Linux: working with SSL certificates

By -
If you have to enable secure connections to your service(s), you will need to buy a certificate or generate a self signed certificate for it.
If you have to buy one, you have to generate a private certificate and a certificate request.
If you will use a self signed certificate, you will need to generate a private, a request and a public certificate.

You can do that by using the 'openssl' tool. First at all, you have to generate a password, I'm usually using 'apg':
smocanu@debian7:~$ apg -n1 -m8 -x8 -t
tiWiejTo (ti-Wiej-To)
After that we are ready to generate the private certificate, this one should be kept safely, no one else should have it. I'm generating a 512bits RSA certificate:
smocanu@debian7:~$ openssl genrsa -des3 -out ss.example.com.key 512
Generating RSA private key, 512 bit long modulus
........................++++++++++++
...................++++++++++++
e is 65537 (0x10001)
Enter pass phrase for ss.example.com.key:
Verifying - Enter pass phrase for ss.example.com.key:
Next, you have to generate a certificate request for the private certificate generated before:
smocanu@debian7:~$ openssl req -new -key ss.example.com.key -out ss.example.com.csr
Generating a 2048 bit RSA private key
.........+++
...........................+++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:RO
State or Province Name (full name) [Some-State]:N/A
Locality Name (eg, city) []:Bucharest
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:*.example.com
Email Address []:it@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
And the last thing, you have to generate the public certificate, for the certificate request and private keys generated before:
smocanu@debian7:~$ openssl x509 -req -days 365 -in ss.example.com.csr -signkey ss.example.com.key -out ss.example.com.crt
Signature ok
subject=/C=RO/ST=N/A/L=Bucharest/O=Example/OU=IT/CN=*.example.com/emailAddress=it@example.com
Getting Private key
Enter pass phrase for ss.example.com.key:
If you will install this certificate on a server that is not supporting password protected certificates, you have to remove the password from the private key:
smocanu@debian7:~$ openssl rsa -in ss.example.com.key -out ss.example.com.pem
Enter pass phrase for ss.example.com.key:
writing RSA key
If  you need to check your certificates, you can do that using openssl. Usually you will need to verify the public certificate and you can do that like this:
smocanu@debian7:~$ openssl x509 -in ss.example.com.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 14383028987686658916 (0xc79ac8a8e535a364)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=RO, ST=N/A, L=Bucharest, O=Example, OU=IT, CN=*.example.com/emailAddress=it@example.com
        Validity
            Not Before: Jun  3 17:10:14 2014 GMT
            Not After : Jun  3 17:10:14 2015 GMT
        Subject: C=RO, ST=N/A, L=Bucharest, O=Example, OU=IT, CN=*.example.com/emailAddress=it@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
                Modulus:
                    00:b6:84:83:ff:1c:33:a7:61:ba:71:31:98:9d:5b:
                    93:8d:72:78:0c:5d:89:86:aa:d6:ba:dd:36:0e:58:
                    ad:03:5c:24:27:93:01:34:04:07:b8:6f:48:41:49:
                    78:9d:4c:2e:64:e2:29:48:c7:9d:7c:b5:d1:fd:9d:
                    f9:69:3f:84:c7
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         3e:6b:bd:c9:0f:79:c3:ec:70:d8:8d:6b:d4:dc:96:2c:71:4a:
         d0:3d:cc:46:c1:cf:f8:af:40:a3:43:f3:66:a3:7e:c8:eb:4e:
         2c:fc:8c:1b:e2:e2:06:ba:17:f2:b3:f4:30:ba:90:37:e4:9e:
         64:53:bc:bc:13:f1:74:c6:69:92
If you have to check the certificate request, you can do that also with openssl:
smocanu@debian7:~$ openssl req -in ss.example.com.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=RO, ST=N/A, L=Bucharest, O=Example, OU=IT, CN=*.example.com/emailAddress=it@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a5:b0:34:79:e3:a4:8f:1e:38:29:d8:31:8a:0f:
                    71:20:e3:24:09:b1:1c:f1:b6:e4:0f:10:a8:c8:38:
                    77:de:00:96:05:29:1c:ff:41:a8:a6:1c:14:96:7d:
                    d3:6b:85:2b:27:c3:57:52:95:fa:25:d4:d3:c2:00:
                    e3:aa:3d:69:7a:e0:4f:d2:fc:91:3c:fc:0e:cd:29:
                    6d:12:bc:0a:e0:4f:be:51:25:9d:38:7a:22:fc:24:
                    59:af:4e:69:f3:4c:01:92:d3:2f:ef:5f:d8:e4:3a:
                    09:76:a6:be:87:59:97:47:27:a1:2a:6f:c7:e0:be:
                    c8:ab:d9:0e:8e:d6:24:21:70:49:95:30:10:af:69:
                    63:71:65:9a:04:29:89:cf:8e:6f:4d:1b:b8:d7:3e:
                    98:1f:c2:d2:37:69:2e:40:bc:d4:f6:52:0d:7e:e4:
                    42:69:02:b2:7a:92:bf:a6:f9:a5:12:bc:d4:ca:9d:
                    dc:b1:b2:9f:49:b9:8e:be:7b:8b:7f:61:83:d9:55:
                    ee:19:c9:ef:4a:3a:0e:7a:15:07:8e:6b:76:d0:ed:
                    29:85:5e:f0:32:b0:14:b1:e0:41:9c:f3:48:77:cf:
                    ae:0b:59:d2:71:a5:a7:24:78:3a:92:fc:9d:3b:5b:
                    ec:3a:b4:66:cf:f4:34:ab:53:03:d8:de:a1:8f:ab:
                    0c:47
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
         16:a0:17:35:e5:b9:80:2d:f0:e8:2c:69:98:06:0c:63:f7:97:
         35:e5:85:9f:4f:4a:82:75:52:2a:15:86:1f:cf:3f:71:40:9c:
         4e:ba:ba:22:08:a2:d3:14:86:15:97:53:d5:47:99:e1:0c:f6:
         95:dc:b6:70:13:27:54:37:c2:fa:2e:5a:db:e8:5b:d7:7a:aa:
         55:60:42:b9:28:8c:0e:53:64:48:09:26:fd:4a:56:55:20:41:
         e1:5c:67:c6:21:1f:28:ae:16:d0:35:bf:ef:39:27:be:71:a3:
         42:88:10:7f:b7:18:e8:3d:60:fc:50:eb:dd:30:8a:db:ca:5c:
         98:04:f1:62:68:69:04:a2:a0:91:e0:a1:f1:41:7a:f3:03:12:
         58:a6:b5:65:06:d0:c7:d9:d3:ad:5e:6e:cf:21:16:cd:da:48:
         d6:f5:dd:38:a2:85:2e:15:37:5c:43:9c:15:f4:0c:79:88:4c:
         3d:c8:65:0a:10:3a:dd:0b:c8:6e:85:e9:aa:ba:b4:01:80:35:
         97:8a:2d:37:08:a9:d1:ae:98:4e:f7:36:11:7d:27:44:dd:09:
         86:57:05:f1:e8:a7:88:df:ab:9b:43:e9:91:4f:85:1f:1b:69:
         28:8d:74:c1:74:30:ef:7a:d5:07:74:69:1d:93:dc:c5:7e:28:
         6a:18:30:7e
 The private certificate can also be verified using openssl:
smocanu@debian7:~$ openssl rsa -in ss.example.com.pem -text -noout
Private-Key: (512 bit)
modulus:
    00:b6:84:83:ff:1c:33:a7:61:ba:71:31:98:9d:5b:
    93:8d:72:78:0c:5d:89:86:aa:d6:ba:dd:36:0e:58:
    ad:03:5c:24:27:93:01:34:04:07:b8:6f:48:41:49:
    78:9d:4c:2e:64:e2:29:48:c7:9d:7c:b5:d1:fd:9d:
    f9:69:3f:84:c7
publicExponent: 65537 (0x10001)
privateExponent:
    23:66:4a:4f:a5:81:a3:3a:42:36:08:1f:88:8d:a5:
    6d:ae:c0:f7:ed:00:6a:7d:22:0e:b6:2e:f0:d3:64:
    23:1d:5d:0b:dc:64:5a:62:ba:b7:11:14:bf:5d:a7:
    73:9a:87:14:a1:c0:ce:e1:4f:cf:44:06:0d:80:ca:
    45:c1:f7:99
prime1:
    00:dc:91:b0:62:6a:9d:81:37:5f:39:aa:c1:88:d8:
    b8:5f:a5:dc:b4:5a:6e:a7:ab:fb:07:44:1a:72:aa:
    b1:7a:bb
prime2:
    00:d3:d6:10:0d:47:89:2f:33:81:ee:b7:ac:64:cb:
    e3:7c:e9:fb:bd:8b:13:29:3d:ca:93:44:be:b8:f1:
    43:3b:65
exponent1:
    00:d8:79:23:e3:73:3f:a1:d1:f6:63:62:73:0f:1b:
    a3:d8:3b:b0:a0:51:20:c8:ee:c1:30:20:66:d4:a3:
    32:0c:81
exponent2:
    00:b2:73:19:82:96:48:92:62:a9:8a:17:60:3a:69:
    27:72:0b:09:ee:5a:42:01:f3:f3:ba:ab:a6:9e:d5:
    5e:f5:a1
coefficient:
    00:ce:99:04:b6:ac:a4:63:a2:c1:a9:d2:ef:bd:3e:
    96:56:00:0a:78:19:dc:4a:fe:d9:e2:4e:c2:5e:9f:
    8b:5a:79

Comments

Post a Comment

Popular posts from this blog

JunOS - mount USB stick

By -
There are times when you have to use a USB stick to copy to or from it files to a Juniper router/switch. Fortunetly it will not be to very frequently, but there will be a time when you will need it. JunOS being a UNIX( FreeBSD ) based OS, you have to identify and mount the device attached. First, you have to check the device name, so you can identify it on /dev: smocanu@j2350> show log messages | match mass May 16 15:25:45  j2350 /kernel: umass0: Kingston DataTraveler SE9, rev 2.00/1.00, addr 2 May 16 15:25:46  j2350 /kernel: da0 at umass-sim0 bus 0 target 0 lun 0 Then you have to verify the partition number, usually it is the first one: smocanu@j2350> start shell % ls -las /dev/da0 /dev/da0 /dev/da0s1 Now you can mount your USB stick: % mkdir /var/tmp/usb % mount_msdosfs /dev/da0s1 /var/tmp/usb Once your USB stick is mounted, you can copy to/from it files, using /var/tmp/usb path. Do not forget that you have to umount the USB storage, before remov...
Read more

SSH: Generating and using SSH keys

By -
Image
One of the preferred method of authentication on network devices is using SSH with a SSH public key. In order to be able to authenticate yourself, you have to generate a SSH key pair. A SSH key is composed of two parts, one private key (which should remain "private" and also should be password protected ) and one public key which should be installed on the SSH server in order to authenticate you. SSH client on Linux: In order to generate a SSH key pair on Linux, you will need to use "ssh-keygen" tool, which is a part of the "openssh-client" package on Debian-like operating systems: smocanu@debian7:~$ dpkg -S $(which ssh-keygen) openssh-client: /usr/bin/ssh-keygen or a part of "openssh" package on RedHat-like operating systems: smocanu@centos6 ~$ rpm -qf $(which ssh-keygen) openssh-5.3p1-94.el6.x86_64 The generating process is quite simple, just run the "ssh-keygen" command, and it will ask you the location of the new key ...
Read more

JunOS - loging on secondary node of a cluster and copying file between nodes

By -
First at all you have to know that you should be able to login to a secondary node of a J/SRX cluster using OOB( out of band management interface - fxp0 ), but, if this is not possible you can do it from the primary node. In my case there is a cluster of SRX240H2. You have to login into the cluster and check the status of it: smocanu@srx240h2# run show chassis cluster status Cluster ID: 1 Node                  Priority          Status    Preempt  Manual failover Redundancy group: 0 , Failover count: 1     node0                   100         primary        no       no     node1     ...
Read more