Showing posts with label SSL. Show all posts

Monday, December 9, 2013

Create self-signed CA and cert (version 1 and version 3)

Create CA cert

1. Create the CA root key

openssl genrsa -out rootCA.key 2048

1b. Or create the CA root key with passphrase protection (-des3 is the legacy option; use -aes256 on any current OpenSSL):

openssl genrsa -aes256 -out rootCA.key 2048

2. Self-sign the CA root cert (you are prompted for the passphrase if the key has one; with the stock openssl.cnf the v3_ca section marks the cert CA:TRUE)

openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem

Create a normal ssl cert

1. create a private key

openssl genrsa -out server.key 2048

2. create csr

openssl req -new -key server.key -out server.csr

3. Sign the CSR with the CA (the file names must match the rootCA.key/rootCA.pem created above)

openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 500

3b. self sign the cert without using ca

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Create a normal version 3 ssl cert with subject alternative name

1. create a private key

openssl genrsa -out server.key 2048

2. copy the default openssl.cnf file and add/modify the following:


[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = kb.example.com
DNS.2 = helpdesk.example.org
DNS.3 = systems.example.net
IP.1 = 192.168.1.1
IP.2 = 192.168.69.14


3. create the csr

openssl req -new -out server.csr -key server.key -config openssl.cnf

4. Sign the CSR with the CA. openssl x509 -req does not copy the extensions out of the CSR, so they have to be passed again with -extfile/-extensions or the SANs are silently dropped:

openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 3650 -extensions v3_req -extfile openssl.cnf

4b. Self-sign the cert without using the CA (same -extensions/-extfile requirement)

openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt -extensions v3_req -extfile openssl.cnf


Display the ssl cert info

openssl x509 -in server.crt -noout -text

or

openssl x509 -in server.crt -text




Friday, April 19, 2013

Add Intermediate CA cert file to your ssl cert

To ship the intermediate CA cert with your SSL cert, concatenate the PEM blocks into one file in this order:

  • site.com.crt (the leaf)
  • intermediate.crt (one or more; the order does matter: first the CA that signed the leaf, then the CA that signed that one, and so on upwards)
  • ROOT.crt (optional; clients already hold the root in their trust store, so it only adds bytes to the handshake)

Each cert in the file must be signed by the one that follows it. The result file should look something like this:

-----BEGIN CERTIFICATE-----
site cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
root cert
-----END CERTIFICATE-----
 
 
You can test your site's cert using the tool on this page:
 
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO9555
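As an added example (not part of either post above), the following script ties the two posts together: it runs the key, CSR and v3/SAN signing steps from the December post with a root CA and an intermediate CA, writes the chain file in the order the April post describes, and checks it offline with openssl verify. Everything in it (the rootCA/intermediate/server file names, the /CN= subjects, the shortened SAN list and the temp directory) is made up for the demo; it needs only a stock openssl binary.

```shell
#!/bin/sh
# Added example (not from the post): root CA -> intermediate CA -> v3 server cert with SANs,
# then the chain file in leaf/intermediate/root order, verified offline with openssl.
# All names, paths and subjects here are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/openssl.cnf"

write_config() {                   # the v3_req/alt_names sections from the post plus a CA section
  cat > "$CNF" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = kb.example.com

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[alt_names]
DNS.1 = kb.example.com
DNS.2 = helpdesk.example.org
IP.1 = 192.168.1.1
EOF
}

make_root_ca() {                   # $1 = name: self-signed root, v3_ca makes it CA:TRUE
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORK/$1.key" -subj "/CN=$1" -days 1024 \
    -config "$CNF" -extensions v3_ca -out "$WORK/$1.pem"
}

make_intermediate_ca() {           # $1 = name, $2 = issuing CA name: CSR signed by $2 as a CA
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" -config "$CNF" -out "$WORK/$1.csr"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -days 500 -extfile "$CNF" -extensions v3_ca -out "$WORK/$1.pem"
}

make_server_cert() {               # $1 = name, $2 = issuing CA name: leaf carrying the SANs above
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -config "$CNF" -out "$WORK/$1.csr"
  # x509 -req ignores the extensions inside the CSR, so they are passed again here
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -days 365 -extfile "$CNF" -extensions v3_req -out "$WORK/$1.crt"
}

build_chain() {                    # leaf first, then the CA that signed it, ..., root last
  cat "$WORK/server.crt" "$WORK/intermediate.pem" "$WORK/rootCA.pem" > "$WORK/chain.pem"
}

verify_chain() {                   # succeeds only if server -> intermediate -> root validates
  openssl verify -CAfile "$WORK/rootCA.pem" -untrusted "$WORK/intermediate.pem" "$WORK/server.crt" >/dev/null
}

cert_count() {                     # $1 = file: number of PEM certificates in it
  grep -c 'BEGIN CERTIFICATE' "$1"
}

has_san() {                        # $1 = DNS name: true if it is in the leaf's SAN extension
  openssl x509 -in "$WORK/server.crt" -noout -text | grep -q "DNS:$1"
}

is_ca() {                          # $1 = name: true if that cert carries CA:TRUE
  openssl x509 -in "$WORK/$1.pem" -noout -text | grep -q 'CA:TRUE'
}

write_config
make_root_ca rootCA
make_intermediate_ca intermediate rootCA
make_server_cert server intermediate
build_chain
verify_chain
echo "chain OK: $WORK/chain.pem"
```

openssl verify needs the intermediate handed to it explicitly (-untrusted) just as a browser needs it in the chain file; leave it out and the leaf fails with "unable to get local issuer certificate". To see the chain a live server actually sends, rather than the file you think you deployed, use openssl s_client -connect site.com:443 -showcerts.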
 
 
 

Wednesday, April 3, 2013

Converting SSH key format

The block format with "---- BEGIN SSH2 PUBLIC KEY ----" is the RFC 4716 (SSH2/SECSH) public key format, not real PEM, although it is often called that. To convert an ssh public key from RFC 4716 format to OpenSSH format, use this command:

ssh-keygen -i -f pem_format.pub > id_rsa.pub 

To convert an ssh public key from OpenSSH format to RFC 4716 format, use this command (ssh-keygen -e writes RFC 4716 by default; add -m PEM if you need actual PKCS#1 PEM for openssl):

ssh-keygen -e -f id_rsa.pub > pem_format.pub 

To see the fingerprint of the ssh key, use this command:

ssh-keygen -l -f id_rsa.pub 

This prints, on one line:
  • the key length in bits
  • the fingerprint (SHA256 base64 on current OpenSSH, colon-separated MD5 hex on old releases)
  • the key's comment, or the filename when the key carries no comment
  • on current OpenSSH, the key type in parentheses, e.g. (RSA)


RFC 4716 (SSH2) format, what the post above calls "PEM":

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "4096-bit RSA, converted from OpenSSH by user@machine_name"
...
---- END SSH2 PUBLIC KEY ----

OpenSSH format:

ssh-rsa ... user@machine_name
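As an added example (not from the post), this script generates a throwaway key, exports the public half to RFC 4716 and to real PEM, imports the RFC 4716 copy back, and shows that the fingerprint is the same on both sides of the round trip. The key, its comment and the temp directory are all created here for the demo; it needs only ssh-keygen.

```shell
#!/bin/sh
# Added example (not from the post): round-trip an OpenSSH public key through the
# RFC 4716 ("SSH2") format and confirm the fingerprint survives. Paths and the key
# comment are chosen here for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/id_rsa"

gen_key() {                        # fresh 2048-bit RSA key, empty passphrase, fixed comment
  ssh-keygen -q -t rsa -b 2048 -N '' -C 'user@machine_name' -f "$KEY"
}

to_rfc4716() {                     # OpenSSH one-liner -> "---- BEGIN SSH2 PUBLIC KEY ----" block
  ssh-keygen -e -f "$KEY.pub" > "$KEY.rfc4716.pub"
}

to_pkcs1_pem() {                   # real PEM (PKCS#1 "RSA PUBLIC KEY"), the form openssl reads
  ssh-keygen -e -m PEM -f "$KEY.pub" > "$KEY.pem"
}

from_rfc4716() {                   # RFC 4716 block -> OpenSSH one-liner again (comment is not kept)
  ssh-keygen -i -f "$KEY.rfc4716.pub" > "$KEY.roundtrip.pub"
}

fingerprint() {                    # $1 = public key file: the fingerprint field of ssh-keygen -l only
  ssh-keygen -l -f "$1" | awk '{print $2}'
}

has_header() {                     # $1 = file, $2 = text: true if the first line contains it
  head -n 1 "$1" | grep -q "$2"
}

gen_key
to_rfc4716
to_pkcs1_pem
from_rfc4716
echo "fingerprint before: $(fingerprint "$KEY.pub")"
echo "fingerprint after:  $(fingerprint "$KEY.roundtrip.pub")"
```

The import drops the comment, so compare keys by fingerprint, never by diffing the text files.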



Monday, March 25, 2013

Taking tcp and ssl dump on the F5 load balancer

Taking tcp dump on the F5

tcpdump -vvv -nn -A -i dmz_2001 -s 0 -w tcpdump_filename.dat  host 10.1.1.1 and port 443

Decrypt the capture just taken with ssldump and the virtual server's private key. This only works when the cipher suite uses RSA key exchange; suites with (EC)DHE key exchange give forward secrecy and cannot be decrypted from the server key alone.

ssldump -Aed -nr ./tcpdump_filename.dat -k /config/ssl/ssl.key/ssl-key.key > decrypted_ssldump_filename.txt


-------------------- 
-i: the interface to listen on
host: the IP the data will be coming from (the source/client IP)