SSL - dejanu/linux GitHub Wiki
- SSL (Secure Sockets Layer) - creates encrypted communication between web browsers and web servers; an SSL certificate is used to establish the secure connection.
- TLS (Transport Layer Security) - evolved from the now deprecated SSL; a cryptographic protocol that encrypts data sent over the internet.
- PKI (Public Key Infrastructure) - framework for managing digital certificates and public-key encryption, which facilitates secure transfer over the internet. The CA is the third-party source of trust.
- SCEP (Simple Certificate Enrollment Protocol) - a protocol designed to make the issuing of digital certificates scalable.
- CA (Certificate Authority) - entity responsible for issuing digital certificates; it guarantees the validity and the ownership and/or control of the domain name(s) associated with the certificate.
- CSR (Certificate Signing Request) - the request (subject information plus the public key, signed with the matching private key) that is submitted to a CA in order to obtain a certificate.
- OpenSSL - open-source command-line tool used to generate private keys, create CSRs, install SSL/TLS certificates and inspect certificate information, e.g. to create a PKCS12 bundle.
- CN (Common Name) - the Fully Qualified Domain Name (FQDN); the characteristic value within a Distinguished Name. It is typically composed of the host's domain name and looks like "www.symantec.com" / "symantec.com".
# Extensions:
PEM (.pem): Base64 encoded form of DER certificate. Certificate and private key are stored in different files.
DER (.der): Binary form of PEM certificate used on Java platform. Certificate and private key are stored in different files.
CER (.cer): Binary form. Contains certificate owner information and public and private keys.
PKCS7 (.p7b): ASCII code. Contains the certificate but not the private key.
PKCS12 (.pfx or .p12): Binary form used on Windows platforms. Stores the private key with the public key.
- JKS (Java KeyStore) - Java certstore, i.e. a container of certificates (.jks).
- KDB (Key Database File) - IBM MQ certstore (.kdb). Each encoded KDB has an associated stash file (.sth) which holds encoded passwords that allow programs to access the KDB.
- PKCS12 (Public-Key Cryptography Standards #12) - archive file format for storing many cryptographic objects in a single file (e.g. a .p12 file containing a bundle of private key + intermediate CA/server certificate + trust chain + root CA certificate).
- .pem - container format that may include just the public certificate (as with Apache installs and the CA certificate files in /etc/ssl/certs) or an entire certificate chain including public key, private key and root certificates. Confusingly, it may also encode a CSR.
- cacerts - the Java KeyStore holding the CA certificates the JVM trusts.
- Root - a certificate that belongs to the CA.
- Self-signed - a certificate not signed by a publicly trusted CA but by the developer/company responsible for the certificate.
- Intermediate - a certificate that acts as an intermediary between the root certificate and the server certificate.
- End entity - the server certificate, i.e. the certificate issued to a specific domain.
cert request = .csr + .key
- Generate an RSA private key and a CSR (certificate signing request) with one of the following commands:
# generated files: `hostname`.key and `hostname`.csr
openssl req -new -newkey rsa:2048 -nodes -keyout <SERVER>.key -out server.csr
openssl req -sha256 -new -newkey rsa:2048 -nodes -keyout <SERVER>.key -subj '<INSERT_SUBJECT>' > <FQDN>.csr
- In http://openpki upload the CSR (the output of `cat server.csr`) into the portal and download the .crt
- The .crt doesn't contain the private key => package .crt + .key => .p12
openssl pkcs12 -export -inkey <FQDN>.key -in <FQDN>.crt -out <FQDN>.p12 -passout pass:<STOREPASS>
- Convert .p12 into .jks
keytool -importkeystore -deststorepass <STOREPASS> -destkeypass <STOREPASS> -destkeystore <FQDN>.jks -srckeystore <FQDN>.p12 -srcstoretype PKCS12 -srcstorepass <STOREPASS>
- Add the trust chain to the .jks
keytool -import -file <ROOT_CA> -alias RootCA -keystore <FQDN>.jks -storepass <STOREPASS>
keytool -import -file <SERVER_CA> -alias ServerCA -keystore <FQDN>.jks -storepass <STOREPASS>
# keystore types: -storetype jks or -storetype pkcs12
- Convert .pem into .p12 (the chain certificates go in via -certfile)
openssl pkcs12 -export -inkey `hostname`.key -in `hostname`.crt -certfile <CHAIN_CERT>.pem -out `hostname`.p12 -passout pass:<STOREPASS>
- Convert a PKCS#8 key (-----BEGIN PRIVATE KEY-----) to PKCS#1 (RSA) format (-----BEGIN RSA PRIVATE KEY-----)
# on OpenSSL 3.x add -traditional, otherwise the output stays in PKCS#8 form
openssl rsa -in signing.key -out signing-rsa.key
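The glossary entries root, intermediate and end entity and the packaging steps above (.crt + .key into .p12, PKCS#8 into PKCS#1) as one runnable script. This is an added example, not the wiki's own commands: it needs only openssl, every file name and subject is constructed for the demo, and the password changeit is a placeholder. Instead of uploading the CSR to a portal it signs the server certificate with a locally built intermediate, so the verify step can show why a missing intermediate breaks validation.

```shell
#!/bin/sh
# Added example, not from the wiki: the root -> intermediate -> end-entity chain
# from the glossary, built with openssl only, then the packaging steps above
# (.crt + .key -> .p12, PKCS#8 -> PKCS#1). File names, subjects and the
# password "changeit" are constructed for the demo.
set -e

# Write an extension file for "openssl x509 -req -extfile" (one extension per argument).
write_ext() {
    out=$1; shift
    printf '%s\n' "$@" > "$out"
}

# Build the three certificates in the scratch directory $1.
build_chain() {
    dir=$1
    # Root CA: self-signed from its own CSR so that every cert below is issued the same way
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ca.key" -subj "/CN=Example Root CA" -out "$dir/ca.csr"
    write_ext "$dir/ca.ext" "basicConstraints=critical,CA:TRUE" \
        "keyUsage=critical,keyCertSign,cRLSign" "subjectKeyIdentifier=hash"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    # Intermediate CA: CA:TRUE with pathlen:0, so it may issue leaves but not further CAs
    openssl genrsa -out "$dir/int.key" 2048 2>/dev/null
    openssl req -new -key "$dir/int.key" -subj "/CN=Example Intermediate CA" -out "$dir/int.csr"
    write_ext "$dir/int.ext" "basicConstraints=critical,CA:TRUE,pathlen:0" \
        "keyUsage=critical,keyCertSign,cRLSign" "subjectKeyIdentifier=hash" "authorityKeyIdentifier=keyid"
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 1825 -extfile "$dir/int.ext" -out "$dir/int.crt" 2>/dev/null
    # End entity: the ".csr + .key" pair of the page, signed by the intermediate instead of a portal
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -subj "/CN=www.example.test" -out "$dir/server.csr" 2>/dev/null
    write_ext "$dir/server.ext" "basicConstraints=CA:FALSE" "keyUsage=digitalSignature,keyEncipherment" \
        "extendedKeyUsage=serverAuth" "subjectAltName=DNS:www.example.test"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" -CAcreateserial \
        -days 90 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
    # Trust chain as a server would send it: leaf issuer first, root last
    cat "$dir/int.crt" "$dir/ca.crt" > "$dir/chain.pem"
}

# Validate the leaf the way a client does: root as trust anchor, intermediate supplied untrusted.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" -untrusted "$1/int.crt" "$1/server.crt"
}

# The same leaf must fail without the intermediate: this is the "unable to get local
# issuer certificate" error seen with a server that does not send its chain.
verify_without_intermediate_fails() {
    if openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# .crt + .key + chain -> .p12, then read the certificate back and compare fingerprints.
pkcs12_roundtrip() {
    openssl pkcs12 -export -inkey "$1/server.key" -in "$1/server.crt" -certfile "$1/chain.pem" \
        -out "$1/server.p12" -passout pass:changeit
    openssl pkcs12 -in "$1/server.p12" -passin pass:changeit -nokeys -clcerts \
        -out "$1/from-p12.crt" 2>/dev/null
    a=$(openssl x509 -in "$1/server.crt" -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$1/from-p12.crt" -noout -fingerprint -sha256)
    [ "$a" = "$b" ]
}

# PKCS#8 (BEGIN PRIVATE KEY) -> PKCS#1 (BEGIN RSA PRIVATE KEY). OpenSSL 3.x keeps
# PKCS#8 unless told -traditional; 1.1.x rejects that flag, hence the fallback.
to_pkcs1() {
    openssl rsa -in "$1/server.key" -traditional -out "$1/server-rsa.key" 2>/dev/null \
        || openssl rsa -in "$1/server.key" -out "$1/server-rsa.key" 2>/dev/null
    grep -q -- "-----BEGIN RSA PRIVATE KEY-----" "$1/server-rsa.key"
}

# Run everything; the last line printed is "all checks passed" on success.
run_demo() {
    dir=$(mktemp -d)
    build_chain "$dir"
    verify_chain "$dir"
    verify_without_intermediate_fails "$dir"
    pkcs12_roundtrip "$dir"
    to_pkcs1 "$dir"
    echo "all checks passed"
}
```

Run it with `sh chain-demo.sh` after appending a call to `run_demo`. The extension files are what make the chain valid: without basicConstraints CA:TRUE and keyCertSign on the root and intermediate, `openssl verify` rejects them as issuers, and the pathlen:0 on the intermediate is what stops a stolen intermediate key from minting further CAs.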
## Troubleshoot certificate error
Testing HTTPS services using the `openssl s_client -connect` command. The following commands can be used to test connectivity to an HTTPS service:
openssl s_client -connect <URL or IP>:<port> -showcerts
openssl s_client -connect <URL or IP>:<port> -proxy <URL or IP>:<port>
openssl s_client -connect <URL or IP>:<port> -prexit
For example, `openssl s_client -connect pingfederate.example.com:443` opens a TLS connection to pingfederate.example.com on port 443 and prints the certificate used by the service. After connecting you can manually send HTTP requests; this is similar to using telnet to connect to an HTTP service and typing a request (e.g. GET) by hand. `-showcerts` prints the whole chain the server sends, `-proxy` tunnels the connection through an HTTP proxy, and `-prexit` prints the session information on exit even when the handshake fails.

Since you trust the CAs in the cacerts file as entities for signing and issuing certificates to other entities, you must manage the cacerts file carefully: it should contain only certificates of the CAs you trust.
Check a keystore for expired certificates, e.g. entries from certstore year 2021|2020|2019:
# list the content of a Java keystore
keytool -list -v -keystore /path/to/keystore.jks
keytool -list -v -keystore <KEYSTORE> -storepass <STOREPASS>
# the parentheses matter: without them grep matches "2022" anywhere in the output
keytool -list -v -keystore <KEYSTORE> -storepass <STOREPASS> | grep -E "until:.*(2021|2022)"
Import a certificate into a keystore:
keytool -import -alias "CERTIFICATE_ALIAS" -file <CERTIFICATE>.crt -keystore <KEYSTORE> -noprompt -storepass <STOREPASS>
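The expiry check above greps keytool output for a year, which only works for certificates that happen to expire in that year. As an added example (not from the wiki), the same check with openssl against PEM certificates on disk, using `openssl x509 -checkend` so the threshold is "expires within N days" rather than a year string. The two self-signed fixture certificates and their subjects are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the wiki): expiry checks with openssl alone, for PEM
# certificates rather than JKS entries. The fixtures are generated on the fly
# with constructed subjects, so the script runs offline.
set -e

# Print the notAfter date of a PEM certificate (the field keytool lists as "until:").
cert_end_date() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Return 0 if the certificate is still valid $2 days from now, 1 if it will have
# expired by then ("openssl x509 -checkend" takes seconds).
valid_for_days() {
    secs=$(( $2 * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null; then
        return 0
    fi
    return 1
}

# Scan every *.crt / *.pem in directory $1 and list those expiring within $2 days,
# the openssl counterpart of "keytool -list -v ... | grep until:".
list_expiring() {
    dir=$1; days=$2
    for f in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$f" ] || continue
        if ! valid_for_days "$f" "$days"; then
            printf '%s expires %s\n' "$(basename "$f")" "$(cert_end_date "$f")"
        fi
    done
}

# Count the certificates in $1 that expire within $2 days.
count_expiring() {
    list_expiring "$1" "$2" | wc -l | tr -d ' '
}

# Constructed fixtures: one self-signed cert valid 30 days, one valid 400 days.
# Prints the directory that holds them.
make_fixtures() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=short-lived.example.test" \
        -keyout "$dir/short.key" -out "$dir/short.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 400 -subj "/CN=long-lived.example.test" \
        -keyout "$dir/long.key" -out "$dir/long.crt" 2>/dev/null
    echo "$dir"
}
```

Point `list_expiring` at a directory of exported certificates (for a JKS, export each alias with `keytool -exportcert -rfc` first) and a 30- or 60-day threshold to get a renewal list that does not depend on which year it is.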
Encrypt stuff
# encrypt a file for the holder of publickey.pem (S/MIME/CMS, DER output)
openssl smime -encrypt -binary -outform DER -in application-ina-credentials-p.yml -out application-ina-credentials-p.yml.pass C:/host/certs/publickey.pem
# decrypt it again with the matching private key
openssl smime -decrypt -binary -inform DER -inkey C:/host/certs/privatekey.pem -in application-ina-credentials-p.yml.pass -out application-ina-credentials-p.yml
Check certificates used by the server
openssl s_client -showcerts stackoverflow.com:443 2>/dev/null < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > t.pem
keytool -printcert -file t.pem
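The encrypt/decrypt pair under "Encrypt stuff" as a self-checking round trip, added here as an example that is not from the wiki. It generates a throwaway recipient key pair and certificate with constructed names, encrypts a constructed YAML file, decrypts it, and confirms both that the plaintext comes back byte-identical and that the secret is not visible in the ciphertext. It also pins the cipher to AES-256 instead of relying on openssl's default.

```shell
#!/bin/sh
# Added example (not from the wiki): S/MIME round trip with openssl, mirroring the
# encrypt/decrypt pair above with a throwaway key pair and a constructed plaintext.
# File names and the subject are assumptions for the demo.
set -e

# Create a recipient key pair and self-signed certificate in directory $1.
make_recipient() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=secrets-recipient.example.test" \
        -keyout "$1/privatekey.pem" -out "$1/publickey.pem" 2>/dev/null
}

# Encrypt file $2 to the recipient certificate in $1, writing DER CMS to $3.
# -binary stops openssl from normalising line endings, which would corrupt YAML or binary input.
encrypt_file() {
    openssl smime -encrypt -binary -aes256 -outform DER -in "$2" -out "$3" "$1/publickey.pem"
}

# Decrypt file $2 with the recipient private key in $1, writing the plaintext to $3.
decrypt_file() {
    openssl smime -decrypt -binary -inform DER -inkey "$1/privatekey.pem" -in "$2" -out "$3"
}

# Full round trip: prints "roundtrip ok" when the decrypted file equals the original
# and the ciphertext does not contain the secret in clear; returns 1 otherwise.
roundtrip() {
    dir=$(mktemp -d)
    make_recipient "$dir"
    printf 'db_password: constructed-demo-secret\n' > "$dir/credentials.yml"
    encrypt_file "$dir" "$dir/credentials.yml" "$dir/credentials.yml.pass"
    decrypt_file "$dir" "$dir/credentials.yml.pass" "$dir/credentials.decrypted.yml"
    cmp -s "$dir/credentials.yml" "$dir/credentials.decrypted.yml" || return 1
    if grep -qa "constructed-demo-secret" "$dir/credentials.yml.pass"; then
        return 1
    fi
    echo "roundtrip ok"
}
```

Only publickey.pem needs to be on the machine that encrypts; privatekey.pem stays with whoever is allowed to read the credentials, which is the whole point of encrypting to a certificate rather than with a shared password.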
View the details of a digital certificate (.cer or .crt file)
openssl x509 -in fullchain.cer -noout -text
openssl storeutl -noout -text ca.crt

Most TLS certificates are in fact X.509 certificates. X.509 is a standard for certificate structure that defines which fields are included in the certificate. X.509 certificates can be stored in a variety of different file formats, which is the main cause of my confusion about which file types are used to store certificates.
- vanilla key steps:
# generate a private key and public key (cosign.key / cosign.pub)
cosign generate-key-pair
# find the SHA256 digest of the image as it exists in the registry
docker inspect --format='{{index .RepoDigests 0}}' dejanualex/gohello:1.0
# use the private key to create a digital signature of the image's digest
cosign sign --key cosign.key dejanualex/gohello@sha256:85f623e9f03ec1337c3
# use the public key to verify
cosign verify --key cosign.pub dejanualex/gohello@sha256:85f623e9f03ec1337c3
- key + cert PKI steps for a self-signed CA:
# Generate CA private key
openssl genrsa -out ca.key 4096
# Create CA certificate (valid for 10 years)
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
-subj "/C=US/ST=State/L=City/O=MyOrg/OU=IT/CN=MyCA"
# generate an RSA private key for signing; it contains the private exponent
# and enough information to derive the public key
openssl genrsa -out signing.key 4096
# sanity check: extract the public key from the private key,
# it should be identical to import-cosign.pub
openssl rsa -in signing.key -pubout -out signing.pub
# import the PEM-encoded RSA (or EC) private key into cosign, writing
# import-cosign.key and import-cosign.pub
# (compare with: diff -s import-cosign.pub signing.pub)
cosign import-key-pair --key signing.key --yes
# Generate certificate signing request based on signing.key
# .csr + .key
openssl req -new -key signing.key -out signing.csr \
-subj "/C=US/ST=State/L=City/O=MyOrg/OU=Engineering/CN=ImageSigner"
# Sign the certificate with your CA (valid for 1 year)
openssl x509 -req -in signing.csr -CA ca.crt -CAkey ca.key \
-CAcreateserial -out signing.crt -days 365
# Sign Your Image with Cosign Key + Certificate
cosign sign --key import-cosign.key --cert signing.crt dejanualex/gohello:1.0
## Verification
# Extract public key from the certificate
openssl x509 -pubkey -noout -in signing.crt > signing.pub
# Verify using the public key
cosign verify --key signing.pub dejanualex/gohello:1.0
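The openssl side of the flow above, as an added example that is not from the wiki and does not need cosign, docker or a registry. It performs the same key/certificate consistency check the page does with `diff -s` (public key derived from signing.key versus public key extracted from the certificate), then signs and verifies a registry-style digest with plain openssl, which is the primitive cosign wraps. A self-signed certificate stands in for the CA-issued signing.crt, and the manifest content and subject are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the wiki): key/cert consistency check plus sign-and-verify
# of a constructed image digest with openssl only. A self-signed cert stands in for
# the CA-issued signing.crt; all names are assumptions for the demo.
set -e

# Key, self-signed certificate and the two public-key derivations, written into $1.
make_signer() {
    openssl genrsa -out "$1/signing.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$1/signing.key" -days 365 -subj "/CN=ImageSigner" -out "$1/signing.crt"
    openssl rsa -in "$1/signing.key" -pubout -out "$1/from-key.pub" 2>/dev/null
    openssl x509 -pubkey -noout -in "$1/signing.crt" > "$1/from-cert.pub"
}

# Both derivations must be byte-identical; if not, key and certificate do not belong together.
keys_match() {
    cmp -s "$1/from-key.pub" "$1/from-cert.pub"
}

# Registry-style digest string for a blob (stand-in for the image manifest).
digest_of() {
    printf 'sha256:%s' "$(openssl dgst -sha256 -r "$1" | cut -d' ' -f1)"
}

# Sign the digest string with the private key ($1 dir, $2 digest, $3 signature out).
sign_digest() {
    printf '%s' "$2" | openssl dgst -sha256 -sign "$1/signing.key" -out "$3"
}

# Verify with the public key taken from the certificate ($1 dir, $2 digest, $3 signature file).
verify_digest() {
    printf '%s' "$2" | openssl dgst -sha256 -verify "$1/from-cert.pub" -signature "$3" >/dev/null 2>&1
}

# End to end: prints "signature ok, tampered rejected" on success, returns 1 otherwise.
demo() {
    dir=$(mktemp -d)
    make_signer "$dir"
    keys_match "$dir" || return 1
    printf 'constructed image manifest v1\n' > "$dir/manifest.json"
    d=$(digest_of "$dir/manifest.json")
    sign_digest "$dir" "$d" "$dir/manifest.sig"
    verify_digest "$dir" "$d" "$dir/manifest.sig" || return 1
    # a different digest (a tampered image) must not verify with the same signature
    printf 'constructed image manifest v2\n' > "$dir/tampered.json"
    if verify_digest "$dir" "$(digest_of "$dir/tampered.json")" "$dir/manifest.sig"; then
        return 1
    fi
    echo "signature ok, tampered rejected"
}
```

The verifier only ever sees from-cert.pub, never signing.key, which is why the page's last step extracts the public key from the certificate: anyone holding signing.crt can verify, and only the holder of signing.key can produce a signature that verifies.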