How to create a certificate

# see https://www.openssl.org/docs/manmaster/apps/req.html
# Create a certificate
del adr-*.pem
openssl req -newkey rsa:2048 -x509 -days 3660 -out adr-pub.pem -keyout adr-key.pem
#bug: openssl req -newkey rsa:2048 -x509 -days 3660 -out adr-bitvise-pub.pem -keyout adr-bitvise-key.pem
#bug: openssl req -new -x509 -days 3660 -out adr-bitvise.pem -keyout adr-bitvise.pem
openssl rsa -in adr-key.pem -out adr-key-no-pwd.pem -> stergere parola
#openssl rsa -des3 -in adr-key.pem -out adr-key-new-pwd.pem -> setare parola
openssl dhparam 2048 >> adr-pub.pem (dhparam -> versiunea noua pt. vechiul param gendh)
openssl dhparam 2048 >> adr-key-no-pwd.pem
openssl pkcs12 -export -in adr-pub.pem -inkey adr-key-no-pwd.pem -name "adr" -out adr-pwd.p12
#Pune adr-pub.pem in /home/root/.ssh/ (backup keys folder).
cat adr-pub.pem >> /home/root/.ssh/authorized_keys (ssh server)
#cat adr-pub.pem >> /ffp/var/lib/stunnel/authorized_keys.pem (stunnel)
#cat adr-pub.pem >> /etc/service_conf/authorized_keys.crt (NSA310 web console)

# Certificat pt. invitati:
openssl req -newkey rsa:2048 -x509 -days 3660 -out gigi-pub.pem -keyout gigi-key.pem
openssl rsa -in gigi-key.pem -out gigi-key-no-pwd.pem
openssl dhparam 2048 >> gigi-pub.pem
openssl dhparam 2048 >> gigi-key.pem
openssl dhparam 2048 >> gigi-key-no-pwd.pem
openssl pkcs12 -export -in gigi-pub.pem -inkey gigi-key-no-pwd.pem -name "gigi" -out gigi-pwd.p12
cat gigi-pub.pem >> /home/root/.ssh/authorized_keys

# Encrypt a private key using triple DES (from https://www.openssl.org/docs/manmaster/apps/rsa.html):
# Key generation for bitvise:
openssl rsa -des3 -in adr-key.pem -out adr-key.pem.des3.bitvise -> requested by "User keypair manager"

# see http://sysmic.org/dotclear/index.php?post/2010/03/24/Convert-keys-betweens-GnuPG%2C-OpenSsh-and-OpenSSL
# Extract the public key to openssh format:
ssh-keygen -y -f adr-key.pem > adr-pub.openssh
cat adr-pub.openssh >> /home/root/.ssh/authorized_keys

# convert p12 to pem
openssl pkcs12 -in xxx.p12 -nocerts -out xxx_key.pem
openssl pkcs12 -in xxx.p12 -clcerts -nokeys -out xxx_pub.pem

# debug ssl connection
openssl s_client -cert xxx_pub.pem -key xxx_key.pem -connect 192.168.1.10:443 -debug

# request protected https resource
wget --certificate=xxx_pub.pem --private-key=xxx_key.pem https://192.168.1.10/zzz
ERROR
    ERROR: certificate common name ‘svn-ubuntu’ doesn't match requested host name ‘192.168.1.10’.
    To connect to 192.168.1.10 insecurely, use `--no-check-certificate'.
HOW TO DETERMINE IT
    wget --no-hsts --certificate=xxx_pub.pem --private-key=xxx_key.pem https://192.168.1.10/zzz
    --no-hsts
         Wget supports HSTS (HTTP Strict Transport Security, RFC 6797) by default.  Use --no-hsts to make Wget act as a non-HSTS-compliant UA. As a
         consequence, Wget would ignore all the "Strict-Transport-Security" headers, and would not enforce any existing HSTS policy.
SOLUTION
    This might not work:
    wget --no-hsts --no-check-certificate --certificate=xxx_pub.pem --private-key=xxx_key.pem https://192.168.1.10/zzz
    This should work:
    Append 192.168.1.10 svn-ubuntu to /etc/hosts.
    wget --no-hsts --no-check-certificate --certificate=xxx_pub.pem --private-key=xxx_key.pem https://svn-ubuntu/zzz

# DER format
# https://www.openssl.org/docs/manmaster/man1/x509.html
View the complete certificate information (private + public key also):
openssl x509 -inform der -in temp/jetty-certificate.der -text -noout
openssl x509 -in CA.cer -noout -text
openssl x509 -in adr-pub.pem -noout -text | grep -P "Issuer|Subject"
Saves the public key only:
openssl x509 -inform der -in temp/jetty-certificate.der -pubkey -noout > temp/jetty-certificate.pub.pem
Converts the certificate to pem:
openssl x509 -inform der -outform PEM -in temp/jetty-certificate.der -out temp/jetty-certificate.pem
Displays the certificate in PEM format and also it's alias:
openssl x509 -inform der -outform PEM -in temp/jetty-certificate.der -alias
Output the complete certificate information (valid only PEM with -----BEGIN CERTIFICATE----- content):
openssl x509 -inform PEM -in temp/jetty-certificate.pem -text -noout

# JAVA
# see jre\lib\security\java.security for keystore.type (default jks)
# jre\lib\security\cacerts -> JDK trusted certificates from a variety of Certificate Authorities (CA's)
# jre\lib\security\cacerts -> default password is changeit
# listing a keystore
keytool -v -list -storetype JKS -keystore jetty_keystore.jks
keytool -v -list -storetype JKS -keystore jetty_keystore.jks | grep "Alias name:"
keytool -v -list -storetype PKCS12 -keystore jetty.p12

ERROR
    java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
SOLUTION
    It might be the case of a p12 file with the "Export Password" empty while you try to import it in a jks keystore.
    Import the p12 using -srcstorepass "" option:
    keytool -importkeystore -srckeystore $PKCS12_FILE -destkeystore "$KEYSTORE_FILE_NAME" -srcstoretype PKCS12 -deststoretype JKS -srcstorepass ""

# show a certificate from url
openssl s_client -connect adrhc.go.ro:443 -showcerts /dev/null
openssl s_client -connect adrhc.go.ro:443 -showcerts /dev/null | openssl x509 -outform PEM

# see also https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
# key pair generation with multiple formats
openssl req -newkey rsa:2048 -x509 -days 3660 -out adr1-pub.pem -keyout adr1-key.pem
openssl rsa -des3 -in adr1-key.pem -out adr1-key.pem.des3.bitvise
ssh-keygen -y -f adr1-key.pem > adr1-pub.openssh
openssl rsa -in adr1-key.pem -out adr1-key-no-pwd.rsa.pem
openssl pkcs12 -info -nokeys -export -in adr1-pub.pem -name "adr1-pub" -out adr1-pub.p12
openssl pkcs12 -info -export -in adr1-pub.pem -inkey adr1-key.pem -name "adr1 private key and public key" -out adr1.p12
cat adr1-pub.openssh > /********/.ssh/authorized_keys
# putty-tools ubuntu package (command-line tools for SSH, SCP, and SFTP)
# To convert a key from another format (puttygen will automatically detect the input key type):
puttygen adr1-key.pem.des3.bitvise -C 'adr1-key.pem.des3.bitvise' -o adr1-key.putty.ppk

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.