SSL or TLS?
SSL is a Secure Sockets Layer, now deprecated. Transport Layer Security (TLS) is it’s successor, currently (2022) all SSL and TLS version lower than 1.2 are deprecated. TLS runs in the application level.
TLS session is stateful, client inititaties it and need to pass handshake to establish the session.
todo: mTLS
Cheat sheet
Generate self-signed certificate. -nodes option skips setting password for privatekey, -subj ‘/CN=localhost’ allows to skip prompts:
1
2
3
4
5
6
|
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=localhost'
Generating a RSA private key
..........++++
writing new private key to 'key.pem'
-----
|
Generate PKCS12 format keystore:
- You need to have your certificate and key in pem format. Key and certificate should be combined into single file:
1
|
cat key.pem cert.pem > keycert.pem
|
- Use openssl tool to export certificate as PKCS12 keystore. You will need to provide password for the keystore:
1
|
openssl pkcs12 -export -in keycert.pem -out keystore.pkcs12 -name myAlias -noiter -nomaciter
|
- Check that certificate has been added to the keystore:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
keytool -v -list -keystore keystore.pkcs12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: myalias
Creation date: Feb 21, 2022
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost
Issuer: CN=localhost
|
Check certificate details for PEM certificate:
1
|
openssl x509 -text -in cert.pem
|
Check that private key is for the certificate in question:
- Generate md5 of a modulus for the certificate:
1
|
openssl x509 -noout -modulus -in cert.pem | openssl md5
|
- Generate md5 of a modulus for the key:
1
|
openssl rsa -noout -modulus -in key.pem | openssl md5
|
- Generate md5 of a modulus for the CSR:
1
|
openssl eq –noout –modulus –in <file>.csr | openssl md5
|
Get SSL cert chain (5 certs) from website:
1
|
openssl s_client -showcerts -verify 5 -connect xtenets.com:443 < /dev/null
|
Get SSL cert chain (5 certs) from website, split and save locally:
1
2
3
4
5
6
|
openssl s_client -showcerts -verify 5 -connect xtenets.com:443 < /dev/null |
awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}'
for cert in *.pem; do
newname=$(openssl x509 -noout -subject -in $cert | sed -nE 's/.*CN ?= ?(.*)/\1/; s/[ ,.*]/_/g; s/__/_/g; s/_-_/-/; s/^_//g;p' | tr '[:upper:]' '[:lower:]').pem
echo "${newname}"; mv "${cert}" "${newname}"
done
|
Links: