SSL

openssl certificate + key generation

   1 openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/http2.pem -keyout /etc/ssl/private/http2.pem
   2 #Country Name: PT
   3 #Country Name (2 letter code) [XX]:PT
   4 #State or Province Name (full name) []:State
   5 #Locality Name (eg, city) [Default City]:City
   6 #Organization Name (eg, company) [Default Company Ltd]:example
   7 #Organizational Unit Name (eg, section) []:
   8 #Common Name (eg, your name or your server's hostname) []:*.example.org
   9 #Email Address []:user@example.org
  10

Check https connection

   1 openssl s_client -connect wiki.bitarus.allowed.org:443

Multiple SSL nginx

http://nginx.org/en/docs/http/configuring_https_servers.html

Multiple SSL Apache

https://wiki.apache.org/httpd/NameBasedSSLVHosts

As a rule, it is impossible to host more than one SSL virtual host on the same IP address and port.

It is acceptable to use a single SSL configuration for several virtual hosts. In particular, this will work if the SSL certificate applies to all the virtual hosts. For example, this will work if:

All the VirtualHosts are within the same domain, eg: one.example.com and two.example.com. You have a wildcard SSL certificate for that domain (one where the Common Name begins with an asterix: i.e *.example.com)

Encrypt and decrypt with openssl + RSA keypair + base64

   1 # generate RSA key pair
   2 openssl genrsa -out private.pem 2048
   3 # export public key 
   4 openssl rsa -in private.pem -outform PEM -pubout -out public.pem
   5 
   6 rm test.txt test.txt.bin.enc test.txt.bin.enc.b64 decoded.enc test.txt.bin
   7 echo -n "test" > test.txt
   8 hexdump -C test.txt
   9 # encrypt with public key
  10 openssl rsautl -encrypt -inkey public.pem -pubin -in test.txt -out test.txt.bin.enc
  11 # encode 
  12 base64 test.txt.bin.enc > test.txt.bin.enc.b64
  13 # decode
  14 base64 -d test.txt.bin.enc.b64 > decoded.enc
  15 # decrypt with public key 
  16 openssl rsautl -decrypt -inkey private.pem -in decoded.enc -out test.txt.bin
  17 hexdump -C test.txt.bin

encrypt.sh

   1 # ssh-keygen
   2 # openssl rsa -in id_rsa -outform PEM -pubout -out id_rsa.pub.pem
   3 MESSAGE=message.txt
   4 MESSAGE_ENC=message.txt.enc
   5 MESSAGE_ENC_B64=message.txt.enc.b64
   6 PUB_KEY=~/.ssh/id_rsa.pub.pem
   7 
   8 echo -n $1 > $MESSAGE
   9 openssl rsautl -encrypt -inkey "$PUB_KEY" -pubin -in "$MESSAGE" -out "$MESSAGE_ENC" 
  10 base64 $MESSAGE_ENC > $MESSAGE_ENC_B64
  11 cat $MESSAGE_ENC_B64

decrypt.sh

   1 OUT_MESSAGE=message.txt.dec
   2 MESSAGE_ENC_B64=message.txt.enc.b64
   3 DECODED_ENC=message.dec.enc
   4 PRV_KEY=~/.ssh/id_rsa
   5  
   6 base64 -d $MESSAGE_ENC_B64 > $DECODED_ENC
   7 openssl rsautl -decrypt -inkey $PRV_KEY -in $DECODED_ENC -out $OUT_MESSAGE
   8 cat $OUT_MESSAGE

https://gethttpsforfree.com/

   1 cd ~
   2 openssl genrsa 4096 > httpsforfreeaccount.key
   3 openssl rsa -in httpsforfreeaccount.key -pubout > httpsforfreeaccount.pub
   4 openssl genrsa 4096 > domain.key
   5 openssl req -new -sha256 -key domain.key -subj "/" \
   6   -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
   7   <(printf "\n[SAN]\nsubjectAltName=DNS:foo.com,DNS:www.foo.com"))

https://www.sslforfree.com/

Get expiration date

echo | openssl s_client -servername www.bitarus.allowed.org -connect www.bitarus.allowed.org:443 2>/dev/null | openssl x509 -noout -enddate

   1 import sys
   2 import os
   3 import time
   4 
   5 hostname = "www.bitarus.allowed.org"
   6 output_file = "/tmp/cert_info_%s.txt"%(hostname)
   7 command = "echo | openssl s_client -servername %s -connect %s:443 2>/dev/null | openssl x509 -noout -enddate > %s"
   8 
   9 threshold = 86400 * 5 # 5 days
  10 
  11 os.system(command%(hostname, hostname, output_file))
  12 
  13 with open(output_file) as f:
  14   for line in f:
  15     datex = line.split("=")[1].strip()
  16     print datex
  17     t = time.strptime(datex,'%b %d %H:%M:%S %Y %Z')
  18     delta = time.mktime(t) - time.time()
  19     if delta < 0: print "Expired %s"%(hostname)
  20     if delta >=0 and delta <= threshold: print "Will expire soon %s"%(hostname)
  21     if delta > threshold : print "Is okay %s"%(hostname)

Create root CA (certification authority) and signed certificate for darkstar host

   1 mkdir ~/certs
   2 cd ~/certs
   3 # create root CA private key
   4 openssl genrsa -des3 -out localCA.key 2048
   5 # create root CA certificate
   6 openssl req -x509 -new -nodes -key localCA.key -sha256 -days 1825 -out localCA.pem 
   7 # update certificates in the OS
   8 sudo cp ~/certs/localCA.pem /usr/local/share/ca-certificates/localCA.crt
   9 sudo update-ca-certificates
  10 # create darkstar host private key 
  11 openssl genrsa -out darkstar.key 2048
  12 # Create darkstar host CSR (certificate signing request)
  13 openssl req -new -key darkstar.key -out darkstar.csr

Create darkstar host configuration file called darkstar.ext

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = darkstar

   1 # Create darkstar host signed certificate 
   2 openssl x509 -req -in darkstar.csr -CA ~/certs/localCA.pem -CAkey ~/certs/localCA.key -CAcreateserial -days 825 -sha256 -extfile darkstar.ext -out darkstar.crt 
   3 
   4 cd /etc/nginx/sites-available
   5 nano darkstar
   6 ssl_certificate /etc/ssl/certs/darkstar.crt;
   7 ssl_certificate_key /etc/ssl/private/darkstar.key;
   8 
   9 sudo mv darkstar.crt /etc/ssl/certs
  10 sudo mv darkstar.key /etc/ssl/private/
  11 service nginx restart

Import the root CA in the certificates authorities part in the browsers.

Firefox
- settings, privacy and security
- view certificates
- Authorities, import
- import localCA.pem
- trust to identify websites and email users
- Access https://darkstar/
Android Chrome
- Install root CA certificate from https://darkstar/localCA.crt
  - VPN and apps
  - cert name "localCA root cert"