Difference between revisions of "TLS"

From Vague Hope Wiki
Line 81: Line 81:
 
References:
 
References:
 
http://www.madboa.com/geek/openssl/
 
http://www.madboa.com/geek/openssl/
 +
 +
== jks to bks ==
 +
 +
<pre>
 +
keytool -importkeystore -srckeystore successwhale.jks -destkeystore successwhale.bks -srcstoretype JKS -deststoretype BKS -srcstorepass 123456 -deststorepass 123456 -provider org.bouncycastle.jce.provider.BouncyCastleProvider
 +
</pre>
 +
 +
References:
 +
http://www.knowledgebit.appspot.com/zahangirbd/TopicView.action?id=180008
  
 
== Apache ==
 
== Apache ==
  
 
* http://www.akadia.com/services/ssh_test_certificate.html
 
* http://www.akadia.com/services/ssh_test_certificate.html
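
Review bot: The added keytool line passes both keystore passwords as arguments (-srcstorepass 123456 -deststorepass 123456), which leaves them in shell history and process listings and documents a trivially guessable value; consider dropping both options so keytool prompts for them. The same line names -provider org.bouncycastle.jce.provider.BouncyCastleProvider without saying where that class comes from, so a short note that the Bouncy Castle jar has to be supplied to keytool (for example with -providerpath) would help readers for whom the command fails with a provider error.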

Revision as of 03:35, 17 March 2013

Examine

openssl x509 -text -in client.pem
openssl rsa -text -in client.pem
openssl crl -text -in cacrl.pem
openssl pkcs12 -info -noout -in client.p12

Mangle

Change .p12 password:

openssl pkcs12 -in original.p12 -nodes -clcerts -out temp.pem
openssl pkcs12 -export -in temp.pem -out new.p12

Convert .pem to .p12

openssl pkcs12 -export -in client.pem -out client.p12

demoCA

/usr/lib/ssl/misc/CA.sh -newca
/usr/lib/ssl/misc/CA.sh -newreq
/usr/lib/ssl/misc/CA.sh -sign
openssl req -new -nodes -out client2.req.pem -keyout client2.key.pem -days 365
openssl ca -out client2.cert.pem -days 365 -infiles client2.req.pem
curl --insecure -E client2.cert.pem --key client2.key.pem https://localhost:8443
echo 01 > demoCA/crlnumber
openssl ca -revoke client.pem -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem
openssl ca -gencrl -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem -out cacrl.pem -crldays 30

Fields

  • C=Country Name (2 letter code)
  • ST=State or Province Name (full name)
  • O=Organization Name (eg, company)
  • OU=
  • CN=

Java

Make self-signed server key.

/usr/lib/jvm/java-6-openjdk/bin/keytool -genkey -alias tomcat -keyalg RSA

List Trusted CA Certs.

keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

Export a certificate from a keystore

keytool -export -alias tomcat -file tomcat.crt -keystore keystore.jks

Import New CA into Trusted Certs

keytool -import -trustcacerts -file tomcat.crt -alias tomcat -keystore truststore

References:

Remote cert to trust store

echo | openssl s_client -connect api.successwhale.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -out remote.crt
openssl x509 -text -in remote.crt
keytool -import -trustcacerts -file remote.crt -alias api.successwhale.com -keystore successwhale.jks

References: http://www.madboa.com/geek/openssl/
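
The "Remote cert to trust store" steps import whatever certificate the server presents at fetch time. The script below is an added example, not part of the wiki page: it compares the certificate's SHA-256 fingerprint with a value obtained out of band before running the page's keytool import. The function names and the throwaway sample certificate are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pin-check a fetched certificate before trusting it.

# Print the SHA-256 fingerprint of a PEM certificate as bare uppercase hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        sed -e 's/^.*=//' -e 's/://g'
}

# Return 0 only if the certificate's fingerprint equals the expected value.
# The expected value may be given with or without colons, in either case.
fingerprint_matches() {   # cert expected_fp
    actual=$(cert_fingerprint "$1")
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    # An empty fingerprint (unreadable or non-PEM file) never matches.
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Run the page's keytool import only when the pin matches.
import_if_pinned() {   # cert expected_fp alias keystore
    if fingerprint_matches "$1" "$2"; then
        keytool -import -trustcacerts -noprompt \
            -file "$1" -alias "$3" -keystore "$4"
    else
        echo "fingerprint mismatch for $1, not importing" >&2
        return 1
    fi
}

# Constructed sample input: a throwaway self-signed certificate.
make_sample_cert() {   # output_dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=sample.invalid" \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null
}
```

The expected fingerprint has to come from a channel other than the connection being checked, such as the service operator or a second network path.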

jks to bks

keytool -importkeystore -srckeystore successwhale.jks -destkeystore successwhale.bks -srcstoretype JKS -deststoretype BKS -srcstorepass 123456 -deststorepass 123456 -provider org.bouncycastle.jce.provider.BouncyCastleProvider

References: http://www.knowledgebit.appspot.com/zahangirbd/TopicView.action?id=180008

Apache