Steve Borba

My notes, I hope they help you, feel free to comment/add to them

Certificates

This one will show all of the certificate parts so you can copy/paste to AWS or F5 web UI

openssl pkcs12 -in some.pfx -nodes

This one will create a new key and csr

openssl req -new -sha256 -newkey rsa:4096 -nodes -keyout new.privkey \
   -out new.csr -config /etc/ssl/openssl.cnf \
   -subj "/C=US/ST=California/L=Sacramento/O=Netlogix/OU=Marketing/CN=www.steveborba.com"

This one is how I sign user certificates with openssl

openssl ca -config openssl.int.conf -extensions usr_cert -days 1460 \
   -notext -md sha256 -in UserCert.csr -out UserCert.crt

This is how I created a CSR with SAN and must-staple (the OID line is the TLS Feature extension with value status_request; it has to sit inside the [SAN] section so that -reqexts SAN picks it up, and SAN entries use DNS: not DNS=):

openssl req -new -sha256 -key new.privkey -subj "/CN=steveborba.com" \
   -reqexts SAN -out steveborba.com.must-staple.csr.pem \
   -config <(cat /etc/ssl/openssl.cnf \
      <(printf "[SAN]\nsubjectAltName=DNS:steveborba.com,DNS:www.steveborba.com\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05\n"))

This one has an alternative IP (the IP goes in the same subjectAltName line as the DNS name; a separate IP= key is ignored):

openssl req -new -sha256 -newkey rsa:4096 -nodes -keyout new.privkey \
   -out new.csr -subj "/CN=home.steveborba.com" -reqexts SAN \
   -config <(cat /etc/ssl/openssl.cnf \
   && printf "[SAN]\nsubjectAltName=DNS:home.steveborba.com,IP:68.187.31.12\n")

This is how I sign server certificates with openssl

openssl ca -config openssl.int.conf -extensions server_cert -days 730 \
   -notext -md sha256 -in /etc/openvpn/server.csr -out /etc/openvpn/server.crt

You have to match the SANs when you sign (there must be an easier way than this)

openssl ca -extensions server_cert -days 730 -notext -md sha256 \
   -in some.csr -out signed.crt \
   -config <(cat openssl.int.conf \
   && printf "subjectAltName=DNS:home.steveborba.com,IP:68.187.31.12\n")
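Added example (my own addition, not one of the commands from these notes): a throwaway CA that signs a SAN + must-staple CSR without re-typing the SANs at signing time. The easier way is copy_extensions = copy in the openssl ca section, which carries the CSR's extensions into the issued certificate; anything the signing extensions section already sets (server_cert below sets basicConstraints = CA:FALSE, keyUsage and extendedKeyUsage) wins over whatever the CSR asked for, so a CSR cannot talk the CA into a CA:TRUE certificate, but read CSRs before signing them all the same. The section names (dn, ext, ca_default, policy_any, server_cert, ca_ext), the demo-ca directory and the "Example Test CA" name are this example's assumptions; it needs only openssl and a POSIX shell and does not touch the system openssl.cnf.

```shell
#!/bin/sh
# Throwaway CA with copy_extensions = copy (added example, not from the original notes).

# Config for `openssl req`: subject, SANs and optional must-staple. The OID line is the
# raw form used in the notes above: id-pe-tlsfeature with DER 30 03 02 01 05 = status_request.
# Usage: san_req_config CN 0|1 SAN...   e.g. san_req_config host.test 1 DNS:host.test IP:192.0.2.10
san_req_config() {
    cn=$1; staple=$2; shift 2
    sans=$(printf '%s,' "$@"); sans=${sans%,}
    printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n'
    printf '[dn]\nCN = %s\n' "$cn"
    printf '[ext]\nsubjectAltName = %s\n' "$sans"
    if [ "$staple" = 1 ]; then printf '1.3.6.1.5.5.7.1.24 = DER:30:03:02:01:05\n'; fi
}

# Config for `openssl ca`. copy_extensions = copy is what makes the CSR's SANs (and the
# must-staple feature) land in the certificate; server_cert fixes the security-relevant bits.
# The [req]/[ca_ext] part is only used to mint the self-signed CA certificate of this demo.
ca_config() {
    dir=$1
    printf '[ca]\ndefault_ca = ca_default\n'
    printf '[ca_default]\ndir = %s\n' "$dir"
    printf 'database = $dir/index.txt\nnew_certs_dir = $dir/newcerts\nserial = $dir/serial\n'
    printf 'certificate = $dir/ca.crt\nprivate_key = $dir/ca.key\n'
    printf 'default_md = sha256\ndefault_days = 730\npolicy = policy_any\ncopy_extensions = copy\n'
    printf '[policy_any]\ncommonName = supplied\n'
    printf '[server_cert]\nbasicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\n'
    printf 'extendedKeyUsage = serverAuth\n'
    printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\nCN = Example Test CA\n'
    printf '[ca_ext]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n'
}

# init_ca DIR: create the database files openssl ca insists on and a self-signed CA cert
init_ca() {
    dir=$1; mkdir -p "$dir/newcerts"; : > "$dir/index.txt"; echo 01 > "$dir/serial"
    ca_config "$dir" > "$dir/ca.cnf"
    openssl req -x509 -new -newkey "rsa:${KEY_BITS:-4096}" -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -config "$dir/ca.cnf" 2>/dev/null
}

# make_csr BASE CN 0|1 SAN...: writes BASE.cnf, BASE.key and BASE.csr
make_csr() {
    base=$1; cn=$2; staple=$3; shift 3
    san_req_config "$cn" "$staple" "$@" > "$base.cnf"
    openssl req -new -sha256 -newkey "rsa:${KEY_BITS:-4096}" -nodes \
        -keyout "$base.key" -out "$base.csr" -config "$base.cnf" 2>/dev/null
}

# sign_csr CADIR CSR OUTCERT: no SANs repeated on the command line, they come from the CSR
sign_csr() {
    openssl ca -batch -config "$1/ca.cnf" -extensions server_cert -notext \
        -in "$2" -out "$3" 2>/dev/null
}

# sans_of req|x509 FILE: the SAN line as openssl prints it, e.g. "DNS:a.test, IP Address:192.0.2.10"
sans_of() {
    openssl "$1" -in "$2" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# has_must_staple req|x509 FILE: newer openssl prints "TLS Feature", older ones the raw OID
has_must_staple() {
    openssl "$1" -in "$2" -noout -text | grep -Eq 'TLS Feature|1\.3\.6\.1\.5\.5\.7\.1\.24'
}

# sans_match CSR CERT: 0 when the issued certificate carries exactly the requested SANs
sans_match() { [ "$(sans_of req "$1")" = "$(sans_of x509 "$2")" ]; }

# Stand-alone use: ./san-ca.sh CN SAN...   e.g. ./san-ca.sh host.test DNS:host.test IP:192.0.2.10
if [ "$#" -gt 0 ]; then
    d=${CA_DIR:-./demo-ca}; cn=$1; shift
    init_ca "$d"
    make_csr "$d/server" "$cn" 1 "$@"
    sign_csr "$d" "$d/server.csr" "$d/server.crt"
    echo "requested: $(sans_of req "$d/server.csr")"
    echo "issued:    $(sans_of x509 "$d/server.crt")"
    if sans_match "$d/server.csr" "$d/server.crt"; then echo "SANs match"; else echo "SANs differ"; exit 1; fi
fi
```

The same sans_of comparison works against a CSR and the certificate a real CA sent back, which is the check to run before installing anything signed with the manual -config trick above.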

This one will package a key, certificate and chain together

openssl pkcs12 -export -out bundle.pfx -inkey new.privkey \
   -in signed.crt -certfile chain.crt

This will convert a DER formatted file to a PEM/base64 one:

openssl pkcs12 -out out.pem -in der.pfx

openssl base64 -in infile.pfx -out outfile.pem

but you need to prepend "-----BEGIN PKCS12-----" and append "-----END PKCS12-----", each on its own line
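Added example (mine, not part of the original notes): shell functions that add the armour described above, strip it again, and check a PEM file before pasting it into a web UI. The function names are this example's own; it uses openssl base64 because that wraps at the 64 columns PEM readers expect, and the bytes fed to it in the usage below are made up rather than a real PKCS#12 file.

```shell
#!/bin/sh
# PEM armour helpers (added example, not from the original notes).

# pem_wrap LABEL FILE: PEM text on stdout; LABEL is e.g. PKCS12 or CERTIFICATE
pem_wrap() {
    printf '%s\n' "-----BEGIN $1-----"
    openssl base64 -in "$2"            # 64-column lines, newline-terminated
    printf '%s\n' "-----END $1-----"
}

# pem_unwrap FILE: the original DER bytes on stdout. The armour lines are dropped
# first because `openssl base64 -d` does not skip them.
pem_unwrap() {
    sed '/^-----/d' "$1" | openssl base64 -d
}

# pem_check FILE: 0 if FILE has a BEGIN line, a matching END line and body lines of at
# most 64 characters, else 1 with the reason on stderr. Catches the usual copy/paste
# damage (missing armour, label mismatch, body joined into one long line) before upload.
pem_check() {
    first=$(head -n 1 "$1"); last=$(tail -n 1 "$1")
    case $first in
        -----BEGIN\ *-----) ;;
        *) echo "pem_check: no BEGIN line" >&2; return 1 ;;
    esac
    label=${first#-----BEGIN }; label=${label%-----}
    [ "$last" = "-----END $label-----" ] || { echo "pem_check: END line does not match '$label'" >&2; return 1; }
    if sed '/^-----/d' "$1" | awk 'length($0) > 64 { bad = 1 } END { exit bad }'; then
        return 0
    fi
    echo "pem_check: body line longer than 64 characters" >&2
    return 1
}

# Stand-alone use: ./pem.sh LABEL FILE.der > FILE.pem   (checks the result it just wrote)
if [ "$#" -eq 2 ]; then
    pem_wrap "$1" "$2" > "$2.pem" && pem_check "$2.pem" && cat "$2.pem"
fi
```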

This is how I got the SHA-256 digest of a private key's public part (the SubjectPublicKeyInfo) for HPKP

openssl rsa -in /etc/letsencrypt/live/steveborba.com/privkey.pem \
   -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64

ASA Certificate import

Run these from somewhere you have openssl, base64 and the certs (ubuntu WSL for me). cert.pem has to hold the private key as well as the certificate; if the key is in its own file add -inkey key.pem:

openssl pkcs12 -export -in cert.pem -certfile intca.crt -out cert.p12
base64 cert.p12 > cert.p12.base64

<SSH to ASA, conf t>
crypto ca trustpoint <CERT NAME HERE>
  enrollment terminal
  exit
crypto ca import <CERT NAME HERE> pkcs12 <CERTPASSWORD>
-----BEGIN PKCS12-----
<PASTE CONTENT OF cert.p12.base64>
-----END PKCS12-----
quit
ssl trust-point <CERT NAME HERE> <OUTSIDE_IFNAME>

Java key store stuff

Delete
keytool -delete -alias tomcat -keystore ./conf/keystore_secure.jks

Import a PKCS12 keystore into a JKS keystore
keytool -importkeystore -srckeystore ./certs/wildcard.pk12 -srcstoretype PKCS12 -destkeystore ./conf/keystore_secure.jks -deststoretype JKS

Import CA Certificate
keytool -keystore transport.p12 -import -alias transport_ca -file /etc/ssl/certs/Netlogix_Root_Certificate.pem

rename/change alias
keytool -keystore http.p12 -changealias -alias 1 -dest http

copy from one to another:
keytool -importkeystore -srckeystore http.p12.orig -destkeystore http.p12 -srcalias http_ca -destalias http_ca

Find supported ciphers or protocols

nmap --script ssl-enum-ciphers -p 443 example.com

Or s_client:
openssl s_client -showcerts -connect www.steveborba.com:443

openssl s_client -connect <IP/Hostname>:443 [ -servername <SNI> ] -ssl3 (does not exist in modern s_client)
openssl s_client -connect <IP/Hostname>:443 [ -servername <SNI> ] -tls1
openssl s_client -connect <IP/Hostname>:443 [ -servername <SNI> ] -tls1_1
openssl s_client -connect <IP/Hostname>:443 [ -servername <SNI> ] -tls1_2

This script tries each cipher individually against a server and reports YES/NO:

#!/bin/bash
# Usage: ./ciphertest.sh HOST:PORT   (example: ./ciphertest.sh steveborba.com:443)
SERVER=$1
DELAY=0.25
HOST=${SERVER%%:*}   # host part only, sent as SNI so name-based virtual hosts answer
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')
for cipher in $ciphers; do
  echo -n "Testing $cipher..."
  # TLS 1.3 suites (TLS_AES_...) are selected with -ciphersuites, not -cipher, so -cipher alone does not test them
  result=$(echo -n | openssl s_client -cipher "$cipher" -servername "$HOST" -connect "$SERVER" 2>&1)
  if [[ "$result" =~ ":error:" ]] ; then
    error=$(echo -n $result | cut -d':' -f6)   # $result unquoted on purpose: flattens the output to one line
    echo "NO ($error)"
  elif [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher    :" ]] ; then
    echo YES
  else
    echo "UNKNOWN ($result)"
  fi
  sleep "$DELAY"
done

This adds a root CA to the Ubuntu trust store (keep the BEGIN and END markers on their own lines, the PEM reader needs them that way):

echo '-----BEGIN CERTIFICATE-----
<PASTE BASE64 BODY OF THE ROOT CERTIFICATE HERE>
-----END CERTIFICATE-----' | sudo tee /usr/local/share/ca-certificates/NetlogixRootCertificate.crt
sudo update-ca-certificates
