Knowledge Base

Preserving for the future: Shell scripts, AoC, and more

Manipulating ssl certificates

bgstack15

Comments

Overview

Last updated 2023-06-28

SSL certificates are used in almost every network application to encrypt traffic to increase the safety of communications.

Manipulating ssl certs

Converting .crt to .pem

A .crt file can be identical to a .pem: They are both a b64-encoded block.

openssl x509 < rapidssl.crt -out rapidssl.pem

A .crt is usually the public key, and a .key is usually the private key.

Converting .crt set to a .pfx for Windows

Run each step separately because you might need to enter an import or export password. Use a simple password for each one for ease.

openssl pkcs12 -export -in wildcard-2016.crt -inkey wildcard-2016.key -out wildcard-2016.p12 -name wildcard -CAfile rapidssl-2016.crt -caname root
openssl pkcs12 -in wildcard-2016.p12 -out wildcard-2016.pem -nodes clcerts
openssl x509 -in rapidssl-2016.crt -out rapidssl-2016.pem
cat wildcard-2016.pem rapidssl-2016.pem > wildcardchain-2016.pem
openssl pkcs12 -export -in wildcardchain-2016.pem -out wildcardchain-2016.pfx

Source: http://stackoverflow.com/questions/18787491/adding-certificate-chain- to-p12pfx-certificate/18830742#18830742.

Converting pkcs7 to pkcs12

openssl pkcs7 -print_certs -in crx.p7b | openssl pkcs12 -export -inkey crx.key -out crx.pfx -certfile crx.crt

Preparing hash file for ldap

Openldap can use ssl to encrypt its traffic, and the file needs to be rather specific. Around here, the /etc/openldap/ldap.conf file tends to have these directives:

URI ldaps://example.com
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts

And in /etc/openldap/cacerts you might see these files:

4669ff29.0 -> authconfig.pem
authconfig.pem (the examplemicrosoft certs catted)
examplemicrosoftintermeidateca.crt
examplemicrosoftrootca.crt
examplenovellca.crt

Observe that there is a hashed file as a symlink to the real cert file. Openldap will look for the hashed filename, whether it is a real file or just a symlink. You can generate the hashed file by running c_rehash /etc/openldap/cacerts (or try cacertdir_rehash) from package openssl-perl or you can generate the symlink this way:

cd /etc/openldap/cacerts
ln -sf certs-example-2016.pem "$( openssl x509 -in certs-example-2016.pem -hash -noout ).0"

Reference: Weblink 2

Requesting a certificate signing

A CSR is for when you have a certificate you generated that you want signed by a certificate authority, whether that be the local CA or a public one. You need a private key to start with, so the genrsa command will generate one.

openssl genrsa -aes256 -out wwwexamplecom-2016.key 2048
openssl req -new -key wwwexamplecom-2016.key -out wwwexamplecom-2016.csr
Enter pass phrase for wwwexamplecom-2016.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: **US**
State or Province Name (full name) []: **Anystate**
Locality Name (eg, city) [Default City]: **Anytown**
Organization Name (eg, company) [Default Company Ltd]: **Example Company**
Organizational Unit Name (eg, section) []: **IT**
Common Name (eg, your name or your server's hostname) []: **www.example.com**
Email Address []: **linuxadmin@example.com**
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Generally, don't use a passphrase. If you must, do a simple one like linksys.

Send the csr to someone. This uses the send.sh script from bgscripts package.
send.sh -hs "csr for www.example.com" wwwexamplecom-2016.csr usertwo@example.com

Removing passphrase from private key

Apache in particular struggles with a private key protected with a passphrase. Apparently admins just leave the passphrase blank when generating a cert. If you already applied one, and want to remove the passphrase, just use openssl.

openssl rsa -in old.key -out new.key

It will ask you for the passphrase, and then export the private key to the new file. Reference: https://www.mnxsolutions.com/apache/removing-a-passphrase- from-an-ssl-key.html

Adding AD certs to host trusted certificate store

Procure your AD root CA cert or download it from the certificate authority web portal, which could resemble https://ca2.example.com/certsrv/. Save as ca2.example.com.crt. Reference: Weblink 4 https://support.microsoft.com/en- us/help/555252

cp ca2.example.com.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust

Reference: Weblink 5 https://stackoverflow.com/questions/29236078/how-to- ldap-bindauthenticate-using-python-ldap/30221592#30221592

Signing a certificate

Internal link 3 https://ca2.example.com/certsrv/ provides the certificate signing operations for Active Directory. For a self-signed one within openssl, make a new key and cert signed by itself:

openssl req -newkey rsa:2048 -nodes -keyout cert.key -x509 -days 365 -out cert.pem

Reference: https://www.ibm.com/support/knowledgecenter/SSMNED_5.0.0/com.ibm.apic.cmc.doc/task_apionprem_gernerate_self_signed_openSSL.html

Adding key to java keystore

You might need to add a certificate to a java-like keystore. It is interesting to note that many java keystore files are actually symlinks to /etc/pki/java/cacerts.

/usr/lib/jvm/java/jre/bin/keytool -import -trustcacerts -alias "myaliasname" -storetype jks -keystore /usr/lib/jvm/java/jre/lib/security/cacerts -file ./comodo.cer -storepass changeit

Testing ssl cert from server

To find out if the https or other ssl-enabled service is serving the right certificate, you can use openssl as a client and pull down the ssl cert.

printf '\n' | openssl s_client -connect ipa.example.com:443

And observe the output for the certificate information. To test SNI, add the parameter -servername myurl.example.com. Reference: weblink 6 https://major.io/2012/02/07/using-openssls-s_client-command-with-web-servers- using-server-name-indication-sni/

Convert cer to pem format

openssl x509 -inform der -in certificate.cer -out certificate.pem

Reference: weblink 7 https://www.sslshopper.com/article-most-common-openssl- commands.html

Read info from pkcs12 file

openssl pkcs12 -in cert.pfx -passin pass:'' -nodes -clcerts | openssl x509 -noout -subject -issuer -startdate -enddate

Delineate certificates in chain being served by a web connection

certchain="$( mktemp )" ; echo '' | openssl s_client -showcerts -connect pypi.python.org:443 > ${certchain} ; certcount=$( grep -cE '^-----BEGIN CERT' ${certchain} 2>/dev/null ); cat ${certchain} | { x=0 ; while test $x -lt ${certcount} ; do openssl x509 -noout -subject -issuer -dates ; x=$(( x + 1 )) ; done ; }

Make certificate request with TemplateName for Microsoft CA

In the openssl.cnf file (or the one that you pass with -config ), you need to define a section for "oid_section"

# near the top:
oid_section = new_oids
# anywhere else
[ new_oids ]
certificateTemplateName = 1.3.6.1.4.1.311.20.2

[ req ]
req_extensions = req_ext

[ req_ext ]
certificateTemplateName = ASN1:PRINABLESTRING:ApplicationUser
You need to choose the template name and not the template display name.

Reference: link 9

Use Windows certreq to add template information

To use the Windows certreq.exe utility to submit the request and add the template, run:

certreq -submit -config "<hostname.fqdn>\<CA Name Here>" -attrib "CertificateTemplate:<Template Name>" "C:\temp\csr.txt" "C:\temp\output.cer"

Reference: link 10

Add cert to trust store for Chromium

certutil -A -i /mnt/public/www/example/certs/ca-ipa.example.com.crt -n 'ipa.example.com root' -t "TCu,Cuw,Tuw" -d ~/.pki/nssdb/

References

Weblinks

    1. Pkcs12 chained certificates demo: http://stackoverflow.com/questions/18787491/adding-certificate-chain-to-p12pfx-certificate/18830742#18830742
    2. How to get the cert file hash without the c_rehash tool http://www.linuxquestions.org/questions/linux-server-73/openldap-certificate-4175480164-print/
    3. Removing passphrase from ssl key https://www.mnxsolutions.com/apache/removing-a-passphrase-from-an-ssl-key.html
    4. AD get root CA certificate https://support.microsoft.com/en-us/help/555252
    5. https://stackoverflow.com/questions/29236078/how-to-ldap-bindauthenticate-using-python-ldap/30221592#30221592
    6. https://major.io/2012/02/07/using-openssls-s_client-command-with-web-servers-using-server-name-indication-sni/
    7. https://www.sslshopper.com/article-most-common-openssl-commands.html
    8. The Most Common Java Keytool Keystore Commands
    9. https://serverfault.com/questions/977445/generate-csr-including-certificate-template-information-with-openssl/977460#977460
    10. https://social.microsoft.com/Forums/en-US/8096a455-1b11-49b1-a8ad-d43238770bf8/certreq-submit-attrib-quottemplate-namequot-xxxxcsr-xxxxcer-error?forum=winserversecurity

Comments