OpenSSL Notes

-

Creating/Modifying

Generate a new private key

openssl genrsa -out example.key 2048

Remove a passphrase from a private key

openssl rsa -in example.key -out new_example.key

Generate a new private key and CSR (certificate signing request)

openssl req -out example.csr -new -newkey rsa:2048 -nodes -keyout example.key

Generate a self-signed SSL certificate

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout example.key -out example.crt

Generate a CSR using an existing private key

openssl req -out example.csr -key example.key -new

Generate a CSR based on an existing certificate

openssl x509 -x509toreq -in example.crt -out example.csr -signkey example.key

Generate a CSR with multiple Subject Alternative Names (SANs)

Create a config file:

[req]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = US
ST = New York
L = New York
O = Secure Corp, LLC
OU = IT
CN = host.securecorp.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = other-host.securecorp.com
DNS.2 = best-host.securecorp.com
DNS.3 = worst-host.securecorp.com

Generate the key and CSR simultaneously:

openssl req -new -newkey rsa:2048 -nodes -sha256 -config csr_details.conf -keyout example.key -out example.csr

Checking Existing Keys/CSRs/Certificates

Display CSR contents

openssl req -text -noout -verify -in example.csr

Check a private key

openssl rsa -in example.key -check

Display a certificate's contents

openssl x509 -in example.crt -text -noout

Extract a PEM certificate from a PKCS7 file

openssl pkcs7 -print_certs -in source.p7b -out certificate.crt

Confirm that a key and certificate match

(openssl x509 -noout -modulus -in example.crt |openssl md5;openssl rsa -noout -modulus -in example.key |openssl md5) | uniq | wc -l

(A result of 1 means they match, 2 means they don't)

You can also check a CSR with:

openssl req -noout -modulus -in example.csr |openssl md5

Debugging site SSL certificate installation

Check an SSL connection. All the certificates (including intermediates) should be displayed

echo | openssl s_client -servername www.example.com -connect www.example.com:443

Show certificate details from a web server

echo | openssl s_client -servername www.example.com -connect www.example.com:443 | openssl x509 -noout -text

Comments

Post a Comment

Popular posts from this blog

SSH Private Keys - RSA vs. OpenSSH

-
It would seem that ssh-keygen on OS X Mojave generates OpenSSH Private Keys instead of the traditional RSA Private Keys. While on the surface this is not a problem at all, it recently created a problem for us in combination with our use of the net-ssh Ruby gem, specifically that only RSA Private Keys are supported by this particular version of the gem, unless other dependencies are explicitly installed. So there would appear to be two solutions to this problem. First, we could update the net-ssh gem or discover/install whatever other dependencies are required to support OpenSSH Private Keys. Option two is to convert the existing private key from OpenSSH to RSA. The man page for ssh-keygen is helpful, but not nearly clear enough for this use case, so I'm documenting it here because I'm sure it'll come back to bite me again in the future. Assuming ~/.ssh/id_rsa starts with: -----BEGIN OPENSSH PRIVATE KEY----- Run ssh-keygen -p -m PEM -f ~/.ssh/id_rsa and you will
Read more

Clearing IPTables rules

-
Occasionally I find it necessary to quickly clear out all the IPTables rules without accidentally losing access to the machine. I've found the below commands to be the quickest way to accomplish that goal (substitute ip6tables if you live in an IPv6 world) iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT iptables -t nat -F iptables -t mangle -F iptables -F iptables -X You can confirm afterward by running iptables -nvL , which should produce output similar to: Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
Read more

tcgetattr: Inappropriate ioctl for device

-
Recently a colleague of mine was working on a bash script to copy a script to a group of servers, run the script and display the output. The basic structure of the script was: for host in $(host_list); do echo "Host = $host" scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no check_script.rb user@${host}:/tmp/check_script.rb ssh -tt -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no user@${host} 'chmod +x /tmp/check_script.rb' ssh -tt -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no user@${host} 'sudo ruby check_script.rb' done When he attempted to run his script, it was failing after copying the script to the first remote host with the error tcgetattr: Inappropriate ioctl for device .  A google search turned up a bunch of results, but nothing helpful enough to resolve the issue. The issue turns out to be the ssh command requesting a TTY and erroring out because it is unable to get one.  Removing the -tt option fro
Read more