Radek Antoniuk warden IT Tech Entrepreneur personal notepad

Useful DEVOPS Technology, Tools and Know-How


Testing

  • [Appium is an open source test automation framework for use with native, hybrid and mobile web apps](http://appium.io/)

Security


Order of certificates in the bundle (.pem) file

Per RFC 4346 the certificates should be placed in the chain file in this order:

  • the issued (end-entity) certificate first
  • any intermediate certificates next, in signing order, each one certifying the one before it
  • the root CA certificate at the end of the file

RFC 4346 (section 7.4.2) defines the certificate_list field as follows:

certificate_list: This is a sequence (chain) of X.509v3 certificates. The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority may optionally be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case.

Display all certificates in bundle (.pem) file

$ openssl crl2pkcs7 -nocrl -certfile CHAINED.pem | openssl pkcs7 -print_certs -text -noout

Split certificates from bundle to separate files

# writes cert.pem, cert1.pem, cert2.pem, ... in bundle order
awk '
  split_after == 1 {n++; split_after=0}
  /-----END CERTIFICATE-----/ {split_after=1}
  {print > "cert" n ".pem"}' < chain.pem

Show certificate expiration date with s_client

echo | openssl s_client -connect <HOST>:<PORT> 2>/dev/null | openssl x509 -noout -dates

One-Stop-Shop: Generating root CA cert and signing a cert with openssl

root CA without password:

openssl req -new -newkey rsa:4096 -days 3650 -x509 -nodes -subj "/C=PL/O=Lab CA Org/CN=Lab CA" -keyout CA.key -out CA.crt

root CA with password:

openssl req -new -newkey rsa:4096 -days 3650 -x509 -subj "/C=PL/O=Lab CA Org/CN=Lab CA" -keyout CA.key -out CA.crt

Generating KEY and CSR (without passphrase for Apache/Nginx):

openssl req -new -newkey rsa:4096 -nodes -subj "/C=PL/O=Client Org/CN=server-cert" -keyout server.key -out server.csr

Sign for TLS Server usage, valid for 1 year:

openssl x509 -req -in server.csr -CA CA.crt -CAkey CA.key -CAcreateserial -CAserial serial.txt -out server.crt -days 365 -extfile ext-tls-server

Sign for TLS Client usage, valid for 1 year:

openssl x509 -req -in server.csr -CA CA.crt -CAkey CA.key -CAcreateserial -CAserial serial.txt -out server.crt -days 365 -extfile ext-tls-client

Extension files:

ext-tls-client:

basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

ext-tls-server:

basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

email encryption:

basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection

Generating a 4096-bit RSA key and CSR

$ openssl req \
    -new \
    -newkey rsa:4096 \
    -nodes \
    -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
    -keyout certificate.key \
    -out certificate.csr

Generating an ECDSA (P-256) key and CSR

$ openssl req \
    -new \
    -newkey ec \
    -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes \
    -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
    -keyout certificate.key \
    -out certificate.csr

Notes:

  • the -nodes option means that the private key is written without a passphrase
  • add the -x509 option if you wish to create a self-signed certificate instead of a CSR
