OpenSSL
From Bashlinux
How to create SSL certificates for server/client(s) environment
- Create openssl directory structure for MySQL
mkdir -p /etc/pki/openssl
mkdir -p /etc/pki/openssl/private
mkdir -p /etc/pki/openssl/newcerts
- Initialize Index database
touch /etc/pki/openssl/index.txt
- Create control serial number
date +%Y%m%d > /etc/pki/openssl/serial
- Copy default openssl configuration file
cp /etc/pki/tls/openssl.cnf /etc/pki/openssl/
- Change the default dir in the new configuration file (replace is the string-substitution utility shipped with MySQL)
replace ../../CA /etc/pki/openssl -- /etc/pki/openssl/openssl.cnf
- Generate the CA key and self-signed CA certificate (without -days the CA certificate is valid for only 30 days)
openssl req -new -x509 -keyout /etc/pki/openssl/private/cakey.pem -out /etc/pki/openssl/cacert.pem -config /etc/pki/openssl/openssl.cnf
- Create Server REQ and KEY
openssl req -new -keyout /etc/pki/openssl/server-key.pem -out /etc/pki/openssl/server-req.pem -days 3600 -config /etc/pki/openssl/openssl.cnf
- Remove passphrase from KEY
openssl rsa -in /etc/pki/openssl/server-key.pem -out /etc/pki/openssl/server-key.pem
- Sign server cert
openssl ca -policy policy_anything -out /etc/pki/openssl/server-cert.pem -config /etc/pki/openssl/openssl.cnf -infiles /etc/pki/openssl/server-req.pem
- Create REQ and KEY for the client
openssl req -new -keyout /etc/pki/openssl/client-key.pem -out /etc/pki/openssl/client-req.pem -days 3600 -config /etc/pki/openssl/openssl.cnf
- Remove passphrase from the client KEY
openssl rsa -in /etc/pki/openssl/client-key.pem -out /etc/pki/openssl/client-key.pem
- Sign client cert
openssl ca -policy policy_anything -out /etc/pki/openssl/client-cert.pem -config /etc/pki/openssl/openssl.cnf -infiles /etc/pki/openssl/client-req.pem
How to generate strong private key and CSR
To make the key unique and unpredictable, we feed OpenSSL extra random data when generating it.
How to generate an RSA private key
- Create a folder and place three large files in it (they are used as additional seed material)
# mkdir -p /etc/pki/local
# cd /etc/pki/local
# tar zcvf logs.tgz /var/log
# cp /boot/vmlinuz-2.6.18-92.1.6.el5 .
- Generate the RSA private key (note that 1024-bit RSA is no longer considered strong; 2048 bits is the usual minimum today)
openssl genrsa -des3 -rand logs.tgz:vmlinuz-2.6.18-92.1.6.el5:/dev/random -out local.bashlinux.com.key 1024
- Be patient: this can take a long time, up to 10 minutes, because /dev/random blocks until enough entropy is available
- Enter the passphrase when prompted
- To remove the passphrase (for Apache, so that it does not ask for the passphrase every time it starts)
# openssl rsa -in local.bashlinux.com.key -out local.bashlinux.com.pem
How to generate a Certificate Signing Request (CSR)
# openssl req -new -key local.bashlinux.com.key -out local.bashlinux.com.csr
How to generate a Self-Signed certificate that is good for 1 year
# openssl x509 -req -days 360 -in local.bashlinux.com.csr -signkey local.bashlinux.com.key -out local.bashlinux.com.crt
How to generate a Personal Information Exchange file (PFX)
# openssl pkcs12 -export -out star.bashlinux.com.pfx -inkey star.bashlinux.com.key -in star.bashlinux.com.crt
How to convert a CRT into a Microsoft compatible CER
- Double-click the CRT file
- On the Details tab click on the button Copy to File...
- Select Base-64 encoded X.509 (.CER) and click Next
- Set the proper name ending with .cer
How to import a certificate on Windows
- Do a right-click on the certificate
- Select Install certificate
If the file is not listed on "Server Certificates" on IIS, then:
- Generate a PFX
- Do a right-click on the pfx file
- Select Install PFX
How to set up Nginx to match AWS ELB Protocol/Ciphers
- Add the following protocol and ciphers to nginx site
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5:!DH:!CAMELLIA;
How to check SSL ciphers for a site
- List all the available ciphers by protocol with nmap
# nmap --script ssl-enum-ciphers -p 443 <FQDN>