Difference between revisions of "OpenSSL"

From Bashlinux
Latest revision as of 05:53, 5 October 2022

How to create SSL certificates for server/client(s) environment

  • Create the directory structure for the OpenSSL CA (keep private/ readable by root only)
mkdir -p /etc/pki/openssl
mkdir -p /etc/pki/openssl/private
mkdir -p /etc/pki/openssl/newcerts
  • Initialize the index database
touch /etc/pki/openssl/index.txt
  • Create the control serial number (OpenSSL reads this file as hex; a date made only of the digits 0-9 is valid hex, so this works)
date +%Y%m%d > /etc/pki/openssl/serial
  • Copy the default OpenSSL configuration file
cp /etc/pki/tls/openssl.cnf /etc/pki/openssl/
  • Change the default dir in the new configuration file. replace is the MySQL text-replacement utility; the value to replace is distribution-specific (../../CA on old RHEL/CentOS, /etc/pki/CA or ./demoCA elsewhere), so check it with grep '^dir' /etc/pki/openssl/openssl.cnf first
replace ../../CA /etc/pki/openssl  -- /etc/pki/openssl/openssl.cnf
  • Generate the CA. The -config path must be the copied file (earlier revisions pointed at /etc/pki/openssl.cnf, which does not exist); without -days, req -x509 issues a 30-day certificate, so set the CA lifetime explicitly
openssl req -new -x509 -days 3650 -keyout /etc/pki/openssl/private/cakey.pem -out /etc/pki/openssl/cacert.pem -config /etc/pki/openssl/openssl.cnf
  • Create the server REQ and KEY. -days is ignored by req -new without -x509: the validity of a request is decided when it is signed below, not here
openssl req -new -keyout /etc/pki/openssl/server-key.pem -out /etc/pki/openssl/server-req.pem -config /etc/pki/openssl/openssl.cnf
  • Remove the passphrase from the server KEY (file permissions are then the only thing protecting the key, so chmod 600 it)
openssl rsa -in /etc/pki/openssl/server-key.pem -out /etc/pki/openssl/server-key.pem
  • Sign the server cert. Without -days, openssl ca uses default_days from openssl.cnf (365 in the stock file); -days 3600 here gives the roughly ten-year validity intended above
openssl ca -policy policy_anything -days 3600 -out /etc/pki/openssl/server-cert.pem -config /etc/pki/openssl/openssl.cnf -infiles /etc/pki/openssl/server-req.pem
  • Create the REQ and KEY for the client
openssl req -new -keyout /etc/pki/openssl/client-key.pem -out /etc/pki/openssl/client-req.pem -config /etc/pki/openssl/openssl.cnf
  • Remove the passphrase from the client KEY
openssl rsa -in /etc/pki/openssl/client-key.pem -out /etc/pki/openssl/client-key.pem
  • Sign the client cert
openssl ca -policy policy_anything -days 3600 -out /etc/pki/openssl/client-cert.pem -config /etc/pki/openssl/openssl.cnf -infiles /etc/pki/openssl/client-req.pem
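The whole procedure above as one non-interactive script, added here as an example (it is not code from the original page). It builds a throwaway CA in a scratch directory with a minimal openssl.cnf instead of editing the distribution copy, signs a server and a client certificate with openssl ca using separate extension sections (serverAuth vs. clientAuth, which the page's policy_anything signing does not set), and checks the chain with openssl verify. The names Demo Root CA, server.example.test and client1, the scratch-directory layout and the 1000 starting serial are assumptions for the demo.

```shell
#!/bin/sh
# Added example: private CA + server/client certs, mirroring the steps above.
# Not the page's own script. Names, paths and serial are demo assumptions.
set -eu

# build_ca DIR: create the CA layout, a minimal openssl.cnf and the CA cert.
build_ca() {
  dir="$1"
  mkdir -p "$dir/private" "$dir/newcerts"
  chmod 700 "$dir/private"          # CA key must not be world-readable
  : > "$dir/index.txt"              # empty index database
  echo 1000 > "$dir/serial"         # next serial number, read as hex
  # 'EOF' is quoted so that $dir stays literal for OpenSSL to expand.
  cat > "$dir/openssl.cnf" <<'EOF'
[ ca ]
default_ca             = CA_default
[ CA_default ]
dir                    = .
new_certs_dir          = $dir/newcerts
database               = $dir/index.txt
serial                 = $dir/serial
certificate            = $dir/cacert.pem
private_key            = $dir/private/cakey.pem
default_days           = 365
default_md             = sha256
policy                 = policy_anything
unique_subject         = no
[ policy_anything ]
commonName             = supplied
organizationName       = optional
[ req ]
distinguished_name     = req_dn
x509_extensions        = v3_ca
[ req_dn ]
commonName             = Common Name
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:server.example.test
[ client_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
EOF
  # Self-signed CA certificate; -nodes leaves the key unencrypted for the demo.
  ( cd "$dir" && openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
      -subj "/CN=Demo Root CA" -keyout private/cakey.pem -out cacert.pem \
      -config openssl.cnf >/dev/null 2>&1 )
}

# issue_cert DIR NAME EXT_SECTION SUBJECT: key + CSR, then sign with the CA.
issue_cert() {
  dir="$1"; name="$2"; ext="$3"; subj="$4"
  ( cd "$dir" \
    && openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
         -keyout "$name-key.pem" -out "$name-req.pem" -config openssl.cnf >/dev/null 2>&1 \
    && openssl ca -batch -notext -config openssl.cnf -extensions "$ext" \
         -in "$name-req.pem" -out "$name-cert.pem" >/dev/null 2>&1 )
}

# verify_cert DIR NAME: exit 0 if DIR/NAME-cert.pem chains to the CA.
verify_cert() {
  openssl verify -CAfile "$1/cacert.pem" "$1/$2-cert.pem" >/dev/null
}

# has_eku DIR NAME TEXT: exit 0 if the cert's Extended Key Usage contains TEXT.
has_eku() {
  openssl x509 -noout -text -in "$1/$2-cert.pem" | grep -q "$3"
}

demo_dir=$(mktemp -d)
build_ca "$demo_dir"
issue_cert "$demo_dir" server server_cert "/CN=server.example.test"
issue_cert "$demo_dir" client client_cert "/CN=client1"
verify_cert "$demo_dir" server && verify_cert "$demo_dir" client \
  && echo "CA, server and client certificates written to $demo_dir"
```

The two extension sections are the part the page's procedure leaves out: a certificate signed with the stock policy_anything and no -extensions carries no Extended Key Usage, so nothing stops the client certificate from being presented as a server (and vice versa) by any peer that only checks the chain.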

How to generate strong private key and CSR

To make the key unique and unpredictable, extra random data can be fed to OpenSSL with -rand. On a current system this is unnecessary: OpenSSL seeds its CSPRNG from the kernel, and reading /dev/random can block for a long time on an idle machine. What actually decides the strength of the key is its size: 1024-bit RSA has been disallowed by NIST since 2013 and publicly trusted CAs stopped issuing 1024-bit certificates in 2014, so use at least 2048 bits.

How to generate an RSA private key

  • Create a folder and place a few large files in it to use as extra seed material (optional on modern systems)
# mkdir -p /etc/pki/local
# cd /etc/pki/local
# tar zcvf logs.tgz /var/log
# cp /boot/vmlinuz-2.6.18-92.1.6.el5 .
  • Generate the RSA private key, encrypted with 3DES under a passphrase (2048 bits; the 1024 used on the original page is no longer acceptable)
openssl genrsa -des3 -rand logs.tgz:vmlinuz-2.6.18-92.1.6.el5:/dev/random -out local.bashlinux.com.key 2048
  • Be patient: with /dev/random in the seed list this can take up to 10 minutes; drop it (or use /dev/urandom) to avoid the wait
  • Enter the passphrase when prompted
  • To remove the passphrase, e.g. for Apache, so that it does not ask for it at every start (the unencrypted file should be owned by root with mode 600)
# openssl rsa -in local.bashlinux.com.key -out local.bashlinux.com.pem

How to generate Certificate Signing Request (CSR)

# openssl req -new -key local.bashlinux.com.key -out local.bashlinux.com.csr

How to generate a Self-Signed certificate that is good for 1 year

Sign the CSR from the previous step with the same key (-days 365 for one year; the original page used 360):

# openssl x509 -req -days 365 -in local.bashlinux.com.csr -signkey local.bashlinux.com.key -out local.bashlinux.com.crt
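The key and CSR steps above, as an added example that is not part of the original page: it generates a 2048-bit key without -rand seeding (current OpenSSL seeds from the kernel CSPRNG), puts a subjectAltName in the CSR, which browsers require and the bare openssl req -new above does not produce, and then performs the checks worth doing before sending a CSR anywhere: the request's self-signature verifies, the modulus in the CSR is the one from the private key, and the key is at least 2048 bits. The hostname www.example.test, the scratch directory and the req.cnf file name are assumptions.

```shell
#!/bin/sh
# Added example: strong key + CSR with SAN, plus consistency checks.
# Not the page's own script. Hostname and paths are demo assumptions.
set -eu

# gen_key_csr DIR FQDN [BITS]: writes DIR/FQDN.key and DIR/FQDN.csr
gen_key_csr() {
  dir="$1"; fqdn="$2"; bits="${3:-2048}"
  mkdir -p "$dir"
  # Unquoted heredoc so $fqdn expands into the request config.
  cat > "$dir/req.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
CN = $fqdn
[ v3_req ]
subjectAltName = DNS:$fqdn
EOF
  # Key is written unencrypted, like the page's passphrase-less key, so
  # restrict the mode at creation time instead of relying on the umask.
  ( umask 077 && openssl genrsa -out "$dir/$fqdn.key" "$bits" 2>/dev/null )
  openssl req -new -sha256 -key "$dir/$fqdn.key" -config "$dir/req.cnf" \
    -out "$dir/$fqdn.csr" 2>/dev/null
}

# key_bits KEYFILE: print the RSA modulus size in bits
key_bits() {
  openssl rsa -noout -text -in "$1" 2>/dev/null \
    | sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# csr_ok CSRFILE: exit 0 if the request's self-signature verifies
csr_ok() {
  openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# csr_matches_key KEYFILE CSRFILE: exit 0 if both carry the same modulus
csr_matches_key() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
  c=$(openssl req -noout -modulus -in "$2" 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# csr_has_san CSRFILE NAME: exit 0 if NAME appears as a DNS SAN in the CSR
csr_has_san() {
  openssl req -noout -text -in "$1" | grep -q "DNS:$2"
}

demo=$(mktemp -d)
gen_key_csr "$demo" www.example.test
echo "key size: $(key_bits "$demo/www.example.test.key") bits"
csr_ok "$demo/www.example.test.csr" \
  && csr_matches_key "$demo/www.example.test.key" "$demo/www.example.test.csr" \
  && csr_has_san "$demo/www.example.test.csr" www.example.test \
  && echo "CSR in $demo verifies, matches its key and carries the SAN"
```

The modulus comparison is the check to run when a certificate comes back from a CA or a colleague hands you "the key for this cert": the same two openssl -modulus commands work on a certificate (openssl x509 -noout -modulus), and a mismatch means the key on disk is not the one the certificate was issued for.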

How to generate a Personal Information Exchange file (PFX)

The PFX (PKCS#12) bundles the private key with the certificate, which is what IIS needs to bind a certificate to a site. You will be prompted for an export password that protects the key inside the file; if the certificate was issued under an intermediate CA, add -certfile with the intermediate chain so Windows imports it too.

# openssl pkcs12 -export -out star.bashlinux.com.pfx -inkey star.bashlinux.com.key -in star.bashlinux.com.crt

How to convert a CRT into a Microsoft compatible CER

  • Double-click the CRT file
  • On the Details tab click the Copy to File... button
  • Select Base-64 encoded X.509 (.CER) and click Next
  • Give the file a name ending in .cer

How to import a Certificate on Windows

  • Right-click the certificate
  • Select Install certificate

If the file is not listed under "Server Certificates" in IIS, the import only brought in the certificate and IIS also needs the private key, so:

  • Generate a PFX (see above)
  • Right-click the .pfx file
  • Select Install PFX

How to setup Nginx to match AWS ELB Protocols/Ciphers

  • Add the following protocols and ciphers to the nginx site. Note that TLS 1.0 and 1.1 are deprecated (RFC 8996) and !DH removes every DHE suite, so keep this list only while you must interoperate with clients or an ELB policy that still require them; otherwise restrict ssl_protocols to TLSv1.2 and TLSv1.3
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5:!DH:!CAMELLIA;
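The setting above beside a stricter one, as an added example (not configuration from the original page): the first server block is the page's ELB-compatible list, the second drops the protocols deprecated by RFC 8996 and keeps only AEAD suites with forward secrecy. The certificate paths are assumptions; TLSv1.3 in ssl_protocols needs nginx 1.13.0 or later built against OpenSSL 1.1.1 or later, and before switching a site that sits behind an ELB, confirm that the ELB security policy in use negotiates TLS 1.2.

```nginx
# As on the page: still accepts TLS 1.0/1.1 for legacy peers.
server {
    listen 443 ssl;
    server_name legacy.example.test;                        # assumed name
    ssl_certificate     /etc/pki/openssl/server-cert.pem;   # assumed paths
    ssl_certificate_key /etc/pki/openssl/server-key.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:!DH:!CAMELLIA;
}

# Stricter: TLS 1.2+ only, ECDHE + AEAD suites, server picks the order.
server {
    listen 443 ssl;
    server_name www.example.test;                           # assumed name
    ssl_certificate     /etc/pki/openssl/server-cert.pem;   # assumed paths
    ssl_certificate_key /etc/pki/openssl/server-key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
}
```

After a reload, the nmap check in the next section is the quickest way to confirm that TLS 1.0 and 1.1 no longer appear in the output.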

How to check SSL ciphers on a website

  • List the cipher suites the server accepts, grouped by protocol version, with nmap; the script also grades each suite (A to F) and reports the weakest one, so it doubles as a check that a protocol or cipher change on the server took effect
# nmap --script ssl-enum-ciphers -p 443 <FQDN>