PKI // Playing with OpenSSL

NetBSD Requirements

cp -pi /usr/share/examples/openssl/openssl.cnf /etc/openssl/
cp -pi /usr/share/examples/openssl/openssl.cnf /etc/openssl/openssl.cnf.dist
chmod 600 /etc/openssl/openssl.cnf
vi /etc/openssl/openssl.cnf

#default_md             = sha2

Self-Signed

cd /etc/openssl/
domain=xc.nethence.com
openssl req -x509 -newkey rsa:2048 -nodes -keyout selfsign.key -out $domain.self.cer -subj /CN=$domain
#-days 365
chmod 400 $domain.self.cer $domain.self.key

Official Certificate

Once you sent your CSR to your SSL provider, it will respond you with the PEM certificate, possibly as .crt.

Concatenate the Chain

You will also need their root CA and intermediate certificates – if those aren’t delivered, you might find it on their website. Eventually concatenate those two,

cd /etc/httpd/ssl/
cat intermediatecert rootcert > issuer-concat-cert.crt
chmod 400 issuer-concat-cert.crt

Resources

How To Create an SSL Certificate on Nginx for Ubuntu 14.04 https://www.digitalocean.com/community/tutorials/how-to-create-an-ssl-certificate-on-nginx-for-ubuntu-14-04

OpenSSL tips and tricks https://commandlinefanatic.com/cgi-bin/showarticle.cgi?article=art030

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats? https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file

PRNG

How can I use OpenSSL with an external source of randomness? https://security.stackexchange.com/questions/143051/how-can-i-use-openssl-with-an-external-source-of-randomness

Good entropy source for generating openssl keys https://crypto.stackexchange.com/questions/12571/good-entropy-source-for-generating-openssl-keys

Random Numbers https://wiki.openssl.org/index.php/Random_Numbers

How to speed up OpenSSL/GnuPG Entropy For Random Number Generation On Linux https://www.cyberciti.biz/open-source/debian-ubuntu-centos-linux-setup-additional-entropy-for-server-using-aveged-rng-tools-utils/

Using engines for random number generation https://stackoverflow.com/questions/29150585/using-engines-for-random-number-generation

passphrase

Is it possible to generate RSA key without pass phrase? https://serverfault.com/questions/366372/is-it-possible-to-generate-rsa-key-without-pass-phrase

Why openssl insist on requiring a passphrase on genrsa command? https://superuser.com/questions/407908/why-openssl-insist-on-requiring-a-passphrase-on-genrsa-command

Creating a .pem File for SSL Certificate Installations https://www.digicert.com/ssl-support/pem-ssl-creation.htm

concatenation

Does .pem file contains both private and public keys? https://stackoverflow.com/questions/7539625/does-pem-file-contains-both-private-and-public-keys


Nethence | Pub | Lab | Pbraun | SNE Russia | xhtml