Sysadmin Blog

How to remove Private Key Password from pkcs12 container?

info@cyberbyte.ch (Mike Rhyner) — Sun, 14 Apr 2024 10:25:46 GMT

- Export to temporary pem file

openssl pkcs12 -in protected.p12 -nodes -out temp.pem
#  -> Enter password

- Convert pem back to p12

openssl pkcs12 -export -in temp.pem  -out unprotected.p12
# -> Just press [return] twice for no password

- Remove temporary certificate

rm temp.pem

How do I verify that a private key matches a certificate?

info@cyberbyte.ch (Mike Rhyner) — Fri, 11 Feb 2022 11:47:56 GMT

To verify that an RSA private key matches the RSA public key in a certificate you need to i) verify the consistency of the private key and ii) compare the modulus of the public key in the certificate against the modulus of the private key.

To verify the consistency of the RSA private key:

openssl rsa -check -noout -in myserver.key
RSA Key is ok

If it doesn't say 'RSA key ok', it isn't OK!"

To view its modulus:

openssl rsa -modulus -noout -in myserver.key | openssl md5

To view the modulus of the RSA public key in a certificate:

openssl x509 -modulus -noout -in myserver.crt | openssl md5

If the first commands shows any errors, or if the modulus of the public key in the certificate and the modulus of the private key do not exactly match, then you're not using the correct private key.

Check CRL for revoked certificates and valitity of CRL itself

info@cyberbyte.ch (Mike Rhyner) — Sat, 15 Jan 2022 13:23:16 GMT

To find out if a client certificate was rejected or if the Certificate Revocation List itself is still valid (not older than "Next Update" attribute defined):

openssl crl -inform DER -text -noout -in mycrl.crl

Most CRLs are DER encoded, but you can use -inform PEM if your CRL is not binary. If you’re unsure if it is DER or PEM open it with a text editor. If you see —–BEGIN X509 CRL—– then it’s PEM and if you see strange binary-looking garbage characters it’s DER.

Turning SSLv3 off on Apache Server to mitigate "POODLE" attack (CVE-2014-3566)

info@cyberbyte.ch (Mike Rhyner) — Thu, 16 Oct 2014 08:22:12 GMT

Add the following to your SSL configuration section:


   # Disable SSLv2 & SSLv3 against POODLE issue (CVE-2014-3566)
    SSLProtocol All -SSLv2 -SSLv3

Note to insert this to all VirtualHost sections where SSL is enabled!

Check your config:

apachectl configtest

Then restart apache server:

sudo service apache2 restart

To check if SSLv3 is turned off:

openssl s_client -connect server.domain.tld:443 -ssl3

Then you shold see a message like this:

error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40

To disable SSLv3 within other services:
see this post

Check certificate on a server

info@cyberbyte.ch (Mike Rhyner) — Wed, 04 Jun 2014 16:26:16 GMT

Issue the following command:

openssl s_client -CApath /etc/ssl/certs/ -connect :993

For testing on a mail server supporting both non-encrypted and encrypted (TLS) connections using STARTTLS method:

openssl s_client -CApath /etc/ssl/certs/ -starttls smtp -connect :25

There should be stated quite at end of command output:

    Verify return code: 0 (ok)

before an eventual greeting message of the server.

A bit above, you can check the certificate chain completeness:

Certificate chain
 0 s:/description=3UwjnK9kRZ2wUo8e/C=CH/CN=domain1.ownspace.ch/emailAddress=hostmaster@ownspace.ch
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---

The last i(ssuer) is the root cert that most client will trust.

Create Private Key, Certificate Request and (optionally) self-signed cert using OpenSSL

info@cyberbyte.ch (Mike Rhyner) — Mon, 11 Feb 2013 19:00:06 GMT

First, set the common name (CN, ~FQDN) for the certificate:

CN=host.domain.tld

Change to the directory where you would like to store the data relevant for certificates, e.g.:

cd /etc/ssl

Then create a private key:

openssl genrsa -out private/${CN}.key 2048

Generate the signing Request, either:
a) interactively, you'll have to answer some questions...:

openssl req -new -key private/${CN}.key -out ${CN}.csr

b) using a customized openssl config file:

openssl req -new -config ${CN}-openssl.cnf -key private/${CN}.key -out ${CN}.csr

Now you may either:
a) send the certificate request to an (official or internal) Certificate Authority to sign the Certificate

b) for testing purposes only, you can also self-sign the certificate:

openssl x509 -req -days 1825 -in ${CN}.csr -signkey private/${CN}.key -out certs/${CN}.crt

When you have received signed (or self-signed) certificate, you can copy all the files to the appropriate location.

Probably you have to create a combined pkcs#12 (.p12, .pfx) file, containing private key and certificates:

openssl pkcs12 -export -in ${CN}.crt -certfile cafile.pem -inkey ${CN}.key -out ${CN}.pfx

(where cafile.pem is the ca certificate bundle of issuing certificate authority)

Clear the shell variable for the Common Name:

CN=

Simple SSL Certificate Authority

info@cyberbyte.ch (Mike Rhyner) — Sun, 21 Mar 2004 23:00:00 GMT

Sometimes, you need some SSL certificates for providing SSL encrypted pages.

You can obtain a server certificate from Verisign or Entrust but they're quite expensive.

Or you can make them yourself. Here are some tools to get there. I won't provide information about cryptology at all, neither you will find a professional PKI solution here.

Creating your "own CA" makes only sense for sites where encryption should be in place, without providing official trusted credentials. Every user connecting to your secured site get a warning message every time he connects to your site, until he manually accept your CA Certificate.

First you need OpenSSL, the code which deals with digital certificates.
For information on the command options of the OpenSSL tools look at the OpenSSL Documentation (from openssl.org)
Then get the SSL CA-Tools 0.2 (SSL CA-Tools 0.2). This is a version slightly modified so you can also renew certificates easily.
If you do prefer to use the original version, you can find it here: SSL CA-Tools)

The SSL CA-Tools are easy to use scripts which query the necessary information in a dialog and execute the appropriate openssl commands. Untar it somewhere, e.g. under your openssl directory, look at the README, and create a self-signed CA certificate, user- and server certificates and finally sign them with your CA key.