TLS

From Vague Hope Wiki
Revision as of 01:29, 17 June 2016 by Haku (Talk | contribs) (CMS)

Jump to: navigation, search

Examine

openssl x509 -text -in client.pem
openssl rsa -text -in client.pem
openssl crl -text -in cacrl.pem
openssl pkcs12 -nodes -in client.p12  | openssl x509 -noout -subject -enddate
openssl x509 -text -in thing.der -inform der

Mangle

Change .p12 password:

openssl pkcs12 -in original.p12 -nodes -clcerts -out temp.pem
openssl pkcs12 -export -in temp.pem -out new.p12

Remove RSA pem password:

openssl rsa -in rsa_key.pem -out rsa_key.clear.pem

Convert .pem to .p12

openssl pkcs12 -export -in client.pem -out client.p12

Split key:

openssl pkcs12 -nokeys -in original.p12 -out client.crt
openssl pkcs12 -nocerts -in original.p12 -out client.key

or without password:

openssl pkcs12 -nocerts -nodes -in original.p12 -out client.key

Merge cert.pem and key.pem to one pem:

openssl pkcs12 -inkey key.pem -in cert.pem -export -out both.p12
openssl pkcs12 -in both.p12 -nodes -clcerts -out both.pem

Re-wrap RSA key in new x509:

cert="./x509_cert.pem"
cert_key="./x509_cert_and_rsa_key.clear.pem"
tmp_key="./key.tmp.pem"
tmp_cert_key="./cert_key.tmp.p12"

ser="$(openssl x509 -in "$cert" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p')"
ser="$(hextodec "$ser")"
subj="$(openssl x509 -in "$cert" -noout -subject | sed -n 's/^subject= *\(.*\)$/\1/p')"

openssl rsa -in "$cert_key" -out "$tmp_key"
openssl req -batch -x509 -nodes -days 90 -key "$tmp_key" -set_serial "$ser" -subj "$subj" -out "$cert" -new
openssl pkcs12 -inkey "$tmp_key" -in "$cert" -export -passout 'pass:' -out "$tmp_cert_key"
openssl pkcs12 -in "$tmp_cert_key" -passin 'pass:' -clcerts -nodes -out "$cert_key"

demoCA

/usr/lib/ssl/misc/CA.sh -newca
/usr/lib/ssl/misc/CA.sh -newreq
/usr/lib/ssl/misc/CA.sh -sign
openssl req -new -nodes -out client2.req.pem -keyout client2.key.pem -days 365
openssl ca -out client2.cert.pem -days 365 -infiles client2.req.pem
curl --insecure -E client2.cert.pem --key client2.key.pem https://localhost:8443
echo 01 > demoCA/crlnumber
openssl ca -revoke client.pem -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem
openssl ca -gencrl -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem -out cacrl.pem -crldays 30

Fields

  • C=Country Name (2 letter code)
  • ST=State or Province Name (full name)
  • O=Organization Name (eg, company)
  • OU=
  • CN=

Java

Make self-signed server key.

/usr/lib/jvm/java-6-openjdk/bin/keytool -genkey -alias tomcat -keyalg RSA

List Trusted CA Certs.

keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

Export a certificate from a keystore

keytool -export -alias tomcat -file tomcat.crt -keystore keystore.jks

Import New CA into Trusted Certs

keytool -import -trustcacerts -file tomcat.crt -alias tomcat -keystore truststore

Export private key:

keytool -importkeystore \
 -noprompt \
 -srcstorepass 123456 \
 -storepass 123456 \
 -srckeystore keystore.jks \
 -srcalias tomcat \
 -destkeystore key.p12 \
 -deststoretype PKCS12

References:

jks to bks

keytool -importkeystore -srckeystore successwhale.jks -destkeystore successwhale.bks \
 -srcstoretype JKS -deststoretype BKS -srcstorepass 123456 -deststorepass 123456 \
 -provider org.bouncycastle.jce.provider.BouncyCastleProvider \
 -providerpath ~/Downloads/bcprov-jdk15on-146.jar

References:


AES-NI

X509

CMS

Generate RSA key:

openssl genpkey -out private_rsa_key_4096.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096

Wrap RSA key to x509

openssl req -x509 -days 365 -new -key private_rsa_key_4096.pem -out public_key.pem

Encrypt file:

openssl cms -encrypt -binary \
 -aes256 -outform der \
 -in a.txt \
 -out a.txt.cms \
 public_key.pem

Decrypt file:

openssl cms -decrypt \
 -inform der \
 -in a.txt.cms \
 -recip public_key.pem \
 -inkey private_rsa_key_4096.pem

References

Remote cert to trust store

echo | openssl s_client -connect api.successwhale.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -out remote.crt
openssl x509 -text -in remote.crt
keytool -import -trustcacerts -file remote.crt -alias api.successwhale.com -keystore successwhale.jks

References: http://www.madboa.com/geek/openssl/

Remote cert to pem for Postfix

echo | openssl s_client -connect sub5.homie.mail.dreamhost.com:587 -starttls smtp | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -out remote.crt

Apache

Benchmark

openssl speed
openssl dhparam -out dhparam_4096.pem 4096