{"id":206,"date":"2014-10-15T18:08:21","date_gmt":"2014-10-15T18:08:21","guid":{"rendered":"http:\/\/adrhc.go.ro\/wordpress\/?p=206"},"modified":"2016-12-19T01:10:29","modified_gmt":"2016-12-18T23:10:29","slug":"how-to-create-a-certificate","status":"publish","type":"post","link":"https:\/\/adrhc.go.ro\/blog\/how-to-create-a-certificate\/","title":{"rendered":"How to create a certificate"},"content":{"rendered":"<pre class=\"brush:bash shell;toolbar: false\">\r\n# see https:\/\/www.openssl.org\/docs\/manmaster\/apps\/req.html\r\n# Create a certificate\r\ndel adr-*.pem\r\nopenssl req -newkey rsa:2048 -x509 -days 3660 -out adr-pub.pem -keyout adr-key.pem\r\n#bug: openssl req -newkey rsa:2048 -x509 -days 3660 -out adr-bitvise-pub.pem -keyout adr-bitvise-key.pem\r\n#bug: openssl req -new -x509 -days 3660 -out adr-bitvise.pem -keyout adr-bitvise.pem\r\nopenssl rsa -in adr-key.pem -out adr-key-no-pwd.pem   # removes the passphrase\r\n#openssl rsa -des3 -in adr-key.pem -out adr-key-new-pwd.pem   # sets a passphrase\r\nopenssl dhparam 2048 &gt;&gt; adr-pub.pem   # dhparam is the new name of the old gendh command\r\nopenssl dhparam 2048 &gt;&gt; adr-key-no-pwd.pem\r\nopenssl pkcs12 -export -in adr-pub.pem -inkey adr-key-no-pwd.pem -name \"adr\" -out adr-pwd.p12\r\n# Put adr-pub.pem in \/home\/root\/.ssh\/ (backup keys folder).\r\ncat adr-pub.pem &gt;&gt; \/home\/root\/.ssh\/authorized_keys   # ssh server\r\n#cat adr-pub.pem &gt;&gt; \/ffp\/var\/lib\/stunnel\/authorized_keys.pem   # stunnel\r\n#cat adr-pub.pem &gt;&gt; \/etc\/service_conf\/authorized_keys.crt   # NSA310 web console\r\n\r\n# Certificate for 
guests:\r\nopenssl req -newkey rsa:2048 -x509 -days 3660 -out gigi-pub.pem -keyout gigi-key.pem\r\nopenssl rsa -in gigi-key.pem -out gigi-key-no-pwd.pem\r\nopenssl dhparam 2048 &gt;&gt; gigi-pub.pem\r\nopenssl dhparam 2048 &gt;&gt; gigi-key.pem\r\nopenssl dhparam 2048 &gt;&gt; gigi-key-no-pwd.pem\r\nopenssl pkcs12 -export -in gigi-pub.pem -inkey gigi-key-no-pwd.pem -name \"gigi\" -out gigi-pwd.p12\r\ncat gigi-pub.pem &gt;&gt; \/home\/root\/.ssh\/authorized_keys\r\n\r\n# Encrypt a private key using triple DES (from https:\/\/www.openssl.org\/docs\/manmaster\/apps\/rsa.html):\r\n# Key generation for bitvise:\r\nopenssl rsa -des3 -in adr-key.pem -out adr-key.pem.des3.bitvise   # requested by \"User keypair manager\"\r\n\r\n# see http:\/\/sysmic.org\/dotclear\/index.php?post\/2010\/03\/24\/Convert-keys-betweens-GnuPG%2C-OpenSsh-and-OpenSSL\r\n# Extract the public key to openssh format:\r\nssh-keygen -y -f adr-key.pem &gt; adr-pub.openssh\r\ncat adr-pub.openssh &gt;&gt; \/home\/root\/.ssh\/authorized_keys\r\n\r\n# convert p12 to pem\r\nopenssl pkcs12 -in xxx.p12 -nocerts -out xxx_key.pem\r\nopenssl pkcs12 -in xxx.p12 -clcerts -nokeys -out xxx_pub.pem\r\n\r\n# debug ssl connection\r\nopenssl s_client -cert xxx_pub.pem -key xxx_key.pem -connect 192.168.1.10:443 -debug\r\n\r\n# request protected https resource\r\nwget --certificate=xxx_pub.pem --private-key=xxx_key.pem https:\/\/192.168.1.10\/zzz\r\nERROR\r\n\tERROR: certificate common name \u2018svn-ubuntu\u2019 doesn't match requested host name \u2018192.168.1.10\u2019.\r\n\tTo connect to 192.168.1.10 insecurely, use `--no-check-certificate'.\r\nHOW TO DETERMINE IT\r\n\twget --no-hsts --certificate=xxx_pub.pem --private-key=xxx_key.pem https:\/\/192.168.1.10\/zzz\r\n\t--no-hsts\r\n\t     Wget supports HSTS (HTTP Strict Transport Security, RFC 6797) by default.  Use --no-hsts to make Wget act as a non-HSTS-compliant UA. 
As a\r\n\t     consequence, Wget would ignore all the \"Strict-Transport-Security\" headers, and would not enforce any existing HSTS policy.\r\nSOLUTION\r\n\tThis might not work:\r\n\twget --no-hsts --no-check-certificate --certificate=xxx_pub.pem --private-key=xxx_key.pem https:\/\/192.168.1.10\/zzz\r\n\tThis should work:\r\n\tAppend 192.168.1.10 svn-ubuntu to \/etc\/hosts.\r\n\twget --no-hsts --no-check-certificate --certificate=xxx_pub.pem --private-key=xxx_key.pem https:\/\/svn-ubuntu\/zzz\r\n\r\n# DER format\r\n# https:\/\/www.openssl.org\/docs\/manmaster\/man1\/x509.html\r\nView the complete certificate information (private + public key also):\r\nopenssl x509 -inform der -in temp\/jetty-certificate.der -text -noout\r\nopenssl x509 -in CA.cer -noout -text\r\nopenssl x509 -in adr-pub.pem -noout -text | grep -P \"Issuer|Subject\"\r\nSaves the public key only:\r\nopenssl x509 -inform der -in temp\/jetty-certificate.der -pubkey -noout > temp\/jetty-certificate.pub.pem\r\nConverts the certificate to pem:\r\nopenssl x509 -inform der -outform PEM -in temp\/jetty-certificate.der -out temp\/jetty-certificate.pem\r\nDisplays the certificate in PEM format and also its alias:\r\nopenssl x509 -inform der -outform PEM -in temp\/jetty-certificate.der -alias\r\nOutput the complete certificate information (valid only PEM with -----BEGIN CERTIFICATE----- content):\r\nopenssl x509 -inform PEM -in temp\/jetty-certificate.pem -text -noout\r\n\r\n# JAVA\r\n# see jre\\lib\\security\\java.security for keystore.type (default jks)\r\n# jre\\lib\\security\\cacerts -> JDK trusted certificates from a variety of Certificate Authorities (CA's)\r\n# jre\\lib\\security\\cacerts -> default password is changeit\r\n# listing a keystore\r\nkeytool -v -list -storetype JKS -keystore jetty_keystore.jks\r\nkeytool -v -list -storetype JKS -keystore jetty_keystore.jks | grep \"Alias name:\"\r\nkeytool -v -list -storetype PKCS12 -keystore jetty.p12\r\n\r\nERROR\r\n\tjava.io.IOException: failed to 
decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded\r\nSOLUTION\r\n\tIt might be the case of a p12 file with the \"Export Password\" empty while you try to import it in a jks keystore.\r\n\tImport the p12 using -srcstorepass \"\" option:\r\n\tkeytool -importkeystore -srckeystore $PKCS12_FILE -destkeystore \"$KEYSTORE_FILE_NAME\" -srcstoretype PKCS12 -deststoretype JKS -srcstorepass \"\"\r\n\r\n# show a certificate from url\r\nopenssl s_client -connect adrhc.go.ro:443 -showcerts &lt;\/dev\/null 2>\/dev\/null\r\nopenssl s_client -connect adrhc.go.ro:443 -showcerts &lt;\/dev\/null 2>\/dev\/null | openssl x509 -outform PEM\r\n\r\n# see also https:\/\/support.ssl.com\/Knowledgebase\/Article\/View\/19\/0\/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them\r\n# key pair generation with multiple formats\r\nopenssl req -newkey rsa:2048 -x509 -days 3660 -out adr1-pub.pem -keyout adr1-key.pem\r\nopenssl rsa -des3 -in adr1-key.pem -out adr1-key.pem.des3.bitvise\r\nssh-keygen -y -f adr1-key.pem > adr1-pub.openssh\r\nopenssl rsa -in adr1-key.pem -out adr1-key-no-pwd.rsa.pem\r\nopenssl pkcs12 -info -nokeys -export -in adr1-pub.pem -name \"adr1-pub\" -out adr1-pub.p12\r\nopenssl pkcs12 -info -export -in adr1-pub.pem -inkey adr1-key.pem -name \"adr1 private key and public key\" -out adr1.p12\r\ncat adr1-pub.openssh > \/********\/.ssh\/authorized_keys\r\n# putty-tools ubuntu package (command-line tools for SSH, SCP, and SFTP)\r\n# To convert a key from another format (puttygen will automatically detect the input key type):\r\nputtygen adr1-key.pem.des3.bitvise -C 'adr1-key.pem.des3.bitvise' -o adr1-key.putty.ppk\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p># see https:\/\/www.openssl.org\/docs\/manmaster\/apps\/req.html # Create a certificate del adr-*.pem openssl req -newkey rsa:2048 -x509 -days 3660 -out adr-pub.pem -keyout adr-key.pem #bug: openssl req -newkey rsa:2048 -x509 -days 3660 -out 
adr-bitvise-pub.pem -keyout adr-bitvise-key.pem #bug: openssl req -new -x509 -days 3660 -out [&hellip;]<\/p>\n<div class=\"link-more\"><a href=\"https:\/\/adrhc.go.ro\/blog\/how-to-create-a-certificate\/#more-206\" class=\"more-link\">Continue reading &#10142; <span class=\"screen-reader-text\">How to create a certificate<\/span><\/a><\/div>","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"class_list":["post-206","post","type-post","status-publish","format-standard","hentry","category-howto"],"_links":{"self":[{"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/posts\/206","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/comments?post=206"}],"version-history":[{"count":0,"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/posts\/206\/revisions"}],"wp:attachment":[{"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/media?parent=206"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/categories?post=206"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/tags?post=206"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}