# ssl


* [openssl](#openssl)
* [ssl cert](#ssl-cert)
  * [create cert for server](#create-cert-for-server)
    * [ca (root cert)](#ca-root-cert)
    * [cert for server (csr)](#cert-for-server-csr)
    * [generate cert for client (cert) and signed by CA](#generate-cert-for-client-cert-and-signed-by-ca)
    * [Update the file perm](#update-the-file-perm)
    * [verify](#verify)
  * [certificate in Nginx](#certificate-in-nginx)
  * [get remote server certs](#get-remote-server-certs)
    * [keytool](#keytool)
    * [openssl](#openssl-1)
  * [bundle certs](#bundle-certs)
    * [generic usage](#generic-usage)
    * [get serial number](#get-serial-number)
    * [get issuer and subject](#get-issuer-and-subject)
    * [get issuers and subject in cert chain](#get-issuers-and-subject-in-cert-chain)
    * [get dates](#get-dates)
* [services](#services)
  * [Kubernetes](#kubernetes)
    * [from Kubernetes secrets](#from-kubernetes-secrets)
    * [to Kubernetes secrets](#to-kubernetes-secrets)
  * [jenkins self-signed SSL](#jenkins-self-signed-ssl)
  * [artifactory https](#artifactory-https)

> \[!TIP|label:see also]
>
> * [\* imarslo : kubernetes/certificates](https://github.com/marslo/ibook/blob/marslo/docs/virtualization/kubernetes/certificates.html#generate-new-certificate-csr)
> * [\* iMarslo : artifactory/certificates](https://github.com/marslo/ibook/blob/marslo/docs/artifactory/nginx-cert.html)
> * [\* k8s: Generate Certificates Manually](https://kubernetes.io/docs/tasks/administer-cluster/certificates/)
>   * [easyrsa](https://kubernetes.io/docs/tasks/administer-cluster/certificates/#easyrsa)
>   * [openssl](https://kubernetes.io/docs/tasks/administer-cluster/certificates/#openssl)
>   * [cfssl](https://kubernetes.io/docs/tasks/administer-cluster/certificates/#cfssl)
> * [\* 手动生成证书](https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/certificates/)
> * [如何简单快速地申请ssl证书](https://jqtmviyu.github.io/post/applying_for_an_ssl_certificate/)

{% hint style="info" %}

> reference:
>
> * [Understanding X509 Certificate with Openssl Command](https://www.howtouselinux.com/post/understanding-x509-certificate-with-openssl-command)
> * [Protect the Docker daemon socket](https://docs.docker.com/engine/security/https/)
> * [generating SSL Certificates](https://github.com/nats-io/nats-operator/issues/119#issuecomment-462538507)
> * [sethvargo/create-certs.sh](https://gist.github.com/sethvargo/81227d2316207b7bd110df328d83fad8)
> * [How can I add a private key to my keychain?](https://apple.stackexchange.com/a/9011/254265)
> * [Proactively Handling Certificate Expiration With ssl-cert-check](https://prefetch.net/articles/checkcertificate.html)
>   * [Matty9191/ssl-cert-check](https://github.com/Matty9191/ssl-cert-check)
> * [Converting a Java Keystore into PEM Format](https://stackoverflow.com/a/656559/2940319)
>   * `*.jks` - keystore in java format.
>   * `*.p12` - keystore in PKCS#12 format.
>   * `*.pem` - all keys and certs from keystore, in PEM format.
> * [Additional Keystore Formats (PKCS12)](https://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallProbs)
> * [How to setup Microsoft Active Directory Certificate Services \[AD CS\]](https://www.virtuallyboring.com/setup-microsoft-active-directory-certificate-services-ad-cs/)
> * [\* OpenSSL Command Reference Guide](https://www.pujan.net/posts/openssl-command-reference-guide/) | [OpenSSL Documentation: 3.0 OpenSSL commands](https://docs.openssl.org/3.0/man1/)
>
>   ![ssl cert management](/files/WrQDNp2C2mhQRUT6RSZ4)

{% endhint %}

## openssl

* check version

  ```bash
  $ openssl version
  OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)

  $ openssl version -a
  OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)
  built on: Tue Aug  1 13:36:55 2023 UTC
  platform: darwin64-x86_64-cc
  options:  bn(64,64)
  compiler: clang -fPIC -arch x86_64 -O3 -Wall -DL_ENDIAN -DOPENSSL_PIC -D_REENTRANT -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
  OPENSSLDIR: "/usr/local/etc/openssl@3"
  ENGINESDIR: "/usr/local/Cellar/openssl@3/3.1.2/lib/engines-3"
  MODULESDIR: "/usr/local/Cellar/openssl@3/3.1.2/lib/ossl-modules"
  Seeding source: os-specific
  CPUINFO: OPENSSL_ia32cap=0x7ffaf3bfffebffff:0x40000000029c67af

  $ openssl version -d
  OPENSSLDIR: "/usr/local/etc/openssl@3"
  ```

## ssl cert

### create cert for server

#### ca (root cert)

```bash
$ openssl genrsa -aes256 -out ca.key 2048
$ openssl req -new \
              -x509 \
              -sha256 \
              -days 365 \
              -key ca.key \
              -out ca.crt \
              -subj "/C=CN/ST=Sichuan/L=Chengdu/O=mycompany/OU=CDI/CN=sample.artifactory.com"
```

```bash
$ openssl genrsa -aes256 -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
....................................................................+++
...................................................+++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for ca.key:artifactory
Verifying - Enter pass phrase for ca.key:artifactory

$ openssl req -new \
              -x509 \
              -sha256 \
              -days 365 \
              -key ca.key \
              -out ca.crt \
              -subj "/C=CN/ST=Sichuan/L=Chengdu/O=mycompany/OU=CDI/CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com"
Enter pass phrase for ca.key:artifactory
```

#### cert for server (csr)

```bash
$ openssl genrsa -out server.key 2048
$ openssl req -new \
              -sha256 \
              -key server.key \
              -out server.csr \
              -subj "/C=CN/ST=Sichuan/L=Chengdu/O=mycompany/OU=CDI/CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com"
```

```bash
$ openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
......................................................................+++
............................................................................................................................................................................................................................+++
unable to write 'random state'
e is 65537 (0x10001)

$ openssl req -new \
              -sha256 \
              -key server.key \
              -out server.csr \
              -subj "/C=CN/ST=Sichuan/L=Chengdu/O=mycompany/OU=CDI/CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com"
```

**sign the server cert with CA**

```bash
$ echo subjectAltName = DNS:sample.artifactory.com,IP:130.147.219.19 >> extfile.cnf
$ echo extendedKeyUsage = serverAuth >> extfile.cnf

$ openssl x509 -req \
               -days 365 \
               -sha256 \
               -CAcreateserial \
               -CA ca.crt \
               -CAkey ca.key \
               -in server.csr \
               -out server.crt \
               -extfile extfile.cnf
```

```bash
$ echo subjectAltName = DNS:sample.artifactory.com,IP:130.147.219.19 >> extfile.cnf
$ echo extendedKeyUsage = serverAuth >> extfile.cnf

$ openssl x509 -req \
               -days 365 \
               -sha256 \
               -CAcreateserial \
               -CA ca.crt \
               -CAkey ca.key \
               -in server.csr \
               -out server.crt \
               -extfile extfile.cnf
Signature ok
subject=/C=CN/ST=Sichuan/L=Chengdu/O=mycompany/OU=CDI/CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com
Getting CA Private Key
Enter pass phrase for ca.key:artifactory
unable to write 'random state'

$ ls
extfile.cnf  ca.key  server.csr  www.srl  ca.crt  server.crt  server.key
```

#### generate cert for client (cert) and signed by CA

```bash
$ openssl genrsa -out client.key
$ openssl req -new \
              -key client.key \
              -out client.csr \
              -subj "/C=CN/ST=Sichuan/L=Chengdu/O=mycompany/OU=CDI/CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com"

$ echo extendedKeyUsage = clientAuth >> extfile.cnf
$ openssl x509 -req \
               -days 365 \
               -sha256 \
               -CAcreateserial \
               -CA ca.crt \
               -CAkey ca.key \
               -in client.csr \
               -out client.cert \
               -extfile extfile.cnf
```

```bash
$ openssl genrsa -out client.key 2048
Generating RSA private key, 2048 bit long modulus
................................................+++
.......................+++
unable to write 'random state'
e is 65537 (0x10001)

$ openssl req -new \
              -subj "/C=CN/ST=Sichuan/L=Chengdu/O=mycompany/OU=CDI/CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com" \
              -key client.key \
              -out client.csr

$ echo extendedKeyUsage = clientAuth >> extfile.cnf
$ cat extfile.cnf
subjectAltName = DNS:sample.artifactory.com,IP:130.147.219.19
gxtendedKeyUsage = serverAuth
extendedKeyUsage = clientAuth

$ openssl x509 -req \
               -days 365 \
               -sha256 \
               -CAcreateserial \
               -CA ca.crt \
               -CAkey ca.key \
               -in client.csr \
               -out client.cert \
               -extfile extfile.cnf
Signature ok
subject=/C=CN/ST=Sichuan/L=Chengdu/O=mycompany/OU=CDI/CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com
Getting CA Private Key
Enter pass phrase for ca.key:artifactor
unable to write 'random state'
```

#### Update the file perm

```bash
$ sudo chmod -v 0444 ca.crt server.crt client.cert
$ sudo chmod -v 0400 ca.key client.key server.key
```

#### verify

**crt**

```bash
$ openssl x509 -noout \
               -text \
               -in server.crt
```

```bash
$ openssl x509 -noout \
               -text \
               -in ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15145698426239402702 (0xd23054792b3142ce)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Sichuan, L=Chengdu, O=mycompany, OU=CDI, CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com
        Validity
            Not Before: Jan  2 11:35:31 2018 GMT
            Not After : Jan  2 11:35:31 2019 GMT
        Subject: C=CN, ST=Sichuan, L=Chengdu, O=mycompany, OU=CDI, CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    (2048-bit modulus hex omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:130.147.219.19
            X509v3 Subject Key Identifier:
                23:32:BC:61:9E:51:8E:94:22:30:5B:AE:68:8A:7E:8E:53:D2:45:7C
            X509v3 Authority Key Identifier:
                keyid:23:32:BC:61:9E:51:8E:94:22:30:5B:AE:68:8A:7E:8E:53:D2:45:7C

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         (signature hex omitted)
```

```bash
$ openssl x509 -noout \
               -text \
               -in server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12625600037876864867 (0xaf37245755cf1763)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Sichuan, L=Chengdu, O=mycompany, OU=CDI, CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com
        Validity
            Not Before: Jan  2 11:39:47 2018 GMT
            Not After : Jan  2 11:39:47 2019 GMT
        Subject: C=CN, ST=Sichuan, L=Chengdu, O=mycompany, OU=CDI, CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    (2048-bit modulus hex omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:sample.artifactory.com, IP Address:130.147.219.19
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
         (signature hex omitted)
```

**csr**

```bash
$ openssl req -noout \
              -text \
              -in server.csr
```

```bash
$ openssl req -noout \
              -text \
              -in server.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CN, ST=Sichuan, L=Chengdu, O=mycompany, OU=CDI, CN=sample.artifactory.com/emailAddress=marslo.jiao@mycompany.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    (2048-bit modulus hex omitted)
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         (signature hex omitted)
```

### certificate in Nginx

```bash
$ grep ssl_certificate /etc/nginx/sites-enabled/artifactoryv2.conf
ssl_certificate       /etc/nginx/certs/sample.artifactory.com/server.crt;
ssl_certificate_key   /etc/nginx/certs/sample.artifactory.com/server.key;
```

### get remote server certs

> \[!TIP] references:
>
> * [\* imarslo: get cert from domain](https://github.com/marslo/ibook/blob/marslo/docs/cheatsheet/ssl/keystore.html#get-cert-from-domain)
> * [\* imarslo: get first matching pattern](https://github.com/marslo/ibook/blob/marslo/docs/cheatsheet/text-processing/text-processing.html#get-first-matching-pattern)
> * [\* Checking A Remote Certificate Chain With OpenSSL](https://langui.sh/2009/03/14/checking-a-remote-certificate-chain-with-openssl/)
> * [Using openssl to get the certificate from a server](https://stackoverflow.com/a/7886248/2940319)
> * [SSL Certificate Verification](https://curl.se/docs/sslcerts.html)

#### keytool

```bash
$ keytool -printcert -rfc -sslserver <domain.com>:<port> > cacert.crt
```

* check

  ```bash
  # convert to pem
  $ openssl x509 -inform PEM -in cacert.crt -out outcert.pem -text

  # or
  $ openssl x509 -noout -text -in cacert.crt
  ```

#### openssl

> \[!NOTE|label:see more]
>
> * [iMarslo : Artifactory SSL Certification](https://github.com/marslo/ibook/blob/marslo/docs/artifactory/artifactory.html#artifactory-ssl-certification)

```bash
$ echo -n |
  openssl s_client -showcerts \
                   -servername <domain.com> \
                   -connect <domain.com>:<port> 2>/dev/null |
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
  > cacert.crt

# or
$ echo -n | openssl s_client \
                 -showcerts \
                 -connect <domain.com>:<port> 2>/dev/null |
         sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p; /-END CERTIFICATE-/q' |
         openssl x509 -text -noout |
         grep Not
```

* check

  ```bash
  $ keytool -printcert -v -file cacert.crt
  ```

### bundle certs

> \[!NOTE|label:references:]
>
> * [How to view all ssl certificates in a bundle?](https://serverfault.com/q/590870/129815)

#### generic usage

```bash
$ awk -v cmd='openssl x509 -noout -serial' \
             '/BEGIN/{close(cmd)}; {print | cmd}' \
       < /path/to/bundle.crt

# or
$ awk -v cmd="openssl x509 -text -noout" \
             '/-----BEGIN/ { c = $0; next } c { c = c "\n" $0 } /-----END/ { print c|cmd; close(cmd); c = 0 }' \
      < /path/to/bundle.crt

# or
$ awk < /path/to/bundle.crt -v cmd="openssl x509 -issuer -subject -dates -noout" \
        '/^-----BEGIN/,/^-----END/ {print|cmd} /^-----END/ {close(cmd)}'

# or
$ cat /path/to/bundle.crt |
  awk '{
    if ($0 == "-----BEGIN CERTIFICATE-----") cert=""
    else if ($0 == "-----END CERTIFICATE-----") print cert
    else cert=cert$0
  }' |
  while read CERT; do echo "$CERT" | base64 -d | openssl x509 -inform DER -text -noout; done
```

#### get serial number

```bash
$ awk -v cmd='openssl x509 -noout -serial' \
             '/BEGIN/{close(cmd)}; {print | cmd}' \
       < /path/to/bundle.crt |
       awk -F= '{print $2}' |
       sed 's/../&:/g;s/:$//'
# or
$ openssl storeutl -noout -text -certs </path/to/file.crt> | sed -n '/Serial Number:/{n;p;}'

# i.e.:
$ awk -v cmd='openssl x509 -noout -serial' \
             '/BEGIN/{close(cmd)}; {print | cmd}' < google.crt |
      awk -F= '{print $2}' |
      sed 's/../&:/g;s/:$//'
71:8D:F8:A4:D1:48:8A:78:09:CC:ED:27:10:7D:81:84
7F:F0:05:A0:7C:4C:DE:D1:00:AD:9D:66:A5:10:7B:98
77:BD:0D:6C:DB:36:F9:1A:EA:21:0F:C4:F0:58:D3:0D
## or
$ openssl storeutl -noout -text -certs google.crt | sed -n '/Serial Number:/{n;p;}'
            71:8d:f8:a4:d1:48:8a:78:09:cc:ed:27:10:7d:81:84
            7f:f0:05:a0:7c:4c:de:d1:00:ad:9d:66:a5:10:7b:98
            77:bd:0d:6c:db:36:f9:1a:ea:21:0f:c4:f0:58:d3:0d
```

#### [get issuer and subject](https://serverfault.com/a/755815/129815)

```bash
$ awk -v cmd='openssl x509 -noout -subject -issuer' \
             '/BEGIN/{close(cmd)}; {print | cmd}' \
      < /path/to/bundle.crt
# or
$ openssl crl2pkcs7 -nocrl -certfile /path/to/bundle.crt | openssl pkcs7 -print_certs -noout
```

#### get issuers and subject in cert chain

```bash
$ openssl s_client -showcerts -connect google.com:443 </dev/null 2>/dev/null |
          sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p' |
          awk -v cmd='openssl x509 -noout -subject -issuer -dates; echo ""' \
                     '/BEGIN/{close(cmd)}; {print | cmd}'
subject=CN=github.com
issuer=C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA
notBefore=Feb  5 00:00:00 2025 GMT
notAfter=Feb  5 23:59:59 2026 GMT

subject=C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA
issuer=C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
notBefore=Nov  2 00:00:00 2018 GMT
notAfter=Dec 31 23:59:59 2030 GMT

subject=C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
issuer=C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
notBefore=Mar 12 00:00:00 2019 GMT
notAfter=Dec 31 23:59:59 2028 GMT
```

```bash
# or with index
$ openssl s_client -showcerts -connect github.com:443 </dev/null 2>/dev/null |
          sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p' |
          awk -v cmd='openssl x509 -noout -subject -issuer -dates;' '
            /BEGIN CERTIFICATE/ { printf("\n-- %d --\n", idx++) }
            { print | cmd }
            /END CERTIFICATE/ { close(cmd) }
          '
-- 0 --
subject=CN=github.com
issuer=C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA
notBefore=Feb  5 00:00:00 2025 GMT
notAfter=Feb  5 23:59:59 2026 GMT

-- 1 --
subject=C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA
issuer=C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
notBefore=Nov  2 00:00:00 2018 GMT
notAfter=Dec 31 23:59:59 2030 GMT

-- 2 --
subject=C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
issuer=C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
notBefore=Mar 12 00:00:00 2019 GMT
notAfter=Dec 31 23:59:59 2028 GMT
```

```bash
# or save in local
$ openssl s_client -showcerts -connect google.com:443 </dev/null 2>/dev/null |
          sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p' > google.crt
$ awk -v cmd='openssl x509 -noout -subject -issuer -dates; echo ""' \
             '/BEGIN/{close(cmd)}; {print | cmd}' \
      < google.crt
subject=CN = *.google.com
issuer=C = US, O = Google Trust Services, CN = WR2
notBefore=Jul 30 12:32:53 2024 GMT
notAfter=Oct 22 12:32:52 2024 GMT

subject=C = US, O = Google Trust Services, CN = WR2
issuer=C = US, O = Google Trust Services LLC, CN = GTS Root R1
notBefore=Dec 13 09:00:00 2023 GMT
notAfter=Feb 20 14:00:00 2029 GMT

subject=C = US, O = Google Trust Services LLC, CN = GTS Root R1
issuer=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
notBefore=Jun 19 00:00:42 2020 GMT
notAfter=Jan 28 00:00:42 2028 GMT
```

```bash
# or with awk only
$ openssl s_client -connect github.com:443 -showcerts </dev/null 2>/dev/null |
  awk '
    BEGIN { idx = 0 }
    /BEGIN CERTIFICATE/ {
      inside = 1
      cert = $0 "\n"
      next
    }
    /END CERTIFICATE/ {
      cert = cert $0 "\n"
      printf("\n-- %d --\n", idx)
      print cert | "openssl x509 -noout -subject -issuer -dates"
      close("openssl x509 -noout -subject -issuer -dates")
      idx++
      inside = 0
      next
    }
    { if (inside) cert = cert $0 "\n" }
  '
```

#### [get dates](https://serverfault.com/a/1079893/129815)

```bash
# local
$ openssl storeutl -noout -text -certs /path/to/bundle.crt | grep 'Not'
## or
$ awk -v cmd='openssl x509 -noout -dates' \
             '/BEGIN/{close(cmd)}; {print | cmd}' \
      < /path/to/bundle.crt
## remote
$ echo -n | openssl s_client -showcerts -connect <domain.com>:<port> 2>/dev/null | grep 'Not'

# i.e.:
## local
$ awk -v cmd='openssl x509 -noout -dates' '/BEGIN/{close(cmd)}; {print | cmd}' < google.crt
notBefore=Jul 30 12:32:53 2024 GMT
notAfter=Oct 22 12:32:52 2024 GMT
notBefore=Dec 13 09:00:00 2023 GMT
notAfter=Feb 20 14:00:00 2029 GMT
notBefore=Jun 19 00:00:42 2020 GMT
notAfter=Jan 28 00:00:42 2028 GMT
## remote
$ echo -n | openssl s_client -showcerts -connect google.com:443 2>/dev/null | command grep 'Not'
   v:NotBefore: Jul 30 12:32:53 2024 GMT; NotAfter: Oct 22 12:32:52 2024 GMT
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
```
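The CA, server and client steps from "create cert for server" and the bundle walk from "bundle certs", folded into one non-interactive script as an added example (not from the original page): it builds the PKI in a temporary directory with an unencrypted CA key (the page uses `-aes256`, which prompts) and one extension file per certificate type, then runs the checks the page's `verify` step leaves out: `openssl verify` with `-purpose`, SAN and key/cert matching, and a bundle walker that flags imminent expiry and wrong leaf-to-root order. Hostname, IP and CNs are constructed sample values; it assumes OpenSSL 1.1.1 or later on `PATH` (for `x509 -ext`).

```shell
#!/bin/sh
# Added example, not part of the original cheatsheet. Assumes OpenSSL >= 1.1.1
# on PATH. All names and addresses below are constructed samples.
set -eu
nl='
'

# --- build a tiny PKI in $1: CA, server cert (SAN + serverAuth), client cert (clientAuth)
make_pki() {
  local dir="$1" host="${2:-sample.artifactory.com}" ip="${3:-192.0.2.10}"
  local dn="/C=CN/ST=Sichuan/L=Chengdu/O=mycompany/OU=CDI"
  mkdir -p "$dir"
  (
    cd "$dir"
    # CA key stays unencrypted so this runs without prompts; `req -x509` adds CA:TRUE itself
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 365 -key ca.key -out ca.crt -subj "$dn/CN=internal-test-ca"
    # server: CSR, then CA-signed with its own extension file
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -sha256 -key server.key -out server.csr -subj "$dn/CN=$host"
    printf 'subjectAltName = DNS:%s,IP:%s\nextendedKeyUsage = serverAuth\n' "$host" "$ip" > server-ext.cnf
    openssl x509 -req -days 365 -sha256 -CA ca.crt -CAkey ca.key -CAcreateserial \
            -in server.csr -out server.crt -extfile server-ext.cnf 2>/dev/null
    # client: separate extension file, so the server SAN/EKU are not carried over
    openssl genrsa -out client.key 2048 2>/dev/null
    openssl req -new -sha256 -key client.key -out client.csr -subj "$dn/CN=build-agent-01"
    printf 'extendedKeyUsage = clientAuth\n' > client-ext.cnf
    openssl x509 -req -days 365 -sha256 -CA ca.crt -CAkey ca.key -CAcreateserial \
            -in client.csr -out client.crt -extfile client-ext.cnf 2>/dev/null
    chmod 0444 ca.crt server.crt client.crt
    chmod 0400 ca.key server.key client.key
    cat server.crt ca.crt > bundle.crt   # leaf first, as a server would send it
  )
}

# --- checks the page's `verify` step does not do
verify_purpose() {   # verify_purpose DIR CERT sslserver|sslclient -> exit status of openssl verify
  openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2" >/dev/null 2>&1
}
san_dns() {          # DNS names from the SAN extension, one per line
  openssl x509 -noout -ext subjectAltName -in "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}
key_matches_cert() { # same RSA modulus in certificate $1 and private key $2?
  [ "$(openssl x509 -noout -modulus -in "$1")" = "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

# --- walk a PEM bundle: prints "idx|subject|issuer|notAfter|status" per cert and
# returns 1 if a cert expires within $2 seconds (default 30 days) or the bundle is
# not ordered leaf -> issuer (each cert's issuer must equal the next cert's subject).
bundle_check() {
  local bundle="$1" window="${2:-2592000}" idx=0 prev_issuer='' rc=0 cert='' line=''
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      *'-----BEGIN CERTIFICATE-----'*) cert="$line$nl" ;;
      *'-----END CERTIFICATE-----'*)
        cert="$cert$line$nl"
        subject=$(printf '%s' "$cert" | openssl x509 -noout -subject | sed 's/^subject= *//')
        issuer=$(printf '%s' "$cert" | openssl x509 -noout -issuer | sed 's/^issuer= *//')
        notafter=$(printf '%s' "$cert" | openssl x509 -noout -enddate | sed 's/^notAfter=//')
        if printf '%s' "$cert" | openssl x509 -noout -checkend "$window" >/dev/null
        then status=ok; else status=EXPIRING; rc=1; fi
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]
        then status="$status,OUT_OF_ORDER"; rc=1; fi
        printf '%s|%s|%s|%s|%s\n' "$idx" "$subject" "$issuer" "$notafter" "$status"
        prev_issuer=$issuer; idx=$((idx + 1)); cert=''
        ;;
      *) if [ -n "$cert" ]; then cert="$cert$line$nl"; fi ;;
    esac
  done < "$bundle"
  return $rc
}

# --- stand-alone demo: build the PKI in a temp dir and report
demo() {
  local d
  d=$(mktemp -d)
  make_pki "$d"
  verify_purpose "$d" server.crt sslserver && echo "server.crt: OK for sslserver"
  verify_purpose "$d" client.crt sslclient && echo "client.crt: OK for sslclient"
  verify_purpose "$d" client.crt sslserver || echo "client.crt: rejected for sslserver (clientAuth only)"
  echo "server SAN DNS: $(san_dns "$d/server.crt")"
  bundle_check "$d/bundle.crt" || echo "bundle problems found"
}
if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not found on PATH" >&2; fi
```

Note that the page's client step appends `extendedKeyUsage = clientAuth` to the same `extfile.cnf` that still holds the server SAN and `serverAuth` line; one extension file per certificate type, as above, keeps the client certificate from picking up server-only extensions.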

## services

### Kubernetes

> \[!NOTE|label:references:]
>
> * [Kubernetes Authentication and Authorization with X509 client certificates](https://medium.com/@sureshpalemoni/kubernetes-authentication-and-authorization-with-x509-client-certificates-edbc3517c10)

#### from Kubernetes secrets

* key

  ```bash
  $ kubectl -n kube-system get secrets <SECRET_NAME> -o jsonpath="{.data.tls\.key}" | base64 -d > server.key
  ```
* crt

  ```bash
  $ kubectl -n kube-system get secrets sample-tls -o jsonpath="{.data.tls\.crt}" | base64 -d > server.crt
  ```

#### to Kubernetes secrets

* key

  ```bash
  $ cat server.key | base64 -w0
  ```
* crt

  ```bash
  $ cat server.crt | base64 -w0
  ```
* advanced usage

  ```bash
  $ kubectl -n kube-system get secrets <SECRET_NAME> -o yaml |
      sed -r -e "s/(\s*tls.crt:)(.*)$/\1 $(cat server.crt | base64 -w0)/g" \
             -e "s/(\s*tls.key:)(.*)$/\1 $(cat server.key | base64 -w0)/g" |
    kubectl apply -f -
  ```

### jenkins self-signed SSL

> \[!NOTE|label:references:]
>
> * [\* iMarslo: keystore](https://github.com/marslo/ibook/blob/marslo/docs/cheatsheet/ssl/keystore.html)
> * [Configuring inbound agents using self-signed certificates](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-setup-guide/configure-ports-jnlp-agents#_configuring_inbound_agents_using_self_signed_certificates)

* create a truststore

  ```bash
  $ keytool -import -v -trustcacerts -alias jenkins.domain.com \
            -file certificate.pem \
            -keystore cacerts.jks \
            -storepass changeit
  ```
* remove alias

  ```bash
  # get alias
  $ $JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/lib/security/cacerts | grep <alias.name>
  # or
  $ $JAVA_HOME/bin/keytool -list -cacerts | grep <alias.name>
  # or
  $ keytool -list -v -keystore /path/to/cacerts.jks | grep 'Alias name:' | grep -i <alias.name>

  # delete alias
  $ $JAVA_HOME/bin/keytool -noprompt -trustcacerts -cacerts -delete -alias <the-alias-name>
  # or
  $ $JAVA_HOME/bin/keytool -noprompt -trustcacerts -keystore /path/to/cacerts.jks -delete -alias <the-alias-name>
  ```
* add into JVM options

  ```bash
  -Djavax.net.ssl.trustStore=/var/jenkins_home/cacerts.jks
  -Djavax.net.ssl.trustStorePassword=changeit
  ```
* use the truststore when connection from the agent

  ```bash
  $ java -Djavax.net.ssl.trustStore=/var/jenkins_home/cacerts.jks \
         -Djavax.net.ssl.trustStorePassword=changeit \
         -jar agent.jar \
         -jnlpURL https://jenkins.domain.com/cjoc/jnlpSharedSlaves/sharedagent/slave-agent.jnlp \
         -secret xxx
  ```

### artifactory https

$ sudo openssl genrsa -des3 -out artifactory.key 2048 $ sudo openssl req -new -key artifactory.key -out artifactorycsr $ sudo cp artifactory.key{,.org} $ sudo openssl rsa -in artifactory.key.org -out artifactory.key $ sudo openssl x509 -req -days 365 -in artifactorycsr -signkey artifactory.key -out artifactory.crt

$ sudo openssl genrsa -des3 -out artifactory.key 2048 Generating RSA private key, 2048 bit long modulus .........................+++ ........................................................................+++ e is 65537 (0x10001) Enter pass phrase for artifactory.key: artifactory Verifying - Enter pass phrase for artifactory.key: artifactory

$ sudo openssl req -new -key artifactory.key -out artifactorycsr Enter pass phrase for artifactory.key: artifactory You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank.

***

Country Name (2 letter code) \[AU]:CN State or Province Name (full name) \[Some-State]:Sichuan Locality Name (eg, city) \[]:Chengdu Organization Name (eg, company) \[Internet Widgits Pty Ltd]:mycompany Ltd Organizational Unit Name (eg, section) \[]:. Common Name (e.g. server FQDN or YOUR name) \[]:192.168.1.102 Email Address \[]:.

Please enter the following 'extra' attributes to be sent with your certificate request A challenge password \[]:. An optional company name \[]:.

$ sudo cp artifactory.key{,.org}

$ sudo openssl rsa -in artifactory.key.org -out artifactory.key Enter pass phrase for artifactory.key.org: artifactory writing RSA key

$ sudo openssl x509 -req\
-days 365\
-in artifactorycsr\
-signkey artifactory.key\
-out artifactory.crt Signature ok subject=/C=CN/ST=Sichuan/L=Chengdu/O=mycompany Ltd/CN=192.168.1.102 Getting Private key

$ openssl x509 -text\
-noout\
-in ssl\_ip/artifactory.crt Certificate: Data: Version: 1 (0x0) Serial Number: 9804858425156156035 (0x8811daca106dba83) Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, ST=Sichuan, L=Chengdu, O=mycompany Ltd, CN=192.168.1.102 Validity Not Before: Dec 26 16:23:15 2017 GMT Not After : Dec 26 16:23:15 2018 GMT Subject: C=CN, ST=Sichuan, L=Chengdu, O=mycompany Ltd, CN=192.168.1.102 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:ad:32:26:35:8a:8f:09:82:ff:59:61:14:14:1b: 9c:da:02:74:09:48:2a:d5:05:1d:ad:8a:d0:e0:70: 1f:9b:44:b4:df:4d:c5:4c:5a:1b:8a:52:7b:2a:69: a2:77:d3:cf:c7:fb:a6:ef:34:d1:bb:23:8d:d0:78: e6:48:3f:8c:12:3c:69:d5:62:2d:74:24:b8:49:a8: 59:c7:36:5f:64:97:5a:d1:8f:9a:5b:2f:aa:a8:65: 6c:75:28:60:55:b9:2a:5b:41:71:a4:fa:eb:10:7e: 84:4b:fb:c3:57:9c:55:8e:e8:2a:4a:c1:45:74:54: 58:d5:09:0d:59:d4:14:94:db:5b:67:91:9c:23:24: c4:07:10:d1:f1:28:fa:97:38:01:da:81:c4:f3:63: d7:84:24:dc:3c:ff:04:64:b2:3e:41:f0:d8:08:66: 06:cc:7c:05:3c:90:97:0b:02:b6:b5:2f:03:28:b7: 4c:38:aa:84:23:3e:9e:d4:b0:3a:58:4c:f3:74:df: 36:63:f2:18:ac:d1:0d:ef:05:6b:f3:dc:b6:d3:c7: f0:91:7b:b8:69:4f:ae:19:da:34:b7:38:1e:e2:9a: 10:2e:a9:a0:54:f6:61:b9:da:e6:98:c8:9b:76:83: d6:59:77:d9:18:c6:57:8c:cf:af:a4:89:5a:87:99: c4:15 Exponent: 65537 (0x10001) Signature Algorithm: sha256WithRSAEncryption 5a:06:ad:9b:d0:07:d7:9b:92:2a:77:71:ff:80:6e:c1:39:bd: 81:e8:0f:21:39:bd:80:3e:96:a9:6b:7a:73:f1:80:70:4e:b1: d4:b7:1e:54:be:62:dc:35:c0:b9:d8:8c:d1:24:75:8a:42:ec: a9:dd:9b:9a:f2:4b:ad:6e:38:d7:a2:fa:7a:70:be:7b:8c:37: 63:71:10:fe:73:18:de:e5:9c:c5:6e:1a:4e:cb:7b:51:26:56: 68:56:fb:4f:71:d7:7b:94:b6:55:b9:f8:9b:31:a8:26:a5:e5: 32:36:33:65:7b:1d:9f:27:7d:f1:b0:d2:06:7c:75:d7:39:bb: 7a:44:92:e1:b8:fc:2b:fd:3c:43:93:d6:47:19:f6:ad:d3:cc: 82:dd:15:bd:d3:a0:e2:2d:92:fd:65:44:60:44:21:b9:1f:31: fd:91:c2:78:86:d9:aa:77:fd:54:ae:2f:4c:ae:5d:5e:c7:a3: 43:0d:6b:32:23:d9:61:b6:a7:c4:47:eb:bc:c2:79:6c:06:f0: 
a6:af:e8:45:c6:02:d5:1c:09:26:8a:a7:b0:ff:74:50:85:82: 1d:88:b2:2c:eb:20:3e:bf:3b:4e:9b:ab:b7:4f:e8:14:a8:1a: 33:50:e9:a8:24:3e:5e:2a:68:ea:fa:f3:12:30:94:8e:0f:0d: da:6c:17:60

```
$ sudo openssl genrsa -des3 -out artifactory.key 2048
Generating RSA private key, 2048 bit long modulus
........................+++
.......................................+++
e is 65537 (0x10001)
Enter pass phrase for artifactory.key: artifactory
Verifying - Enter pass phrase for artifactory.key: artifactory

$ sudo openssl req \
       -new \
       -key artifactory.key \
       -out artifactorycsr
Enter pass phrase for artifactory.key: artifactory
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Sichuan
Locality Name (eg, city) []:Chengdu
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycompany Ltd
Organizational Unit Name (eg, section) []:mycompany CDI
Common Name (e.g. server FQDN or YOUR name) []:docker-1.artifactory
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.

$ sudo cp artifactory.key{,.org}
$ sudo openssl rsa \
       -in artifactory.key.org \
       -out artifactory.key
Enter pass phrase for artifactory.key.org: artifactory
writing RSA key

$ sudo openssl x509 -req \
       -days 365 \
       -in artifactorycsr \
       -signkey artifactory.key \
       -out artifactory.crt
Signature ok
subject=/C=CN/ST=Sichuan/L=Chengdu/O=mycompany Ltd/OU=mycompany CDI/CN=docker-1.artifactory
Getting Private key

$ openssl x509 -text -noout -in ssl/artifactory.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 15006671364169185053 (0xd0426818d254b71d)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Sichuan, L=Chengdu, O=mycompany Ltd, OU=mycompany CDI, CN=docker-1.artifactory
        Validity
            Not Before: Dec 26 16:02:10 2017 GMT
            Not After : Dec 26 16:02:10 2018 GMT
        Subject: C=CN, ST=Sichuan, L=Chengdu, O=mycompany Ltd, OU=mycompany CDI, CN=docker-1.artifactory
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:dc:30:6b:83:56:92:fb:f3:fb:bc:da:3e:a9:5c:
                    67:c3:19:42:9a:8f:8f:30:e6:27:fa:a9:9d:c9:3e:
                    9c:31:3d:aa:d8:9f:ae:9b:64:b0:75:2a:01:51:ad:
                    04:c4:00:5d:f4:f8:b4:af:bb:20:f3:77:45:65:28:
                    d8:38:28:b2:03:46:d0:67:d1:91:8e:7b:65:66:a0:
                    7e:a5:e2:fe:80:00:5e:54:95:50:52:9c:44:2a:aa:
                    dc:a2:80:be:16:07:79:b4:13:1d:f5:8a:ca:c3:ab:
                    1c:76:de:f3:b8:23:9b:54:17:28:be:ac:e5:68:5c:
                    f3:83:49:61:55:d2:e1:ea:0c:e7:72:75:6e:90:5a:
                    90:a8:85:01:c6:cc:69:94:5b:c4:f9:14:6d:70:0a:
                    8e:45:e0:b9:28:aa:99:3a:22:12:db:0b:d7:d9:6e:
                    aa:35:36:5e:e6:00:eb:99:ab:46:6d:7b:e5:12:b1:
                    f9:0c:5c:d3:c0:47:7b:b3:e4:03:15:fa:8d:42:f8:
                    a1:c1:ce:dc:42:d2:81:88:18:0d:26:28:7e:90:cf:
                    e8:05:84:75:94:e9:ac:20:47:95:c7:50:1c:d8:42:
                    c3:d7:8b:90:f9:a9:48:cc:a5:8d:88:3b:54:a9:ef:
                    20:ce:ee:4c:6d:04:65:eb:6c:f7:22:9d:c8:13:33:
                    b1:6d
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         c3:c7:c8:0d:19:d1:0b:05:ac:11:e3:e4:af:25:0e:95:f5:f5:
         31:ed:90:4e:7f:1a:2b:a2:2f:4d:a3:d9:57:40:a2:f6:af:55:
         90:53:bf:72:39:81:5d:53:41:85:e0:1d:26:9f:9e:33:05:46:
         9c:fc:51:99:19:5c:7d:ef:aa:cc:50:61:0b:f4:11:69:bd:9e:
         2a:34:48:e9:9d:7c:d0:e0:80:a5:42:67:ac:8e:0c:d6:84:19:
         8e:cb:05:97:9f:21:c5:e0:78:8f:97:f6:53:fa:f2:ec:49:3f:
         fb:11:68:ed:ea:c0:8c:c5:be:08:61:e4:bd:4e:05:5f:89:99:
         f6:47:6f:b3:1e:5f:49:62:ff:37:dc:f0:c4:4b:bb:a4:15:06:
         b1:80:4d:24:ef:bb:25:d6:a5:60:13:34:57:73:ba:b4:b0:8b:
         42:0f:18:ef:0e:17:60:83:4d:61:bd:ef:55:b9:52:6a:47:ab:
         c3:ee:b3:11:27:86:aa:87:18:d5:60:b8:b4:34:c2:fa:75:48:
         0e:f1:f4:30:b3:fa:b3:ad:a9:8a:6e:e6:62:71:02:5a:72:bd:
         5c:45:a0:23:ea:1d:84:16:24:3d:88:a0:12:20:61:7a:f8:bd:
         dc:0f:fb:26:c0:f3:2f:1f:66:7e:64:35:b6:45:05:c4:00:43:
         2d:18:da:a1
```
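The same key / CSR / self-sign / strip-passphrase procedure, run non-interactively, as an added example that is not code from the original page. It also puts the hostname into a subjectAltName, because the certificate shown above is Version 1 with a CN only, which current browsers, curl and Go clients will not match against the hostname; the output directory, hostname and passphrase are assumed values chosen for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: the artifactory self-signed
# certificate flow above, run non-interactively. Two deliberate changes:
#  - the passphrase is passed with -passout/-passin instead of being typed;
#  - the hostname is also written into a subjectAltName, so the result is a
#    v3 certificate with SAN (the page's cert is v1 with CN only).
# Directory, hostname and passphrase are assumptions made for this example.
set -eu

gen_selfsigned() {   # usage: gen_selfsigned <dir> <hostname> <passphrase>
  dir=$1; host=$2; pass=$3
  mkdir -p "$dir"
  # 1. encrypted private key (the page uses -des3; AES-256 is used here)
  openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/$host.key.org" 2048 2>/dev/null
  # 2. copy without passphrase so the web server can load it unattended
  openssl rsa -in "$dir/$host.key.org" -passin "pass:$pass" -out "$dir/$host.key" 2>/dev/null
  chmod 600 "$dir/$host.key" "$dir/$host.key.org"
  # 3. CSR with the DN supplied on the command line instead of via prompts
  openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
    -subj "/C=CN/ST=Sichuan/L=Chengdu/O=mycompany Ltd/CN=$host"
  # 4. self-sign for 365 days, adding the SAN extension from a one-line extfile
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/$host.san.cnf"
  openssl x509 -req -days 365 -in "$dir/$host.csr" -signkey "$dir/$host.key" \
    -extfile "$dir/$host.san.cnf" -out "$dir/$host.crt" 2>/dev/null
}

# Checks worth running before handing the files to nginx / artifactory.
cert_version() {     # prints 1 or 3, taken from the "Version:" line of -text
  openssl x509 -in "$1" -noout -text | grep -m1 'Version:' | awk '{print $2}'
}
cert_san() {         # prints the SAN entries, e.g. DNS:docker-1.artifactory
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -1 | tr -d ' '
}
key_matches_cert() { # usage: key_matches_cert <key> <crt>; compares the moduli
  [ "$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)" = \
    "$(openssl x509 -noout -modulus -in "$2")" ]
}
cert_valid_for_days() {  # usage: cert_valid_for_days <crt> <days>; exit 0 if still valid then
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

if [ "${1:-}" = "run" ]; then   # ./script run -> generates into ./ssl and prints the checks
  gen_selfsigned ./ssl docker-1.artifactory artifactory
  echo "version=$(cert_version ./ssl/docker-1.artifactory.crt) san=$(cert_san ./ssl/docker-1.artifactory.crt)"
fi
```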

