Revision as of 19:59, 11 February 2018

Lets Encrypt

Install

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
sudo apt-get install python-certbot-nginx (for nginx)

Create new certificate

sudo certbot certonly --standalone
sudo certbot --nginx -d example.com -d www.example.com

Test certificate renewal

sudo certbot renew --dry-run

Renew certificates

certbot renew

Crontab renewal

$ sudo crontab -e

*  * 7,19 * * certbot -q renew

Docs

https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates

Fuente: www.akadia.com/services/ssh_test_certificate.html

SubjectAltName

Find your openssl.cnf file. It is likely located in /usr/lib/ssl/openssl.cnf

First, modify the req parameters. Add an alternate_names section to openssl.cnf with the names you want to use. There are no existing alternate_names sections, so it does not matter where you add it.

[ alternate_names ]
DNS.1        = example.com
DNS.2        = www.example.com
DNS.3        = mail.example.com
DNS.4        = ftp.example.com

Next, add the following to the existing [ v3_ca ] section. Search for the exact string [ v3_ca ]:

subjectAltName      = @alternate_names

You might change keyUsage to the following under [ v3_ca ]:

keyUsage = digitalSignature, keyEncipherment

   Can someone help me with the exact syntax?

Its a three step process, and it involves modifying openssl.cnf file. You might be able to do it with only command line options, but I don't do it that way.

Find your openssl.cnf file. It is likely located in /usr/lib/ssl/openssl.cnf:

$ find /usr/lib -name openssl.cnf /usr/lib/openssl.cnf /usr/lib/openssh/openssl.cnf /usr/lib/ssl/openssl.cnf

On my Debian system, /usr/lib/ssl/openssl.cnf is used by the built-in openssl program. On recent Debian systems it is located at /etc/ssl/openssl.cnf

You can determine which openssl.cnf is being used by adding a spurious XXX to the file and see if openssl chokes.

First, modify the req parameters. Add an alternate_names section to openssl.cnf with the names you want to use. There are no existing alternate_names sections, so it does not matter where you add it.

[ alternate_names ]

DNS.1 = example.com DNS.2 = www.example.com DNS.3 = mail.example.com DNS.4 = ftp.example.com

Next, add the following to the existing [ v3_ca ] section. Search for the exact string [ v3_ca ]:

subjectAltName = @alternate_names

You might change keyUsage to the following under [ v3_ca ]:

keyUsage = digitalSignature, keyEncipherment

digitalSignature and keyEncipherment are standard faire for a server certificate. Don't worry about nonRepudiation. Its a useless bit thought up by comp sci guys who wanted to be lawyers. It means nothing in the legal world.

In the end, the IETF (RFC 5280), Browsers and CAs run fast and loose, so it probably does not matter what key usage you provide. Second, modify the signing parameters. Find this line under the CA_default section:

# Extension copying option: use with caution.
# copy_extensions = copy

And change it to:

# Extension copying option: use with caution.
copy_extensions = copy

Third, generate your self-signed:

$ openssl genrsa -out private.key 3072
$ openssl req -new -x509 -key private.key -sha256 -out certificate.pem -days 730

Finally, examine the certificate:

$ openssl x509 -in certificate.pem -text -noout

Generate self signed certificate

Generate a Private Key

 openssl genrsa -des3 -out server.key 1024

 openssl genrsa -aes256 -out server.key 4096

(better security)

Generate a CSR (Certificate Signing Request)
```
openssl req -new -key server.key -out server.csr
```
(YOUR name must be the fully qualified domain name ej: wiki.herrerosolis.com)
Remove passphrase from key
```
cp server.key server.key.org && openssl rsa -in server.key.org -out server.key
```
-rw-r----- 1 root ssl-cert 891 Jun 29 13:22 server.key
-rw-r--r-- 1 root ssl-cert 891 Jun 29 13:22 server.crt
Generate Self-Signed Certificate
```
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
```
will generate a temporary certificate which is good for 365 days

Create your own CA

Create the root key

openssl genrsa -out rootCA.key 4096

self-sign this certificate

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

Generate a certificate for each service and sign it with your root CA

openssl genrsa -out flirt.key 4096
openssl req -new -key flirt.key -out flirt.csr
openssl x509 -req -in flirt.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out flirt.crt -days 500 -sha256

Generate self signed certificate one line

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

Installing the Private Key and Certificate

Apache:

Copy server.crt and server.key to apache conf ssl path chmod 640 to .key and 644 to .crt
```
cp server.crt /usr/local/apache/conf/ssl.crt # ALTERNATIVE: /etc/ssl/certs
cp server.key /usr/local/apache/conf/ssl.key #ALTERNATIVE: /etc/ssl/private 
```
Apache mod_ssl installed required, path may differ depending on apache how apache was compiled

Configure Configuring SSL Enabled Virtual Hosts

SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Secure SSL

sudo nano /etc/apache2/mods-enable/ssl.conf
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
SSLHonorCipherOrder on
SSLProtocol TLSv1.2
SSLCompression off

Restart Apache and test

Django (Nginx-Gunicorn)

TODO!

Nginx

server {

listen   443;

ssl    on;
ssl_certificate    /etc/ssl/su_dominio_com.crt; (o su_dominio_com.crt.pem)
ssl_certificate_key    /etc/ssl/su_dominio_com.key;
add_header Strict-Transport-Security max-age=31536000;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
server_name su.dominio.com;
access_log /var/log/nginx/nginx.vhost.access.log;
error_log /var/log/nginx/nginx.vhost.error.log;
location / {
root   /home/www/public_html/su.dominio.com/public/;
index  index.html;
}

}

TODO: gunicorn: Poner aqui init.d script
TODO: Django: http://security.stackexchange.com/questions/8964/trying-to-make-a-django-based-site-use-https-only-not-sure-if-its-secure

Self Signed option 1

#!/bin/bash
# TODO: key name as parameter
#KEY_NAME=

VALID_DAYS=3650
die () {
    echo >&2 "$@"
    exit 1
}

[ "$#" -eq 1 ] || die "1 argument required (filename), $# provided"
KEY_NAME=$1

##################   Generate key  ############################################
openssl genrsa -aes256 -out ${KEY_NAME}.key 4096
cp ${KEY_NAME}.key ${KEY_NAME}.key.secure

#################   Remove password from key  #################################
cp ${KEY_NAME}.key ${KEY_NAME}.key.secure
openssl rsa -in ${KEY_NAME}.key.secure -out ${KEY_NAME}.key

#################   Generate CSR (Certificate Signing Request)  ###############
openssl req -new -key ${KEY_NAME}.key -out ${KEY_NAME}.csr

#################   Generate Self-Signed Certificate  #########################
openssl x509 -req -days ${VALID_DAYS} -in ${KEY_NAME}.csr -signkey ${KEY_NAME}.key -out ${KEY_NAME}.crt

Self Signed Option 2

1. Copy your openssl.cnf.
 
  ```
  cp /etc/pki/tls/openssl.cnf ./
  ```

2. Modify the configuration file template at ./openssl.cnf and make the following changes:
  - In section [req]
  
  ```
  req_extensions = v3_req # The extensions to add to a certificate request
  ```
  
 - Insection [v3_req]
 
 ```
 subjectAltName = @alt_names
 ```
 - At the end of the configuraiton file
 
  ```
 [ alt_names ]
  DNS.1 = hostname.example.com
  ```

3. Generate your certificate key
 
  ```
  openssl genrsa -out hostname.example.com.key 2048
  ```

4. Use the certificate key and the new openssl.cnf file to create a Certificate Signing Request (CSR):
  
  ```
  openssl req -new -key hostname.example.com.key -out hostname.example.com.csr -extensions v3_req -config openssl.cnf
  ```
  
5. You may either use the generated CSR to obtain a signed certificate from a recognized Certificate Authority (CA). Or, for testing purposes, you may use this to generate a self-signed certificate as follows:
  - Create a new configuration file, v3.cnf, that can host the information for the v3 requirements. Edit it to contain the following lines:
 
  ```
  [v3_req]
  subjectAltName = @alt_names
  [alt_names]
  DNS.1 = hostname.example.com
  ```
  
  - Run the following OpenSSL command to generate a self-signed certificate using the CSR and your local key:
 
  ```
  openssl x509 -req -days 365 -in hostname.example.com.csr -signkey hostname.example.com.key -out hostname.example.com.crt -extensions v3_req -extfile v3.cnf
  ```

Difference between revisions of "SSL Certificate"