Difference between revisions of "OpenSSL Notes"

From Wiki
Jump to: navigation, search
m (create CSR with SANs)
(create private key and certificate signing request)
 
(35 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
= OpenSSL tasks =
 
= OpenSSL tasks =
 +
 +
== Recreate a missing CSR ==
 +
You can regenerate a CSR file using the existing certificate and private key.
 +
 +
openssl x509 -x509toreq -in host.crt -signkey host.key -out ~/host.csr
  
 
== Creating a CSR and/or self-signed certificate ==
 
== Creating a CSR and/or self-signed certificate ==
 +
Set up project directory.
  
=== create the private key and certificate signing request ===
+
mkdir -p projects/certs
 +
cd !$
  
  cn='www.example.com'
+
  cp /etc/pki/tls/openssl.cnf ./openssl.cnf
openssl req -newkey rsa:4096 > ${cn}.csr
+
  
* Step two - remove the passphrase from the key (optional):
+
Edit the openssl.cnf file to define the proper defaults.  (Company name, email address, etc.)  This is optional, you will be prompted for the values if they are not defined.
  openssl rsa -in privkey.pem -out ${cn}.key
+
  
* Step three (optional) - convert the CSR into a self-signed certificate:
+
=== create private key and certificate signing request ===
  openssl x509 -in ${cn}.csr -out ${cn}.crt -req -signkey ${cn}.key -days 365
+
  
This will produce a self-signed cert that can be used for any SSL service.   
+
{{Box_note|This only needs to be done the first time.  Edit the file (or use sed) to set a new host name for future requests.  Additional DNS names are comma separatedFor example:
  
For example, the Apache-SSL directives are as follows:
+
DNS:example.com,DNS:www.example.com}}
  SSLCertificateFile /path/to/certs/new.cert.cert
+
  SSLCertificateKeyFile /path/to/certs/new.cert.key
+
  
=== create CSR with SANs ===
+
site=foo.example.com
 +
export sans="[SAN]\nsubjectAltName=DNS:${site}\n"
 +
printf $sans >> openssl.cnf
  
  openssl req -newkey rsa:4096 -sha256 -config /root/openssl.cnf -nodes -subj '/C=US/ST=Michigan/L=Mason/O=Example Company/OU=IT/CN=server.example.com/emailAddress=it@example.com' > newcert.csr
+
Sed example:
 +
sed -i -e "s/^subjectAltName=.*/subjectAltName=DNS:$site/" openssl.cnf
 +
 +
Create CSR with new key:
 +
  openssl req -new -sha256 -newkey rsa:4096 -reqexts SAN -config openssl.cnf > $site.csr.txt
  
  export sans="[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com,DNS:www2.example.com\n"
+
Create a new CSR using an existing key:
 +
  openssl req -new -sha256 -key $site.key -reqexts SAN -config openssl.cnf > $site.csr.txt
  
  openssl req -new -sha256 -key domain.key \
+
* remove the passphrase from the key (optional):
    -subj "/C=US/ST=CA/O=Acme/CN=example.com" \
+
  openssl rsa -in $site.key -out $site.key
    -reqexts SAN \
+
 
    -config <(cat /etc/ssl/openssl.cnf \
+
* encrypt data for hiera
        <(printf "$sans")) \
+
openssl rsa -in $site.key | eyaml encrypt --stdin -o block | xsel
    -out domain.csr
+
 
 +
* paste key into data file
 +
 
 +
* convert the CSR into a self-signed certificate (optional):
 +
openssl x509 -in $site.csr.txt -out $site.crt -req -signkey $site.key -days 365
 +
 
 +
This will produce a self-signed cert that can be used for any SSL service. 
 +
 
 +
For example, the Apache-SSL directives are as follows:
 +
SSLCertificateFile /path/to/certs/new.cert.cert
 +
SSLCertificateKeyFile /path/to/certs/new.cert.key
  
 
== Generate a password hash (md5) ==
 
== Generate a password hash (md5) ==
Line 116: Line 135:
  
 
  openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
 
  openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
 +
 +
= OpenVPN =
 +
easy-rsa is located under the /usr/local/share/easy-rsa directory.  Certs are issued using ./easy-rsa
 +
 +
= Java =
 +
Java uses its own keystore format to store TLS certs.  The keytool command allows you to access and modify cert data.
 +
 +
./bin/keytool -exportcert -rfc -keystore /usr/share/tomcat/.keystore -alias tomcat
 +
 +
To extract private keys the keystore can be converted into pkcs12 format.
 +
 +
./bin/keytool -importkeystore -srckeystore /usr/share/tomcat/.keystore -destkeystore intermediate.p12 -srcstoretype JKS -deststoretype PKCS12
 +
openssl pkcs12 -in intermediate.p12 -out extracted.pem -nodes
  
 
= References =
 
= References =
Line 125: Line 157:
  
 
http://blog.oneiroi.co.uk/openssl/x.509/pcks7/openssl-unable-to-load-certificate-wrong-asn1-encoding-routines-asn1-check-tlen-tag-tasn-dec-dot-c-1319/
 
http://blog.oneiroi.co.uk/openssl/x.509/pcks7/openssl-unable-to-load-certificate-wrong-asn1-encoding-routines-asn1-check-tlen-tag-tasn-dec-dot-c-1319/
 +
 +
https://wiki.archlinux.org/index.php/Easy-RSA

Latest revision as of 14:39, 16 March 2020

OpenSSL tasks

Recreate a missing CSR

You can regenerate a CSR file using the existing certificate and private key.

openssl x509 -x509toreq -in host.crt -signkey host.key -out ~/host.csr

Creating a CSR and/or self-signed certificate

Set up project directory.

mkdir -p projects/certs
cd !$
cp /etc/pki/tls/openssl.cnf ./openssl.cnf

Edit the openssl.cnf file to define the proper defaults. (Company name, email address, etc.) This is optional, you will be prompted for the values if they are not defined.

create private key and certificate signing request

Note: This only needs to be done the first time. Edit the file (or use sed) to set a new host name for future requests. Additional DNS names are comma separated. For example: DNS:example.com,DNS:www.example.com
site=foo.example.com
export sans="[SAN]\nsubjectAltName=DNS:${site}\n"
printf $sans >> openssl.cnf

Sed example:

sed -i -e "s/^subjectAltName=.*/subjectAltName=DNS:$site/" openssl.cnf

Create CSR with new key:

openssl req -new -sha256 -newkey rsa:4096 -reqexts SAN -config openssl.cnf > $site.csr.txt

Create a new CSR using an existing key:

openssl req -new -sha256 -key $site.key -reqexts SAN -config openssl.cnf > $site.csr.txt
  • remove the passphrase from the key (optional):
openssl rsa -in $site.key -out $site.key
  • encrypt data for hiera
openssl rsa -in $site.key | eyaml encrypt --stdin -o block | xsel
  • paste key into data file
  • convert the CSR into a self-signed certificate (optional):
openssl x509 -in $site.csr.txt -out $site.crt -req -signkey $site.key -days 365

This will produce a self-signed cert that can be used for any SSL service.

For example, the Apache-SSL directives are as follows:

SSLCertificateFile /path/to/certs/new.cert.cert
SSLCertificateKeyFile /path/to/certs/new.cert.key

Generate a password hash (md5)

echo "blah" | openssl passwd -1 -stdin

Verify a server certificate

You can test an SSL connection using the s_client option.

openssl s_client -connect <server>:<port>

For servers using TLS you can use the -starttls command.

openssl s_client -showcerts -starttls smtp -connect host.example.com:25
openssl s_client -showcerts -connect  www.example.com:443 -tls1_2

Testing with a client cert:

openssl s_client -key <keyfile> -cert <cert> -CAfile <cafile> -connect <server>:8081

Extract cert used for a connection

openssl s_client -connect www.example.com:443 -tls1_2 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > www.example.com.crt

Check cert details

openssl x509 -in certificate.crt -text -noout

Verifying that a key and certificate match

To verify that a certificate and key file match you can compare certificate modulus on each cert to look for a match. The `modulus' and the `public exponent' portions of the key and the certificate must match. The following commands will produce an md5 sum which can be used to find the key that matches a cert or vice versa.

openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5

Converting SSL certs

Convert PFX to PEM:

openssl pkcs12 -in c:\certs\yourcert.pfx -out c:\certs\cag.pem -nodes

Convert cert file to PFX:

#!/bin/bash
[ -n "$1" -a "$2" ]  || { echo "Usage: ./crt2pfx cert.crt .keyfile cert_name"; exit 0 ; }

openssl x509 -in $1 -out input.der -outform DER;

openssl x509 -in input.der -inform DER -out output.pem -outform PEM;

openssl pkcs12 -export -in output.pem -inkey $2 -out $3.pfx -name "$3";

echo "cleaning up...";
sleep 1;

echo "Removing input.der";
rm input.der;
sleep 1;

echo "Removing output.pem";
rm output.pem;
sleep 1;

exit 0;

List installed CA certs

awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/pki/tls/cert.pem

If you're checking for a specific cert you can grep for the common name.

awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/pki/tls/cert.pem  | grep -E "Dart|DCIssuing"

Fix ASN errors

If you see errors similar to below you will need to convert the certificate file into the proper encoding.

Openssl Unable to Load Certificate Wrong Asn1 Encoding routines:ASN 1_CHECK_TLEN::tag:tasn_dec.c:1319

140735207381436:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
140735207381436:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509_CINF
140735207381436:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=cert_info, Type=X509
140735207381436:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:

While the certificate file visually appears to be in x.509 format, you will find it contains a far longer base64 string than x.509 certificates of the same bit length. The format in this case is p7b (PCKS #7). To convert the cert to x509 format run this command.

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

OpenVPN

easy-rsa is located under the /usr/local/share/easy-rsa directory. Certs are issued using ./easy-rsa

Java

Java uses its own keystore format to store TLS certs. The keytool command allows you to access and modify cert data.

./bin/keytool -exportcert -rfc -keystore /usr/share/tomcat/.keystore -alias tomcat

To extract private keys the keystore can be converted into pkcs12 format.

./bin/keytool -importkeystore -srckeystore /usr/share/tomcat/.keystore -destkeystore intermediate.p12 -srcstoretype JKS -deststoretype PKCS12
openssl pkcs12 -in intermediate.p12 -out extracted.pem -nodes

References

https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html

http://www.madboa.com/geek/openssl/#cert-test

https://langui.sh/2009/03/14/checking-a-remote-certificate-chain-with-openssl/

http://blog.oneiroi.co.uk/openssl/x.509/pcks7/openssl-unable-to-load-certificate-wrong-asn1-encoding-routines-asn1-check-tlen-tag-tasn-dec-dot-c-1319/

https://wiki.archlinux.org/index.php/Easy-RSA