=4096
# cert_cn=insights.example.com
ca_dir=ca
keys_dir=ca/keys
mkdir -p $ca_dir
mkdir -p $keys_dir
# cd $ca_dir
ca_subject="-subj \"/C=US/ST=Utah/L=Lehi/O=Example/OU=IT/CN=ca.example.com\""
create_CA(){
echo "Configuring rootca certs for issueing certs to nodes via CN/fqdn."
openssl genrsa -out $ca_dir/ca.key $bits
openssl genrsa -des3 -out $ca_dir/ca.key $bits
# openssl genrsa -nodes -out $ca_dir/ca.key $bits
# openssl req -x509 -new -nodes -key $ca_dir/ca.key -sha256 -days 10240 -out $ca_dir/ca.pem $ca_subject
openssl req -x509 -new -nodes -key $ca_dir/ca.key -sha256 -days 10240 -out $ca_dir/ca.crt -subj "/C=US/ST=Utah/L=Lehi/O=Example/OU=IT/CN=ca.example.com"
}
create_client(){
cert_cn=$1
echo "Configuring certs for nodes with CN/fqdn."
openssl genrsa -out $keys_dir/${cert_cn}.key $bits
openssl req -new -key $keys_dir/${cert_cn}.key -out $keys_dir/${cert_cn}.csr -subj "/C=US/ST=Utah/L=Lehi/O=Example/OU=IT/CN=$cert_cn"
openssl x509 -req -in $keys_dir/${cert_cn}.csr -CA $ca_dir/ca.crt -CAkey $ca_dir/ca.key -CAcreateserial -out $keys_dir/${cert_cn}.crt -days 730 -sha256
}
copy_keys_to_rsyslog(){
cert_cn=$1
cp $keys_dir/${cert_cn}.key ../files/etc/rsyslog.d/keys/
cp $keys_dir/${cert_cn}.crt ../files/etc/rsyslog.d/keys/
cp $ca_dir/ca.crt ../files/etc/rsyslog.d/keys/
}
create_CA
create_client insights.example.com
copy_keys_to_rsyslog insights.example.com
# Notes
# sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
Shadow
openssl passwd -6 -salt ly7/kMnF yourpass