Difference between revisions of "SSL"
m (Added to Security category) |
(→LetsEncrypt) |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 7: | Line 7: | ||
openssl req -new -sha256 -key www.mydomain.com.key -out www.mydomain.com.csr | openssl req -new -sha256 -key www.mydomain.com.key -out www.mydomain.com.csr | ||
| + | |||
| + | To non-interactively answer the questions, use the -subj parameter. | ||
| + | |||
| + | -subj "/C=GB/ST=Nottinghamshire/L=Nottingham/O=My Company Name/CN=www.mydomain.com" | ||
| + | |||
| + | As long as the subject is at least "/", you won't be asked any of the questions. Of course, just -subj "/" will result in a useless certificate, the minimum useful subject is probably "/CN=www.mydomain.com" | ||
| + | |||
| + | == Generate a self-signed CRT from existing CSR == | ||
| + | |||
| + | openssl x509 -signkey www.mydomain.com.key -in www.mydomain.com.csr -req -days 365 -out www.mydomain.com.crt | ||
| + | |||
| + | == Generate a self-signed CRT and key in one go == | ||
| + | |||
| + | Google Chrome won't complain quite as much about this as it'll be SHA256. You'll just get the 'net::ERR_CERT_AUTHORITY_INVALID' (unknown CA) error. | ||
| + | |||
| + | CN=localhost.localdomain | ||
| + | openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 \ | ||
| + | -keyout /etc/pki/tls/private/$CN.key \ | ||
| + | -out /etc/pki/tls/certs/$CN.crt \ | ||
| + | -subj "/C=GB/O=Your Organisation/CN=$CN" | ||
== Checking if a key/csr/cert are related to each other == | == Checking if a key/csr/cert are related to each other == | ||
| Line 34: | Line 54: | ||
D9CD2019146DE7A2D264DC7FC8742E195A3A8E05EFB146C5C97FFE2815DB050E842EE8 | D9CD2019146DE7A2D264DC7FC8742E195A3A8E05EFB146C5C97FFE2815DB050E842EE8 | ||
1F1C9C52A5EC7362FFB8A14E97B199 | 1F1C9C52A5EC7362FFB8A14E97B199 | ||
| + | |||
| + | ==Convert pfx to OpenSSL key/cert pair== | ||
| + | |||
| + | Often if you're dealing with a Windows server, you end up with a .pfx file which is a pkcs12 format certificate. In order to use it with OpenSSL on a Linux server, you need to convert the binary .pfx into a pair of files - an RSA key and PEM certificate. | ||
| + | |||
| + | # openssl pkcs12 -in mydomain.pfx -nocerts -out encrypted-mydomain.key | ||
| + | Enter Import Password: | ||
| + | MAC verified OK | ||
| + | Enter PEM pass phrase: | ||
| + | Verifying - Enter PEM pass phrase: | ||
| + | |||
| + | The PEM certificate doesn't include any intermediate certificates so you may need to concatenate those onto the end of mydomain.crt depending on your configuration. | ||
| + | |||
| + | # openssl pkcs12 -in mydomain.pfx -clcerts -nokeys -out mydomain.crt | ||
| + | |||
| + | ==Remove passphrase from a key== | ||
| + | |||
| + | If you followed the above instructions and entered a PEM passphrase, you can remove it so that it can be used with Apache or nginx | ||
| + | |||
| + | # openssl rsa -in encrypted-mydomain.key -out mydomain.key | ||
==LetsEncrypt== | ==LetsEncrypt== | ||
Latest revision as of 08:30, 1 October 2019
Contents
Generate a new key
openssl genrsa -out www.mydomain.com.key 2048
Generate a new CSR from a key
openssl req -new -sha256 -key www.mydomain.com.key -out www.mydomain.com.csr
To non-interactively answer the questions, use the -subj parameter.
-subj "/C=GB/ST=Nottinghamshire/L=Nottingham/O=My Company Name/CN=www.mydomain.com"
As long as the subject is at least "/", you won't be asked any of the questions. Of course, just -subj "/" will result in a useless certificate, the minimum useful subject is probably "/CN=www.mydomain.com"
Generate a self-signed CRT from existing CSR
openssl x509 -signkey www.mydomain.com.key -in www.mydomain.com.csr -req -days 365 -out www.mydomain.com.crt
Generate a self-signed CRT and key in one go
Google Chrome won't complain quite as much about this as it'll be SHA256. You'll just get the 'net::ERR_CERT_AUTHORITY_INVALID' (unknown CA) error.
CN=localhost.localdomain
openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 \
-keyout /etc/pki/tls/private/$CN.key \
-out /etc/pki/tls/certs/$CN.crt \
-subj "/C=GB/O=Your Organisation/CN=$CN"
To compare a key, CSR or certificate to check they're related (e.g the CSR from key and the certificate is the signed CSR), generate the modulus for each item and they should all be the same.
For a certificate:
openssl x509 -noout -modulus -in file.crt
For a CSR:
openssl req -noout -modulus -in file.csr
For a key (assuming RSA):
openssl rsa -noout -modulus -in file.key
The output for each one is (wrapped at 70 characters, normally all on one line):
Modulus=958F0B0961CF7F99155050CFD5DD2F3776085D560C0E4CACBACCEC6A73C38A C3DA64FE26C747AB08555522D77EE0505C69B73F7DCA064155C7EC0FADF3CC11920136 DDC53C5F9BBE8B5A2866F955AFFEBFA116D8CDC6EE81CFF3F8D337FEE1E6658E507CA3 7EEFC4D9BD7F679FEF0844A81A94C7CB09A52A6C3785BF2D604E2A5750D131C0C0192C E6B843BA318F08D3D0AD63837F67A6E226D9EC3E187BAA4767FD988E63DF4ED16721CF E8BC17F2BD19E8DF006D770EA5C58E894E4FA0D0B714C6AFF11F6EB821B3FE99E91E5F D9CD2019146DE7A2D264DC7FC8742E195A3A8E05EFB146C5C97FFE2815DB050E842EE8 1F1C9C52A5EC7362FFB8A14E97B199
Convert pfx to OpenSSL key/cert pair
Often if you're dealing with a Windows server, you end up with a .pfx file which is a pkcs12 format certificate. In order to use it with OpenSSL on a Linux server, you need to convert the binary .pfx into a pair of files - an RSA key and PEM certificate.
# openssl pkcs12 -in mydomain.pfx -nocerts -out encrypted-mydomain.key Enter Import Password: MAC verified OK Enter PEM pass phrase: Verifying - Enter PEM pass phrase:
The PEM certificate doesn't include any intermediate certificates so you may need to concatenate those onto the end of mydomain.crt depending on your configuration.
# openssl pkcs12 -in mydomain.pfx -clcerts -nokeys -out mydomain.crt
Remove passphrase from a key
If you followed the above instructions and entered a PEM passphrase, you can remove it so that it can be used with Apache or nginx
# openssl rsa -in encrypted-mydomain.key -out mydomain.key
LetsEncrypt
To use letsencrypt.org for your free SSL certificate on CentOS, without getting it to automatically change configs etc, you can use the certbot-auto script.
# git clone https://github.com/letsencrypt/letsencrypt # cd letsencrypt # ./certbot-auto
Once it's updated itself and installed any dependencies, it can be used to generate the SSL certificates.
# ./certbot-auto certonly --webroot -d www.example.com -d example.com -w /var/www/html/example.com
The -d option needs to be repeated for all ServerName and ServerAlias directives used for the site you're trying to secure. -w specifies the webroot to use for the authentication process (a file is created in there which is then requested by LetsEncrypt)
If all goes well, you'll see a message like this:
- Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/www.example.com/fullchain.pem. Your cert will expire on 2016-09-21. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew *all* of your certificates, run "certbot-auto renew"
The other files are also in the /etc/letsencrypt/live/www.example.com/ directory and can be used as follows in your apache config. The SSLCipherSuite, SSLProtocol and SSLHonorCipherOrder lines result in an 'A' rating at SSL Labs server test
<VirtualHost 10.20.30.40:443> ServerName www.example.com ServerAlias example.com DocumentRoot /var/www/html/example.com SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4 SSLHonorCipherOrder on SSLCertificateFile /etc/letsencrypt/live/www.example.com/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/www.example.com/chain.pem </VirtualHost>
