Difference between revisions of "SSL Certificate"

From RHS Wiki
Jump to navigation Jump to search
Line 40: Line 40:
 
  keyUsage = digitalSignature, keyEncipherment
 
  keyUsage = digitalSignature, keyEncipherment
  
 
 
 
    Can someone help me with the exact syntax?
 
 
Its a three step process, and it involves modifying openssl.cnf file. You might be able to do it with only command line options, but I don't do it that way.
 
 
Find your openssl.cnf file. It is likely located in /usr/lib/ssl/openssl.cnf:
 
 
$ find /usr/lib -name openssl.cnf
 
/usr/lib/openssl.cnf
 
/usr/lib/openssh/openssl.cnf
 
/usr/lib/ssl/openssl.cnf
 
 
On my Debian system, /usr/lib/ssl/openssl.cnf is used by the built-in openssl program. On recent Debian systems it is located at /etc/ssl/openssl.cnf
 
 
You can determine which openssl.cnf is being used by adding a spurious XXX to the file and see if openssl chokes.
 
 
First, modify the req parameters. Add an alternate_names section to openssl.cnf with the names you want to use. There are no existing alternate_names sections, so it does not matter where you add it.
 
 
[ alternate_names ]
 
 
DNS.1        = example.com
 
DNS.2        = www.example.com
 
DNS.3        = mail.example.com
 
DNS.4        = ftp.example.com
 
 
Next, add the following to the existing [ v3_ca ] section. Search for the exact string [ v3_ca ]:
 
 
subjectAltName      = @alternate_names
 
 
You might change keyUsage to the following under [ v3_ca ]:
 
 
keyUsage = digitalSignature, keyEncipherment
 
  
 
digitalSignature and keyEncipherment are standard faire for a server certificate. Don't worry about nonRepudiation. Its a useless bit thought up by comp sci guys who wanted to be lawyers. It means nothing in the legal world.
 
digitalSignature and keyEncipherment are standard faire for a server certificate. Don't worry about nonRepudiation. Its a useless bit thought up by comp sci guys who wanted to be lawyers. It means nothing in the legal world.

Revision as of 20:02, 11 February 2018

Lets Encrypt

Install

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
sudo apt-get install python-certbot-nginx (for nginx)

Create new certificate

sudo certbot certonly --standalone
sudo certbot --nginx -d example.com -d www.example.com

Test certificate renewal

sudo certbot renew --dry-run

Renew certificates

certbot renew

Crontab renewal

$ sudo crontab -e

*  * 7,19 * * certbot -q renew

Docs

https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates


Fuente: www.akadia.com/services/ssh_test_certificate.html

SubjectAltName

Find your openssl.cnf file. It is likely located in /usr/lib/ssl/openssl.cnf

First, modify the req parameters. Add an alternate_names section to openssl.cnf with the names you want to use. There are no existing alternate_names sections, so it does not matter where you add it. 

[ alternate_names ]
DNS.1        = example.com
DNS.2        = www.example.com
DNS.3        = mail.example.com
DNS.4        = ftp.example.com

Next, add the following to the existing [ v3_ca ] section. Search for the exact string [ v3_ca ]: 

subjectAltName      = @alternate_names

You might change keyUsage to the following under [ v3_ca ]: 

keyUsage = digitalSignature, keyEncipherment


digitalSignature and keyEncipherment are standard faire for a server certificate. Don't worry about nonRepudiation. Its a useless bit thought up by comp sci guys who wanted to be lawyers. It means nothing in the legal world.

In the end, the IETF (RFC 5280), Browsers and CAs run fast and loose, so it probably does not matter what key usage you provide. Second, modify the signing parameters. Find this line under the CA_default section: 

# Extension copying option: use with caution.
# copy_extensions = copy

And change it to: 

# Extension copying option: use with caution.
copy_extensions = copy

Third, generate your self-signed: 

$ openssl genrsa -out private.key 3072
$ openssl req -new -x509 -key private.key -sha256 -out certificate.pem -days 730

Finally, examine the certificate: 

$ openssl x509 -in certificate.pem -text -noout

Generate self signed certificate

  1. Generate a Private Key 
     openssl genrsa -des3 -out server.key 1024

     openssl genrsa -aes256 -out server.key 4096
    (better security)
  2. Generate a CSR (Certificate Signing Request) 
    openssl req -new -key server.key -out server.csr
    (YOUR name must be the fully qualified domain name ej: wiki.herrerosolis.com)
  3. Remove passphrase from key 
    cp server.key server.key.org && openssl rsa -in server.key.org -out server.key
    -rw-r----- 1 root ssl-cert 891 Jun 29 13:22 server.key
    -rw-r--r-- 1 root ssl-cert 891 Jun 29 13:22 server.crt
  4. Generate Self-Signed Certificate 
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
    will generate a temporary certificate which is good for 365 days

Create your own CA

  • Create the root key
openssl genrsa -out rootCA.key 4096
  • self-sign this certificate
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
  • Generate a certificate for each service and sign it with your root CA
openssl genrsa -out flirt.key 4096
openssl req -new -key flirt.key -out flirt.csr
openssl x509 -req -in flirt.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out flirt.crt -days 500 -sha256

Generate self signed certificate one line

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

Installing the Private Key and Certificate

    • Apache:
    1. Copy server.crt and server.key to apache conf ssl path chmod 640 to .key and 644 to .crt 
      cp server.crt /usr/local/apache/conf/ssl.crt # ALTERNATIVE: /etc/ssl/certs
      

      cp server.key /usr/local/apache/conf/ssl.key #ALTERNATIVE: /etc/ssl/private
      Apache mod_ssl installed required, path may differ depending on apache how apache was compiled
    2. Configure Configuring SSL Enabled Virtual Hosts 
      SSLEngine on
      

      SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
      

      SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
      

      SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
      

      CustomLog logs/ssl_request_log \
      

      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    3. Secure SSL 
      sudo nano /etc/apache2/mods-enable/ssl.conf
      

      SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
      

      SSLHonorCipherOrder on
      

      SSLProtocol TLSv1.2
      

      SSLCompression off
    4. Restart Apache and test
    • Django (Nginx-Gunicorn)
    1. TODO!

Nginx 

server {

listen   443;

ssl    on;
ssl_certificate    /etc/ssl/su_dominio_com.crt; (o su_dominio_com.crt.pem)
ssl_certificate_key    /etc/ssl/su_dominio_com.key;
add_header Strict-Transport-Security max-age=31536000;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
server_name su.dominio.com;
access_log /var/log/nginx/nginx.vhost.access.log;
error_log /var/log/nginx/nginx.vhost.error.log;
location / {
root   /home/www/public_html/su.dominio.com/public/;
index  index.html;
}

}

TODO: gunicorn: Poner aqui init.d script
TODO: Django: http://security.stackexchange.com/questions/8964/trying-to-make-a-django-based-site-use-https-only-not-sure-if-its-secure

Self Signed option 1

#!/bin/bash
# TODO: key name as parameter
#KEY_NAME=

VALID_DAYS=3650
die () {
    echo >&2 "$@"
    exit 1
}

[ "$#" -eq 1 ] || die "1 argument required (filename), $# provided"
KEY_NAME=$1

##################   Generate key  ############################################
openssl genrsa -aes256 -out ${KEY_NAME}.key 4096
cp ${KEY_NAME}.key ${KEY_NAME}.key.secure

#################   Remove password from key  #################################
cp ${KEY_NAME}.key ${KEY_NAME}.key.secure
openssl rsa -in ${KEY_NAME}.key.secure -out ${KEY_NAME}.key

#################   Generate CSR (Certificate Signing Request)  ###############
openssl req -new -key ${KEY_NAME}.key -out ${KEY_NAME}.csr

#################   Generate Self-Signed Certificate  #########################
openssl x509 -req -days ${VALID_DAYS} -in ${KEY_NAME}.csr -signkey ${KEY_NAME}.key -out ${KEY_NAME}.crt

Self Signed Option 2

1. Copy your openssl.cnf.
 
  ```
  cp /etc/pki/tls/openssl.cnf ./
  ```

2. Modify the configuration file template at ./openssl.cnf and make the following changes:
  - In section [req]
  
  ```
  req_extensions = v3_req # The extensions to add to a certificate request
  ```
  
 - Insection [v3_req]
 
 ```
 subjectAltName = @alt_names
 ```
 - At the end of the configuraiton file
 
  ```
 [ alt_names ]
  DNS.1 = hostname.example.com
  ```

3. Generate your certificate key
 
  ```
  openssl genrsa -out hostname.example.com.key 2048
  ```

4. Use the certificate key and the new openssl.cnf file to create a Certificate Signing Request (CSR):
  
  ```
  openssl req -new -key hostname.example.com.key -out hostname.example.com.csr -extensions v3_req -config openssl.cnf
  ```
  
5. You may either use the generated CSR to obtain a signed certificate from a recognized Certificate Authority (CA). Or, for testing purposes, you may use this to generate a self-signed certificate as follows:
  - Create a new configuration file, v3.cnf, that can host the information for the v3 requirements. Edit it to contain the following lines:
 
  ```
  [v3_req]
  subjectAltName = @alt_names
  [alt_names]
  DNS.1 = hostname.example.com
  ```
  
  - Run the following OpenSSL command to generate a self-signed certificate using the CSR and your local key:
 
  ```
  openssl x509 -req -days 365 -in hostname.example.com.csr -signkey hostname.example.com.key -out hostname.example.com.crt -extensions v3_req -extfile v3.cnf
  ```
Retrieved from "https://wiki.herrerosolis.com/index.php?title=SSL_Certificate&oldid=1263"