Last updated 2016-11-09
SSL certificates are used in almost every network application to encrypt traffic to increase the safety of communications.
Manipulating ssl certs
Converting .crt to .pem
A .crt file can be identical to a .pem: They are both a b64-encoded block.
openssl x509 < rapidssl.crt -out rapidssl.pem
A .crt is usually the public key, and a .key is usually the private key.
Converting .crt set to a .pfx for Windows
Run each step separately because you might need to enter an import or export password. Use a simple password for each one for ease.
openssl pkcs12 -export -in wildcard-2016.crt -inkey wildcard-2016.key -out wildcard-2016.p12 -name wildcard -CAfile rapidssl-2016.crt -caname root openssl pkcs12 -in wildcard-2016.p12 -out wildcard-2016.pem -nodes –clcerts openssl x509 -in rapidssl-2016.crt -out rapidssl-2016.pem cat wildcard-2016.pem rapidssl-2016.pem > wildcardchain-2016.pem openssl pkcs12 -export -in wildcardchain-2016.pem -out wildcardchain-2016.pfx
Preparing hash file for ldap
Openldap can use ssl to encrypt its traffic, and the file needs to be rather specific. Around here, the /etc/openldap/ldap.conf file tends to have these directives:
URI ldaps://example.com BASE dc=example,dc=com TLS_CACERTDIR /etc/openldap/cacerts
And in /etc/openldap/cacerts you might see these files:
4669ff29.0 -> authconfig.pem authconfig.pem (the examplemicrosoft certs catted) examplemicrosoftintermeidateca.crt examplemicrosoftrootca.crt examplenovellca.crt
Observe that there is a hashed file as a symlink to the real cert file. Openldap will look for the hashed filename, whether it is a real file or just a symlink.
You can generate the hashed file by running c_rehash /etc/openldap/cacerts from package openssl-perl or you can generate the symlink this way:
cd /etc/openldap/cacerts ln -sf certs-example-2016.pem "$( openssl x509 -in certs-example-2016.pem -hash -noout ).0"
Reference: Weblink 2
Requesting a certificate signing
A CSR is for when you have a certificate you generated that you want signed by a certificate authority, whether that be the local CA or a public one.
You need a private key to start with, so the genrsa command will generate one.
openssl genrsa -aes256 -out wwwexamplecom-2016.key 2048
openssl req -new -key wwwexamplecom-2016.key -out wwwexamplecom-2016.csr
Enter pass phrase for wwwexamplecom-2016.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:US
State or Province Name (full name) :Anystate
Locality Name (eg, city) [Default City]:Anytown
Organization Name (eg, company) [Default Company Ltd]:Example Company
Organizational Unit Name (eg, section) :IT
Common Name (eg, your name or your server's hostname) :http://www.example.com
Email Address :firstname.lastname@example.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
Generally, don’t use a passphrase. If you must, do a simple one like linksys.
Send the csr to someone. This uses the send.sh script from bgscripts package.
send.sh -hs "csr for http://www.example.com" wwwexamplecom-2016.csr email@example.com
Removing passphrase from private key
Apache in particular struggles with a private key protected with a passphrase. Apparently admins just leave the passphrase blank when generating a cert.
If you already applied one, and want to remove the passphrase, just use openssl.
openssl rsa -in old.key -out new.key
It will ask you for the passphrase, and then export the private key to the new file.
Signing a certificate
In this organization, Internal link 3 https://ca2.example.com/certsrv/ provides the certificate signing operations.
Adding key to java keystore
You might need to add a certificate to a java-like keystore. It is interesting to note that many java keystore files are actually symlinks to /etc/pki/java/cacerts.
/usr/lib/jvm/java/jre/bin/keytool -import -trustcacerts -alias "myaliasname" -storetype jks -keystore /usr/lib/jvm/java/jre/lib/security/cacerts -file ./comodo.cer -storepass changeit
- Pkcs12 chained certificates demo: http://stackoverflow.com/questions/18787491/adding-certificate-chain-to-p12pfx-certificate/18830742#18830742
- How to get the cert file hash without the c_rehash tool http://www.linuxquestions.org/questions/linux-server-73/openldap-certificate-4175480164-print/
- Removing passphrase from ssl key https://www.mnxsolutions.com/apache/removing-a-passphrase-from-an-ssl-key.html