pki // playing with OpenSSL / LibreSSL

self-signed

see sslhappy-self

csr

see sslhappy-csr

pkcs12

in case you need a container for your keys

openssl pkcs12 -export -inkey self.key -in self.crt -out self.p12
openssl pkcs12 -export -inkey prime256v1.key -in prime256v1.crt -out prime256v1.p12
openssl pkcs12 -export -inkey secp384r1.key -in secp384r1.crt -out secp384r1.p12

netbsd fix

on NetBSD you need to fix the config first: copy the sample openssl.cnf into place (keeping a .dist copy), then comment out its default_md line, since sha2 is not a digest name that openssl req accepts (see troubles below)

cp -i /usr/share/examples/openssl/openssl.cnf /etc/openssl/
cp -i /usr/share/examples/openssl/openssl.cnf /etc/openssl/openssl.cnf.dist
vi /etc/openssl/openssl.cnf

#default_md             = sha2

concat a certificate chain

you usually don't need to include the root certificate in the chain: it is supposed to be part of the client's (or server's) trust anchors already, and being self-signed it carries no trust of its own when sent in the handshake (the client won't trust it just because the server presented it). the leaf certificate comes first, followed by the intermediate(s)

cat server_cert intermediate_cert > issuer-concat.crt

and in case you need the private key to be in there as well (think of HAProxy's or Postfix's chain_files layout), the private key comes first

cat privkey.pem fullchain.pem > concat.pem
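a small check for the two layouts above, leaf first with no root, and key first when a key is bundled. this is an added example, not part of the original notes; it needs the openssl CLI and awk, and builds its own throwaway root -> inter -> leaf chain (constructed test data, the file names are arbitrary)

```shell
#!/bin/sh
# Check a concatenated PEM chain for the layout the notes above describe:
# leaf first, then the intermediate(s), no self-signed root, private key (if any) first.
# Added example, not part of the original notes; needs the openssl CLI and awk.
set -u

split_certs() {  # $1 = PEM file, $2 = output dir; writes 01.pem, 02.pem, ... in file order
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%02d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }' "$1"
}

check_chain() {  # $1 = concatenated PEM; returns 0 when the layout is right, 1 otherwise
    rc=0 prev_issuer="" dir=$(mktemp -d)
    if grep -q 'PRIVATE KEY-----' "$1"; then  # a key is present: it has to be the first block
        case $(grep -- '-----BEGIN' "$1" | head -n 1) in
            *"PRIVATE KEY"*) ;; *) echo "private key must come first"; rc=1 ;;
        esac
    fi
    split_certs "$1" "$dir"
    for f in "$dir"/*.pem; do
        subj=$(openssl x509 -in "$f" -noout -subject); subj=${subj#subject=}
        iss=$(openssl x509 -in "$f" -noout -issuer);   iss=${iss#issuer=}
        [ "$subj" = "$iss" ] && { echo "self-signed root present, drop it: $subj"; rc=1; }
        [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ] &&
            { echo "out of order: expected '$prev_issuer', got '$subj'"; rc=1; }
        prev_issuer=$iss
    done
    rm -rf "$dir"
    return $rc
}

make_test_chain() {  # $1 = work dir; builds a throwaway root -> inter -> leaf chain (constructed)
    ( cd "$1" || exit 1
      gen="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"  # word-split on purpose
      openssl req -x509 -days 1 $gen -subj /CN=test-root -keyout root.key -out root.crt 2>/dev/null
      openssl req -new $gen -subj /CN=test-inter -keyout inter.key -out inter.csr 2>/dev/null
      openssl x509 -req -days 1 -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
          -out inter.crt 2>/dev/null
      openssl req -new $gen -subj /CN=test-leaf -keyout leaf.key -out leaf.csr 2>/dev/null
      openssl x509 -req -days 1 -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
          -out leaf.crt 2>/dev/null
      cat leaf.crt inter.crt > good.pem              # the notes' issuer-concat.crt layout
      cat leaf.key leaf.crt inter.crt > haproxy.pem  # key first, HAProxy/Postfix style
      cat inter.crt leaf.crt > wrong-order.pem
      cat leaf.crt inter.crt root.crt > with-root.pem )
}
```

the test intermediate carries no CA extension, so it is only good for the ordering check here, not for openssl verify.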

comparing trust stores

see https://lab.nethence.com/ca-bundles/

assessing ssl end-points

see sslhappy-tools

resources

How To Create an SSL Certificate on Nginx for Ubuntu 14.04 https://www.digitalocean.com/community/tutorials/how-to-create-an-ssl-certificate-on-nginx-for-ubuntu-14-04

OpenSSL tips and tricks https://commandlinefanatic.com/cgi-bin/showarticle.cgi?article=art030

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats? https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file

Command Line Utilities https://wiki.openssl.org/index.php/Command_Line_Utilities

/etc/ssl/certs/

A note about SSL/TLS trusted certificate stores, and platforms (OpenSSL and GnuTLS) https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/

mk-ca-bundle the man page https://curl.haxx.se/docs/mk-ca-bundle.html

ubuntu

How do I re-issue OpenSSL snakeoil cert? https://askubuntu.com/questions/446228/how-do-i-re-issue-openssl-snakeoil-cert

How To Create a Self-Signed SSL Certificate for Nginx in Ubuntu 18.04 https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-18-04

Creating a Self-Signed SSL Certificate on Ubuntu https://ubuverse.com/creating-a-self-signed-ssl-certificate-on-ubuntu/

Self-Signed_Certificate https://wiki.debian.org/Self-Signed_Certificate

PRNG

How can I use OpenSSL with an external source of randomness? https://security.stackexchange.com/questions/143051/how-can-i-use-openssl-with-an-external-source-of-randomness

Good entropy source for generating openssl keys https://crypto.stackexchange.com/questions/12571/good-entropy-source-for-generating-openssl-keys

Random Numbers https://wiki.openssl.org/index.php/Random_Numbers

How to speed up OpenSSL/GnuPG Entropy For Random Number Generation On Linux https://www.cyberciti.biz/open-source/debian-ubuntu-centos-linux-setup-additional-entropy-for-server-using-aveged-rng-tools-utils/

Using engines for random number generation https://stackoverflow.com/questions/29150585/using-engines-for-random-number-generation

concat certs

https://stackoverflow.com/questions/7539625/does-pem-file-contains-both-private-and-public-keys

https://serverfault.com/questions/476576/how-to-combine-various-certificates-into-single-pem ==> leaf comes first

https://security.stackexchange.com/questions/121884/should-i-concatenate-root-certs ==> no need for root cert

troubles

req: Unrecognized flag sha2

How to make OpenSSL with SHA256 instead of sha1? https://stackoverflow.com/questions/42857286/how-to-make-openssl-with-sha256-instead-of-sha1

Generating an SHA256 SSL CSR on CentOS/RHEL using genkey https://serverfault.com/questions/630692/generating-an-sha256-ssl-csr-on-centos-rhel-using-genkey

crypto

https://en.wikipedia.org/wiki/PKCS_12

https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm

https://gist.github.com/tsaarni/14f31312315b46f06e0f1ecc37146bf3

dst vs isrg

Root Certificates https://letsencrypt.org/certificates/

Certificate Compatibility https://letsencrypt.org/docs/certificate-compatibility/

Standing on Our Own Two Feet [Updated] https://letsencrypt.org/2020/11/06/own-two-feet.html

Valid-isrgrootx1 testing site working on devices it shouldn’t? https://community.letsencrypt.org/t/valid-isrgrootx1-testing-site-working-on-devices-it-shouldnt/94738

Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2 https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

RHEL/CentOS 7 Fix for Let’s Encrypt Change https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4

Centos7 don’t trust certificate issued by lets encrypt https://serverfault.com/questions/791205/centos7-dont-trust-certificate-issued-by-lets-encrypt

Let’s Encrypt Transitioning to ISRG’s Root https://blog.hqcodeshop.fi/archives/436-Lets-Encrypt-Transitioning-to-ISRGs-Root.html

Licensed under MIT