https://bgstack15.ddns.net/blog/enContents © 2024 <a href="mailto:bgstack15@gmail.com">bgstack15</a> <a rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/"> <img alt="Creative Commons License BY-SA" style="border-width:0; margin-bottom:12px;" src="https://bgstack15.ddns.net/.images/l_by-sa_4.0_88x31.png"></a>Mon, 02 Sep 2024 13:15:38 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rsshttps://bgstack15.ddns.net/blog/posts/2024/09/02/asn1parse-and-underscores/bgstack15<p>If you are building a CSR that includes the oid for a Microsoft Certificate Services <a href="https://bgstack15.ddns.net/blog/posts/2016/06/30/manipulating-ssl-certificates/">template name</a>, and that name includes an underscore, you might get an error when building a csr.</p> <div class="code"><pre class="code literal-block">Error checking request extension section req_ext 00CCADFE01000000:error:0680007C:asn1 encoding routines:ASN1_mbstring_ncopy:illegal characters:crypto/asn1/a_mbstr.c:113: 00CCADFE01000000:error:0688000D:asn1 encoding routines:asn1_str2type:ASN1 lib:crypto/asn1/asn1_gen.c:681:string=ABC_NAME_TESTING 00CCADFE01000000:error:11000074:X509 V3 routines:v3_generic_extension:extension value error:crypto/x509/v3_conf.c:260:value=PRINTABLESTRING:ABC_NAME_TESTING </pre></div> <p>So what you can do is switch your openssl.cnf to use a different <a href="https://bgstack15.ddns.net/blog/outbound/https:/docs.openssl.org/3.0/man3/ASN1_generate_nconf/#generation-string-format">data type</a>: UTF8STRING.</p> <div class="code"><pre class="code literal-block">oid_section = new_oids [ new_oids ] certificateTemplateName = 1.3.6.1.4.1.311.20.2 [ req_ext ] certificateTemplateName = ASN1:UTF8STRING:ABC_NAME_TESTING </pre></div>certificatesopensslsslhttps://bgstack15.ddns.net/blog/posts/2024/09/02/asn1parse-and-underscores/Mon, 02 Sep 2024 13:08:00 GMThttps://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/bgstack15<p><a href="https://bgstack15.ddns.net/blog/files/2024/listings/smtp1.sh.html">files/2024/listings/smtp1.sh</a> <a href="https://bgstack15.ddns.net/blog/files/2024/listings/smtp1.sh">(Source)</a></p><div class="code"><table class="codetable"><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-1"><code data-line-number=" 1"></code></a></td><td class="code"><code><span class="ch">#!/bin/sh</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-2"><code data-line-number=" 2"></code></a></td><td class="code"><code><span class="c1"># File: smtp1.sh</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-3"><code data-line-number=" 3"></code></a></td><td class="code"><code><span class="c1"># Location: stackbin</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-4"><code data-line-number=" 4"></code></a></td><td class="code"><code><span class="c1"># Author: bgstack15</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-5"><code data-line-number=" 5"></code></a></td><td class="code"><code><span class="c1"># Startdate: 2024-08-05-2 14:05</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-6"><code data-line-number=" 6"></code></a></td><td class="code"><code><span class="c1"># SPDX-License-Identifier: GPL-3.0-only</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-7"><code data-line-number=" 7"></code></a></td><td class="code"><code><span class="c1"># Title: Send authenticated email with openssl s_client</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-8"><code data-line-number=" 8"></code></a></td><td class="code"><code><span class="c1"># Purpose: demo cli smtp auth</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-9"><code data-line-number=" 9"></code></a></td><td class="code"><code><span class="c1"># History:</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-10"><code data-line-number="10"></code></a></td><td class="code"><code><span class="c1"># References:</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-11"><code data-line-number="11"></code></a></td><td class="code"><code><span class="c1">#    https://stackoverflow.com/questions/1546367/how-to-send-mail-with-to-cc-and-bcc</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-12"><code data-line-number="12"></code></a></td><td class="code"><code><span class="c1">#    https://szclsya.me/posts/net/send-email-with-netcat/</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-13"><code data-line-number="13"></code></a></td><td class="code"><code><span class="c1">#    https://serverfault.com/questions/1101104/how-to-send-an-email-with-openssl-and-microsoft-exchange-online</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-14"><code data-line-number="14"></code></a></td><td class="code"><code><span class="c1">#    https://woshub.com/sending-email-via-telnet-using-smtp-authentication/</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-15"><code data-line-number="15"></code></a></td><td class="code"><code><span class="c1">#    https://learn.microsoft.com/en-us/exchange/mail-flow/test-smtp-telnet?view=exchserver-2019</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-16"><code data-line-number="16"></code></a></td><td class="code"><code><span class="c1">#    https://stackoverflow.com/questions/14640560/openssl-to-negotiate-ssl-encryption-for-starttls</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-17"><code data-line-number="17"></code></a></td><td class="code"><code><span class="c1">#    https://thelinuxcode.com/openssl-s-client/</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-18"><code data-line-number="18"></code></a></td><td class="code"><code><span class="c1">#    https://www.stevenrombauts.be/2018/12/test-smtp-with-telnet-or-openssl/</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-19"><code data-line-number="19"></code></a></td><td class="code"><code><span class="c1">#    https://stackoverflow.com/questions/44250054/send-email-with-netcat</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-20"><code data-line-number="20"></code></a></td><td class="code"><code><span class="c1"># Improve:</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-21"><code data-line-number="21"></code></a></td><td class="code"><code><span class="c1"># Dependencies:</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-22"><code data-line-number="22"></code></a></td><td class="code"><code><span class="c1">#    dep-fedora: openssl, coreutils</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-23"><code data-line-number="23"></code></a></td><td class="code"><code><span class="c1">#    an smtp account and server</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-24"><code data-line-number="24"></code></a></td><td class="code"><code><span class="c1"># Documentation:</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-25"><code data-line-number="25"></code></a></td><td class="code"><code> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-26"><code data-line-number="26"></code></a></td><td class="code"><code>slowcat<span class="o">()</span> <span class="o">{</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-27"><code data-line-number="27"></code></a></td><td class="code"><code>   <span class="k">while</span> <span class="nb">read</span> REPLY <span class="p">;</span> <span class="k">do</span> sleep .05<span class="p">;</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$REPLY</span><span class="s2">"</span><span class="p">;</span> <span class="k">done</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-28"><code data-line-number="28"></code></a></td><td class="code"><code><span class="o">}</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-29"><code data-line-number="29"></code></a></td><td class="code"><code> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-30"><code data-line-number="30"></code></a></td><td class="code"><code><span class="o">{</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-31"><code data-line-number="31"></code></a></td><td class="code"><code>   <span class="nv">message1</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span> <span class="nb">printf</span> <span class="s1">'%s'</span> <span class="s1">'exampleuser@example.com'</span> <span class="p">|</span> base64 <span class="k">)</span><span class="s2">"</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-32"><code data-line-number="32"></code></a></td><td class="code"><code>   <span class="nv">message2</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span> cat ~/.config/smtp1 <span class="k">)</span><span class="s2">"</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-33"><code data-line-number="33"></code></a></td><td class="code"><code>   <span class="nb">printf</span> <span class="s1">'%s\n'</span> <span class="s2">"EHLO exampleaddress.com"</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-34"><code data-line-number="34"></code></a></td><td class="code"><code>   <span class="nb">printf</span> <span class="s1">'%s\n'</span> <span class="s2">"AUTH LOGIN"</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-35"><code data-line-number="35"></code></a></td><td class="code"><code>   <span class="nb">printf</span> <span class="s1">'%s\n'</span> <span class="s2">"</span><span class="si">${</span><span class="nv">message1</span><span class="si">}</span><span class="s2">"</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-36"><code data-line-number="36"></code></a></td><td class="code"><code>   <span class="nb">printf</span> <span class="s1">'%s\n'</span> <span class="s2">"</span><span class="si">${</span><span class="nv">message2</span><span class="si">}</span><span class="s2">"</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-37"><code data-line-number="37"></code></a></td><td class="code"><code>   <span class="c1"># Everybody, so TO, CC, BCC is a RCPT TO. The To, CC, BCC headers are the decorations visible to the mail client.</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-38"><code data-line-number="38"></code></a></td><td class="code"><code>   cat <span class="s">&lt;&lt;-EOF</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-39"><code data-line-number="39"></code></a></td><td class="code"><code><span class="s">MAIL FROM:&lt;exampleuser@example.com&gt;</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-40"><code data-line-number="40"></code></a></td><td class="code"><code><span class="s">RCPT TO:&lt;user2@local.example.com&gt;</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-41"><code data-line-number="41"></code></a></td><td class="code"><code><span class="s">RCPT TO:&lt;user3@anotherlocal.examplelong.com&gt;</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-42"><code data-line-number="42"></code></a></td><td class="code"><code><span class="s">DATA</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-43"><code data-line-number="43"></code></a></td><td class="code"><code><span class="s">From: [marco polo] &lt;exampleaddress.com&gt;</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-44"><code data-line-number="44"></code></a></td><td class="code"><code><span class="s">To: &lt;user3@anotherlocal.examplelong.com&gt;</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-45"><code data-line-number="45"></code></a></td><td class="code"><code><span class="s">BCC: &lt;user2@local.example.com&gt;</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-46"><code data-line-number="46"></code></a></td><td class="code"><code><span class="s">Date: Mon, 5 Aug 2024 17:31:32 +0000</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-47"><code data-line-number="47"></code></a></td><td class="code"><code><span class="s">Subject: Hello from netcat</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-48"><code data-line-number="48"></code></a></td><td class="code"><code> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-49"><code data-line-number="49"></code></a></td><td class="code"><code><span class="s">sample message here</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-50"><code data-line-number="50"></code></a></td><td class="code"><code> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-51"><code data-line-number="51"></code></a></td><td class="code"><code><span class="s">.</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-52"><code data-line-number="52"></code></a></td><td class="code"><code><span class="s">QUIT</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-53"><code data-line-number="53"></code></a></td><td class="code"><code><span class="s">EOF</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-54"><code data-line-number="54"></code></a></td><td class="code"><code> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-55"><code data-line-number="55"></code></a></td><td class="code"><code><span class="c1"># | slowcat | nc -v mail.example.net 587</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/#-56"><code data-line-number="56"></code></a></td><td class="code"><code><span class="o">}</span> <span class="p">|</span> slowcat <span class="p">|</span> openssl s_client -crlf -connect mail.example.net:587 -starttls smtp -ign_eof </code></td></tr></table></div> <p>I needed to test (credentials, but also in general) the ability to send smtp messages. Here is my small script that does that.</p> <p>The slowcat is useful because smtp (or maybe just my email implementation) wanted to delay between some of the steps, particularly EHLO and AUTH.</p> <p>I couldn't get netcat (nc) to work with tls, although I thought I saw that once. At least s_client could do it.</p>emailopensslsmtptelnethttps://bgstack15.ddns.net/blog/posts/2024/08/09/send-smtp-with-openssl-cli/Fri, 09 Aug 2024 12:40:00 GMThttps://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/bgstack15<p>To request a certificate with the exact Microsoft OID for <a href="https://bgstack15.ddns.net/blog/outbound/https:/support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16">Client Auth certs for the domain</a>, you can use an openssl.cnf that resembles the following.</p> <p>This also includes the SAN URI which is separate from the NTCS.</p> <p><a href="https://bgstack15.ddns.net/blog/files/2024/listings/openssl.cnf.html">files/2024/listings/openssl.cnf</a> <a href="https://bgstack15.ddns.net/blog/files/2024/listings/openssl.cnf">(Source)</a></p><div class="code"><table class="codetable"><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-1"><code data-line-number=" 1"></code></a></td><td class="code"><code><span class="o">[</span> req <span class="o">]</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-2"><code data-line-number=" 2"></code></a></td><td class="code"><code><span class="nv">prompt</span>             <span class="o">=</span> no </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-3"><code data-line-number=" 3"></code></a></td><td class="code"><code><span class="nv">default_bits</span>       <span class="o">=</span> <span class="m">4096</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-4"><code data-line-number=" 4"></code></a></td><td class="code"><code><span class="nv">default_md</span>         <span class="o">=</span> sha256 </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-5"><code data-line-number=" 5"></code></a></td><td class="code"><code><span class="nv">default_keyfile</span>    <span class="o">=</span> privkey.pem </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-6"><code data-line-number=" 6"></code></a></td><td class="code"><code><span class="nv">distinguished_name</span> <span class="o">=</span> req_distinguished_name </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-7"><code data-line-number=" 7"></code></a></td><td class="code"><code><span class="nv">req_extensions</span>     <span class="o">=</span> req_ext </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-8"><code data-line-number=" 8"></code></a></td><td class="code"><code> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-9"><code data-line-number=" 9"></code></a></td><td class="code"><code><span class="o">[</span> req_distinguished_name <span class="o">]</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-10"><code data-line-number="10"></code></a></td><td class="code"><code><span class="nv">C</span> <span class="o">=</span> US </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-11"><code data-line-number="11"></code></a></td><td class="code"><code><span class="nv">ST</span> <span class="o">=</span> Florida </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-12"><code data-line-number="12"></code></a></td><td class="code"><code><span class="nv">L</span> <span class="o">=</span> Miami </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-13"><code data-line-number="13"></code></a></td><td class="code"><code><span class="nv">O</span> <span class="o">=</span> Example Org </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-14"><code data-line-number="14"></code></a></td><td class="code"><code><span class="c1"># Important value</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-15"><code data-line-number="15"></code></a></td><td class="code"><code><span class="nv">CN</span> <span class="o">=</span> hostname123498.example.org </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-16"><code data-line-number="16"></code></a></td><td class="code"><code><span class="c1">#emailAddress = noreply@example.org</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-17"><code data-line-number="17"></code></a></td><td class="code"><code> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-18"><code data-line-number="18"></code></a></td><td class="code"><code><span class="o">[</span> req_ext <span class="o">]</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-19"><code data-line-number="19"></code></a></td><td class="code"><code><span class="nv">basicConstraints</span>       <span class="o">=</span> CA:FALSE </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-20"><code data-line-number="20"></code></a></td><td class="code"><code><span class="nv">keyUsage</span>               <span class="o">=</span> digitalSignature, keyEncipherment </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-21"><code data-line-number="21"></code></a></td><td class="code"><code><span class="c1"># this oid is szOID_NTDS_CA_SECURITY_EXT</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-22"><code data-line-number="22"></code></a></td><td class="code"><code><span class="m">1</span>.3.6.1.4.1.311.25.2   <span class="o">=</span> ASN1:SEQUENCE:NTDSCASecurityExt </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-23"><code data-line-number="23"></code></a></td><td class="code"><code><span class="nv">subjectAltName</span>         <span class="o">=</span> @alt_names </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-24"><code data-line-number="24"></code></a></td><td class="code"><code> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-25"><code data-line-number="25"></code></a></td><td class="code"><code><span class="o">[</span> alt_names <span class="o">]</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-26"><code data-line-number="26"></code></a></td><td class="code"><code><span class="c1"># Important value</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-27"><code data-line-number="27"></code></a></td><td class="code"><code>DNS.1 <span class="o">=</span> hostname123498.example.org </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-28"><code data-line-number="28"></code></a></td><td class="code"><code>DNS.2 <span class="o">=</span> hostname123498.subnet.example.org </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-29"><code data-line-number="29"></code></a></td><td class="code"><code><span class="c1"># hardcoded text until the sid</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-30"><code data-line-number="30"></code></a></td><td class="code"><code>URI.1 <span class="o">=</span> tag:microsoft.com,2022-09-14<span class="p">;</span>sid:S-1-5-21-2059058832-2300889872-1288252972-490382 </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-31"><code data-line-number="31"></code></a></td><td class="code"><code> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-32"><code data-line-number="32"></code></a></td><td class="code"><code><span class="o">[</span> NTDSCASecurityExt <span class="o">]</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-33"><code data-line-number="33"></code></a></td><td class="code"><code><span class="c1"># If you wanted to use another SEQUENCE but that does not conform to the M$ example.</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-34"><code data-line-number="34"></code></a></td><td class="code"><code><span class="c1">#wrappingSeq = EXPLICIT:0,SEQUENCE:ExtOid</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-35"><code data-line-number="35"></code></a></td><td class="code"><code><span class="c1"># The EXPLICIT,0 is required to get the specific context which is displayed by asn1parse as: cont [ 0 ]</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-36"><code data-line-number="36"></code></a></td><td class="code"><code><span class="nv">szOID_NTDS_OBJECTSID</span> <span class="o">=</span> EXPLICIT:0,OID:1.3.6.1.4.1.311.25.2.1 </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-37"><code data-line-number="37"></code></a></td><td class="code"><code><span class="c1"># Important value</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-38"><code data-line-number="38"></code></a></td><td class="code"><code><span class="nv">key</span> <span class="o">=</span> EXPLICIT:0,OCTETSTRING:S-1-5-21-2059058832-2300889872-1288252972-490382 </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-39"><code data-line-number="39"></code></a></td><td class="code"><code> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-40"><code data-line-number="40"></code></a></td><td class="code"><code><span class="o">[</span> ExtOid <span class="o">]</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-41"><code data-line-number="41"></code></a></td><td class="code"><code><span class="nv">oid</span> <span class="o">=</span> OID:1.3.6.1.4.1.311.25.2.1 </code></td></tr></table></div> <h2>References</h2> <h3>Weblinks</h3> <ol> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/e563cff8-1af6-4e6f-a655-7571ca482e71">[MS-WCCE]: szOID_NTDS_CA_SECURITY_EXT | Microsoft Learn</a></li> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/stackoverflow.com/questions/56894010/create-own-asn-1-module-for-custom-extension-in-openssl-command-line-tools">x509 - Create own ASN.1 module for custom extension in OpenSSL command line tools - Stack Overflow</a></li> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/www.openssl.org/docs/man1.1.1/man3/ASN1_generate_nconf.html">/docs/man1.1.1/man3/ASN1_generate_nconf.html</a></li> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/stackoverflow.com/questions/8075274/is-it-possible-making-openssl-skipping-the-country-common-name-prompts">is it possible making openssl skipping the country/common name prompts? - Stack Overflow</a></li> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/techcommunity.microsoft.com/t5/ask-the-directory-services-team/preview-of-san-uri-for-certificate-strong-mapping-for-kb5014754/ba-p/3789785">Preview of SAN URI for Certificate Strong Mapping for KB5014754 - Microsoft Community Hub</a></li> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16">KB5014754: Certificate-based authentication changes on Windows domain controllers - Microsoft Support</a></li> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/learn.microsoft.com/en-us/windows-server/administration/windows-commands/certreq_1#extensions">certreq | Microsoft Learn</a></li> </ol> <h3>Auxiliary</h3> <ol> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/blog.qdsecurity.se/2022/05/27/manually-injecting-a-sid-in-a-certificate/">Manually injecting a SID in a certificate – Q&amp;D Security</a></li> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/gist.github.com/LordVeovis/967bd83c36026f10847997d08cadd764">Generate-ServerCertificate.ps1</a></li> </ol>csropensslsslhttps://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/Wed, 24 Jul 2024 12:44:00 GMThttps://bgstack15.ddns.net/blog/posts/2024/06/02/openssl-read-cert-template/bgstack15<p>Here's a post that combines all my favorite technologies! This is so fun.</p> <p>If you want to use openssl to read the template name of a Microsoft Certificate Services certificate, you have to look up the <a href="https://bgstack15.ddns.net/blog/outbound/http:/oidref.com/1.3.6.1.4.1.311.21.7">OID</a> that is stored on the cert and find it in the directory.</p> <p><a href="https://bgstack15.ddns.net/blog/files/2024/listings/read-cert-template.sh.html">files/2024/listings/read-cert-template.sh</a> <a href="https://bgstack15.ddns.net/blog/files/2024/listings/read-cert-template.sh">(Source)</a></p><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal"> 1</span> <span class="normal"> 2</span> <span class="normal"> 3</span> <span class="normal"> 4</span> <span class="normal"> 5</span> <span class="normal"> 6</span> <span class="normal"> 7</span> <span class="normal"> 8</span> <span class="normal"> 9</span> <span class="normal">10</span> <span class="normal">11</span> <span class="normal">12</span> <span class="normal">13</span> <span class="normal">14</span> <span class="normal">15</span> <span class="normal">16</span> <span class="normal">17</span> <span class="normal">18</span> <span class="normal">19</span> <span class="normal">20</span> <span class="normal">21</span> <span class="normal">22</span> <span class="normal">23</span> <span class="normal">24</span> <span class="normal">25</span> <span class="normal">26</span> <span class="normal">27</span> <span class="normal">28</span> <span class="normal">29</span> <span class="normal">30</span> <span class="normal">31</span> <span class="normal">32</span> <span class="normal">33</span></pre></div></td><td class="code"><div><pre><span></span><span class="ch">#!/usr/bin/env sh</span> <span class="c1"># File: read-cert-template.sh</span> <span class="c1"># Location: blog exclusive</span> <span class="c1"># Author: bgstack15</span> <span class="c1"># SPDX-License-Identifier: GPL-3.0-only</span> <span class="c1"># Startdate: 2024-05-16-5 10:23</span> <span class="c1"># Title: Read cert template</span> <span class="c1"># Purpose: read certificate and print cert tempalte name if discoverable</span> <span class="c1"># History:</span> <span class="c1"># Usage:</span> <span class="c1"># Reference: see blog post</span> <span class="c1"># Improve:</span> <span class="c1"># Dependencies:</span> <span class="c1"># openssl, ldapsearch, ldap credential in read-cert-template.conf</span> <span class="c1"># Load conf, RCT_LDAPSERVER RCT_LDAPBASE RCT_LDAPAUTH1 RCT_LDAPAUTH2</span> <span class="nv">RCT_CONF</span><span class="o">=</span><span class="s2">"</span><span class="si">${</span><span class="nv">RCT_CONF</span><span class="k">:-</span><span class="si">${</span><span class="nv">HOME</span><span class="si">}</span><span class="p">/.config/read-cert-template.conf</span><span class="si">}</span><span class="s2">"</span> <span class="nb">test</span> -f <span class="s2">"</span><span class="si">${</span><span class="nv">RCT_CONF</span><span class="si">}</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> . <span class="s2">"</span><span class="si">${</span><span class="nv">RCT_CONF</span><span class="si">}</span><span class="s2">"</span> <span class="c1"># use RCT_IN env var or first parameter, or else standard input</span> <span class="nv">RCT_IN</span><span class="o">=</span><span class="s2">"</span><span class="si">${</span><span class="nv">RCT_IN</span><span class="k">:-</span><span class="si">${</span><span class="nv">1</span><span class="si">}}</span><span class="s2">"</span> <span class="nv">RCT_IN</span><span class="o">=</span><span class="s2">"</span><span class="si">${</span><span class="nv">RCT_IN</span><span class="k">:-</span><span class="p">/dev/stdin</span><span class="si">}</span><span class="s2">"</span> <span class="k">if</span> <span class="nb">echo</span> <span class="s2">"</span><span class="si">${</span><span class="nv">RCT_IN</span><span class="si">}</span><span class="s2">"</span> <span class="p">|</span> grep -qE -e <span class="s1">'^-$|^stdin$'</span> <span class="p">;</span> <span class="k">then</span> <span class="nv">_input</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span> cat <span class="k">)</span><span class="s2">"</span> <span class="k">else</span> <span class="nv">_input</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span> cat <span class="s2">"</span><span class="si">${</span><span class="nv">RCT_IN</span><span class="si">}</span><span class="s2">"</span> <span class="k">)</span><span class="s2">"</span> <span class="k">fi</span> <span class="nv">oid</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span> <span class="nb">echo</span> <span class="s2">"</span><span class="si">${</span><span class="nv">_input</span><span class="si">}</span><span class="s2">"</span> <span class="p">|</span> openssl x509 -in /dev/stdin -noout -text -certopt no_header,no_version,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,ext_parse <span class="p">|</span> sed -n -r -e <span class="s1">'/1.3.6.1.4.1.311.21.7/,+2p'</span> <span class="p">|</span> awk <span class="s1">'/OBJECT/{print $NF}'</span> <span class="p">|</span> sed -r -e <span class="s1">'s/^://;'</span> <span class="k">)</span><span class="s2">"</span> <span class="nb">test</span> -n <span class="s2">"</span><span class="si">${</span><span class="nv">VERBOSE</span><span class="si">}</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> <span class="nb">printf</span> <span class="s1">'oid=%s\n'</span> <span class="s2">"</span><span class="si">${</span><span class="nv">oid</span><span class="si">}</span><span class="s2">"</span> <span class="m">1</span>&gt;<span class="p">&amp;</span><span class="m">2</span> <span class="nv">LDAPTLS_REQCERT</span><span class="o">=</span>never ldapsearch -LLL -o ldif-wrap<span class="o">=</span><span class="m">9000</span> -H <span class="s2">"</span><span class="si">${</span><span class="nv">RCT_LDAPSERVER</span><span class="si">}</span><span class="s2">"</span> <span class="si">${</span><span class="nv">RCT_LDAPAUTHUNQUOTED</span><span class="si">}</span> <span class="s2">"</span><span class="si">${</span><span class="nv">RCT_LDAPAUTHQUOTED</span><span class="si">}</span><span class="s2">"</span> -b <span class="s2">"CN=Certificate Templates,CN=Public Key,CN=Services,CN=Configuration,</span><span class="si">${</span><span class="nv">RCT_LDAPBASE</span><span class="si">}</span><span class="s2">"</span> <span class="s2">"(msPKI-Cert-Template-OID=</span><span class="si">${</span><span class="nv">oid</span><span class="si">}</span><span class="s2">)"</span> CN <span class="p">|</span> awk <span class="s1">'$1~/cn:/{$1="";print;}'</span> <span class="p">|</span> sed -r -e <span class="s1">'s/^ +| +$//g;'</span> </pre></div></td></tr></table></div> <p><a href="https://bgstack15.ddns.net/blog/files/2024/listings/read-cert-template.conf.html">files/2024/listings/read-cert-template.conf</a> <a href="https://bgstack15.ddns.net/blog/files/2024/listings/read-cert-template.conf">(Source)</a></p><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span> <span class="normal">2</span> <span class="normal">3</span> <span class="normal">4</span> <span class="normal">5</span> <span class="normal">6</span></pre></div></td><td class="code"><div><pre><span></span><span class="c1"># File: ~/.config/read-cert-template.conf</span> <span class="nv">RCT_LDAPSERVER</span><span class="o">=</span>ldaps://example.corp <span class="c1"># The "CN=Certificate Templates,CN=Public Key,CN=Services,CN=Configuration," will be prepended to this:</span> <span class="nv">RCT_LDAPBASE</span><span class="o">=</span><span class="s2">"DC=example,DC=corp"</span> <span class="nv">RCT_LDAPAUTHUNQUOTED</span><span class="o">=</span><span class="s2">"-x -w see#keepass"</span> <span class="nv">RCT_LDAPAUTHQUOTED</span><span class="o">=</span><span class="s2">"-D CN=Service Account 319 (sa319),OU=Accounts,DC=example,DC=corp"</span> </pre></div></td></tr></table></div> <h2>References</h2> <p><a href="https://bgstack15.ddns.net/blog/outbound/https:/www.openssl.org/docs/manmaster/man1/openssl.html">man openssl</a> <a href="https://bgstack15.ddns.net/blog/outbound/https:/linux.die.net/man/3/x509">man x509</a></p>certificatesldaponelineropensslhttps://bgstack15.ddns.net/blog/posts/2024/06/02/openssl-read-cert-template/Sun, 02 Jun 2024 13:06:06 GMThttps://bgstack15.ddns.net/blog/posts/2024/05/25/query-ldap-cdp-with-ldapsearch/bgstack15<p>Quick and dirty note for manual inspection of the CRL distribution point stored in LDAP (so primarily for M$ use cases).</p> <div class="code"><pre class="code literal-block"><span class="nt">ldapsearch</span><span class="w"> </span><span class="nt">-LLL</span><span class="w"> </span><span class="nt">-o</span><span class="w"> </span><span class="nt">ldif-wrap</span><span class="o">=</span><span class="nt">9000</span><span class="w"> </span><span class="nt">-H</span><span class="w"> </span><span class="nt">ldap</span><span class="o">://</span><span class="nt">example</span><span class="p">.</span><span class="nc">corp</span><span class="w"> </span><span class="nt">-b</span><span class="w"> </span><span class="s2">"CN=CA Name V3,CN=hostname,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=corp"</span><span class="w"> </span><span class="s2">"(objectclass=cRLDistributionPoint)"</span><span class="w"> </span><span class="nt">-x</span><span class="w"> </span><span class="nt">-w</span><span class="w"> </span><span class="s2">"KEEPASS"</span><span class="w"> </span><span class="nt">-D</span><span class="w"> </span><span class="s2">"CN=Account,OU=Accounts,DC=example,DC=corp"</span><span class="w"> </span><span class="nt">certificateRevocationList</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nt">awk</span><span class="w"> </span><span class="nt">-F</span><span class="s1">'::'</span><span class="w"> </span><span class="s1">'$1~/certificateRevocationList/{print $NF}'</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="o">~/</span><span class="nt">tmp1</span><span class="w"></span> <span class="p">{</span><span class="w"> </span><span class="err">printf</span><span class="w"> </span><span class="err">'%s\n'</span><span class="w"> </span><span class="err">'-----BEGIN</span><span class="w"> </span><span class="err">X509</span><span class="w"> </span><span class="err">CRL-----'</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="err">&lt;~/tmp1</span><span class="w"> </span><span class="err">tr</span><span class="w"> </span><span class="err">-d</span><span class="w"> </span><span class="err">'\r\n</span><span class="w"> </span><span class="err">'</span><span class="w"> </span><span class="err">|</span><span class="w"> </span><span class="err">fold</span><span class="w"> </span><span class="err">-w64</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="err">printf</span><span class="w"> </span><span class="err">'\n%s'</span><span class="w"> </span><span class="err">'-----END</span><span class="w"> </span><span class="err">X509</span><span class="w"> </span><span class="err">CRL-----'</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nt">openssl</span><span class="w"> </span><span class="nt">crl</span><span class="w"> </span><span class="nt">-in</span><span class="w"> </span><span class="o">/</span><span class="nt">dev</span><span class="o">/</span><span class="nt">stdin</span><span class="w"> </span><span class="nt">-noout</span><span class="w"> </span><span class="nt">-text</span><span class="w"></span> </pre></div> <h2>References</h2> <ol> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/openldap-software.0penldap.narkive.com/O4EBmfh3/getting-crl-from-active-directory-using-ldapsearch">getting CRL from Active Directory using ldapsearch</a></li> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/medium.com/@arpanagupta10/understanding-certificate-revocation-list-using-openssl-c57f1b7dc43c">Understanding Certificate Revocation List using OpenSSL | by Arpana Gupta | Medium</a></li> </ol>certificatesldapopensslhttps://bgstack15.ddns.net/blog/posts/2024/05/25/query-ldap-cdp-with-ldapsearch/Sat, 25 May 2024 13:21:55 GMThttps://bgstack15.ddns.net/blog/posts/2023/10/02/latest-way-to-get-certificate-in-freeipa/bgstack15<h2>Copy pasta</h2> <div class="code"><pre class="code literal-block">openssl genpkey -algorithm RSA -out https-app1.ipa.internal.com.key openssl req -new -key https-app1.ipa.internal.com.key -subj "/O=IPA.INTERNAL.COM/CN=app1.ipa.internal.com" -addext "subjectAltName = DNS:webapp.ipa.internal.com,DNS:app.ipa.internal.com" -out https-app1.ipa.internal.com.csr ipa host-add --force webapp.ipa.internal.com ipa host-add --force app.ipa.internal.com ipa service-add --force HTTP/app1.ipa.internal.com ipa service-add --force HTTP/webapp.ipa.internal.com ipa service-add --force HTTP/app.ipa.internal.com ipa cert-request --chain --principal=HTTP/app1.ipa.internal.com https-app1.ipa.internal.com.csr --certificate-out=https-app1.ipa.internal.com.pem </pre></div> <p>Extra, in case you forget to add "--chain" to the above command. It is not necessary for a 2-deep cert chain, that is, if you don't have an intermediate certificate.</p> <div class="code"><pre class="code literal-block">sn="$( ipa cert-find --raw --services=HTTP/"$( hostname -f )" | awk '/serial_number:/{print <span class="nv">$NF</span>}' )" ipa cert-show --chain "<span class="cp">${</span><span class="n">sn</span><span class="cp">}</span>" --certificate-out=https-app1.ipa.internal.com.chain.pem </pre></div> <h2>Explanation</h2> <p>I learned you can use <a href="https://linux.die.net/man/1/genpkey"><code>genpkey</code></a> from the (openssl) <code>genrsa</code> man page. This simplifies the command a little. And now, with the later versions of openssl, you can pass SAN extensions and even the subject on the command line! I remember reading about that years ago but this is the first time my server environment has a new enough version of openssl to take advantage of that.</p> <h2>References</h2> <ol> <li><a href="https://bgstack15.ddns.net/blog/posts/2017/05/21/generate-certificate-with-subjectaltname-attributes-in-freeipa/">Generate certificate with SubjectAltName attributes in FreeIPA</a></li> <li><a href="https://linux.die.net/man/1/genpkey">openssl-genpkey(1ossl)</a></li> </ol>certificatesclifreeipaopensslhttps://bgstack15.ddns.net/blog/posts/2023/10/02/latest-way-to-get-certificate-in-freeipa/Mon, 02 Oct 2023 12:46:38 GMThttps://bgstack15.ddns.net/blog/posts/2022/10/28/send-https-request-with-openssl-s_client/bgstack15<p>Inspired by <a href="https://news.ycombinator.com/item?id=32903694">https://news.ycombinator.com/item?id=32903694</a>.</p> <p>To send a simple http get with <code>openssl s_client</code>, use this template.</p> <div class="code"><pre class="code literal-block"><span class="nv">sed</span> <span class="o">-</span><span class="nv">r</span> <span class="o">-</span><span class="nv">e</span> <span class="s1">'</span><span class="s">s/$/\r/;</span><span class="s1">'</span> <span class="o">&lt;&lt;</span><span class="nv">EOF</span> <span class="o">|</span> <span class="nv">openssl</span> <span class="nv">s_client</span> <span class="o">-</span><span class="k">connect</span> <span class="nv">www</span>.<span class="nv">example</span>.<span class="nv">com</span>:<span class="mi">443</span> <span class="o">-</span><span class="nv">ign_eof</span> <span class="nv">GET</span> <span class="o">/</span><span class="nv">internal</span><span class="o">/</span><span class="nv">directory</span>.<span class="nv">html</span> <span class="nv">HTTP</span><span class="o">/</span><span class="mi">1</span>.<span class="mi">1</span> <span class="nv">Host</span>: <span class="nv">www</span>.<span class="nv">example</span>.<span class="nv">com</span> <span class="nv">Connection</span>: <span class="nv">close</span> <span class="nv">EOF</span> </pre></div> <p>Or with printf.</p> <div class="code"><pre class="code literal-block"><span class="nv">printf</span> <span class="s1">'</span><span class="s">GET /internal/directory.html HTTP/1.1\r</span><span class="se">\n</span><span class="s">Host: www.example.com\r</span><span class="se">\n</span><span class="s">Connection: close\r</span><span class="se">\n</span><span class="s">\r</span><span class="se">\n</span><span class="s1">'</span> <span class="o">|</span> <span class="nv">openssl</span> <span class="nv">s_client</span> <span class="o">-</span><span class="k">connect</span> <span class="nv">www</span>.<span class="nv">example</span>.<span class="nv">com</span>:<span class="mi">443</span> <span class="o">-</span><span class="nv">ign_eof</span> </pre></div> <p>Here is a sample post:</p> <div class="code"><pre class="code literal-block"><span class="nt">sed</span><span class="w"> </span><span class="nt">-r</span><span class="w"> </span><span class="nt">-e</span><span class="w"> </span><span class="s1">'s/$/\r/;'</span><span class="w"> </span><span class="o">&lt;&lt;</span><span class="nt">EOF</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nt">openssl</span><span class="w"> </span><span class="nt">s_client</span><span class="w"> </span><span class="nt">-connect</span><span class="w"> </span><span class="nt">server3</span><span class="p">.</span><span class="nc">ipa</span><span class="p">.</span><span class="nc">internal</span><span class="p">.</span><span class="nc">com</span><span class="p">:</span><span class="nd">443</span><span class="w"> </span><span class="nt">-ign_eof</span><span class="w"></span> <span class="nt">POST</span><span class="w"> </span><span class="o">/</span><span class="nt">coupons</span><span class="o">/</span><span class="nt">search</span><span class="o">/</span><span class="w"> </span><span class="nt">HTTP</span><span class="o">/</span><span class="nt">1</span><span class="p">.</span><span class="nc">0</span><span class="w"></span> <span class="nt">Host</span><span class="o">:</span><span class="w"> </span><span class="nt">server3</span><span class="p">.</span><span class="nc">ipa</span><span class="p">.</span><span class="nc">internal</span><span class="p">.</span><span class="nc">com</span><span class="w"></span> <span class="nt">Connection</span><span class="o">:</span><span class="w"> </span><span class="nt">close</span><span class="w"></span> <span class="nt">Content-Type</span><span class="o">:</span><span class="w"> </span><span class="nt">text</span><span class="o">/</span><span class="nt">plain</span><span class="o">;</span><span class="nt">charset</span><span class="o">=</span><span class="nt">UTF-8</span><span class="w"></span> <span class="nt">Accept</span><span class="o">:</span><span class="w"> </span><span class="nt">text</span><span class="o">/</span><span class="nt">plain</span><span class="w"></span> <span class="nt">cheese</span><span class="w"></span> <span class="nt">EOF</span><span class="w"></span> </pre></div>opensslshellhttps://bgstack15.ddns.net/blog/posts/2022/10/28/send-https-request-with-openssl-s_client/Fri, 28 Oct 2022 12:48:28 GMThttps://bgstack15.ddns.net/blog/posts/2021/02/10/view-details-of-a-certificate/bgstack15<p>Sometimes you need to inspect your certificate or certificate chain presented by a server. Here are several ways to do that.</p> <h2>Inspect certificate with web browser</h2> <p>If the certificate or cert chain in question is being used to present a web site, you can visit the site in a browser, such as Firefox. Visit your site, and select the padlock icon in the address bar beside the URL. <a href="https://bgstack15.ddns.net/blog/2021/02/inspect-cert1.png"><img alt="Padlock icon with popup menu with annotated arrow that takes the user to the cert info view" src="https://bgstack15.ddns.net/blog/2021/02/inspect-cert1.png"></a> Select the arrow pointing to the right, and then select the "More information" link. <a href="https://bgstack15.ddns.net/blog/2021/02/inspect-cert2.png"><img alt='Cert info popup with "More information" annotated' src="https://bgstack15.ddns.net/blog/2021/02/inspect-cert2.png"></a> On the new modal window that appears, select the "View certificate" button. <a href="https://bgstack15.ddns.net/blog/2021/02/inspect-cert3.png"><img alt="" src="https://bgstack15.ddns.net/blog/2021/02/inspect-cert3.png"></a> Firefox will show you the certificate and its chain (if Firefox knows about it, or the web server presents the chain) for your inspection. <a href="https://bgstack15.ddns.net/blog/2021/02/inspect-cert4.png"><img alt="" src="https://bgstack15.ddns.net/blog/2021/02/inspect-cert4.png"></a></p> <h2>Inspect certificate chain with openssl command</h2> <p>The <a href="https://www.openssl.org/">openssl</a> reference implementation is available for both Windows and Linux through various means. Sufficiently high versions of openssl (&gt;=1.0.1a) will be able to perform these tasks. Openssl can make network connections to https sites, and can also inspect files.</p> <h3>Inspect certificate chain presented by web server</h3> <p>The simplest way is to search for the descriptors provided by openssl natively with s_client. You can make sure the number and order of certificates is what you expect to make a complete intermediate-server cert chain.</p> <pre class="code literal-block"><span></span><code><span class="err">$</span><span class="w"> </span><span class="n">echo</span><span class="w"> </span><span class="ss">""</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">openssl</span><span class="w"> </span><span class="n">s_client</span><span class="w"> </span><span class="o">-</span><span class="k">connect</span><span class="w"> </span><span class="n">xkcd</span><span class="p">.</span><span class="nl">com</span><span class="p">:</span><span class="mi">443</span><span class="w"> </span><span class="o">-</span><span class="n">showcerts</span><span class="w"> </span><span class="mi">2</span><span class="o">&gt;&amp;</span><span class="mi">1</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">grep</span><span class="w"> </span><span class="o">-</span><span class="n">iE</span><span class="w"> </span><span class="s1">'[si]:'</span><span class="w"></span> <span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="nl">s</span><span class="p">:</span><span class="n">C</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">US</span><span class="p">,</span><span class="w"> </span><span class="n">ST</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">California</span><span class="p">,</span><span class="w"> </span><span class="n">L</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">San</span><span class="w"> </span><span class="n">Francisco</span><span class="p">,</span><span class="w"> </span><span class="n">O</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">"Fastly, Inc."</span><span class="p">,</span><span class="w"> </span><span class="n">CN</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">i</span><span class="p">.</span><span class="n">ssl</span><span class="p">.</span><span class="n">fastly</span><span class="p">.</span><span class="n">net</span><span class="w"></span> <span class="w"> </span><span class="nl">i</span><span class="p">:</span><span class="n">C</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">BE</span><span class="p">,</span><span class="w"> </span><span class="n">O</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">GlobalSign</span><span class="w"> </span><span class="n">nv</span><span class="o">-</span><span class="n">sa</span><span class="p">,</span><span class="w"> </span><span class="n">CN</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">GlobalSign</span><span class="w"> </span><span class="n">Organization</span><span class="w"> </span><span class="n">Validation</span><span class="w"> </span><span class="n">CA</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">SHA256</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">G2</span><span class="w"></span> <span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="nl">s</span><span class="p">:</span><span class="n">C</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">BE</span><span class="p">,</span><span class="w"> </span><span class="n">O</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">GlobalSign</span><span class="w"> </span><span class="n">nv</span><span class="o">-</span><span class="n">sa</span><span class="p">,</span><span class="w"> </span><span class="n">CN</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">GlobalSign</span><span class="w"> </span><span class="n">Organization</span><span class="w"> </span><span class="n">Validation</span><span class="w"> </span><span class="n">CA</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">SHA256</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">G2</span><span class="w"></span> <span class="w"> </span><span class="nl">i</span><span class="p">:</span><span class="n">C</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">BE</span><span class="p">,</span><span class="w"> </span><span class="n">O</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">GlobalSign</span><span class="w"> </span><span class="n">nv</span><span class="o">-</span><span class="n">sa</span><span class="p">,</span><span class="w"> </span><span class="n">OU</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Root</span><span class="w"> </span><span class="n">CA</span><span class="p">,</span><span class="w"> </span><span class="n">CN</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">GlobalSign</span><span class="w"> </span><span class="n">Root</span><span class="w"> </span><span class="n">CA</span><span class="w"></span> </code></pre> <p>A well-behaved web server will present, at a minimum, the server certificate and all intermediate certificates. Serving the root certificate is optional, because well-behaved clients will already trust the root certificate. You can also dump the whole chain to a file, so you can split it up and read each certificate with the commands farther down on this page.</p> <pre class="code literal-block"><span></span><code>$ <span class="nb">echo</span> <span class="s2">""</span> <span class="p">|</span> openssl s_client -connect xkcd.com:443 -showcerts &gt; certchain.pem </code></pre> <h3>Inspect certificate in a file</h3> <p>Openssl will only read one certificate per file! If you have a certificate chain in a file, split it into multiple files before running these commands.</p> <pre class="code literal-block"><span></span><code>$ openssl x509 -in cert1.pem -noout -subject -issuer -dates -fingerprint -serial <span class="nv">subject</span><span class="o">=</span><span class="nv">C</span> <span class="o">=</span> US, <span class="nv">ST</span> <span class="o">=</span> California, <span class="nv">L</span> <span class="o">=</span> San Francisco, <span class="nv">O</span> <span class="o">=</span> <span class="s2">"Fastly, Inc."</span>, <span class="nv">CN</span> <span class="o">=</span> i.ssl.fastly.net <span class="nv">issuer</span><span class="o">=</span><span class="nv">C</span> <span class="o">=</span> BE, <span class="nv">O</span> <span class="o">=</span> GlobalSign nv-sa, <span class="nv">CN</span> <span class="o">=</span> GlobalSign Organization Validation CA - SHA256 - G2 <span class="nv">notBefore</span><span class="o">=</span>Jun <span class="m">16</span> <span class="m">18</span>:30:07 <span class="m">2020</span> GMT <span class="nv">notAfter</span><span class="o">=</span>Jul <span class="m">28</span> <span class="m">18</span>:43:49 <span class="m">2022</span> GMT SHA1 <span class="nv">Fingerprint</span><span class="o">=</span>7A:63:0B:5F:F6:72:E8:4D:70:B7:8B:45:1D:CF:27:94:AF:2C:F1:9A <span class="nv">serial</span><span class="o">=</span>0F40947DD38354936AD7D7D0 </code></pre> <h2>See also</h2> <p><a href="https://bgstack15.ddns.net/blog/posts/2016/06/30/manipulating-ssl-certificates/">Manipulating ssl certificates</a></p>certificatesopensslhttps://bgstack15.ddns.net/blog/posts/2021/02/10/view-details-of-a-certificate/Wed, 10 Feb 2021 13:38:03 GMThttps://bgstack15.ddns.net/blog/posts/2018/09/18/install-openssl-1-1-0-on-centos7/bgstack15<p>I really wanted the -proxy flag on the openssl command. It's not available in the provided openssl package (1.0.1 series), but it is in the 1.1.0 which is now the base package in Fedora. But for the Enterprise Linux users, you need to do a little bit of work to get it.</p> <h2>Download a pre-compiled package</h2> <p>You could just download the package from my copr. Save the contents of the <a href="https://copr.fedorainfracloud.org/coprs/bgstack15/stackrpms/repo/epel-7/bgstack15-stackrpms-epel-7.repo">.repo file</a> [copr.fedorainfracloud.org] or use them from here.</p> <pre class="code literal-block"><span></span><code><span class="k">[bgstack15-stackrpms]</span> <span class="na">name</span><span class="o">=</span><span class="s">Copr repo for stackrpms owned by bgstack15</span> <span class="na">baseurl</span><span class="o">=</span><span class="s">https://copr-be.cloud.fedoraproject.org/results/bgstack15/stackrpms/epel-7-$basearch/</span> <span class="na">type</span><span class="o">=</span><span class="s">rpm-md</span> <span class="na">skip_if_unavailable</span><span class="o">=</span><span class="s">True</span> <span class="na">gpgcheck</span><span class="o">=</span><span class="s">1</span> <span class="na">gpgkey</span><span class="o">=</span><span class="s">https://copr-be.cloud.fedoraproject.org/results/bgstack15/stackrpms/pubkey.gpg</span> <span class="na">repo_gpgcheck</span><span class="o">=</span><span class="s">0</span> <span class="na">enabled</span><span class="o">=</span><span class="s">1</span> <span class="na">enabled_metadata</span><span class="o">=</span><span class="s">1</span> </code></pre> <p>Install with:</p> <pre class="code literal-block"><span></span><code>yum install openssl110 </code></pre> <p>And then the binary has been named <strong>openssl110</strong></p> <h2>Download and compile the source</h2> <pre class="code literal-block"><span></span><code>wget https://www.openssl.org/source/openssl-1.1.0i.tar.gz tar -zxf openssl-1.1.0i.tar.gz cd openssl-1.1.0i ./config make sudo make install </code></pre> <p>To prevent an error that resembles:</p> <pre class="code literal-block"><span></span><code><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">openssl</span> <span class="n">version</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">openssl</span><span class="p">:</span> <span class="n">error</span> <span class="k">while</span> <span class="n">loading</span> <span class="n">shared</span> <span class="n">libraries</span><span class="p">:</span> <span class="n">libcrypto</span><span class="o">.</span><span class="n">so</span><span class="o">.</span><span class="mf">1.1</span><span class="p">:</span> <span class="n">cannot</span> <span class="n">open</span> <span class="n">shared</span> <span class="n">object</span> <span class="n">file</span><span class="p">:</span> <span class="n">No</span> <span class="n">such</span> <span class="n">file</span> <span class="ow">or</span> <span class="n">directory</span> </code></pre> <p>You have to provide the library files in a directory that the dynamic linker is looking in. There are multiple ways to tackle this.</p> <h5>Option 1: update library path</h5> <p>Add the directory containing the libcrypt.so.1.1 and similar files to the LD_LIBRARY_PATH environment variable.</p> <pre class="code literal-block"><span></span><code><span class="k">export</span> <span class="n">LD_LIBRARY_PATH</span><span class="o">=/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">lib64</span><span class="p">:</span><span class="o">$</span><span class="p">{</span><span class="n">LD_LIBRARY_PATH</span><span class="p">}</span> </code></pre> <h5>Option 2: move library files to lib directory</h5> <p>Or just move the files to the main library location. On a x86_64 system, that would be:</p> <pre class="code literal-block"><span></span><code>mv libcrypto.so.1.1 libssl.so.1.1 /usr/lib64/ </code></pre> <h2>References</h2> <h3>Weblinks</h3> <p>Internet search <a href="https://duckduckgo.com/?q=openssl+s_client+http+proxy&amp;ia=qa">openssl s_client http proxy</a> [duckduckgo.com] <a href="https://stackoverflow.com/questions/3220419/openssl-s-client-using-a-proxy#22504506">openssl s_client using a proxy</a> [stackoverflow.com] <a href="https://linuxscriptshub.com/update-openssl-1-1-0-centos-6-9-7-0/">How to update openssl 1.1.0 in Centos 6.9/7.0</a> [linuxscriptshub.com]</p>centosopensslproxyhttps://bgstack15.ddns.net/blog/posts/2018/09/18/install-openssl-1-1-0-on-centos7/Tue, 18 Sep 2018 12:59:59 GMThttps://bgstack15.ddns.net/blog/posts/2017/12/27/automated-certreq-for-gnu-linux/bgstack15<p><em>Last updated 2018-11-14</em></p> <h2>Background</h2> <p>Microsoft provides the <a href="https://technet.microsoft.com/en-us/library/dn296456(v=ws.11).aspx">certreq</a> utility for its non-free operating system. This tool makes it easy to get certificates from the Microsoft sub-CA on your network. GNU Linux hosts do not get that tool, so a viable alternative is to script the interaction with the website. My content in this post is shamelessly ripped from a <a href="https://stackoverflow.com/questions/31283476/submitting-base64-csr-to-a-microsoft-ca-via-curl/39722983#39722983">StackOverflow post</a> and beefed up. In my research, I came across a question: "<a href="https://serverfault.com/questions/538270/how-to-submit-certificate-request-from-red-hat-to-windows-ca">How to submit certificate request from red hat to windows ca</a>".</p> <h2>The solution</h2> <h3>Dependencies</h3> <p>Certreq needs the framework.sh shell library available from my <a href="https://gitlab.com/bgstack15/bgscripts">bgscripts</a> package. At the very least, you need <a href="https://gitlab.com/bgstack15/bgscripts/blob/master/src/usr/libexec/bgscripts/framework.sh">framework.sh</a>, which you can place either in the same directory as certreq.sh or you can modify the framework lookup paths in the script to point to where you placed it. This will solve the issue "certreq.sh: validateparams: not found."</p> <h3>The script</h3> <p>I present my shell script, <a href="https://gitlab.com/bgstack15/certreq/blob/master/files/certreq.sh">certreq.sh</a>. This shell script:</p> <ul> <li>Generates CSR and submits it to the Microsoft Sub-CA.</li> <li>Saves private key, public key (the certificate), and cert chain to a temporary directory</li> <li>Removes the temp directory after 5 minutes automatically to remove the private key</li> <li>Sends to standard out the file names and purposes, for consumption by automation tool, e.g., ansible</li> </ul> <h4>Code walkthrough</h4> <p>Instead of copying and pasting the whole code here, I will discuss only snippets. Here is the usage block.</p> <pre class="code literal-block"><span></span><code><span class="n">usage</span><span class="o">:</span> <span class="n">certreq</span><span class="o">.</span><span class="na">sh</span> <span class="o">[-</span><span class="n">dhV</span><span class="o">]</span> <span class="o">[-</span><span class="n">u</span> <span class="n">username</span><span class="o">]</span> <span class="o">[-</span><span class="n">p</span> <span class="n">password</span><span class="o">]</span> <span class="o">[-</span><span class="n">w</span> <span class="n">tempdir</span><span class="o">]</span> <span class="o">[-</span><span class="n">t</span> <span class="n">template</span><span class="o">]</span> <span class="o">[--</span><span class="n">cn</span> <span class="n">CN</span><span class="o">]</span> <span class="o">[--</span><span class="n">ca</span> <span class="o">]</span> <span class="n">version</span> <span class="n">$</span><span class="o">{</span><span class="n">certreqversion</span><span class="o">}</span> <span class="o">-</span><span class="n">d</span> <span class="n">debug</span> <span class="n">Show</span> <span class="n">debugging</span> <span class="n">info</span><span class="o">,</span> <span class="n">including</span> <span class="n">parsed</span> <span class="n">variables</span><span class="o">.</span> <span class="o">-</span><span class="n">h</span> <span class="n">usage</span> <span class="n">Show</span> <span class="k">this</span> <span class="n">usage</span> <span class="n">block</span><span class="o">.</span> <span class="o">-</span><span class="n">V</span> <span class="n">version</span> <span class="n">Show</span> <span class="n">script</span> <span class="n">version</span> <span class="n">number</span><span class="o">.</span> <span class="o">-</span><span class="n">u</span> <span class="n">username</span> <span class="n">User</span> <span class="n">to</span> <span class="n">connect</span> <span class="n">via</span> <span class="n">ntlm</span> <span class="n">to</span> <span class="n">CA</span><span class="o">.</span> <span class="n">Can</span> <span class="n">be</span> <span class="s2">"username"</span> <span class="n">or</span> <span class="s2">"domain\\username"</span> <span class="o">-</span><span class="n">p</span> <span class="n">password</span> <span class="o">-</span><span class="n">w</span> <span class="n">workdir</span> <span class="n">Temp</span> <span class="n">directory</span> <span class="n">to</span> <span class="n">work</span> <span class="k">in</span><span class="o">.</span> <span class="n">Default</span> <span class="k">is</span> <span class="n">a</span> <span class="o">(</span><span class="n">mktemp</span> <span class="o">-</span><span class="n">d</span><span class="o">).</span> <span class="o">-</span><span class="n">t</span> <span class="n">template</span> <span class="n">Template</span> <span class="n">to</span> <span class="n">request</span> <span class="n">from</span> <span class="n">CA</span><span class="o">.</span> <span class="n">Default</span> <span class="k">is</span> <span class="s2">"ConfigMgrLinuxClientCertificate"</span> <span class="o">--</span><span class="n">cn</span> <span class="n">CN</span> <span class="n">to</span> <span class="n">request</span><span class="o">.</span> <span class="n">Default</span> <span class="k">is</span> <span class="n">the</span> <span class="o">\</span><span class="n">$</span><span class="o">(</span> <span class="n">hostname</span> <span class="o">-</span><span class="n">f</span> <span class="o">)</span> <span class="o">--</span><span class="n">ca</span> <span class="n">CA</span> <span class="n">hostname</span> <span class="n">or</span> <span class="n">base</span> <span class="n">URL</span><span class="o">.</span> <span class="n">Example</span><span class="o">:</span> <span class="n">ca2</span><span class="o">.</span><span class="na">example</span><span class="o">.</span><span class="na">com</span> <span class="n">Return</span> <span class="n">values</span> <span class="n">under</span> <span class="mi">1000</span><span class="o">:</span> <span class="n">A</span> <span class="n">non</span><span class="o">-</span><span class="n">zero</span> <span class="n">value</span> <span class="k">is</span> <span class="n">the</span> <span class="n">sum</span> <span class="n">of</span> <span class="n">the</span> <span class="n">items</span> <span class="n">listed</span> <span class="n">here</span><span class="o">:</span> <span class="mi">0</span> <span class="n">Everything</span> <span class="n">worked</span> <span class="mi">1</span> <span class="n">Cert</span> <span class="n">file</span> <span class="k">is</span> <span class="n">still</span> <span class="n">a</span> <span class="n">CSR</span> <span class="mi">2</span> <span class="n">Cert</span> <span class="n">file</span> <span class="k">is</span> <span class="n">html</span><span class="o">,</span> <span class="n">probably</span> <span class="n">due</span> <span class="n">to</span> <span class="n">permissions</span><span class="o">/</span><span class="n">credentials</span> <span class="n">issue</span> <span class="mi">4</span> <span class="n">Return</span> <span class="n">code</span> <span class="n">of</span> <span class="n">curl</span> <span class="n">statement</span> <span class="n">that</span> <span class="n">saves</span> <span class="n">cert</span> <span class="n">file</span> <span class="k">is</span> <span class="n">non</span><span class="o">-</span><span class="n">zero</span> <span class="mi">8</span> <span class="n">Cert</span> <span class="n">file</span> <span class="n">does</span> <span class="n">not</span> <span class="n">contain</span> <span class="n">whole</span> <span class="n">certificate</span> <span class="mi">16</span> <span class="n">Cert</span> <span class="n">does</span> <span class="n">not</span> <span class="n">contain</span> <span class="n">an</span> <span class="n">issuer</span> <span class="n">Return</span> <span class="n">values</span> <span class="n">above</span> <span class="mi">1000</span><span class="o">:</span> <span class="mi">1001</span> <span class="n">Help</span> <span class="n">or</span> <span class="n">version</span> <span class="n">info</span> <span class="n">displayed</span> <span class="mi">1002</span> <span class="n">Count</span> <span class="n">or</span> <span class="n">type</span> <span class="n">of</span> <span class="n">flaglessvals</span> <span class="k">is</span> <span class="n">incorrect</span> <span class="mi">1003</span> <span class="n">Incorrect</span> <span class="n">OS</span> <span class="n">type</span> <span class="mi">1004</span> <span class="n">Unable</span> <span class="n">to</span> <span class="n">find</span> <span class="n">dependency</span> <span class="mi">1005</span> <span class="n">Not</span> <span class="n">run</span> <span class="k">as</span> <span class="n">root</span> <span class="n">or</span> <span class="n">sudo</span> </code></pre> <p>All the magic happens at line 239, the main loop. These blocks perform the different web requests, and are the real meat of this script. Block GENERATE PRIVATE KEY makes the csr and saves in to the file that will eventually hold the cert.</p> <pre class="code literal-block"><span></span><code> # GENERATE PRIVATE KEY openssl req -new -nodes \ -out "<span class="cp">${</span><span class="n">CERTREQ_WORKDIR</span><span class="cp">}</span>/<span class="cp">${</span><span class="n">CERTREQ_CNPARAM</span><span class="cp">}</span>.crt" \ -keyout "<span class="cp">${</span><span class="n">CERTREQ_WORKDIR</span><span class="cp">}</span>/<span class="cp">${</span><span class="n">CERTREQ_CNPARAM</span><span class="cp">}</span>.key" \ -subj "<span class="cp">${</span><span class="n">CERTREQ_SUBJECT</span><span class="cp">}</span>" CERT="$( cat "<span class="cp">${</span><span class="n">CERTREQ_WORKDIR</span><span class="cp">}</span>/<span class="cp">${</span><span class="n">CERTREQ_CNPARAM</span><span class="cp">}</span>.crt" | tr -d '\n\r' )" DATA="Mode=newreq<span class="err">&amp;</span>CertRequest=<span class="cp">${</span><span class="n">CERT</span><span class="cp">}</span><span class="err">&amp;</span>C<span class="err">&amp;</span>TargetStoreFlags=0<span class="err">&amp;</span>SaveCert=yes" CERT="$( echo <span class="cp">${</span><span class="n">CERT</span><span class="cp">}</span> | sed -e 's/+/%2B/g' | tr -s ' ' '+' )" CERTATTRIB="CertificateTemplate:<span class="cp">${</span><span class="n">CERTREQ_TEMPLATE</span><span class="cp">}</span>" </code></pre> <p>SUBMIT CERTIFICATE SIGNING REQUEST submits the CSR to the website</p> <pre class="code literal-block"><span></span><code> # SUBMIT CERTIFICATE SIGNING REQUEST OUTPUTLINK="$( curl -k -u "<span class="cp">${</span><span class="n">CERTREQ_USER</span><span class="cp">}</span>:<span class="cp">${</span><span class="n">CERTREQ_PASS</span><span class="cp">}</span>" --ntlm \ "<span class="cp">${</span><span class="n">CERTREQ_CA</span><span class="cp">}</span>/certsrv/certfnsh.asp" \ -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \ -H 'Accept-Encoding: gzip, deflate' \ -H 'Accept-Language: en-US,en;q=0.5' \ -H 'Connection: keep-alive' \ -H "Host: <span class="cp">${</span><span class="n">CERTREQ_CAHOST</span><span class="cp">}</span>" \ -H "Referer: <span class="cp">${</span><span class="n">CERTREQ_CA</span><span class="cp">}</span>/certsrv/certrqxt.asp" \ -H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko' \ -H 'Content-Type: application/x-www-form-urlencoded' \ --data "Mode=newreq<span class="err">&amp;</span>CertRequest=<span class="cp">${</span><span class="n">CERT</span><span class="cp">}</span><span class="err">&amp;</span>CertAttrib=<span class="cp">${</span><span class="n">CERTATTRIB</span><span class="cp">}</span><span class="err">&amp;</span>TargetStoreFlags=0<span class="err">&amp;</span>SaveCert=yes<span class="err">&amp;</span>ThumbPrint=" | grep -A 1 'function handleGetCert() {' | tail -n 1 | cut -d '"' -f 2 )" CERTLINK="<span class="cp">${</span><span class="n">CERTREQ_CA</span><span class="cp">}</span>/certsrv/<span class="cp">${</span><span class="n">OUTPUTLINK</span><span class="cp">}</span>" </code></pre> <p>FETCH SIGNED CERTIFICATE downloads the cert that the previous page links to.</p> <pre class="code literal-block"><span></span><code> # FETCH SIGNED CERTIFICATE curl -k -u "<span class="cp">${</span><span class="n">CERTREQ_USER</span><span class="cp">}</span>:<span class="cp">${</span><span class="n">CERTREQ_PASS</span><span class="cp">}</span>" --ntlm <span class="nv">$CERTLINK</span> \ -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \ -H 'Accept-Encoding: gzip, deflate' \ -H 'Accept-Language: en-US,en;q=0.5' \ -H 'Connection: keep-alive' \ -H "Host: <span class="cp">${</span><span class="n">CERTREQ_CAHOST</span><span class="cp">}</span>" \ -H "Referer: <span class="cp">${</span><span class="n">CERTREQ_CA</span><span class="cp">}</span>/certsrv/certrqxt.asp" \ -H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko' \ -H 'Content-Type: application/x-www-form-urlencoded' &gt; "<span class="cp">${</span><span class="n">CERTREQ_WORKDIR</span><span class="cp">}</span>/<span class="cp">${</span><span class="n">CERTREQ_CNPARAM</span><span class="cp">}</span>.crt" finaloutput=$? </code></pre> <p>My additions to this secret sauce start with GET NUMBER OF CURRENT CA CERT. I needed the cert chain, so I automated fetching it from the server. You have to find out how many different CA certs are being offered by this server, and then use the latest.</p> <pre class="code literal-block"><span></span><code> # GET NUMBER OF CURRENT CA CERT RESPONSE="$( curl -s -k -u "<span class="cp">${</span><span class="n">CERTREQ_USER</span><span class="cp">}</span>:<span class="cp">${</span><span class="n">CERTREQ_PASS</span><span class="cp">}</span>" --ntlm \ "<span class="cp">${</span><span class="n">CERTREQ_CA</span><span class="cp">}</span>/certsrv/certcarc.asp" \ -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \ -H 'Accept-Encoding: gzip, deflate' \ -H 'Accept-Language: en-US,en;q=0.5' \ -H 'Connection: keep-alive' \ -H "Host: <span class="cp">${</span><span class="n">CERTREQ_CAHOST</span><span class="cp">}</span>" \ -H "Referer: <span class="cp">${</span><span class="n">CERTREQ_CA</span><span class="cp">}</span>/certsrv/certrqxt.asp" \ -H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko' \ -H 'Content-Type: application/x-www-form-urlencoded' )" CURRENTNUM="$( echo "<span class="cp">${</span><span class="n">RESPONSE</span><span class="cp">}</span>" | grep -cE 'Option' )" # GET LATEST CA CERT CHAIN CURRENT_P7B="$( curl -s -k -u "<span class="cp">${</span><span class="n">CERTREQ_USER</span><span class="cp">}</span>:<span class="cp">${</span><span class="n">CERTREQ_PASS</span><span class="cp">}</span>" --ntlm \ "<span class="cp">${</span><span class="n">CERTREQ_CA</span><span class="cp">}</span>/certsrv/certnew.p7b?ReqID=CACert<span class="err">&amp;</span>Renewal=<span class="cp">${</span><span class="n">CURRENTNUM</span><span class="cp">}</span>" \ -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \ -H 'Accept-Encoding: gzip, deflate' \ -H 'Accept-Language: en-US,en;q=0.5' \ -H 'Connection: keep-alive' \ -H "Host: <span class="cp">${</span><span class="n">CERTREQ_CAHOST</span><span class="cp">}</span>" \ -H "Referer: <span class="cp">${</span><span class="n">CERTREQ_CA</span><span class="cp">}</span>/certsrv/certrqxt.asp" \ -H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko' \ -H 'Content-Type: application/x-www-form-urlencoded' )" # CONVERT TO PEM echo "<span class="cp">${</span><span class="n">CURRENT_P7B</span><span class="cp">}</span>" | openssl pkcs7 -print_certs -out "<span class="cp">${</span><span class="n">CERTREQ_TEMPFILE</span><span class="cp">}</span>" </code></pre> <p>I like having the domain name in the filename, so this last part renames the cert chain.</p> <pre class="code literal-block"><span></span><code> # RENAME TO PROPER FILENAME # will read only the first cert, so get domain of issuer of it. CA_DOMAIN="$( openssl x509 -in "<span class="cp">${</span><span class="n">CERTREQ_TEMPFILE</span><span class="cp">}</span>" -noout -issuer 2&gt;<span class="err">&amp;</span>1 | sed -r -e 's/^.*CN=[A-Za-z0-9]+\.//;' )" CHAIN_FILE="chain-<span class="cp">${</span><span class="n">CA_DOMAIN</span><span class="cp">}</span>.crt" mv -f "<span class="cp">${</span><span class="n">CERTREQ_TEMPFILE</span><span class="cp">}</span>" "<span class="cp">${</span><span class="n">CERTREQ_WORKDIR</span><span class="cp">}</span>/<span class="cp">${</span><span class="n">CHAIN_FILE</span><span class="cp">}</span>" 1&gt;/dev/null 2&gt;<span class="err">&amp;</span>1 </code></pre> <h3>The ansible role</h3> <p>I needed this task deployed to my whole environment, so I rolled it into an <a href="https://gitlab.com/bgstack15/certreq">ansible role saved to gitlab</a> and also added another feature, where it converts the generated cert files into a pcks12 (pfx) file for a specific application's need.</p> <h2>References</h2> <h3>Weblinks</h3> <ol> <li><a href="https://technet.microsoft.com/en-us/library/dn296456(v=ws.11).aspx">https://technet.microsoft.com/en-us/library/dn296456(v=ws.11).aspx</a></li> <li><a href="https://serverfault.com/questions/538270/how-to-submit-certificate-request-from-red-hat-to-windows-ca">https://serverfault.com/questions/538270/how-to-submit-certificate-request-from-red-hat-to-windows-ca</a></li> <li><a href="https://stackoverflow.com/questions/31283476/submitting-base64-csr-to-a-microsoft-ca-via-curl/39722983#39722983">https://stackoverflow.com/questions/31283476/submitting-base64-csr-to-a-microsoft-ca-via-curl/39722983#39722983</a></li> <li><a href="https://gitlab.com/bgstack15/certreq/blob/master/files/certreq.sh">https://gitlab.com/bgstack15/certreq/blob/master/files/certreq.sh</a></li> <li><a href="https://gitlab.com/bgstack15/certreq">https://gitlab.com/bgstack15/certreq</a></li> <li><a href="https://bgstack15.ddns.net/blog/posts/2016/06/30/manipulating-ssl-certificates/">Manipulating ssl certificates</a></li> </ol>ansiblecertificateslinuxopensslscriptshttps://bgstack15.ddns.net/blog/posts/2017/12/27/automated-certreq-for-gnu-linux/Wed, 27 Dec 2017 14:13:12 GMT