Last updated 2017-11-03
SSL/TLS certificates are used by almost every network application to authenticate the server and encrypt its traffic.
Manipulating ssl certs
Converting .crt to .pem
A .crt file can be identical to a .pem: both hold the same base64-encoded block between BEGIN CERTIFICATE and END CERTIFICATE lines, so the conversion below is little more than a rename through openssl. If the .crt is binary (DER) instead, the same command needs -inform der.
openssl x509 < rapidssl.crt -out rapidssl.pem
A .crt usually holds the certificate (which carries the public key), and a .key holds the private key.
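As an added example (not from the original notes), the same conversion done in Python with only the standard library: it sniffs whether a .crt is PEM or DER, accepts CRLF input, and can split a chain file into its individual certificates. The sample bytes are constructed and are not a real certificate.

```python
import base64
import re
import ssl

_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def split_chain(pem_text: str) -> list:
    """Return the DER bytes of every certificate in a PEM file, in order.
    A chain file (leaf first, then intermediates) is just several blocks."""
    return [base64.b64decode("".join(body.split()))
            for body in _BLOCK.findall(pem_text)]

def to_pem(data: bytes) -> str:
    """Normalize a .crt that is either PEM or DER to clean PEM text, which is
    what `openssl x509 -in file.crt -out file.pem` does (DER input needs
    -inform der there; here the format is sniffed instead)."""
    if data.lstrip().startswith(b"-----BEGIN"):
        ders = split_chain(data.decode("ascii"))
        if not ders:
            raise ValueError("PEM header present but no CERTIFICATE block")
    elif data[:1] == b"\x30":  # DER: a certificate is an ASN.1 SEQUENCE (0x30)
        ders = [data]
    else:
        raise ValueError("neither PEM nor DER certificate data")
    return "".join(ssl.DER_cert_to_PEM_cert(d) for d in ders)

# Constructed sample: not a real certificate, only a DER-looking byte string
# so the conversion can be exercised offline.
SAMPLE_DER = b"\x30\x0a\x02\x01\x01\x04\x05hello"
SAMPLE_PEM = to_pem(SAMPLE_DER)

def roundtrips(der: bytes) -> bool:
    """Check DER -> PEM -> DER is lossless and that CRLF PEM is accepted."""
    pem = to_pem(der)
    crlf = pem.replace("\n", "\r\n").encode("ascii")
    return split_chain(pem) == [der] and to_pem(crlf) == pem
```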
Converting .crt set to a .pfx for Windows
Run each step separately because you might need to enter an import or export password. Use a simple password for each one for ease.
openssl pkcs12 -export -in wildcard-2016.crt -inkey wildcard-2016.key -out wildcard-2016.p12 -name wildcard -CAfile rapidssl-2016.crt -caname root
openssl pkcs12 -in wildcard-2016.p12 -out wildcard-2016.pem -nodes -clcerts
openssl x509 -in rapidssl-2016.crt -out rapidssl-2016.pem
cat wildcard-2016.pem rapidssl-2016.pem > wildcardchain-2016.pem
openssl pkcs12 -export -in wildcardchain-2016.pem -out wildcardchain-2016.pfx
Note that -nodes writes the private key unencrypted into wildcard-2016.pem, so treat that intermediate file (and the final .pfx) as a secret and remove the .pem files once the .pfx is made.
Converting pkcs7 to pkcs12
openssl pkcs7 -print_certs -in crx.p7b | openssl pkcs12 -export -inkey crx.key -out crx.pfx -certfile crx.crt
Preparing hash file for ldap
OpenLDAP clients can use TLS to encrypt their traffic, but the CA certificate directory they read from has a specific layout. Around here, the /etc/openldap/ldap.conf file tends to have these directives:
URI ldaps://example.com
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
And in /etc/openldap/cacerts you might see these files:
4669ff29.0 -> authconfig.pem
authconfig.pem (the examplemicrosoft certs catted)
examplemicrosoftintermeidateca.crt
examplemicrosoftrootca.crt
examplenovellca.crt
Observe that there is a hashed filename as a symlink to the real cert file. OpenLDAP looks up a CA certificate by the hash of its subject name, and the hashed name can be a real file or just a symlink.
You can generate the hashed filename by running c_rehash /etc/openldap/cacerts (or try cacertdir_rehash) from the openssl-perl package, or you can create the symlink yourself this way:
cd /etc/openldap/cacerts
ln -sf certs-example-2016.pem "$( openssl x509 -in certs-example-2016.pem -hash -noout ).0"
The .0 suffix assumes no other cert in the directory has the same subject hash; a second cert with the same hash gets .1, and so on, which is what c_rehash handles for you.
Reference: Weblink 2
Requesting a certificate signing
A CSR is what you send when you have generated a key and want a certificate for it signed by a certificate authority, whether that is the local CA or a public one.
You need a private key to start with, so the genrsa command generates one; its -aes256 flag encrypts that key with a passphrase, which is what the first prompt below asks for.
openssl genrsa -aes256 -out wwwexamplecom-2016.key 2048
openssl req -new -key wwwexamplecom-2016.key -out wwwexamplecom-2016.csr
Enter pass phrase for wwwexamplecom-2016.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) :Anystate
Locality Name (eg, city) [Default City]:Anytown
Organization Name (eg, company) [Default Company Ltd]:Example Company
Organizational Unit Name (eg, section) :IT
Common Name (eg, your name or your server's hostname) :www.example.com
Email Address :email@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
Generally, don't use a passphrase (leave -aes256 off the genrsa command). If you must, use a simple one like linksys.
Send the csr to someone. This uses the send.sh script from the bgscripts package.
send.sh -hs "csr for www.example.com" wwwexamplecom-2016.csr firstname.lastname@example.org
Removing passphrase from private key
Apache in particular struggles with a private key protected with a passphrase: it prompts for the passphrase at every start, which breaks unattended restarts. Apparently admins just leave the passphrase blank when generating a cert.
If you already applied one, and want to remove the passphrase, just use openssl.
openssl rsa -in old.key -out new.key
It will ask you for the passphrase, then write the now unencrypted private key to the new file, so keep that file readable only by root (chmod 600).
Adding AD certs to host trusted certificate store
Procure your AD root CA cert or download it from the certificate authority web portal, which could resemble https://ca2.example.com/certsrv/. Save as ca2.example.com.crt.
Reference: Weblink 4 https://support.microsoft.com/en-us/help/555252
cp ca2.example.com.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust
This is the ca-certificates mechanism on RHEL/CentOS-family systems; update-ca-trust regenerates the consolidated trust bundles from everything under the anchors directory.
Signing a certificate
Internal link 3 https://ca2.example.com/certsrv/ provides the certificate signing operations for Active Directory.
Adding key to java keystore
You might need to add a certificate to a Java keystore. It is interesting to note that many Java keystore files are actually symlinks to /etc/pki/java/cacerts. The storepass changeit used below is the stock password of the JRE's cacerts keystore.
/usr/lib/jvm/java/jre/bin/keytool -import -trustcacerts -alias "myaliasname" -storetype jks -keystore /usr/lib/jvm/java/jre/lib/security/cacerts -file ./comodo.cer -storepass changeit
Testing ssl cert from server
To find out whether an https or other TLS-enabled service is serving the right certificate, use openssl as a client and pull down the certificate:
printf '\n' | openssl s_client -connect ipa.example.com:443
Then observe the subject, issuer and certificate chain lines in the output; add -showcerts to print every certificate the server sends rather than only the leaf.
To test SNI, add the parameter -servername myurl.example.com. Without it the server returns its default certificate, which is why a name-based vhost can look wrong from s_client but fine in a browser.
Reference: weblink 6 https://major.io/2012/02/07/using-openssls-s_client-command-with-web-servers-using-server-name-indication-sni/
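An added example, not part of the original notes, that does the s_client check above from Python: fetch the served certificate with a chosen SNI name, then confirm it covers the expected hostname (including the wildcard rules a wildcard cert relies on) and compute days to expiry. The host names ipa.example.com and myurl.example.com come from the commands above; the sample certificate dict is constructed.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, servername=None):
    """Like `openssl s_client -connect host:port -servername name`: return the
    leaf cert as the dict getpeercert() gives. The chain is still verified
    against the system trust store (a bad chain raises SSLCertVerificationError);
    only the hostname check is left to hostname_matches() below."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername or host) as tls:
            return tls.getpeercert()

def cert_names(cert):
    """DNS names the cert covers: SAN dNSName entries, or the subject CN
    only when there is no SAN at all."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, hostname):
    """Case-insensitive; '*' is accepted only as the whole leftmost label and
    covers exactly one label: *.example.com matches www.example.com but not
    example.com or a.b.example.com."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def hostname_matches(cert, hostname):
    return any(name_matches(n, hostname) for n in cert_names(cert))

def days_until_expiry(cert, now=None):
    """Days left on notAfter; negative once the cert has expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0

# Constructed sample in getpeercert() form; not a real server's certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
    "notAfter": "May  9 00:00:00 2007 GMT",
}
```

For a live check, pass the result of fetch_cert("ipa.example.com", 443, "myurl.example.com") to hostname_matches and days_until_expiry; a verification error from fetch_cert itself already tells you the served chain is not trusted.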
- Pkcs12 chained certificates demo: http://stackoverflow.com/questions/18787491/adding-certificate-chain-to-p12pfx-certificate/18830742#18830742
- How to get the cert file hash without the c_rehash tool: http://www.linuxquestions.org/questions/linux-server-73/openldap-certificate-4175480164-print/
- Removing passphrase from ssl key: https://www.mnxsolutions.com/apache/removing-a-passphrase-from-an-ssl-key.html
- AD get root CA certificate: https://support.microsoft.com/en-us/help/555252