|
Size: 1319
Comment:
|
← Revision 21 as of 2023-09-07 16:23:46 ⇥
Size: 6007
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 4: | Line 4: |
| {{{ | {{{#!highlight sh |
| Line 6: | Line 6: |
| COuntry Name: PT Country Name (2 letter code) [XX]:PT State or Province Name (full name) []:State Locality Name (eg, city) [Default City]:City Organization Name (eg, company) [Default Company Ltd]:example Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:*.example.org Email Address []:user@example.org |
#Country Name: PT #Country Name (2 letter code) [XX]:PT #State or Province Name (full name) []:State #Locality Name (eg, city) [Default City]:City #Organization Name (eg, company) [Default Company Ltd]:example #Organizational Unit Name (eg, section) []: #Common Name (eg, your name or your server's hostname) []:*.example.org #Email Address []:user@example.org |
| Line 17: | Line 17: |
| {{{ | {{{#!highlight sh |
| Line 33: | Line 33: |
== Encrypt and decrypt with openssl + RSA keypair + base64 == {{{#!highlight sh # generate RSA key pair openssl genrsa -out private.pem 2048 # export public key openssl rsa -in private.pem -outform PEM -pubout -out public.pem rm test.txt test.txt.bin.enc test.txt.bin.enc.b64 decoded.enc test.txt.bin echo -n "test" > test.txt hexdump -C test.txt # encrypt with public key openssl rsautl -encrypt -inkey public.pem -pubin -in test.txt -out test.txt.bin.enc # encode base64 test.txt.bin.enc > test.txt.bin.enc.b64 # decode base64 -d test.txt.bin.enc.b64 > decoded.enc # decrypt with public key openssl rsautl -decrypt -inkey private.pem -in decoded.enc -out test.txt.bin hexdump -C test.txt.bin }}} === encrypt.sh === {{{#!highlight sh # ssh-keygen # openssl rsa -in id_rsa -outform PEM -pubout -out id_rsa.pub.pem MESSAGE=message.txt MESSAGE_ENC=message.txt.enc MESSAGE_ENC_B64=message.txt.enc.b64 PUB_KEY=~/.ssh/id_rsa.pub.pem echo -n $1 > $MESSAGE openssl rsautl -encrypt -inkey "$PUB_KEY" -pubin -in "$MESSAGE" -out "$MESSAGE_ENC" base64 $MESSAGE_ENC > $MESSAGE_ENC_B64 cat $MESSAGE_ENC_B64 }}} === decrypt.sh === {{{#!highlight sh OUT_MESSAGE=message.txt.dec MESSAGE_ENC_B64=message.txt.enc.b64 DECODED_ENC=message.dec.enc PRV_KEY=~/.ssh/id_rsa base64 -d $MESSAGE_ENC_B64 > $DECODED_ENC openssl rsautl -decrypt -inkey $PRV_KEY -in $DECODED_ENC -out $OUT_MESSAGE cat $OUT_MESSAGE }}} == https://gethttpsforfree.com/ == {{{#!highlight sh cd ~ openssl genrsa 4096 > httpsforfreeaccount.key openssl rsa -in httpsforfreeaccount.key -pubout > httpsforfreeaccount.pub openssl genrsa 4096 > domain.key openssl req -new -sha256 -key domain.key -subj "/" \ -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \ <(printf "\n[SAN]\nsubjectAltName=DNS:foo.com,DNS:www.foo.com")) }}} == https://www.sslforfree.com/ == == Get expiration date == * echo | openssl s_client -servername www.bitarus.allowed.org -connect www.bitarus.allowed.org:443 2>/dev/null | openssl x509 -noout -enddate {{{#!highlight python import sys import os import time hostname = "www.bitarus.allowed.org" output_file = "/tmp/cert_info_%s.txt"%(hostname) command = "echo | openssl s_client -servername %s -connect %s:443 2>/dev/null | openssl x509 -noout -enddate > %s" threshold = 86400 * 5 # 5 days os.system(command%(hostname, hostname, output_file)) with open(output_file) as f: for line in f: datex = line.split("=")[1].strip() print datex t = time.strptime(datex,'%b %d %H:%M:%S %Y %Z') delta = time.mktime(t) - time.time() if delta < 0: print "Expired %s"%(hostname) if delta >=0 and delta <= threshold: print "Will expire soon %s"%(hostname) if delta > threshold : print "Is okay %s"%(hostname) }}} == Create root CA (certification authority) and signed certificate for darkstar host == {{{#!highlight sh mkdir ~/certs cd ~/certs # create root CA private key openssl genrsa -des3 -out localCA.key 2048 # create root CA certificate openssl req -x509 -new -nodes -key localCA.key -sha256 -days 1825 -out localCA.pem # update certificates in the OS sudo cp ~/certs/localCA.pem /usr/local/share/ca-certificates/localCA.crt sudo update-ca-certificates # create darkstar host private key openssl genrsa -out darkstar.key 2048 # Create darkstar host CSR (certificate signing request) openssl req -new -key darkstar.key -out darkstar.csr }}} === Create darkstar host configuration file called darkstar.ext === {{{ authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = darkstar }}} {{{#!highlight sh # Create darkstar host signed certificate openssl x509 -req -in darkstar.csr -CA ~/certs/localCA.pem -CAkey ~/certs/localCA.key -CAcreateserial -days 825 -sha256 -extfile darkstar.ext -out darkstar.crt cd /etc/nginx/sites-available nano darkstar ssl_certificate /etc/ssl/certs/darkstar.crt; ssl_certificate_key /etc/ssl/private/darkstar.key; sudo mv darkstar.crt /etc/ssl/certs sudo mv darkstar.key /etc/ssl/private/ service nginx restart }}} Import the root CA in the certificates authorities part in the browsers. * Firefox * settings, privacy and security * view certificates * Authorities, import * import localCA.pem * trust to identify websites and email users * Access https://darkstar/ * Android Chrome * Install root CA certificate from https://darkstar/localCA.crt * VPN and apps * cert name "localCA root cert" |
SSL
openssl certificate + key generation
1 openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/http2.pem -keyout /etc/ssl/private/http2.pem
2 #Country Name: PT
3 #Country Name (2 letter code) [XX]:PT
4 #State or Province Name (full name) []:State
5 #Locality Name (eg, city) [Default City]:City
6 #Organization Name (eg, company) [Default Company Ltd]:example
7 #Organizational Unit Name (eg, section) []:
8 #Common Name (eg, your name or your server's hostname) []:*.example.org
9 #Email Address []:user@example.org
10
Check https connection
1 openssl s_client -connect wiki.bitarus.allowed.org:443
Multiple SSL nginx
http://nginx.org/en/docs/http/configuring_https_servers.html
Multiple SSL Apache
https://wiki.apache.org/httpd/NameBasedSSLVHosts
As a rule, it is impossible to host more than one SSL virtual host on the same IP address and port.
It is acceptable to use a single SSL configuration for several virtual hosts. In particular, this will work if the SSL certificate applies to all the virtual hosts. For example, this will work if:
All the VirtualHosts are within the same domain, eg: one.example.com and two.example.com. You have a wildcard SSL certificate for that domain (one where the Common Name begins with an asterix: i.e *.example.com)
Encrypt and decrypt with openssl + RSA keypair + base64
1 # generate RSA key pair
2 openssl genrsa -out private.pem 2048
3 # export public key
4 openssl rsa -in private.pem -outform PEM -pubout -out public.pem
5
6 rm test.txt test.txt.bin.enc test.txt.bin.enc.b64 decoded.enc test.txt.bin
7 echo -n "test" > test.txt
8 hexdump -C test.txt
9 # encrypt with public key
10 openssl rsautl -encrypt -inkey public.pem -pubin -in test.txt -out test.txt.bin.enc
11 # encode
12 base64 test.txt.bin.enc > test.txt.bin.enc.b64
13 # decode
14 base64 -d test.txt.bin.enc.b64 > decoded.enc
15 # decrypt with public key
16 openssl rsautl -decrypt -inkey private.pem -in decoded.enc -out test.txt.bin
17 hexdump -C test.txt.bin
encrypt.sh
1 # ssh-keygen
2 # openssl rsa -in id_rsa -outform PEM -pubout -out id_rsa.pub.pem
3 MESSAGE=message.txt
4 MESSAGE_ENC=message.txt.enc
5 MESSAGE_ENC_B64=message.txt.enc.b64
6 PUB_KEY=~/.ssh/id_rsa.pub.pem
7
8 echo -n $1 > $MESSAGE
9 openssl rsautl -encrypt -inkey "$PUB_KEY" -pubin -in "$MESSAGE" -out "$MESSAGE_ENC"
10 base64 $MESSAGE_ENC > $MESSAGE_ENC_B64
11 cat $MESSAGE_ENC_B64
decrypt.sh
https://gethttpsforfree.com/
1 cd ~
2 openssl genrsa 4096 > httpsforfreeaccount.key
3 openssl rsa -in httpsforfreeaccount.key -pubout > httpsforfreeaccount.pub
4 openssl genrsa 4096 > domain.key
5 openssl req -new -sha256 -key domain.key -subj "/" \
6 -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
7 <(printf "\n[SAN]\nsubjectAltName=DNS:foo.com,DNS:www.foo.com"))
https://www.sslforfree.com/
Get expiration date
echo | openssl s_client -servername www.bitarus.allowed.org -connect www.bitarus.allowed.org:443 2>/dev/null | openssl x509 -noout -enddate
1 import sys
2 import os
3 import time
4
5 hostname = "www.bitarus.allowed.org"
6 output_file = "/tmp/cert_info_%s.txt"%(hostname)
7 command = "echo | openssl s_client -servername %s -connect %s:443 2>/dev/null | openssl x509 -noout -enddate > %s"
8
9 threshold = 86400 * 5 # 5 days
10
11 os.system(command%(hostname, hostname, output_file))
12
13 with open(output_file) as f:
14 for line in f:
15 datex = line.split("=")[1].strip()
16 print datex
17 t = time.strptime(datex,'%b %d %H:%M:%S %Y %Z')
18 delta = time.mktime(t) - time.time()
19 if delta < 0: print "Expired %s"%(hostname)
20 if delta >=0 and delta <= threshold: print "Will expire soon %s"%(hostname)
21 if delta > threshold : print "Is okay %s"%(hostname)
Create root CA (certification authority) and signed certificate for darkstar host
1 mkdir ~/certs
2 cd ~/certs
3 # create root CA private key
4 openssl genrsa -des3 -out localCA.key 2048
5 # create root CA certificate
6 openssl req -x509 -new -nodes -key localCA.key -sha256 -days 1825 -out localCA.pem
7 # update certificates in the OS
8 sudo cp ~/certs/localCA.pem /usr/local/share/ca-certificates/localCA.crt
9 sudo update-ca-certificates
10 # create darkstar host private key
11 openssl genrsa -out darkstar.key 2048
12 # Create darkstar host CSR (certificate signing request)
13 openssl req -new -key darkstar.key -out darkstar.csr
Create darkstar host configuration file called darkstar.ext
authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = darkstar
1 # Create darkstar host signed certificate
2 openssl x509 -req -in darkstar.csr -CA ~/certs/localCA.pem -CAkey ~/certs/localCA.key -CAcreateserial -days 825 -sha256 -extfile darkstar.ext -out darkstar.crt
3
4 cd /etc/nginx/sites-available
5 nano darkstar
6 ssl_certificate /etc/ssl/certs/darkstar.crt;
7 ssl_certificate_key /etc/ssl/private/darkstar.key;
8
9 sudo mv darkstar.crt /etc/ssl/certs
10 sudo mv darkstar.key /etc/ssl/private/
11 service nginx restart
Import the root CA in the certificates authorities part in the browsers.
- Firefox
- settings, privacy and security
- view certificates
- Authorities, import
- import localCA.pem
- trust to identify websites and email users
Access https://darkstar/
- Android Chrome
Install root CA certificate from https://darkstar/localCA.crt
- VPN and apps
- cert name "localCA root cert"