This one will show all of the certificate parts so you can copy/paste them into the AWS or F5 web UI
# Dump every object in the PKCS#12 bundle as PEM: leaf, chain and private key.
# -nodes prints the private key UNENCRYPTED to stdout, so run this in a
# session whose scrollback/history you control, or redirect into a file
# created with restrictive permissions (umask 077) instead of pasting from
# the screen.
openssl pkcs12 -nodes -in some.pfx
This one will create a new key and csr
# Generate a fresh 4096-bit RSA key and a CSR for it in one step.
# -nodes: the key is written without a passphrase, so new.privkey is only
#         protected by file permissions -- confirm it is mode 0600 afterwards.
# -sha256: signature digest for the CSR; -subj: skips the interactive prompts.
openssl req -new -newkey rsa:4096 -nodes -sha256 \
  -subj "/C=US/ST=California/L=Sacramento/O=Netlogix/OU=Marketing/CN=www.steveborba.com" \
  -config /etc/ssl/openssl.cnf \
  -keyout new.privkey -out new.csr
This one is how I sign user certificates with openssl
# Issue a user (client) certificate from the intermediate CA.
#   -extensions usr_cert : extension section taken from openssl.int.conf
#   -days 1460           : four-year validity
#   -notext              : omit the human-readable dump from the .crt
openssl ca -config openssl.int.conf -md sha256 -days 1460 -notext \
  -extensions usr_cert \
  -in UserCert.csr -out UserCert.crt
This is how I created a CSR with SANs and Must-Staple:
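# CSR with SANs and the TLS Feature (OCSP Must-Staple) extension, using an
# existing key. -reqexts SAN pulls extensions from the [SAN] section, so the
# OID 1.3.6.1.5.5.7.1.24 line must sit INSIDE that section: written before
# the "[SAN]" header it lands in whatever section closes /etc/ssl/openssl.cnf
# and is not emitted into the CSR. SAN entries use "DNS:" not "DNS=".
# DER:30:03:02:01:05 encodes TLSFeature { status_request(5) }.
# The leading newline guards against a config file without a trailing newline.
# Verify: openssl req -noout -text -in steveborba.com.must-staple.csr.pem
openssl req -new -sha256 -key new.privkey -subj "/CN=steveborba.com" \
  -reqexts SAN \
  -config <(cat /etc/ssl/openssl.cnf \
    <(printf '\n[SAN]\nsubjectAltName=DNS:steveborba.com,DNS:www.steveborba.com\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05\n')) \
  -out steveborba.com.must-staple.csr.pem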
This one adds an IP address as a subject alternative name
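# Key + CSR in one step, with a DNS name and an IP address as SANs.
# The SAN list is ONE comma-separated value using "IP:" (not "IP="); a
# separate "IP=..." line inside [SAN] is not a valid extension entry and
# breaks (or is dropped from) the request. The leading newline guards against
# a config file without a trailing newline. -nodes leaves new.privkey
# unencrypted, so keep it at mode 0600.
# Verify: openssl req -noout -text -in new.csr | grep -A1 'Alternative Name'
openssl req -new -sha256 -newkey rsa:4096 -nodes -keyout new.privkey \
  -out new.csr -subj "/CN=home.steveborba.com" -reqexts SAN \
  -config <(cat /etc/ssl/openssl.cnf \
    && printf '\n[SAN]\nsubjectAltName=DNS:home.steveborba.com,IP:68.187.31.12\n')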
This is how I sign server certificates with openssl
# Issue a server certificate (two-year validity) for the OpenVPN server.
# Extensions come from the server_cert section of openssl.int.conf; SANs
# present in the CSR are only carried over if that config enables
# copy_extensions, otherwise they have to be supplied at signing time.
openssl ca -config openssl.int.conf -md sha256 -days 730 -notext \
  -extensions server_cert \
  -in /etc/openvpn/server.csr -out /etc/openvpn/server.crt
You have to match the SANs when you sign (there must be an easier way than this)
# Same as above, but with the SANs appended to the CA config at signing time.
# The printf output lands after the LAST section of openssl.int.conf, so this
# only does what you want if that last section is the one -extensions selects
# (server_cert). Check the issued cert:
#   openssl x509 -noout -text -in signed.crt | grep -A1 'Alternative Name'
# The easier way is "copy_extensions = copy" in the CA section of
# openssl.int.conf so the SANs in the CSR are honoured -- then review each
# CSR's extensions before signing, because everything requested is copied.
openssl ca -config <(cat openssl.int.conf \
    && printf "subjectAltName=DNS:home.steveborba.com,IP:68.187.31.12\n") \
  -md sha256 -days 730 -notext -extensions server_cert \
  -in some.csr -out signed.crt
This one will package a key, certificate and chain together
# Bundle private key + leaf certificate + chain into a PKCS#12 file.
# -export prompts for the export password; it never appears on the command
# line or in shell history.
openssl pkcs12 -export -inkey new.privkey -in signed.crt -certfile chain.crt \
  -out bundle.pfx
This will convert a DER-formatted file to a PEM/base64 one:
# Unpack a PKCS#12 (binary) bundle into PEM objects. Without -nodes the
# private key is re-encrypted under a passphrase openssl prompts for.
openssl pkcs12 -in der.pfx -out out.pem
# Plain base64 of the raw .pfx bytes; no PEM header/footer is added.
openssl base64 -in infile.pfx -out outfile.pem
but you need to prepend "-----BEGIN PKCS12-----" and append "-----END PKCS12-----"
This is how I got the SHA-256 digest of the public key (derived from the private key) for HPKP
# SPKI pin: DER-encode the public key, SHA-256 it, base64 the raw digest.
# HPKP (Public-Key-Pins) is deprecated and no longer enforced by mainstream
# browsers; the same pin-sha256 value is still used by some pinning clients.
openssl rsa -pubout -outform der \
    -in /etc/letsencrypt/live/steveborba.com/privkey.pem \
  | openssl dgst -sha256 -binary \
  | openssl enc -base64
ASA Certificate import
Run these from somewhere you have openssl, base64 and the certs (ubuntu WSL for me)
# Build a PKCS#12 for the ASA and base64 it for pasting into the CLI.
# As written, cert.pem is expected to hold the private key as well as the
# certificate; if the key lives elsewhere add -inkey. The export password
# typed here is the one the ASA import command asks for.
openssl pkcs12 -export -certfile intca.crt -in cert.pem -out cert.p12
base64 <cert.p12 >cert.p12.base64
<SSH to ASA, conf t>
crypto ca trustpoint <CERT NAME HERE>
enrollment terminal
exit
crypto ca import <CERT NAME HERE> pkcs12 <CERTPASSWORD>
-----BEGIN PKCS12-----
<PASTE CONTENT OF cert.p12.base64>
-----END PKCS12-----
quit
ssl trust-point <CERT NAME HERE> <OUTSIDE_IFNAME>
Java key store stuff
Delete
# Drop the existing "tomcat" entry, then pull the whole PKCS#12 into the
# keystore. JKS is Java's legacy proprietary format; PKCS12 has been the
# default keystore type since JDK 9, so -deststoretype PKCS12 is the modern
# choice when the application allows it.
keytool -delete -keystore ./conf/keystore_secure.jks -alias tomcat
keytool -importkeystore \
  -srckeystore ./certs/wildcard.pk12 -srcstoretype PKCS12 \
  -destkeystore ./conf/keystore_secure.jks -deststoretype JKS
Import CA Certificate
# Add the Netlogix root as a trusted CA entry under alias transport_ca.
# keytool prints the certificate fingerprint and asks for confirmation --
# compare it against a value obtained out of band before answering yes.
keytool -import -keystore transport.p12 -alias transport_ca \
  -file /etc/ssl/certs/Netlogix_Root_Certificate.pem
rename/change alias
# Rename the entry stored under alias "1" (what a PKCS#12 import typically
# produces) to "http".
keytool -changealias -keystore http.p12 -alias 1 -dest http
copy from one to another:
# Copy a single entry (http_ca) from the backup keystore into the live one,
# keeping the alias.
keytool -importkeystore -srcalias http_ca -destalias http_ca \
  -srckeystore http.p12.orig -destkeystore http.p12
Find supported ciphers or protocols
# Enumerate the protocol versions and cipher suites the server accepts;
# the script also grades each suite.
nmap -p 443 --script ssl-enum-ciphers example.com
Or s_client:
# Full handshake dump including every certificate the server sends
# (-showcerts); press Ctrl-D or pipe from /dev/null to end the session.
openssl s_client -connect www.steveborba.com:443 -showcerts
# Templates: pin a single protocol version to see whether the server still
# accepts it (a successful handshake on an old version is a finding).
# Use -servername when the host serves several names (SNI).
# -ssl3 is gone from modern builds; -tls1 and -tls1_1 may also be absent in
# some distro builds -- check 'openssl s_client -help'.
openssl s_client -connect <IP/Hostname>:443 [ -servername <SNI> ] -ssl3 (does not exist in modern s_client)
openssl s_client -connect <IP/Hostname>:443 [ -servername <SNI> ] -tls1
openssl s_client -connect <IP/Hostname>:443 [ -servername <SNI> ] -tls1_1
openssl s_client -connect <IP/Hostname>:443 [ -servername <SNI> ] -tls1_2
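#!/bin/bash
# Try every cipher the local OpenSSL knows against a TLS server and report
# which ones it accepts.
#
# Usage:   ./script host:port        (example: steveborba.com:443)
# Output:  one line per cipher: "Testing NAME... YES | NO (reason) | UNKNOWN (...)"
#
# Caveats:
#  - Only suites in the LOCAL OpenSSL list are tried; a server may accept
#    suites this client cannot offer, and those are never reported.
#  - TLS 1.3 suite names (TLS_*) are not accepted by -cipher; they are
#    passed with -ciphersuites, which exists on OpenSSL 1.1.1+. Older builds
#    do not list them, so that branch is never reached there.
#  - NULL ciphers (eNULL) are included on purpose so an audit catches them.
#  - YES is only reported when the server negotiated the suite under test;
#    a handshake that picked a different suite (e.g. a TLS 1.3 default)
#    is reported as UNKNOWN with the full output, not as support.
set -u

server=${1:?usage: $0 host:port}
delay=0.25

# Split the colon-separated list into an array instead of relying on
# unquoted word-splitting of a scalar.
IFS=: read -r -a ciphers <<<"$(openssl ciphers 'ALL:eNULL')"

for cipher in "${ciphers[@]}"; do
  printf 'Testing %s... ' "$cipher"
  if [[ "$cipher" == TLS_* ]]; then
    opts=(-ciphersuites "$cipher")
  else
    opts=(-cipher "$cipher")
  fi
  # stdin from /dev/null so s_client exits once the handshake is done.
  result=$(openssl s_client "${opts[@]}" -connect "$server" </dev/null 2>&1)
  if [[ "$result" =~ :error: ]]; then
    # Reason text is the 6th colon-separated field of the first error line.
    error=$(printf '%s\n' "$result" | grep -m1 ':error:' | cut -d: -f6)
    printf 'NO (%s)\n' "$error"
  elif [[ "$result" =~ "Cipher is ${cipher}" ]]; then
    printf 'YES\n'
  else
    # Quoted so nothing in the output is glob-expanded or word-split.
    printf 'UNKNOWN (%s)\n' "$result"
  fi
  sleep "$delay"
done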
# Install the Netlogix root CA into the system trust store (Debian/Ubuntu
# layout: drop a .crt into /usr/local/share/ca-certificates, then rebuild).
# Every TLS client on this host will afterwards trust anything chained to
# this CA, so compare its SHA-256 fingerprint with a value obtained out of
# band before running update-ca-certificates:
#   openssl x509 -noout -fingerprint -sha256 -in /usr/local/share/ca-certificates/NetlogixRootCertificate.crt
sudo tee /usr/local/share/ca-certificates/NetlogixRootCertificate.crt <<'EOF'
-----BEGIN CERTIFICATE-----
MIIFvjCCA6agAwIBAgIJAKYAi30njtbJMA0GCSqGSIb3DQEBCwUAMGwxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMREwDwYDVQQKDAhOZXRsb2dpeDER
MA8GA1UECwwIU2VjdXJpdHkxIjAgBgNVBAMMGU5ldGxvZ2l4IFJvb3QgQ2VydGlm
aWNhdGUwHhcNMTUxMTExMjIyNzIyWhcNMzUxMTA2MjIyNzIyWjBsMQswCQYDVQQG
EwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTERMA8GA1UECgwITmV0bG9naXgxETAP
BgNVBAsMCFNlY3VyaXR5MSIwIAYDVQQDDBlOZXRsb2dpeCBSb290IENlcnRpZmlj
YXRlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArPAMFwkxl0NlgWdQ
izcVf71V6BfMgJHqwUEuTy5rg1cyRbZecjaa0E14e2LKhwHrObIcjM9+3hGWv4hs
xb7eZLLeNObApjayG7e5bybvYzQvDa04B8Badp9PTJaf0HfdrFkCafHL8kVXj/+A
4n4fPyD+MHZVYmfwM5Hd9NMGU3Rr5D8DEO1GIuZEGTwpEXxzfhmhV4NFo0RdxZYN
UAB2SK82/QTk+Fge9CFsGHfKRoBD2mdt3CueuD0xpl01A3kMW1iAtal3kmG9rRcS
WJVRF46ZJX/RvYGjJZZPd3f9mZiuuKWaMQXTHZNhpDHSOhZynzWscB4xbS6OpX2c
5CquYZKnN26V4W3gziGrXPYHlY/q7NLEHquvow9x3H/rOSMv+oLfDMhHxMih98k2
+f+OvXPdjODSEwmG6Z3xDBJgqKWj+GOOuLCYy+DntJkWu8JIZgklZiZXWIOGpK4R
qW5yJYqUpXMWUWRzmy+CmmWTRcL6uXTh/nrx0kHPdTYHoo1K/LR7CN8TEyk35i96
gx89LKOh+xwAem8ufoGoPo+JYx8iDT0OF/DE5c0q1YIoLGSwFja4vCKeOQ+4E7dj
2aLU9N/7/7ykOXoSnOUzvGmkIxVmeKi2/I36/2Ksmrj6RRGVyuMMKRie6zjfSobY
FxxyuIisV83/DwlHHSjqCLylcnkCAwEAAaNjMGEwHQYDVR0OBBYEFLKwqdZOUMGB
xMRkO53MyJ1IpZN2MB8GA1UdIwQYMBaAFLKwqdZOUMGBxMRkO53MyJ1IpZN2MA8G
A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IC
AQCgnkLuWZwLu32pJ4fLf7fsUrtI9p87+sCWxbdU/z7UEZtLXfNpn4DwUp4EQmcu
PQKQRRzDcNdmoXOgqmxbTHxae28WPYLl9HglWGzr2WDAmIHPI4uvvO/0BQkwA5mN
oCC91Vvf+9BcG+NKSW8u2OLCNRRkaZhmyZXHv5d4+v+j/kDb5AoGF06Ym/18xLli
u40btrC6gsdErJZaZc1IsU4SqaDp3IHwqFSd/LJbS0f+6yia3hqdllhlNIXve33q
3qjcNQaYLD5MIRaXZX7EtEqdLkSWM6Z5U+BzIuyqQk5XNIcWd+pCDkQXL6i2bmlS
JmsXXCmrDfwNRyneLUi7hUN+TMl5z80Kmca/Xj9VP397ZrXqOaMQula7O8UYhbRk
13FUN/ebjNKNDvO2GD2GOzRUJfPWUU6CgJ2sCpKXSdXzEN83kMF9EDYKsNFJVCHb
P8kizemyQOHrxp1bzjzVXEMbMHMpMJePZdzYZne5lCiq4y8mZPVGiyySY80dSkCR
s3zfOFFqSrvbX12S4KK+dow3u0S/Za9A/w6H9jXnqdlrajl/2eyDhRVbPvdGfEiv
E4bIEyUMSTSkpXK0/r/a9iQVctymmi3s01lH8CGbRMzwvcEl0TQT1ObeH6dHs/YY
rxhPoDerm9ytbdR4NJIP90zcv2AfIWZDs4VKNLJ/HrD+ig==
-----END CERTIFICATE-----
EOF
# Rebuild /etc/ssl/certs and the bundle so the new root is picked up.
sudo update-ca-certificates