server

[!TIP|label:references:]
* iMarslo: Artifactory Nginx CSR
Frequently used OpenSSL Commands
The Most Common OpenSSL Commands | OpenSSL Commands

terminology

extensions

[!TIP|label:references:]
What is the difference between .CER and .CRT?
What are the differences between .pem, .csr, .key, .crt and other such file extensions?
Difference between pem, crt, key files

EXTENSION

NAME

DESCRIPTION

.ca

Certificate Authority

.key

Private Key

.csr .req .p10

Certificate Signing Request

.crt

Certificate

used for certificates, may be encoded as binary DER or as ASCII PEM, usually an certificate

.cer

Certificate

alternate form of .crt (Microsoft Convention), DER encoded or base64[PEM] encoded

.pem

indicates a base64 encoding with header and footer lines

.crl

Certificate Revocation List

defined within the certificate specifications, and this is usually DER encoded

.p8 .pkcs8

PKCS#8 Private Keys

PKCS#8 defines a way to encrypt private keys using

.p12 .pfx

defined key store

commonly password protected. It can contain trusted certificates, private key(s) and their certificate chain(s)

.p7b .p7c

message

it is often used as a way to handle the certificates which make up a 'chain' or 'bundle' as a single

jks

Java Key Store

Java Key Store (JKS) is a repository of security certificates, either authorization certificates or public key certificates, plus corresponding private keys, used for instance in SSL encryption.

algorithms

symmetric encryption

3DES
AES

asymmetric encryption

RSA
DSA
ECC
ECDSA
Hash Algorithms
MD5
SHA-1
SHA-2
SHA-3

certs

generate csr

[!NOTE|label:references:]
How to generate a private key and CSR from the command line
How to Generate a CSR for Nginx (OpenSSL)
GENERATE A CERTIFICATE SIGNING REQUEST (CSR) USING OPENSSL ON MICROSOFT WINDOWS SYSTEM
HOW TO GENERATE A CSR FOR SSL CERTIFICATES ON WINDOWS

# generate key
$ openssl genrsa -out dashboard.key 2048

# generate csr
$ openssl req -sha256 \
              -new \
              -key dashboard.key \
              -out dashboard.csr \
              -subj '/C=US/ST=California/L=Santa Clara/O=Company Name, Inc./CN=dashboard.kubernetes.com'

or generate key and csr in one command

$ openssl req -new -newkey rsa:2048 -nodes -keyout dashboard.key -out dashboard.csr -subj '/C=US/ST=California/L=Santa Clara/O=Company Name, Inc./CN=dashboard.kubernetes.com'

sign the csr

[!TIP|label:references:]
How do you sign a Certificate Signing Request with your Certification Authority?
openssl.cnf

$ echo subjectAltName = DNS: server.sample.com,IP: 10.110.136.104 >> extfile.cnf
$ echo extendedKeyUsage = serverAuth >> extfile.cnf
$ openssl x509 -req \
               -days 365 \
               -sha256 \
               -CAcreateserial \
               -CA ca.crt \                            # the CA crt
               -CAkey ca.key \                         # the CA key
               -in server.csr \
               -out server.crt \
               -extfile extfile.cnf                    # the external file

Sign a certificate request using the CA certificate above and add user certificate extensions

$ openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \
          -CA cacert.pem -CAkey key.pem -CAcreateserial

# Set a certificate to be trusted for SSL client use and change set its alias to "Steve's Class 1 CA"
$ openssl x509 -in cert.pem            -addtrust clientAuth -setalias "Steve's Class 1 CA" -out trust.pem
# or
$ openssl x509 -in steve.cer -trustout -addtrust clientAuth -setalias "Steve's Class 1 CA" -out steve.pem

or generate crt with key in one command

$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout nginx-selfsigned.key -out nginx-selfsigned.crt

nginx configure

[!NOTE|label:references:]
Configuring HTTPS servers
How to Redirect HTTP to HTTPS in Nginx
Module ngx_http_ssl_module
Update: Using Free Let’s Encrypt SSL/TLS Certificates with NGINX

modify/create nginx configure

$ cat /etc/nginx/sites-enabled/server.sample.com
server {
    listen 80;
    listen 443 ssl;

    ssl_certificate     /etc/nginx/certs/server.pem;
    ssl_certificate_key /etc/nginx/certs/server.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    server_name server.sample.com;

    location / {
        proxy_pass http://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

test and reload

$ nginx -t
$ nginx -s reload
$ sudo systemctl restart nginx.service

# more
$ which -a nginx
/usr/sbin/nginx
/sbin/nginx

usage

show content

certificate request ( csr )

# show content of a certificate request
#    csr: request
#          v
$ openssl req -in certificate.csr -noout -text

# subject name
$ openssl req -in certificate.csr -noout -subject

# verify
$ openssl req -in certificate.csr -noout -verify

certificate ( pem, crt, cer )

# show content of a certificate
#    x509: certificate
#          v
$ openssl x509 -in certificate.pem -noout -text

# show serial number of a certificate
$ openssl x509 -in certificate.pem -noout -serial

# show subject name
$ openssl x509 -in certificate.pem -noout -subject

# show subject name in RFC2253 format
$ openssl x509 -in certificate.pem -noout -subject -nameopt RFC2253

# show subject name in oneline support UTF8
$ openssl x509 -in certificate.pem -noout -subject -nameopt oneline,-esc_msb

# show SHA-1 fingerprint
$ openssl x509 -sha1 -in certificate.pem -noout -fingerprint

convert

[!NOTE|label:references:]
Do I need to convert .CER to .CRT for Apache SSL certificates? If so, how?
x509 options

frmo cer

to crt

# DER encoded ( binary )
$ openssl x509 -inform DER -in certificate.cer -out certificate.crt

# PEM encoded ( human readable )
$ openssl x509 -inform PEM -in certificate.cer -out certificate.crt

to pem

$ openssl x509 -inform DER -in certificate.cer -out certificate.pem -outform PEM
$ openssl x509 -inform PEM -in certificate.cer -out certificate.pem -outform PEM

from a pkcs#12 ( .pfx/.p12 )

[!NOTE|label:references:]
Convert pfx file to pem file

to pem

$ openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes

## -nocerts
$ openssl pkcs12 -in filename.pfx -nocerts -out key.pem
$ openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

## -clcerts
$ openssl pkcs12 -in filename.pfx -clcerts -nokeys -out certificate.pem

from crt

[!NOTE|label:references:]
Conversion of crt file to pem file

to pem

## PEM encoded
$ openssl x509 -in certificate.crt -out certificate.pem -outform PEM

## DER encoded
$ openssl x509 -in certificate.crt -out certificate.der -outform DER

## from DER encoded to PEM encoded
$ openssl x509 -in certificate.der -inform DER -out output.pem -outform PEM

remove password from extacted private key

$ openssl rsa -in key.pem -out key.pem

from certificate

to certificate request

$ openssl x509 -x509toreq -in certificate.crt -out certificate.csr -signkey privateKey.key
# or
$ openssl x509 -x509toreq -in certificate.pem -out req.pem -signkey key.pem

convert from windows `certmgr.msc`

win + r -> certmgr.msc
Certifacts - Current User -> Trusted Root Certification Authorities -> Certificates -> the wanted CA
right-click -> open or double-click
Details -> Copy to File...
Certificate Export Wizard -> Next
convert to crt

DER encoded binary X.509 (.CER)

$ openssl x509 -inform DER -in certificate.cer -out certificate.crt

Base-64 encoded X.509 (.CER)

$ openssl x509 -inform PEM -in certificate.cer -out certificate.crt

Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)

[!NOTE|label:references:]
jmervine/cert_convert.sh

$ openssl pkcs7 -inform DER -in certificate.p7b -out certificate.crt
# or
$ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt

import to Linux

[!NOTE|label:references:]
Install a PEM-format certificate

$ sudo cp certificate.crt /usr/local/share/ca-certificates/
$ sudo chmod 755 /usr/local/share/ca-certificates/certificate.crt
$ sudo update-ca-certificates