server

• terminology

  • extensions

  • algorithms

    • symmetric encryption

    • asymmetric encryption

• certs

  • generate csr

  • sign the csr

  • nginx configure

• usage

  • show content

  • convert

    • frmo cer

    • from a pkcs#12 ( .pfx/.p12 )

    • from crt

    • remove password from extacted private key

    • from certificate

    • convert from windows certmgr.msc

  • Code Signing Certificates

[!TIP|label:references:]

• * iMarslo: Artifactory Nginx CSR
• Frequently used OpenSSL Commands
• The Most Common OpenSSL Commands | OpenSSL Commands

terminology

extensions

[!TIP|label:references:]

• What is the difference between .CER and .CRT?
• What are the differences between .pem, .csr, .key, .crt and other such file extensions?
• Difference between pem, crt, key files

EXTENSION	NAME	DESCRIPTION
.ca	Certificate Authority	-
.key	Private Key	-
.csr .req .p10	Certificate Signing Request	-
.crt	Certificate	used for certificates, may be encoded as binary DER or as ASCII PEM, usually an X509v3 certificate
.cer	Certificate	alternate form of .crt (Microsoft Convention), DER encoded or base64[PEM] encoded
.pem	Privacy Enhanced Mail	indicates a base64 encoding with header and footer lines
.crl	Certificate Revocation List	defined within the X.509v3 certificate specifications, and this is usually DER encoded
.p8 .pkcs8	PKCS#8 Private Keys	PKCS#8 defines a way to encrypt private keys using
.p12 .pfx	PKCS#12 defined key store	commonly password protected. It can contain trusted certificates, private key(s) and their certificate chain(s)
.p7b .p7c	PKCS#7/CMS message	it is often used as a way to handle the certificates which make up a 'chain' or 'bundle' as a single
jks	Java Key Store	Java Key Store (JKS) is a repository of security certificates, either authorization certificates or public key certificates, plus corresponding private keys, used for instance in SSL encryption.

algorithms

symmetric encryption

• 3DES

• AES

asymmetric encryption

• RSA

• DSA

• ECC

• ECDSA

• Hash Algorithms

• MD5

• SHA-1

• SHA-2

• SHA-3

certs

generate csr

[!NOTE|label:references:]

• How to generate a private key and CSR from the command line
• How to Generate a CSR for Nginx (OpenSSL)
• GENERATE A CERTIFICATE SIGNING REQUEST (CSR) USING OPENSSL ON MICROSOFT WINDOWS SYSTEM
• HOW TO GENERATE A CSR FOR SSL CERTIFICATES ON WINDOWS

# generate key
$ openssl genrsa -out dashboard.key 2048

# generate csr
$ openssl req -sha256 \
              -new \
              -key dashboard.key \
              -out dashboard.csr \
              -subj '/C=US/ST=California/L=Santa Clara/O=Company Name, Inc./CN=dashboard.kubernetes.com'

• or generate key and csr in one command

  $ openssl req -new -newkey rsa:2048 -nodes -keyout dashboard.key -out dashboard.csr -subj '/C=US/ST=California/L=Santa Clara/O=Company Name, Inc./CN=dashboard.kubernetes.com'

sign the csr

[!TIP|label:references:]

• How do you sign a Certificate Signing Request with your Certification Authority?
• openssl.cnf

$ echo subjectAltName = DNS: server.sample.com,IP: 10.110.136.104 >> extfile.cnf
$ echo extendedKeyUsage = serverAuth >> extfile.cnf
$ openssl x509 -req \
               -days 365 \
               -sha256 \
               -CAcreateserial \
               -CA ca.crt \                            # the CA crt
               -CAkey ca.key \                         # the CA key
               -in server.csr \
               -out server.crt \
               -extfile extfile.cnf                    # the external file

• Sign a certificate request using the CA certificate above and add user certificate extensions

  $ openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \
            -CA cacert.pem -CAkey key.pem -CAcreateserial
  
  # Set a certificate to be trusted for SSL client use and change set its alias to "Steve's Class 1 CA"
  $ openssl x509 -in cert.pem            -addtrust clientAuth -setalias "Steve's Class 1 CA" -out trust.pem
  # or
  $ openssl x509 -in steve.cer -trustout -addtrust clientAuth -setalias "Steve's Class 1 CA" -out steve.pem

• or generate crt with key in one command

  $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout nginx-selfsigned.key -out nginx-selfsigned.crt

nginx configure

[!NOTE|label:references:]

• Configuring HTTPS servers
• How to Redirect HTTP to HTTPS in Nginx
• Module ngx_http_ssl_module
• Update: Using Free Let’s Encrypt SSL/TLS Certificates with NGINX

• modify/create nginx configure

  $ cat /etc/nginx/sites-enabled/server.sample.com
  server {
      listen 80;
      listen 443 ssl;
  
      ssl_certificate     /etc/nginx/certs/server.pem;
      ssl_certificate_key /etc/nginx/certs/server.key;
      ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
      ssl_ciphers         HIGH:!aNULL:!MD5;
  
      server_name server.sample.com;
  
      location / {
          proxy_pass http://localhost:8080;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection 'upgrade';
          proxy_set_header Host $host;
          proxy_cache_bypass $http_upgrade;
      }
  }

• test and reload

  $ nginx -t
  $ nginx -s reload
  $ sudo systemctl restart nginx.service
  
  # more
  $ which -a nginx
  /usr/sbin/nginx
  /sbin/nginx

usage

show content

• certificate request ( csr )

  # show content of a certificate request
  #    csr: request
  #          v
  $ openssl req -in certificate.csr -noout -text
  
  # subject name
  $ openssl req -in certificate.csr -noout -subject
  
  # verify
  $ openssl req -in certificate.csr -noout -verify

• certificate ( pem, crt, cer )

  # show content of a certificate
  #    x509: certificate
  #          v
  $ openssl x509 -in certificate.pem -noout -text
  
  # show serial number of a certificate
  $ openssl x509 -in certificate.pem -noout -serial
  
  # show subject name
  $ openssl x509 -in certificate.pem -noout -subject
  
  # show subject name in RFC2253 format
  $ openssl x509 -in certificate.pem -noout -subject -nameopt RFC2253
  
  # show subject name in oneline support UTF8
  $ openssl x509 -in certificate.pem -noout -subject -nameopt oneline,-esc_msb
  
  # show SHA-1 fingerprint
  $ openssl x509 -sha1 -in certificate.pem -noout -fingerprint

convert

[!NOTE|label:references:]

• Do I need to convert .CER to .CRT for Apache SSL certificates? If so, how?
• x509 options

frmo cer

• to crt

  # DER encoded ( binary )
  $ openssl x509 -inform DER -in certificate.cer -out certificate.crt
  
  # PEM encoded ( human readable )
  $ openssl x509 -inform PEM -in certificate.cer -out certificate.crt

• to pem

  $ openssl x509 -inform DER -in certificate.cer -out certificate.pem -outform PEM
  $ openssl x509 -inform PEM -in certificate.cer -out certificate.pem -outform PEM

from a pkcs#12 ( .pfx/.p12 )

[!NOTE|label:references:]

• Convert pfx file to pem file

• to pem

  $ openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
  
  ## -nocerts
  $ openssl pkcs12 -in filename.pfx -nocerts -out key.pem
  $ openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
  
  ## -clcerts
  $ openssl pkcs12 -in filename.pfx -clcerts -nokeys -out certificate.pem

from crt

[!NOTE|label:references:]

• Conversion of crt file to pem file

• to pem

  ## PEM encoded
  $ openssl x509 -in certificate.crt -out certificate.pem -outform PEM
  
  ## DER encoded
  $ openssl x509 -in certificate.crt -out certificate.der -outform DER
  
  ## from DER encoded to PEM encoded
  $ openssl x509 -in certificate.der -inform DER -out output.pem -outform PEM

remove password from extacted private key

$ openssl rsa -in key.pem -out key.pem

from certificate

• to certificate request

  $ openssl x509 -x509toreq -in certificate.crt -out certificate.csr -signkey privateKey.key
  # or
  $ openssl x509 -x509toreq -in certificate.pem -out req.pem -signkey key.pem

convert from windows certmgr.msc

1. win + r -> certmgr.msc

2. Certifacts - Current User -> Trusted Root Certification Authorities -> Certificates -> the wanted CA

3. right-click -> open or double-click

   

   certmgr-1
4. Details -> Copy to File...

   

   certmgr-2
5. Certificate Export Wizard -> Next

   

   certmgr-3
6. convert to crt

• DER encoded binary X.509 (.CER)

  $ openssl x509 -inform DER -in certificate.cer -out certificate.crt

• Base-64 encoded X.509 (.CER)

  $ openssl x509 -inform PEM -in certificate.cer -out certificate.crt

• Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)

  [!NOTE|label:references:]

  • jmervine/cert_convert.sh

  $ openssl pkcs7 -inform DER -in certificate.p7b -out certificate.crt
  # or
  $ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt

import to Linux

[!NOTE|label:references:]

• Install a PEM-format certificate

$ sudo cp certificate.crt /usr/local/share/ca-certificates/
$ sudo chmod 755 /usr/local/share/ca-certificates/certificate.crt
$ sudo update-ca-certificates

Code Signing Certificates