How to remove Private Key Password from pkcs12 container? 
Sunday, 14 April 2024, 12:25 - OpenSSL
Posted by Administrator
- Export to temporary pem file
openssl pkcs12 -in protected.p12 -nodes -out temp.pem
# -> Enter password


- Convert pem back to p12
openssl pkcs12 -export -in temp.pem  -out unprotected.p12
# -> Just press [return] twice for no password


- Remove temporary certificate
rm temp.pem


add comment ( 246 views )   |  permalink   |  $star_image$star_image$star_image$star_image$star_image ( 3 / 513 )
How do I verify that a private key matches a certificate? 
Friday, 11 February 2022, 12:47 - Technology, OpenSSL
Posted by Administrator
To verify that an RSA private key matches the RSA public key in a certificate you need to i) verify the consistency of the private key and ii) compare the modulus of the public key in the certificate against the modulus of the private key.

To verify the consistency of the RSA private key:
openssl rsa -check -noout -in myserver.key
RSA Key is ok

If it doesn't say 'RSA key ok', it isn't OK!"

To view its modulus:
openssl rsa -modulus -noout -in myserver.key | openssl md5

To view the modulus of the RSA public key in a certificate:
openssl x509 -modulus -noout -in myserver.crt | openssl md5

If the first commands shows any errors, or if the modulus of the public key in the certificate and the modulus of the private key do not exactly match, then you're not using the correct private key.
add comment ( 960 views )   |  permalink   |  $star_image$star_image$star_image$star_image$star_image ( 2.9 / 1330 )
Check CRL for revoked certificates and valitity of CRL itself 
Saturday, 15 January 2022, 14:23 - OpenSSL
Posted by Administrator
To find out if a client certificate was rejected or if the Certificate Revocation List itself is still valid (not older than "Next Update" attribute defined):
openssl crl -inform DER -text -noout -in mycrl.crl

Most CRLs are DER encoded, but you can use -inform PEM if your CRL is not binary. If you’re unsure if it is DER or PEM open it with a text editor. If you see —–BEGIN X509 CRL—– then it’s PEM and if you see strange binary-looking garbage characters it’s DER.
add comment ( 1056 views )   |  permalink   |  $star_image$star_image$star_image$star_image$star_image ( 3 / 1318 )
i-mscp certbot fix 
Sunday, 12 December 2021, 14:14 - Software, i-mscp
Posted by Administrator
The current let's encrypt plugin won't work any more, it throws an error about expired certificate when verifing after issuance, and removes SSL/TLS encryption for the site. This is caused because one of the LE root certificates has been expired.

So I searched for a quick fix so that newly issued certificates will work again, and have written a small patch for the certbot client you can find here. This will remove the expired root CA cert within the certificate chain, resulting in verification done by i-mscp won't fail any more.
add comment ( 1072 views )   |  permalink   |  $star_image$star_image$star_image$star_image$star_image ( 3 / 1193 )
SELinux Survival Guide 
Wednesday, 10 October 2018, 12:56 - Linux Stuff, RedHat Stuff
Posted by Administrator
On SELinux enabled systems (default on CentosOS/RHEL 6.x and higher), it may deny access when system utilities are called from a daemon's context used for automation or monitoring purposes.

You will see some deny messages within /var/log/audit.log that indicate SELinux is blocking access.

So follow this procedure for simply allow things denied by SELinux policies:

Build SELinux Policy


1. Set concerning context to permissive (will still log whitn audit.log:
semanage permissive -a zabbix_agent_t
2. Allow logging even rules are set to dontaudit:
semodule -DB
3. Now let the programme or script do its intended job.

Important: If the programme is doing things that wouldn't be done at every run, like caching (e.g. yum), try to clean programme's cache before running so you catch everything it may do!

4. Search for log entries and build a policy module & package out of it, analysis beginning from date today" (and optionally a time spec):
ausearch -r -m avc -ts today [HH:MM] | audit2allow -M zabbix_megacli

5. Import policy package:
semodule -i zabbix_megacli.pp

6. Disable permissive mode for context again:
semanage permissive -d zabbix_agent_t

7. Disable logging of rules defined as dontaudit:
semodule -B

8. Test if intended stuff works now!

Adjust policy


When you still see some single denials within audit.log, and quickly what to complete the policy with the rules seen, you may:

1. Edit zabbix_megacli.te and add missing operations like write, lock, etc. to the allow rules - don't forget to also specify those ops within concerning class!

2. Compile module file:
checkmodule -M -m -o zabbix_megacli.mod zabbix_megacli.te
3. (Re-)create the module package from module file:
semodule_package -o zabbix_megacli.pp -m zabbix_megacli.mod

For more info, see here:
https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-sel-building-policy-module.html
3. Import policy package:
semodule -i zabbix_megacli.pp


Apply Policy to other hosts


1. Copy the policy package (<policy>.pp) to the host you want to apply policy

2. Run the following command on every machine to load the package:
semodule -i zabbix_megacli.pp

add comment ( 1602 views )   |  permalink   |  related link   |  $star_image$star_image$star_image$star_image$star_image ( 3 / 1490 )

| 1 | 2 | 3 | 4 | 5 | 6 | 7 | Next> Last>>