SSL - dejanu/linux GitHub Wiki
- SSL (Secure Sockets Layer) - creates encrypted communication between web browsers and web servers; to create a secure connection an SSL certificate is used.
- TLS (Transport Layer Security) - evolved from the now deprecated SSL; it is a cryptographic protocol that encrypts data sent over the internet.
- PKI (Public Key Infrastructure) - framework for managing digital certificates and public-key encryption, which facilitates secure transfer over the internet. The CA is the third-party source of trust.
- SCEP (Simple Certificate Enrollment Protocol) - a protocol designed to make the issuing of digital certificates scalable.
- CA (Certificate Authority) - entity responsible for issuing digital certificates; it guarantees the validity and ownership and/or control of the domain name(s) associated with the certificate.
- CSR (Certificate Signing Request) - the request sent to a CA to obtain a certificate; it carries the public key and the subject information (e.g. the CN) that will go into the certificate.
- OpenSSL - open-source command-line tool used to generate private keys, create CSRs, install SSL/TLS certificates and identify certificate information, e.g. create a PKCS12 bundle.
- CN (Common Name) - the Fully Qualified Domain Name (FQDN); it is the characteristic value within a Distinguished Name. Typically it is composed of the host domain name and looks like "www.symantec.com" or "symantec.com".
# Extensions:

- PEM (.pem): Base64 encoded form of a DER certificate. Certificate and private key are stored in different files.
- DER (.der): Binary form of a PEM certificate, used on the Java platform. Certificate and private key are stored in different files.
- CER (.cer): Binary form. Contains certificate owner information and public and private keys.
- PKCS7 (.p7b): ASCII code. Contains the certificate but not the private key.
- PKCS12 (.pfx or .p12): Binary form used on Windows platforms. Stores the private key with the public key.
- JKS (Java Key Store) - Java certstore, aka a container of certificates (.jks).
- KDB (Key Database File) - IBM MQ certstore (.kdb). Each encoded KDB has an associated stash file (.sth) which holds encoded passwords that allow programs to access the KDB.
- PKCS12 (Public-Key Cryptography Standards #12) - archive file format for storing many cryptography objects as a single file (e.g. a .p12 file which contains a bundle of private key + intermediate CA server certificate + trust chain + root CA certificate).
- .pem - container format that may include just the public certificate (such as with Apache installs, and the CA certificate files in /etc/ssl/certs), or it may include an entire certificate chain including public key, private key, and root certificates. Confusingly, it may also encode a CSR.
- cacerts - the Java KeyStore file that holds the trusted CA certificates.
- Root - a certificate that belongs to the CA.
- SelfSigned - not signed by a publicly trusted CA but instead by the developer/company that is responsible for the cert.
- Intermediate - a certificate that acts as an intermediary between the root certificate and the server certificate (the certificate issued to a specific domain).
- EndEntity
A certificate request consists of the CSR (`.csr`) plus the private key (`.key`).

- Generate an RSA private key and a CSR (certificate signing request) using one of the following commands:

```sh
# generated files: `hostname`.key and `hostname`.csr
openssl req -new -newkey rsa:2048 -nodes -keyout <SERVER>.key -out server.csr
openssl req -sha256 -new -newkey rsa:2048 -nodes -keyout <SERVER>.key -subj '<INSERT_SUBJECT>' > <FQDN>.csr
```
- In the http://openpki portal, upload the CSR (the output of `cat server.csr`) and download the `.crt`.
- The `.crt` does not contain the private key, so package `.crt` + `.key` into a `.p12` (note `pass:<STOREPASS>` with no space after the colon):

```sh
openssl pkcs12 -export -inkey <FQDN>.key -in <FQDN>.crt -out <FQDN>.p12 -passout pass:<STOREPASS>
```
- Convert the `.p12` into a `.jks`:

```sh
keytool -importkeystore -deststorepass <STOREPASS> -destkeypass <STOREPASS> -destkeystore <FQDN>.jks -srckeystore <FQDN>.p12 -srcstoretype PKCS12 -srcstorepass <STOREPASS>
```

- Add the trust chain to the `.jks`:

```sh
keytool -import -file <ROOT_CA> -alias RootCA -keystore <FQDN>.jks -storepass <STOREPASS>
keytool -import -file <SERVER_CA> -alias ServerCA -keystore <FQDN>.jks -storepass <STOREPASS>
# the store type is selected with -storetype jks or -storetype pkcs12
```

- Convert from `.pem` to `.p12` (the chain certificate is passed with `-certfile`):

```sh
openssl pkcs12 -export -inkey `hostname`.key -in `hostname`.crt -certfile <CHAIN_CERT>.pem -out `hostname`.p12 -passout pass:<STOREPASS>
```
## Troubleshoot certificate error

Testing HTTPS services using the `openssl s_client -connect` command. The following commands can be used to test connectivity to an HTTPS service; for example, pointing it at pingfederate.example.com port 443 opens a TLS connection and prints the certificate used by the service. After connecting you can manually send HTTP requests, which is similar to using telnet to connect to an HTTP service and manually typing a request, e.g. GET.

```sh
openssl s_client -connect <URL or IP>:<port> -showcerts
openssl s_client -connect <URL or IP>:<port> -proxy <URL or IP>:<port>
openssl s_client -connect <URL or IP>:<port> -prexit
```
Since you trust the CAs in the cacerts file as entities for signing and issuing certificates to other entities, you must manage the cacerts file carefully. The cacerts file should contain only certificates of the CAs you trust.

Check a keystore for expired certificates, e.g. certificates in the certstore that expired in 2021, 2020 or 2019:

```sh
# list the content of a Java keystore
keytool -list -v -keystore /path/to/keystore.jks
keytool -list -v -keystore <KEYSTORE> -storepass <STOREPASS>
# keep only the "until:" (expiry) lines that fall in 2021 or 2022
keytool -list -v -keystore <KEYSTORE> -storepass <STOREPASS> | grep -E "until:.*(2021|2022)"
```
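A grep for a year string also matches the "Valid from" dates and misses a certificate that expires next month. As an added example (not part of this wiki and not a keytool feature), the following Python script parses the `Valid from: ... until: ...` line of every entry in a `keytool -list -v` listing and reports entries that are expired or will expire within a given number of days. The listing it runs on is constructed for the example (it follows the keytool -v layout but is not from a real keystore), and the date parsing assumes keytool's java.util.Date format with the zone token ignored.

```python
"""Report expired / soon-to-expire entries from `keytool -list -v` output.

Added example, not part of the dejanu/linux wiki. Standard library only.
SAMPLE_KEYTOOL_LIST is constructed for this example: it follows the
keytool -list -v layout but does not come from a real keystore.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# keytool prints java.util.Date.toString(), e.g. "Tue Mar 02 09:00:00 UTC 2021".
# The zone token is the JVM's zone name (UTC, CET, PST, ...), which strptime
# cannot parse in general, so it is dropped and the time is read as UTC; for
# a threshold measured in days, being a few hours off does not matter.
VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+?)\s*$")


def parse_java_date(s: str) -> datetime:
    """'Tue Mar 02 09:00:00 UTC 2021' -> aware datetime (zone token ignored)."""
    _wday, mon, day, clock, _zone, year = s.split()
    naive = datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_keytool_list(text: str) -> List[dict]:
    """One dict per 'Alias name:' entry: alias, entry_type, owner, not_after."""
    entries: List[dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name: "):
            current = {"alias": line[len("Alias name: "):], "entry_type": None,
                       "owner": None, "not_after": None}
            entries.append(current)
        elif current is None:
            continue  # header lines before the first entry
        elif line.startswith("Entry type: "):
            current["entry_type"] = line[len("Entry type: "):]
        elif line.startswith("Owner: ") and current["owner"] is None:
            # -v prints the whole chain; the first Owner/Valid lines belong to
            # the entry's own certificate, later ones to its issuers.
            current["owner"] = line[len("Owner: "):]
        else:
            m = VALID_RE.match(line)
            if m and current["not_after"] is None:
                current["not_after"] = parse_java_date(m.group(2))
    return entries


def expiring(text: str, now: datetime, within_days: int = 30) -> List[Tuple[str, int]]:
    """(alias, days_left) for entries expiring within `within_days` of `now`,
    soonest first; a negative days_left means the certificate is already expired."""
    cutoff = now + timedelta(days=within_days)
    hits = []
    for e in parse_keytool_list(text):
        not_after = e["not_after"]
        if not_after is not None and not_after <= cutoff:
            hits.append((e["alias"], (not_after - now).days))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample listing (three entries; the second one carries a chain).
SAMPLE_KEYTOOL_LIST = """\
Keystore type: PKCS12
Your keystore contains 3 entries

Alias name: rootca
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example Corp
Issuer: CN=Example Root CA, O=Example Corp
Valid from: Mon Jan 04 10:00:00 UTC 2021 until: Sun Jan 04 10:00:00 UTC 2026

*******************************************

Alias name: app.example.test
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=app.example.test, O=Example Corp
Issuer: CN=Example Issuing CA, O=Example Corp
Valid from: Tue Mar 02 09:00:00 UTC 2021 until: Wed Mar 02 09:00:00 UTC 2022
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp
Issuer: CN=Example Root CA, O=Example Corp
Valid from: Mon Jan 04 11:00:00 UTC 2021 until: Thu Jan 04 11:00:00 UTC 2024

*******************************************

Alias name: legacy-ca
Entry type: trustedCertEntry
Owner: CN=Old Partner CA
Issuer: CN=Old Partner CA
Valid from: Wed Jun 01 00:00:00 UTC 2011 until: Tue Jun 01 00:00:00 UTC 2021
"""

if __name__ == "__main__":
    # real use: keytool -list -v -keystore <KEYSTORE> -storepass <STOREPASS> > listing.txt
    for alias, days in expiring(SAMPLE_KEYTOOL_LIST, datetime.now(timezone.utc), 60):
        print(f"{alias}: {'EXPIRED' if days < 0 else 'expires in'} {abs(days)} days")
```

The check keys off the first "Valid from" line after each alias on purpose: with `-v` keytool prints the whole chain for a PrivateKeyEntry, and it is the entry's own certificate, not the issuer's, whose expiry breaks the service.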
Import a certificate into a keystore:

```sh
keytool -import -alias "CERTIFICATE_ALIAS" -file <CERTIFICATE>.crt -keystore <KEYSTORE> -noprompt -storepass <STOREPASS>
```
Encrypt stuff (S/MIME: encrypt a file to the recipient's public key, decrypt with the matching private key):

```sh
openssl smime -encrypt -binary -outform DER -in application-ina-credentials-p.yml -out application-ina-credentials-p.yml.pass C:/host/certs/publickey.pem
openssl smime -decrypt -binary -inform DER -inkey C:/host/certs/privatekey.pem -in application-ina-credentials-p.yml.pass -out application-ina-credentials-p.yml
```
Check the certificates used by the server (the sed range keeps only the PEM blocks from the `s_client -showcerts` output, which keytool can then print):

```sh
openssl s_client -showcerts stackoverflow.com:443 2>/dev/null < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > t.pem
keytool -printcert -file t.pem
```
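The sed range above copies the armoured blocks out of the `s_client` output. The following Python script, added here as an example (it is not part of this wiki, of OpenSSL or of keytool), does that extraction in pure standard-library code and also covers the Extensions section: it names each block type found in a `.pem` container (certificate, CSR, PKCS7, private key), flags key material so a "certificate" file that accidentally bundles a key is noticed, and converts between PEM and DER, which is nothing more than base64 of the DER bytes. All sample input (the s_client-style chatter and the placeholder DER bodies) is constructed for the example; no real certificates or keys are involved.

```python
"""Split a PEM container (or raw `openssl s_client -showcerts` output) into
its blocks, name them, and convert each to DER.

Added example, not part of the dejanu/linux wiki. Standard library only.
A PEM file is one or more blocks of the form
    -----BEGIN <LABEL>-----
    <base64 body, 64 chars per line>
    -----END <LABEL>-----
and DER is just the base64-decoded body. The sample input below is
constructed: the DER bodies are tiny placeholder SEQUENCEs, not real objects.
"""
import base64
import re
from typing import List, Tuple

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

# Common labels: (what the block carries, whether it is secret material).
LABELS = {
    "CERTIFICATE": ("X.509 certificate", False),
    "CERTIFICATE REQUEST": ("PKCS#10 certificate signing request", False),
    "PKCS7": ("PKCS#7 bundle (certificates only)", False),
    "PRIVATE KEY": ("PKCS#8 private key", True),
    "RSA PRIVATE KEY": ("PKCS#1 RSA private key", True),
    "EC PRIVATE KEY": ("SEC1 EC private key", True),
    "ENCRYPTED PRIVATE KEY": ("PKCS#8 encrypted private key", True),
}


def der_to_pem(label: str, der: bytes) -> str:
    """Encode DER bytes as a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def split_pem(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, der_bytes) for every PEM block in `text`, in file order.

    Text outside the BEGIN/END armour (s_client chatter, comments) is
    ignored, which is exactly what the sed range expression does. Raises
    ValueError if a body is not valid base64 or does not start with the DER
    SEQUENCE tag (0x30) that every X.509 / PKCS object begins with.
    """
    blocks = []
    for match in PEM_BLOCK_RE.finditer(text):
        label = match.group(1)
        body = "".join(match.group(2).split())  # drop the line breaks
        der = base64.b64decode(body, validate=True)
        if not der or der[0] != 0x30:
            raise ValueError(f"{label}: body is not a DER SEQUENCE")
        blocks.append((label, der))
    return blocks


def describe(text: str) -> List[str]:
    """One line per block: a quick 'what is actually inside this .pem'."""
    out = []
    for label, der in split_pem(text):
        desc, secret = LABELS.get(label, (f"unknown block type '{label}'", False))
        flag = "  ** SECRET **" if secret else ""
        out.append(f"{label}: {desc}, {len(der)} bytes DER{flag}")
    return out


def contains_private_key(text: str) -> bool:
    """True if any block is key material: such a file must not be handed out as a 'cert'."""
    return any(LABELS.get(label, ("", False))[1] for label, _ in split_pem(text))


# Constructed sample of what `openssl s_client -showcerts host:443` prints
# around the chain, with placeholder DER bodies in place of real certificates.
SAMPLE_S_CLIENT_OUTPUT = (
    "CONNECTED(00000003)\n"
    "---\n"
    "Certificate chain\n"
    " 0 s:CN = www.example.test\n"
    "   i:CN = Example Issuing CA\n"
    + der_to_pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")
    + " 1 s:CN = Example Issuing CA\n"
    "   i:CN = Example Root CA\n"
    + der_to_pem("CERTIFICATE", b"\x30\x03\x02\x01\x02")
    + "---\n"
    "Server certificate\n"
)

# Constructed sample of a .pem that (wrongly) bundles a cert with its key.
SAMPLE_BUNDLE_PEM = (
    der_to_pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")
    + der_to_pem("PRIVATE KEY", b"\x30\x03\x02\x01\x07")
)

if __name__ == "__main__":
    for line in describe(SAMPLE_S_CLIENT_OUTPUT):
        print(line)
    print("bundle contains a private key:", contains_private_key(SAMPLE_BUNDLE_PEM))
```

Feed it a real file with `split_pem(open("t.pem").read())`; each returned DER blob is what `openssl x509 -outform DER` would write for that block, and `der_to_pem` is the inverse.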
View the details of a digital certificate (`.cer` or `.crt` file):

```sh
openssl x509 -in fullchain.cer -noout -text
openssl storeutl -noout -text ca.crt
```
Most TLS certificates are in fact X.509 certificates. X.509 is a standard for certificate structure that defines which fields are included in the certificate. X.509 certificates can be stored in a variety of different file formats, which is the main cause of my confusion about which file types are used to store certificates.