ssl


Last updated 2 months ago


[!TIP|label:see also]

reference:

    • *.jks - keystore in java format.

    • *.p12 - keystore in PKCS#12 format.

    • *.pem - all keys and certs from keystore, in PEM format.

openssl

  • check version

    $ openssl version
    OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)
    
    $ openssl version -a
    OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)
    built on: Tue Aug  1 13:36:55 2023 UTC
    platform: darwin64-x86_64-cc
    options:  bn(64,64)
    compiler: clang -fPIC -arch x86_64 -O3 -Wall -DL_ENDIAN -DOPENSSL_PIC -D_REENTRANT -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
    OPENSSLDIR: "/usr/local/etc/openssl@3"
    ENGINESDIR: "/usr/local/Cellar/openssl@3/3.1.2/lib/engines-3"
    MODULESDIR: "/usr/local/Cellar/openssl@3/3.1.2/lib/ossl-modules"
    Seeding source: os-specific
    CPUINFO: OPENSSL_ia32cap=0x7ffaf3bfffebffff:0x40000000029c67af
    
    $ openssl version -d
    OPENSSLDIR: "/usr/local/etc/openssl@3"

ssl cert

create cert for server

ca (root cert)

$ openssl genrsa -aes256 -out ca.key 2048
$ openssl req -new -x509 -sha256 -days 365 -key ca.key -out ca.crt -subj "/C=CN/ST=Sichuan/L=Chengdu/O=mycompany/OU=CDI/CN=sample.artifactory.com"

$ openssl genrsa -aes256 -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
....................................................................+++
...................................................+++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for ca.key:artifactory
Verifying - Enter pass phrase for ca.key:artifactory
$ openssl req -new -x509 -sha256 -days 365 -key ca.key -out ca.crt -subj "/C=CN/ST=Sichuan/L=Chengdu/O=mycompany/OU=CDI/CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com"
Enter pass phrase for ca.key:artifactory

cert for server (csr)

$ openssl genrsa -out server.key 2048
$ openssl req -new -sha256 -key server.key -out server.csr -subj "/C=CN/ST=Sichuan/L=Chengdu/O=mycompany/OU=CDI/CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com"

$ openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
......................................................................+++
............................................................................................................................................................................................................................+++
unable to write 'random state'
e is 65537 (0x10001)
$ openssl req -new -sha256 -key server.key -out server.csr -subj "/C=CN/ST=Sichuan/L=Chengdu/O=mycompany/OU=CDI/CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com"

sign the server cert with CA

$ echo subjectAltName = DNS:sample.artifactory.com,IP:130.147.219.19 >> extfile.cnf
$ echo extendedKeyUsage = serverAuth >> extfile.cnf

$ openssl x509 -req -days 365 -sha256 -CAcreateserial -CA ca.crt -CAkey ca.key -in server.csr -out server.crt -extfile extfile.cnf

$ echo subjectAltName = DNS:sample.artifactory.com,IP:130.147.219.19 >> extfile.cnf
$ echo extendedKeyUsage = serverAuth >> extfile.cnf

$ openssl x509 -req -days 365 -sha256 -CAcreateserial -CA ca.crt -CAkey ca.key -in server.csr -out server.crt -extfile extfile.cnf
Signature ok
subject=/C=CN/ST=Sichuan/L=Chengdu/O=mycompany/OU=CDI/CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com
Getting CA Private Key
Enter pass phrase for ca.key:artifactory
unable to write 'random state'

$ ls
extfile.cnf ca.key server.csr www.srl ca.crt server.crt server.key

generate cert for client (cert) and sign it with the CA

$ openssl genrsa -out client.key
$ openssl req -new -key client.key -out client.csr -subj "/C=CN/ST=Sichuan/L=Chengdu/O=mycompany/OU=CDI/CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com"

$ echo extendedKeyUsage = clientAuth >> extfile.cnf
$ openssl x509 -req -days 365 -sha256 -CAcreateserial -CA ca.crt -CAkey ca.key -in client.csr -out client.cert -extfile extfile.cnf

$ openssl genrsa -out client.key 2048
Generating RSA private key, 2048 bit long modulus
................................................+++
.......................+++
unable to write 'random state'
e is 65537 (0x10001)

$ openssl req -new -subj "/C=CN/ST=Sichuan/L=Chengdu/O=mycompany/OU=CDI/CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com" -key client.key -out client.csr

$ echo extendedKeyUsage = clientAuth >> extfile.cnf
$ cat extfile.cnf
subjectAltName = DNS:sample.artifactory.com,IP:130.147.219.19
extendedKeyUsage = serverAuth
extendedKeyUsage = clientAuth

$ openssl x509 -req -days 365 -sha256 -CAcreateserial -CA ca.crt -CAkey ca.key -in client.csr -out client.cert -extfile extfile.cnf
Signature ok
subject=/C=CN/ST=Sichuan/L=Chengdu/O=mycompany/OU=CDI/CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com
Getting CA Private Key
Enter pass phrase for ca.key:artifactor
unable to write 'random state'

Update the file perm

$ sudo chmod -v 0444 ca.crt server.crt client.cert
$ sudo chmod -v 0400 ca.key client.key server.key
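
The CA, server and client steps above as one non-interactive script, added here as an example and not part of the original page. It goes slightly beyond the page: each certificate gets its own extension file instead of appending to one `extfile.cnf`, and each result is checked with `openssl verify -purpose`. The CA key is left unencrypted because this is a throwaway test CA; `example-test-ca`, `*.example.test`, `192.0.2.10` and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): build a throwaway test CA, issue a
# server and a client certificate with separate extension files, then check each
# certificate against the CA for a specific purpose.
# Constructed names: example-test-ca, *.example.test, 192.0.2.10.

build_test_pki() {
  pki_dir=$1                      # empty, writable directory

  # Minimal request config, so the run does not depend on the system openssl.cnf.
  cat > "$pki_dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt             = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

  # One extension file per role: server gets SAN + serverAuth, client only clientAuth.
  printf '%s\n' 'subjectAltName = DNS:server.example.test,IP:192.0.2.10' \
                'extendedKeyUsage = serverAuth' > "$pki_dir/server.ext"
  printf '%s\n' 'extendedKeyUsage = clientAuth' > "$pki_dir/client.ext"

  # Root CA (unencrypted key: test only; the page protects ca.key with -aes256).
  openssl genrsa -out "$pki_dir/ca.key" 2048 2>/dev/null || return 1
  openssl req -new -x509 -sha256 -days 365 \
              -config "$pki_dir/req.cnf" -extensions v3_ca \
              -key "$pki_dir/ca.key" -out "$pki_dir/ca.crt" \
              -subj "/O=example/CN=example-test-ca" || return 1

  # Key, CSR and CA-signed certificate for each role.
  for pki_role in server client; do
    openssl genrsa -out "$pki_dir/$pki_role.key" 2048 2>/dev/null || return 1
    openssl req -new -sha256 -config "$pki_dir/req.cnf" \
                -key "$pki_dir/$pki_role.key" -out "$pki_dir/$pki_role.csr" \
                -subj "/O=example/CN=$pki_role.example.test" || return 1
    openssl x509 -req -days 365 -sha256 -CAcreateserial \
                 -CA "$pki_dir/ca.crt" -CAkey "$pki_dir/ca.key" \
                 -in "$pki_dir/$pki_role.csr" -out "$pki_dir/$pki_role.crt" \
                 -extfile "$pki_dir/$pki_role.ext" 2>/dev/null || return 1
  done

  # Same permissions as on the page: certificates world-readable, keys owner-only.
  chmod 0444 "$pki_dir"/*.crt
  chmod 0400 "$pki_dir"/*.key
}

# verify_purpose DIR CERT PURPOSE
# Exit status 0 only if CERT chains to DIR/ca.crt and its extensions allow
# PURPOSE (sslserver or sslclient).
verify_purpose() {
  openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2" >/dev/null 2>&1
}

# Demo run in a temporary directory.
demo_dir=$(mktemp -d) && build_test_pki "$demo_dir" &&
for demo_cert in server client; do
  for demo_purpose in sslserver sslclient; do
    if verify_purpose "$demo_dir" "$demo_cert.crt" "$demo_purpose"; then
      echo "$demo_cert.crt as $demo_purpose: OK"
    else
      echo "$demo_cert.crt as $demo_purpose: rejected"
    fi
  done
done
rm -rf "$demo_dir"
```
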

verify

crt

$ openssl x509 -noout -text -in server.crt

$ openssl x509 -noout -text -in ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15145698426239402702 (0xd23054792b3142ce)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Sichuan, L=Chengdu, O=mycompany, OU=CDI, CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com
        Validity
            Not Before: Jan 2 11:35:31 2018 GMT
            Not After : Jan 2 11:35:31 2019 GMT
        Subject: C=CN, ST=Sichuan, L=Chengdu, O=mycompany, OU=CDI, CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:130.147.219.19
            X509v3 Subject Key Identifier:
                23:32:BC:61:9E:51:8E:94:22:30:5B:AE:68:8A:7E:8E:53:D2:45:7C
            X509v3 Authority Key Identifier:
                keyid:23:32:BC:61:9E:51:8E:94:22:30:5B:AE:68:8A:7E:8E:53:D2:45:7C

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         ...

csr

$ openssl req -noout -text -in server.csr

certificate in Nginx

$ grep ssl_certificate /etc/nginx/sites-enabled/artifactoryv2.conf
ssl_certificate       /etc/nginx/certs/sample.artifactory.com/server.crt;
ssl_certificate_key   /etc/nginx/certs/sample.artifactory.com/server.key;

get remote server certs


keytool

$ keytool -printcert -rfc -sslserver <domain.com>:<port> > cacert.crt
  • check

    # convert to pem
    $ openssl x509 -inform PEM -in cacert.crt -out outcert.pem -text
    
    # or
    $ openssl x509 -noout -text -in cacert.crt

openssl


$ echo -n |
  openssl s_client -showcerts \
                   -servername <domain.com> \
                   -connect <domain.com>:<port> 2>/dev/null |
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
  > cacert.crt

# or
$ echo -n | openssl s_client \
                 -showcerts \
                 -connect <domain.com>:<port> 2>/dev/null |
         sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p; /-END CERTIFICATE-/q' |
         openssl x509 -text -noout |
         grep Not
  • check

    $ keytool -printcert -v -file cacert.crt

bundle certs


generic usage

$ awk -v cmd='openssl x509 -noout -serial' \
             '/BEGIN/{close(cmd)}; {print | cmd}' \
       < /path/to/bundle.crt

# or
$ awk -v cmd="openssl x509 -text -noout" \
             '/-----BEGIN/ { c = $0; next } c { c = c "\n" $0 } /-----END/ { print c|cmd; close(cmd); c = 0 }' \
      < /path/to/bundle.crt

# or
$ awk < /path/to/bundle.crt -v cmd="openssl x509 -issuer -subject -dates -noout" \
        '/^-----BEGIN/,/^-----END/ {print|cmd} /^-----END/ {close(cmd)}'

# or
$ cat /path/to/bundle.crt |
  awk '{
    if ($0 == "-----BEGIN CERTIFICATE-----") cert=""
    else if ($0 == "-----END CERTIFICATE-----") print cert
    else cert=cert$0
  }' |
  while read CERT; do echo "$CERT" | base64 -d | openssl x509 -inform DER -text -noout; done

get serial number

$ awk -v cmd='openssl x509 -noout -serial' \
             '/BEGIN/{close(cmd)}; {print | cmd}' \
       < /path/to/bundle.crt |
       awk -F= '{print $2}' |
       sed 's/../&:/g;s/:$//'
# or
$ openssl storeutl -noout -text -certs </path/to/file.crt> | sed -n '/Serial Number:/{n;p;}'

# i.e.:
$ awk -v cmd='openssl x509 -noout -serial' \
             '/BEGIN/{close(cmd)}; {print | cmd}' < google.crt |
      awk -F= '{print $2}' |
      sed 's/../&:/g;s/:$//'
71:8D:F8:A4:D1:48:8A:78:09:CC:ED:27:10:7D:81:84
7F:F0:05:A0:7C:4C:DE:D1:00:AD:9D:66:A5:10:7B:98
77:BD:0D:6C:DB:36:F9:1A:EA:21:0F:C4:F0:58:D3:0D
## or
$ openssl storeutl -noout -text -certs google.crt | sed -n '/Serial Number:/{n;p;}'
            71:8d:f8:a4:d1:48:8a:78:09:cc:ed:27:10:7d:81:84
            7f:f0:05:a0:7c:4c:de:d1:00:ad:9d:66:a5:10:7b:98
            77:bd:0d:6c:db:36:f9:1a:ea:21:0f:c4:f0:58:d3:0d
$ awk -v cmd='openssl x509 -noout -subject -issuer' \
             '/BEGIN/{close(cmd)}; {print | cmd}' \
      < /path/to/bundle.crt
# or
$ openssl crl2pkcs7 -nocrl -certfile /path/to/bundle.crt | openssl pkcs7 -print_certs -noout

# i.e.:
$ openssl s_client -showcerts -connect google.com:443 </dev/null 2>/dev/null |
          sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p' |
          awk -v cmd='openssl x509 -noout -subject -issuer -dates; echo ""' \
                     '/BEGIN/{close(cmd)}; {print | cmd}'

# or
$ openssl s_client -showcerts -connect google.com:443 </dev/null 2>/dev/null |
          sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p' > google.crt
$ awk -v cmd='openssl x509 -noout -subject -issuer -dates; echo ""' \
             '/BEGIN/{close(cmd)}; {print | cmd}' \
      < google.crt
subject=CN = *.google.com
issuer=C = US, O = Google Trust Services, CN = WR2
notBefore=Jul 30 12:32:53 2024 GMT
notAfter=Oct 22 12:32:52 2024 GMT

subject=C = US, O = Google Trust Services, CN = WR2
issuer=C = US, O = Google Trust Services LLC, CN = GTS Root R1
notBefore=Dec 13 09:00:00 2023 GMT
notAfter=Feb 20 14:00:00 2029 GMT

subject=C = US, O = Google Trust Services LLC, CN = GTS Root R1
issuer=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
notBefore=Jun 19 00:00:42 2020 GMT
notAfter=Jan 28 00:00:42 2028 GMT
# local
$ openssl storeutl -noout -text -certs /path/to/bundle.crt | grep 'Not'
## or
$ awk -v cmd='openssl x509 -noout -dates' \
             '/BEGIN/{close(cmd)}; {print | cmd}' \
      < /path/to/bundle.crt
## remote
$ echo -n | openssl s_client -showcerts -connect <domain.com>:<port> 2>/dev/null | grep 'Not'

# i.e.:
## local
$ awk -v cmd='openssl x509 -noout -dates' '/BEGIN/{close(cmd)}; {print | cmd}' < google.crt
notBefore=Jul 30 12:32:53 2024 GMT
notAfter=Oct 22 12:32:52 2024 GMT
notBefore=Dec 13 09:00:00 2023 GMT
notAfter=Feb 20 14:00:00 2029 GMT
notBefore=Jun 19 00:00:42 2020 GMT
notAfter=Jan 28 00:00:42 2028 GMT
## remote
$ echo -n | openssl s_client -showcerts -connect google.com:443 2>/dev/null | command grep 'Not'
   v:NotBefore: Jul 30 12:32:53 2024 GMT; NotAfter: Oct 22 12:32:52 2024 GMT
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
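
The page's `awk ... {print | cmd}` bundle-splitting idiom turned into an expiry check, as an added example that is not part of the original page: it feeds every certificate in a bundle to `openssl x509 -checkend` and prints the subject of each one that expires within the given window. The bundle is built from two constructed self-signed certificates (`long-lived.example.test`, `short-lived.example.test`); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): list the certificates in a PEM
# bundle that expire within a given number of seconds.

# make_test_bundle DIR
# Builds DIR/bundle.crt from two constructed self-signed certificates:
# one valid for 365 days, one valid for 1 day.
make_test_bundle() {
  tb_dir=$1
  # Minimal config so "openssl req" does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
                '[dn]' 'CN = placeholder' > "$tb_dir/req.cnf"
  openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 \
              -config "$tb_dir/req.cnf" -subj "/CN=long-lived.example.test" \
              -keyout "$tb_dir/long.key" -out "$tb_dir/long.crt" 2>/dev/null || return 1
  openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 1 \
              -config "$tb_dir/req.cnf" -subj "/CN=short-lived.example.test" \
              -keyout "$tb_dir/short.key" -out "$tb_dir/short.crt" 2>/dev/null || return 1
  cat "$tb_dir/long.crt" "$tb_dir/short.crt" > "$tb_dir/bundle.crt"
}

# expiring_in_bundle BUNDLE SECONDS
# Prints one "subject=..." line per certificate in BUNDLE whose notAfter falls
# within the next SECONDS seconds. Prints nothing if none do.
expiring_in_bundle() {
  # First awk: the page's idiom. A new openssl process is started for every
  # "BEGIN" line, so each certificate is checked on its own.
  # Second awk: remember the subject line, print it when the expiry message follows.
  awk -v cmd="openssl x509 -noout -subject -checkend $2" \
      '/BEGIN/{close(cmd)}; {print | cmd}' < "$1" 2>/dev/null |
    awk '/^subject=/ {s = $0} /^Certificate will expire/ {print s}'
}

# Demo run: report anything in the test bundle that expires within 30 days.
demo_dir=$(mktemp -d) && make_test_bundle "$demo_dir" &&
  expiring_in_bundle "$demo_dir/bundle.crt" $((30 * 24 * 3600))
rm -rf "$demo_dir"
```
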

cheatsheet

generate private key and csr

$ openssl genrsa -out privateKey.key 2048
$ openssl req -new -key privateKey.key -out CSR.csr

# or
$ openssl req -out CSR.csr \
              -new -newkey rsa:2048 \
              -nodes \
              -keyout privateKey.key \
              -subj "/C=US/ST=Florida/L=Saint Petersburg/O=Your Company, Inc./OU=IT/CN=yourdomain.com"

the following information is required to generate the CSR:

  • Country Name: two-letter country code where our organization is legally located.

  • State/Province: Write the full name of the state where the organization is legally located.

  • City: Write the full name of the city where our organization is legally located.

  • Organization Name: Write the legal name of our organization.

  • Organization Unit: Name of the department

  • Common Name: Fully Qualified Domain Name

generate a self-signed certificate

$ openssl req -x509 \
              -sha256 \
              -nodes \
              -days 365 \
              -newkey rsa:2048 \
              -keyout privateKey.key \
              -out certificate.crt

check ssl certificate

  • check private key info

    $ openssl rsa -noout -text -in privateKey.key
  • check csr info

    $ openssl req -text -noout -in CSR.csr
  • view ssl certificate info

    $ openssl x509 -text -noout -in certificate.crt

get issuer

$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -issuer

get subject

$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -subject

get expiration date

$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -dates

# or
$ openssl x509 -enddate -noout -in /path/to/name.pem

# i.e.:
$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -dates
notBefore=Sep  8 00:00:00 2021 GMT
notAfter=Aug 18 23:59:59 2022 GMT

get serial number

$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -serial
serial=038**************************9CE

$ openssl x509 -noout -serial -in server.crt
serial=038**************************9CE

show multiple information

$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -dates -subject -issuer

show fingerprint

$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -fingerprint

extract from the ssl certificate (decoded)

$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509 -noout -text

show the ssl certificate

$ echo -n |
       openssl s_client \
               [-servername <domain.com>] \
               -connect <domain.com>:<port> 2>/dev/null |
       openssl x509
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

verifying the keys match

$ openssl pkey -pubout -in privateKey.key | openssl sha256
# or
$ openssl req -pubkey -in CSR.csr -noout | openssl sha256
# or
$ openssl x509 -pubkey -in certificate.crt -noout | openssl sha256
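
The three digests above are only useful when compared, so here is the comparison as a function, added as an example and not part of the original page. It returns success only when the private key, CSR and certificate carry the same public key, and is exercised against a constructed fixture (`app.example.test`) that includes a second, unrelated key; the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): check that a private key, a CSR
# and a certificate all carry the same public key before deploying them.

# pubkey_digest KIND FILE
# KIND is key, csr or crt. Prints the SHA-256 (hex) of the PEM public key.
pubkey_digest() {
  case $1 in
    key) pd_pem=$(openssl pkey -pubout -in "$2" 2>/dev/null) ;;
    csr) pd_pem=$(openssl req -pubkey -noout -in "$2" 2>/dev/null) ;;
    crt) pd_pem=$(openssl x509 -pubkey -noout -in "$2" 2>/dev/null) ;;
    *)   return 2 ;;
  esac
  # Empty output means the file could not be parsed as the stated kind.
  [ -n "$pd_pem" ] || return 1
  printf '%s\n' "$pd_pem" | openssl sha256 | awk '{print $NF}'
}

# keys_match KEY CSR CRT
# Exit status: 0 all three match, 1 mismatch, 2 a file could not be read.
keys_match() {
  km_key=$(pubkey_digest key "$1") || return 2
  km_csr=$(pubkey_digest csr "$2") || return 2
  km_crt=$(pubkey_digest crt "$3") || return 2
  [ "$km_key" = "$km_csr" ] && [ "$km_key" = "$km_crt" ]
}

# make_key_fixture DIR
# Constructed test data: app.key / app.csr / app.crt belong together,
# other.key is an unrelated key.
make_key_fixture() {
  kf_dir=$1
  # Minimal config so "openssl req -new" does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
                '[dn]' 'CN = placeholder' > "$kf_dir/req.cnf"
  openssl genrsa -out "$kf_dir/app.key" 2048 2>/dev/null &&
  openssl genrsa -out "$kf_dir/other.key" 2048 2>/dev/null &&
  openssl req -new -sha256 -config "$kf_dir/req.cnf" \
              -key "$kf_dir/app.key" -out "$kf_dir/app.csr" \
              -subj "/CN=app.example.test" &&
  openssl x509 -req -days 30 -sha256 -in "$kf_dir/app.csr" \
               -signkey "$kf_dir/app.key" -out "$kf_dir/app.crt" 2>/dev/null
}

# Demo run: the matching key passes, the unrelated key is reported.
demo_dir=$(mktemp -d) && make_key_fixture "$demo_dir" &&
for demo_key in app.key other.key; do
  if keys_match "$demo_dir/$demo_key" "$demo_dir/app.csr" "$demo_dir/app.crt"; then
    echo "$demo_key: matches app.csr and app.crt"
  else
    echo "$demo_key: does NOT match app.csr / app.crt"
  fi
done
rm -rf "$demo_dir"
```
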

check remote certificate chain


$ echo -n |
       openssl s_client -connect <domain.com>:<port> 2>/dev/null |
       awk '/Certificate chain/,/---/'
# or
$ echo -n |
       openssl s_client -connect <domain.com>:<port> 2>/dev/null |
       sed -n '/Certificate chain/,/---/p'

# i.e.:
$ echo -n |
       openssl s_client -connect google.com:443 2>/dev/null |
       awk '/Certificate chain/,/---/'
Certificate chain
 0 s:CN = *.google.com
   i:C = US, O = Google Trust Services, CN = WR2
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul 30 12:32:53 2024 GMT; NotAfter: Oct 22 12:32:52 2024 GMT
 1 s:C = US, O = Google Trust Services, CN = WR2
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---

services

Kubernetes


from Kubernetes secrets

  • key

    $ kubectl -n kube-system get secrets <SECRET_NAME> -o yaml -o jsonpath="{.data.tls\.key}" | base64 -d > server.key
  • crt

    $ kubectl -n kube-system get secrets sample-tls -o yaml -o jsonpath="{.data.tls\.crt}" | base64 -d > server.crt

to Kubernetes secrets

  • key

    $ cat server.key | base64 -w0
  • crt

    $ cat server.crt | base64 -w0
  • advanced usage

    # base64 output can contain "/", so "#" is used as the sed delimiter
    $ kubectl -n kube-system get secrets <SECRET_NAME> -o yaml |
        sed -r -e "s#(\s*tls\.crt:)(.*)$#\1 $(cat server.crt | base64 -w0)#g" \
               -e "s#(\s*tls\.key:)(.*)$#\1 $(cat server.key | base64 -w0)#g" |
      kubectl apply -f -

jenkins self-signed SSL


  • create a truststore

    $ keytool -import -v -trustcacerts -alias jenkins.domain.com \
              -file certificate.pem \
              -keystore cacerts.jks \
              -storepass changeit
  • remove alias

    # get alias
    $ $JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/lib/security/cacerts | grep <alias.name>
    # or
    $ $JAVA_HOME/bin/keytool -list -cacerts | grep <alias.name>
    # or
    $ keytool -list -v -keystore /path/to/cacerts.jks | grep 'Alias name:' | grep -i <alias.name>
    
    # delete alias
    $ $JAVA_HOME/bin/keytool -noprompt -trustcacerts -cacerts -delete -alias <the-alias-name>
    # or
    $ $JAVA_HOME/bin/keytool -noprompt -trustcacerts -keystore /path/to/cacerts.jks -delete -alias <the-alias-name>
  • add into JVM options

    -Djavax.net.ssl.trustStore=/var/jenkins_home/cacerts.jks
    -Djavax.net.ssl.trustStorePassword=changeit
  • use the truststore when connecting from the agent

    $ java -Djavax.net.ssl.trustStore=/var/jenkins_home/cacerts.jks \
           -Djavax.net.ssl.trustStorePassword=changeit \
           -jar agent.jar \
           -jnlpURL https://jenkins.domain.com/cjoc/jnlpSharedSlaves/sharedagent/slave-agent.jnlp \
           -secret xxx

artifactory https

$ sudo openssl genrsa -des3 -out artifactory.key 2048
$ sudo openssl req -new -key artifactory.key -out artifactorycsr
$ sudo cp artifactory.key{,.org}
$ sudo openssl rsa -in artifactory.key.org -out artifactory.key
$ sudo openssl x509 -req -days 365 -in artifactorycsr -signkey artifactory.key -out artifactory.crt

$ sudo openssl genrsa -des3 -out artifactory.key 2048
Generating RSA private key, 2048 bit long modulus
.........................+++
........................................................................+++
e is 65537 (0x10001)
Enter pass phrase for artifactory.key: artifactory
Verifying - Enter pass phrase for artifactory.key: artifactory

$ sudo openssl req -new -key artifactory.key -out artifactorycsr
Enter pass phrase for artifactory.key: artifactory
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Sichuan
Locality Name (eg, city) []:Chengdu
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycompany Ltd
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:192.168.1.102
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.

$ sudo cp artifactory.key{,.org}

$ sudo openssl rsa -in artifactory.key.org -out artifactory.key
Enter pass phrase for artifactory.key.org: artifactory
writing RSA key

$ sudo openssl x509 -req -days 365 -in artifactorycsr -signkey artifactory.key -out artifactory.crt
Signature ok
subject=/C=CN/ST=Sichuan/L=Chengdu/O=mycompany Ltd/CN=192.168.1.102
Getting Private key

$ sudo openssl genrsa -des3 -out artifactory.key 2048
Generating RSA private key, 2048 bit long modulus
........................+++
.......................................+++
e is 65537 (0x10001)
Enter pass phrase for artifactory.key: artifactory
Verifying - Enter pass phrase for artifactory.key: artifactory

$ sudo openssl req -new -key artifactory.key -out artifactorycsr
Enter pass phrase for artifactory.key: artifactory
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Sichuan
Locality Name (eg, city) []:Chengdu
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycompany Ltd
Organizational Unit Name (eg, section) []:mycompany CDI
Common Name (e.g. server FQDN or YOUR name) []:docker-1.artifactory
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.

$ sudo cp artifactory.key{,.org}
$ sudo openssl rsa -in artifactory.key.org -out artifactory.key
Enter pass phrase for artifactory.key.org: artifactory
writing RSA key

$ sudo openssl x509 -req -days 365 -in artifactorycsr -signkey artifactory.key -out artifactory.crt
Signature ok
subject=/C=CN/ST=Sichuan/L=Chengdu/O=mycompany Ltd/OU=mycompany CDI/CN=docker-1.artifactory
Getting Private key


$ openssl x509 -noout -text -in server.crt Certificate: Data: Version: 3 (0x2) Serial Number: 12625600037876864867 (0xaf37245755cf1763) Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, ST=Sichuan, L=Chengdu, O=mycompany, OU=CDI, CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com Validity Not Before: Jan 2 11:39:47 2018 GMT Not After : Jan 2 11:39:47 2019 GMT Subject: C=CN, ST=Sichuan, L=Chengdu, O=mycompany, OU=CDI, CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:b9:af:45:ba:6d:99:42:34:09:c5:ef:da:be:a6: c4:ff:09:9a:bf:7c:89:51:a8:c6:df:c8:ba:b3:a6: 42:24:36:d5:5d:ff:f3df:de:6e:05:8b:81:4a: ec:4c:58:16:ca:0c:56:9e:a7:0e:2d:ba:93:68:e1: 0d:f9:f6:82:ce:98:9b:65:53:8f:ba:27:c9:0c:f8: f1:4c:14:11:67:ef:97:5c:bb:15:16:ae:c4:eb:16: e2:22:29:7a:36:fd:aa:19:f3:ad:93:9a:a3:5c:0c: 92:77:d3:cc:75:b1:29:b4:8d74:57:18:5c:d2: c2:00:7a:d4:b2:54:81:0a:44:e7:b8:ef:44:36:86: 4f:04:ab:21:0c:fe:79:9c:93:31:f5:44:46:9d:d8: 36:79:4b:c0:dd:5b:8e:6f:dc:0c:8a:0a:a4:d7:4d: 5a:5c:b0:c0:af:4d:38:45:30:79:3f:a1:69:8a:5b: 19:49:25:bd:5f:19:d8:4f:e0:03:9a:43:fb:ad:6d: 2b:cc:7c:eb:c5:7c:64:fc:9b:bf:83:91:50:ac:21: a1:b6:3f:70:23:cb:d6:af:eb:48:71:cf:f4:da:41: 4e:97:84:64:0c:b4:4d:5f:cb:30:f5:47:a6:35:3d: 02:99:6f:3f:e9:e9:56:42:a0:58:54:21:04:87:f9: 7a:a5 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Alternative Name: DNS:sample.artifactory.com, IP Address:130.147.219.19 X509v3 Extended Key Usage: TLS Web Server Authentication Signature Algorithm: sha256WithRSAEncryption 3d:e8:81:f2:ab:89:47:e2:2c:8c:5a:54:31:c2:2a:11:37:e6: ab:89:ff:d1:c2:8c:8e:3a:7d:d2:1d:28:3e:9e:5f:9e:89:08: 78:2e:16:32:52:e7:3566:09:a4:83:85:42:55:d6:7c:4f: 37:cf:8d:37:bd:57:d0:00:f2:9c:67:68:a2:ed:49:c6:eb:0f: b7:49:ba:ae:12:35:82:a6:a5:b6:5e:f7:68:08:f7:3f:a1:73: d2:94:3e:7a:d9:5c:e1:e2:ab:12:46:66:9d:59:3a:e1:2d:aa: a6:53:97:40:ac:a3:ca:80:6d:5b:75:dc:c4:ee:10:48:55:2c: 
10:00:43:07:e6:c4:16:09:fb:04:5d:78:8e:85:21:21:75:01: a5:af:c0:c0:d1:fd:33:6e:5b:24:8b:f8:e6:1c:df:b7:f1:e5: 38:02:d4:a8:e1:09:93:2e:8d:19:ea:e2:11:3f:c1:fe:75:bb: ef:03:6e:c3:50:77:a5:54:7d:7e:e085:20:08:41:38:b2: 86:65:aa:58:51:1b:7b:ed:6a:07:0f:cc:ab:49:d8:34:ec:5d: fd:0d:75:48:81:3c:a5:bc:ce:c0:95:8c:8e:d3:8c:0f:0d:a3: a7:73:70:bc:59:89:7c:42:25:0b:cb:2f:b0:86:4a:46:56:f2: e9:d9:63:f1

$ openssl req -noout -text -in server.csr Certificate Request: Data: Version: 0 (0x0) Subject: C=CN, ST=Sichuan, L=Chengdu, O=mycompany, OU=CDI, CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:b9:af:45:ba:6d:99:42:34:09:c5:ef:da:be:a6: c4:ff:09:9a:bf:7c:89:51:a8:c6:df:c8:ba:b3:a6: 42:24:36:d5:5d:ff:f3df:de:6e:05:8b:81:4a: ec:4c:58:16:ca:0c:56:9e:a7:0e:2d:ba:93:68:e1: 0d:f9:f6:82:ce:98:9b:65:53:8f:ba:27:c9:0c:f8: f1:4c:14:11:67:ef:97:5c:bb:15:16:ae:c4:eb:16: e2:22:29:7a:36:fd:aa:19:f3:ad:93:9a:a3:5c:0c: 92:77:d3:cc:75:b1:29:b4:8d74:57:18:5c:d2: c2:00:7a:d4:b2:54:81:0a:44:e7:b8:ef:44:36:86: 4f:04:ab:21:0c:fe:79:9c:93:31:f5:44:46:9d:d8: 36:79:4b:c0:dd:5b:8e:6f:dc:0c:8a:0a:a4:d7:4d: 5a:5c:b0:c0:af:4d:38:45:30:79:3f:a1:69:8a:5b: 19:49:25:bd:5f:19:d8:4f:e0:03:9a:43:fb:ad:6d: 2b:cc:7c:eb:c5:7c:64:fc:9b:bf:83:91:50:ac:21: a1:b6:3f:70:23:cb:d6:af:eb:48:71:cf:f4:da:41: 4e:97:84:64:0c:b4:4d:5f:cb:30:f5:47:a6:35:3d: 02:99:6f:3f:e9:e9:56:42:a0:58:54:21:04:87:f9: 7a:a5 Exponent: 65537 (0x10001) Attributes: a0:00 Signature Algorithm: sha256WithRSAEncryption 74:99:e5:36:44:b4:48:a9:50:83:eb:61:02:37:6c:8a:46:45: 0e:58:04:40:66:55:56:fc:fd:cf:15:a0:31:be:de:3a:16:4f: 9a:46:1d:17:33:7f:38:dd:36:a9:76:e5:92:b2:48:29:60:e7: af:c0:f6:76:0d:9a:a6:40:43:a8:98:75:90:c3:c1:2a:7d:51: 1d:df:1b:50:8b:69:ce:7c:74:cf:03:9d:69:6b:41:7f:ed:bc: f1:6c:c0:93:22:36:5e:f7:8c:d0:f7:f5:0f:dc:51:93:1e:23: cc:12:cd:f3:0e:6c:1b:4e:b2:df:01:86:5b:d0:79:c8:6e:c8: 57:72:a8:dd:81:8a:af:c3:52:e2:ff:e8:f1:3d:6f:cb:e4:a9: 1c:51:58:b9:31:00:c0:88:5e:ca:63:59:f8:d7:82:d4:22:30: 0c:d8:bd:e6:01:11:d2:4a:68:64:d1:8e:d5:a1:19:0c:5a:99: 25c2:e5:ed:f3:48:e3:c0:7a:00:a3:a8:09:8e:d3:50:2a: 84:29:63:66:50:3e:42:af:43:ea:fa:5b:28:f9:f1:84:89:88: 2e:7f:8d:bf:44:29:83:fa:89:b3:b8:3c:13:98:20:76:6c:d3: 67:ce:03:9e:15:ea:3e:9d:4b:cb:c2:78:ab:57:1d:b7:e8:9e: 81:1b:b5:1f

```bash
$ openssl x509 -text -noout -in ssl_ip/artifactory.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 9804858425156156035 (0x8811daca106dba83)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Sichuan, L=Chengdu, O=mycompany Ltd, CN=192.168.1.102
        Validity
            Not Before: Dec 26 16:23:15 2017 GMT
            Not After : Dec 26 16:23:15 2018 GMT
        Subject: C=CN, ST=Sichuan, L=Chengdu, O=mycompany Ltd, CN=192.168.1.102
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ad:32:26:35:8a:8f:09:82:ff:59:61:14:14:1b:
                    9c:da:02:74:09:48:2a:d5:05:1d:ad:8a:d0:e0:70:
                    1f:9b:44:b4:df:4d:c5:4c:5a:1b:8a:52:7b:2a:69:
                    a2:77:d3:cf:c7:fb:a6:ef:34:d1:bb:23:8d:d0:78:
                    e6:48:3f:8c:12:3c:69:d5:62:2d:74:24:b8:49:a8:
                    59:c7:36:5f:64:97:5a:d1:8f:9a:5b:2f:aa:a8:65:
                    6c:75:28:60:55:b9:2a:5b:41:71:a4:fa:eb:10:7e:
                    84:4b:fb:c3:57:9c:55:8e:e8:2a:4a:c1:45:74:54:
                    58:d5:09:0d:59:d4:14:94:db:5b:67:91:9c:23:24:
                    c4:07:10:d1:f1:28:fa:97:38:01:da:81:c4:f3:63:
                    d7:84:24:dc:3c:ff:04:64:b2:3e:41:f0:d8:08:66:
                    06:cc:7c:05:3c:90:97:0b:02:b6:b5:2f:03:28:b7:
                    4c:38:aa:84:23:3e:9e:d4:b0:3a:58:4c:f3:74:df:
                    36:63:f2:18:ac:d1:0d:ef:05:6b:f3:dc:b6:d3:c7:
                    f0:91:7b:b8:69:4f:ae:19:da:34:b7:38:1e:e2:9a:
                    10:2e:a9:a0:54:f6:61:b9:da:e6:98:c8:9b:76:83:
                    d6:59:77:d9:18:c6:57:8c:cf:af:a4:89:5a:87:99:
                    c4:15
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         5a:06:ad:9b:d0:07:d7:9b:92:2a:77:71:ff:80:6e:c1:39:bd:
         81:e8:0f:21:39:bd:80:3e:96:a9:6b:7a:73:f1:80:70:4e:b1:
         d4:b7:1e:54:be:62:dc:35:c0:b9:d8:8c:d1:24:75:8a:42:ec:
         a9:dd:9b:9a:f2:4b:ad:6e:38:d7:a2:fa:7a:70:be:7b:8c:37:
         63:71:10:fe:73:18:de:e5:9c:c5:6e:1a:4e:cb:7b:51:26:56:
         68:56:fb:4f:71:d7:7b:94:b6:55:b9:f8:9b:31:a8:26:a5:e5:
         32:36:33:65:7b:1d:9f:27:7d:f1:b0:d2:06:7c:75:d7:39:bb:
         7a:44:92:e1:b8:fc:2b:fd:3c:43:93:d6:47:19:f6:ad:d3:cc:
         82:dd:15:bd:d3:a0:e2:2d:92:fd:65:44:60:44:21:b9:1f:31:
         fd:91:c2:78:86:d9:aa:77:fd:54:ae:2f:4c:ae:5d:5e:c7:a3:
         43:0d:6b:32:23:d9:61:b6:a7:c4:47:eb:bc:c2:79:6c:06:f0:
         a6:af:e8:45:c6:02:d5:1c:09:26:8a:a7:b0:ff:74:50:85:82:
         1d:88:b2:2c:eb:20:3e:bf:3b:4e:9bb7:4f:e8:14:a8:1a:
         33:50:e9:a8:24:3e:5e:2a:68:ea:fa:f3:12:30:94:8e:0f:0d:
         da:6c:17:60
```

```bash
$ openssl x509 -text -noout -in ssl/artifactory.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 15006671364169185053 (0xd0426818d254b71d)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Sichuan, L=Chengdu, O=mycompany Ltd, OU=mycompany CDI, CN=docker-1.artifactory
        Validity
            Not Before: Dec 26 16:02:10 2017 GMT
            Not After : Dec 26 16:02:10 2018 GMT
        Subject: C=CN, ST=Sichuan, L=Chengdu, O=mycompany Ltd, OU=mycompany CDI, CN=docker-1.artifactory
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:dc:30:6b:83:56:92:fb:f3:fb:bc:da:3e:a9:5c:
                    67:c3:19:42:9a:8f:8f:30:e6:27:fa:a9:9d:c9:3e:
                    9c:31:3d:aa:d8:9f:ae:9b:64:b0:75:2a:01:51:ad:
                    04:c4:00:5d:f4:f8:b4:af:bb:20:f3:77:45:65:28:
                    d8:38:28:b2:03:46:d0:67:d1:91:8e:7b:65:66:a0:
                    7e:a5:e2:fe:80:00:5e:54:95:50:52:9c:44:2a:aa:
                    dc:a2:80:be:16:07:79:b4:13:1d:f5:8a:ca:c3:ab:
                    1c:76:de:f3:b8:23:9b:54:17:28:be:ac:e5:68:5c:
                    f3:83:49:61:55:d2:e1:ea:0c:e7:72:75:6e:90:5a:
                    90:a8:85:01:c6:cc:69:94:5b:c4:f9:14:6d:70:0a:
                    8e:45:e0:b9:28:aa:99:3a:22:12:db:0b:d7:d9:6e:
                    aa:35:36:5e:e6:00:eb:99:ab:46:6d:7b:e5:12:b1:
                    f9:0c:5c:d3:c0:47:7b:b3:e4:03:15:fa:8d:42:f8:
                    a1:c1:ce:dc:42:d2:81:88:18:0d:26:28:7e:90:cf:
                    e8:05:84:75:94:e9:ac:20:47:95:c7:50:1c:d8:42:
                    c3:d7:8b:90:f9:a9:48:cc:a5:8d:88:3b:54:a9:ef:
                    20:ce:ee:4c:6d:04:65:eb:6c:f7:22:9d:c8:13:33:
                    b1:6d
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         c3:c7:c8:0d:19:d1:0b:05:ac:11:e3:e4:af:25:0e:95:f5:f5:
         31:ed:90:4e:7f:1a:2b:a2:2f:4d:a3:d9:57:40:a2:f6:af:55:
         90:53:bf:72:39:81:5d:53:41:85:e0:1d:26:9f:9e:33:05:46:
         9c:fc:51:99:19:5c:7d:ef:aa:cc:50:61:0b:f4:11:69:bd:9e:
         2a:34:48:e9:9d:7c:d0:e0:80:a5:42:67:ac:8e:0c:d6:84:19:
         8e:cb:05:97:9f:21:c5:e0:78:8f:97:f6:53:fa:f2:ec:49:3f:
         fb:11:68:ed:ea:c0:8c:c5:be:08:61:e4:bd:4e:05:5f:89:99:
         f6:47:6f:b3:1e:5f:49:62:ff:37:dc:f0:c4:4b:bb:a4:15:06:
         b1:80:4d:24:ef:bb:25:d6:a5:60:13:34:57:73:ba:b4:b0:8b:
         42:0f:18:ef:0e:17:60:83:4d:61:bd:ef:55:b9:52:6a:47
         c3:ee:b3:11:27:86:aa:87:18:d5:60:b8:b4:34:c2:fa:75:48:
         0e:f1:f4:30:b3:fa:b3:ad:a9:8a:6e:e6:62:71:02:5a:72:bd:
         5c:45:a0:23:ea:1d:84:16:24:3d:88:a0:12:20:61:7a:f8:bd:
         dc:0f:fb:26:c0:f3:2f:1f:66:7e:64:35:b6:45:05:c4:00:43:
         2d:18:da:a1
```
