PKI // Playing with OpenSSL

Self-signed

quick shot RSA w/o being prompted for any value

    cd /etc/ssl/
    #cd /etc/openssl/

openssl req -x509 -newkey rsa:2048 -nodes \
    -subj /CN=*.lab.nethence.com \
    -keyout /etc/ssl/self.key \
    -out /etc/ssl/self.crt
    # -days 365
    # -days 9999
    # -sha256
chmod 400 /etc/ssl/*.key
chmod 444 /etc/ssl/*.crt

instead of tweaking openssl.cnf you may also define more from the command line

-subj "/C=RU/L=Innopolis/O=Innopolis University/OU=SNE/CN=*.example.local/emailAddress=YOUR-EMAIL"

ECDSA with a 256-bit curve

openssl ecparam -name prime256v1
openssl req -x509 -days 365 -nodes \
    -newkey ec:<(openssl ecparam -name prime256v1) \
    -keyout prime256v1.key \
    -out prime256v1.crt

ECDSA with a 384-bit curve

openssl ecparam -name secp384r1
openssl req -x509 -days 3650 -nodes \
    -newkey ec:<(openssl ecparam -name secp384r1) \
    -keyout secp384r1.key \
    -out secp384r1.crt

Note - you can also use stdout instead of -out and stdin instead of -in

Note - -nodes to avoid encrypting the private key hence no passphrase

and review the newly created dummy certificate

ls -lF *.crt *.key
openssl x509 -in self.crt -text -noout -fingerprint
openssl x509 -in self.crt -text -noout | less

CSR

the important keyword here is -new and w/o -x509

domain=example.net

rsa

one shot

openssl req -new -newkey rsa:2048 -nodes \
    -keyout $domain.key \
    -out $domain.csr

–vs– privkey then csr

openssl genrsa -out $domain.key 2048

    openssl req -new -nodes \
    -key $domain.key \
    -out $domain.csr

ecdsa

openssl ecparam -list_curves | grep secp384r1
openssl ecparam -name secp384r1 -genkey -noout -out client-or-domain.key
chmod 400 client-or-domain.key
openssl req -new -sha256 -key client-or-domain.key -out client-or-domain.csr
chmod 444 client-or-domain.csr

ready to go

and check

    ls -lF *.csr
openssl req -noout -text -verify < client-or-domain.csr

PKCS12

in case you need a container for your keys

openssl pkcs12 -export -inkey self.key -in self.crt -out self.p12
openssl pkcs12 -export -inkey prime256v1.key -in prime256v1.crt -out prime256v1.p12
openssl pkcs12 -export -inkey secp384r1.key -in secp384r1.crt -out secp384r1.p12

Ubuntu’s Sake-oil

You already have a pair on Ubuntu

ls -lF /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key

but in case you need to re-generate those

make-ssl-cert generate-default-snakeoil --force-overwrite

#openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
#   -keyout /etc/ssl/private/ssl-cert-snakeoil.key \
#   -out /etc/ssl/certs/ssl-cert-snakeoil.pem

NetBSD fix

On NetBSD you need to fix the config first

cp -i /usr/share/examples/openssl/openssl.cnf /etc/openssl/
cp -i /usr/share/examples/openssl/openssl.cnf /etc/openssl/openssl.cnf.dist
vi /etc/openssl/openssl.cnf

#default_md             = sha2

Concat an official certificate chain

Once you sent your CSR to your SSL provider, it will respond you with the PEM certificate, possibly as .crt. You will also need their root CA and intermediate certificates – if those aren’t delivered, you might find it on their website. Eventually concatenate those two

cd /etc/httpd/ssl/
cat intermediatecert rootcert > issuer-concat-cert.crt
chmod 400 issuer-concat-cert.crt

Comparing trust stores

See https://lab.nethence.com/ca-bundles/

Assessing SSL end-points

https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html https://github.com/nmap/nmap/blob/master/scripts/ssl-enum-ciphers.nse

nmap -sV --script ssl-enum-ciphers -p 443 nethence.com
nmap -sV --script ssl-enum-ciphers -p 25 xc.os3.su # finds starttls on its own

https://testssl.sh/ https://github.com/drwetter/testssl.sh

cd ~/opt/
git clone --depth 1 https://github.com/drwetter/testssl.sh.git
cd testssl.sh/
./testssl.sh --help
./testssl.sh nethence.com:443
./testssl.sh --starttls smtp xc.nethence.com:25

https://github.com/nabla-c0d3/sslyze https://github.com/iSECPartners/sslyze https://nabla-c0d3.github.io/sslyze/documentation/testing-connectivity.html#additional-settings-starttls-sni-etc

Testing SSL/TLS certificates (SSLyze) https://vk9-sec.com/testing-ssl-tls-certificates-sslyze/

pip install --upgrade setuptools
pip install --upgrade sslyze

sslyze -h
sslyze --regular --sni=nethence.com nethence.com:443
sslyze --starttls=smtp xc.os3.su:25

Resources

How To Create an SSL Certificate on Nginx for Ubuntu 14.04 https://www.digitalocean.com/community/tutorials/how-to-create-an-ssl-certificate-on-nginx-for-ubuntu-14-04

OpenSSL tips and tricks https://commandlinefanatic.com/cgi-bin/showarticle.cgi?article=art030

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats? https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file

Command Line Utilities https://wiki.openssl.org/index.php/Command_Line_Utilities

/etc/ssl/certs/

A note about SSL/TLS trusted certificate stores, and platforms (OpenSSL and GnuTLS) https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/

mk-ca-bundle the man page https://curl.haxx.se/docs/mk-ca-bundle.html

ubuntu

How do I re-issue OpenSSL snakeoil cert? https://askubuntu.com/questions/446228/how-do-i-re-issue-openssl-snakeoil-cert

How To Create a Self-Signed SSL Certificate for Nginx in Ubuntu 18.04 https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-18-04

Creating a Self-Signed SSL Certificate on Ubuntu https://ubuverse.com/creating-a-self-signed-ssl-certificate-on-ubuntu/

Self-Signed_Certificate https://wiki.debian.org/Self-Signed_Certificate

PRNG

How can I use OpenSSL with an external source of randomness? https://security.stackexchange.com/questions/143051/how-can-i-use-openssl-with-an-external-source-of-randomness

Good entropy source for generating openssl keys https://crypto.stackexchange.com/questions/12571/good-entropy-source-for-generating-openssl-keys

Random Numbers https://wiki.openssl.org/index.php/Random_Numbers

How to speed up OpenSSL/GnuPG Entropy For Random Number Generation On Linux https://www.cyberciti.biz/open-source/debian-ubuntu-centos-linux-setup-additional-entropy-for-server-using-aveged-rng-tools-utils/

Using engines for random number generation https://stackoverflow.com/questions/29150585/using-engines-for-random-number-generation

passphrase

Is it possible to generate RSA key without pass phrase? https://serverfault.com/questions/366372/is-it-possible-to-generate-rsa-key-without-pass-phrase

Why openssl insist on requiring a passphrase on genrsa command? https://superuser.com/questions/407908/why-openssl-insist-on-requiring-a-passphrase-on-genrsa-command

Creating a .pem File for SSL Certificate Installations https://www.digicert.com/ssl-support/pem-ssl-creation.htm

concat certs

Does .pem file contains both private and public keys? https://stackoverflow.com/questions/7539625/does-pem-file-contains-both-private-and-public-keys

How to combine various certificates into single .pem https://serverfault.com/questions/476576/how-to-combine-various-certificates-into-single-pem ==> leaf comes first

troubles

req: Unrecognized flag sha2

How to make OpenSSL with SHA256 instead of sha1? https://stackoverflow.com/questions/42857286/how-to-make-openssl-with-sha256-instead-of-sha1

Generating an SHA256 SSL CSR on CentOS/RHEL using genkey https://serverfault.com/questions/630692/generating-an-sha256-ssl-csr-on-centos-rhel-using-genkey

crypto

https://en.wikipedia.org/wiki/PKCS_12

https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm

https://gist.github.com/tsaarni/14f31312315b46f06e0f1ecc37146bf3

self-signed

Create a self-signed ECC certificate https://msol.io/blog/tech/create-a-self-signed-ecc-certificate/

Generate self-signed certificate and key in one line https://major.io/2007/08/02/generate-self-signed-certificate-and-key-in-one-line/

Generate Self-Signed SSL Certificate without prompt https://gist.github.com/thbkrkr/aa16435cb6c183e55a33

Frequently used OpenSSL Commands https://www.xolphin.com/support/OpenSSL/Frequently_used_OpenSSL_Commands

self-signed w/ san

Create an OpenSSL self-signed SAN cert in a single command https://medium.com/@groksrc/create-an-openssl-self-signed-san-cert-in-a-single-command-627fd771f25

https://somoit.net/security/security-create-self-signed-san-certificate-openssl

https://serverfault.com/questions/845766/generating-a-self-signed-cert-with-openssl-that-works-in-chrome-58

s_client

2 Testing TLS with OpenSSL https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html

How to Verify A Connection is Secure Using OpenSSL https://www.liquidweb.com/kb/how-to-verify-a-connection-is-secure-using-openssl/ ==> crlf

dst vs isrg

Root Certificates https://letsencrypt.org/certificates/

Certificate Compatibility https://letsencrypt.org/docs/certificate-compatibility/

Standing on Our Own Two Feet [Updated] https://letsencrypt.org/2020/11/06/own-two-feet.html

Valid-isrgrootx1 testing site working on devices it shouldn’t? https://community.letsencrypt.org/t/valid-isrgrootx1-testing-site-working-on-devices-it-shouldnt/94738

Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2 https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

RHEL/CentOS 7 Fix for Let’s Encrypt Change https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4

Centos7 don’t trust certificate issued by lets encrypt https://serverfault.com/questions/791205/centos7-dont-trust-certificate-issued-by-lets-encrypt

Let’s Encrypt Transitioning to ISRG’s Root https://blog.hqcodeshop.fi/archives/436-Lets-Encrypt-Transitioning-to-ISRGs-Root.html


HOME | GUIDES | LECTURES | LAB | SMTP HEALTH | NU | HTML5
Copyright © 2022 Pierre-Philipp Braun