Latest revision as of 04:11, 22 January 2025

Summary

SSL (Secure Sockets Layer) is a cryptographic protocol designed to provide secure communication over a computer network. It ensures the confidentiality, integrity, and authentication of data transferred between a client (e.g., web browser) and a server (e.g., website). SSL is commonly used in securing HTTP traffic, resulting in HTTPS (Hypertext Transfer Protocol Secure).

Though SSL is still commonly referred to, TLS (Transport Layer Security) is the modern version of SSL. TLS evolved from SSL and is considered more secure, but the term SSL is still widely used.

OpenSSL

Common Tasks

Generate a CSR (secp384r1) and Private Key (ecdsa-with-SHA256)

Make a file called ssl-csr.conf. Here's an example:

[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name (full name)
localityName                    = Locality Name (eg, city)
organizationName                = Organization Name (eg, company)
commonName                      = Common Name (e.g. server FQDN or YOUR name)

countryName_default             = US
stateOrProvinceName_default     = Florida
localityName_default            = Tallahassee
organizationName_default        = LambNet
organizationalUnitName_default  = DaveNet
commonName_default              = davenet.lambnet.us

[ req_ext ]
basicConstraints    = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
extendedKeyUsage    = serverAuth
tlsfeature          = status_request
subjectAltName      = @alt_names

[alt_names]
# When using SANs, you must repeat the Common Name as a SAN
DNS.1   = davenet.lambnet.us

Then run:

openssl req -newkey ec:<(openssl ecparam -name secp384r1) -nodes -keyout server.key -out server.csr -config ssl-csr.conf

OR, if you must do RSA:

openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr -config ssl-csr.conf

Verify CSR

openssl req -noout -text -in server.csr

Show Certificate Details (Exp date, etc.)

openssl x509 -noout -text -in server.cer

LetsEncrypt/Certbot

Latest instructions at https://certbot.eff.org/

Common Tasks

Get initial cert

Assumes your web server is nginx.

sudo /usr/local/bin/certbot-auto -d {FQDN} --nginx

Renew all domains that have been created via above

Remove --dry-run to execute for realsies.

sudo /usr/local/bin/certbot-auto renew --dry-run

Configure cron to auto-renew

This will add an entry to /etc/crontab

echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew -q" | sudo tee -a /etc/crontab > /dev/null

EasyRSA

EasyRSA is a command-line utility used for managing a Public Key Infrastructure (PKI) to create, sign, and manage SSL/TLS certificates.

EasyRSA simplifies the process of generating Certificate Authority (CA) certificates, server certificates, client certificates, and revoking certificates, making it easier for users to manage their own PKI without needing to deal with complex configuration files and commands.

A Certificate Authority (CA) is a trusted organization or entity that issues digital certificates used to establish the identity of entities (such as individuals, websites, or devices) and to facilitate secure communication over networks. CAs play a key role in a Public Key Infrastructure (PKI) by verifying the identity of certificate holders and ensuring the integrity and authenticity of digital certificates.

If you're interested in hosting your own CA, this section could come in handy.

Common Tasks

Build a new CA

mkdir ~/easy-rsa

cd easy-rsa

./easyrsa init-pki

EC

./easyrsa --use-algo=ec --use-curve=secp384r1 build-ca nopass

RSA

./easyrsa build-ca nopass

EasyRSA Import CSR

./easyrsa import-req /scratch/cert_mgmt-2023.csr cert_mgmt-2023

EasyRSA Sign CSR

./easyrsa --days=365 sign-req server cert_mgmt-2023

Convert x509 Certificate and Private Key to PKCS12 .pfx

openssl pkcs12 -export -in ca.crt -inkey private/ca.key -out ca.pfx

Convert x509 Certificate and Private Key to PKCS12 .p12

openssl pkcs12 -export -in ca.crt -inkey private/ca.key -out ca.p12

Convert PKCS12 to x509 Certificate and Private Key

openssl pkcs12 -in cert.p12 -out cert.crt -clcerts -nokeys

openssl pkcs12 -in cert.p12 -out private.key -nocerts -nodes

EasyRSA Create a CA with EC Private Key

./easyrsa --use-algo=ec build-ca nopass

@@ Line 5: / Line 5: @@
 Though SSL is still commonly referred to, TLS (Transport Layer Security) is the modern version of SSL. TLS evolved from SSL and is considered more secure, but the term SSL is still widely used.
-==OpenSSL==
+=OpenSSL=
+==Common Tasks==
 ===Generate a CSR (secp384r1) and Private Key (ecdsa-with-SHA256)===
-Make a file called <code>ssl-ecdsa.conf</code>. Here's an example:
+Make a file called <code>ssl-csr.conf</code>. Here's an example:
   [ req ]
@@ Line 42: / Line 44: @@
 Then run:
-  openssl req -newkey ec:<(openssl ecparam -name secp384r1) -nodes -keyout server.key -out server.csr -config ssl-ecdsa.conf
+  openssl req -newkey ec:<(openssl ecparam -name secp384r1) -nodes -keyout server.key -out server.csr -config ssl-csr.conf
+OR, if you must do RSA:
+ openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr -config ssl-csr.conf
 ===Verify CSR===
-  openssl req -noout -text -in server.req
+  openssl req -noout -text -in server.csr
 ===Show Certificate Details (Exp date, etc.)===
   openssl x509 -noout -text -in server.cer
+=LetsEncrypt/Certbot=
+Latest instructions at https://certbot.eff.org/
+==Common Tasks==
+===Get initial cert===
+''Assumes your web server is nginx.''
+ sudo /usr/local/bin/certbot-auto -d {FQDN} --nginx
+===Renew all domains that have been created via above===
+''Remove <code>--dry-run</code> to execute for realsies.''
+ sudo /usr/local/bin/certbot-auto renew --dry-run
+===Configure cron to auto-renew===
+This will add an entry to <code>/etc/crontab</code>
+ echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew -q" | sudo tee -a /etc/crontab > /dev/null
+=EasyRSA=
+EasyRSA is a command-line utility used for managing a Public Key Infrastructure (PKI) to create, sign, and manage SSL/TLS certificates.
+EasyRSA simplifies the process of generating Certificate Authority (CA) certificates, server certificates, client certificates, and revoking certificates, making it easier for users to manage their own PKI without needing to deal with complex configuration files and commands.
+A Certificate Authority (CA) is a trusted organization or entity that issues digital certificates used to establish the identity of entities (such as individuals, websites, or devices) and to facilitate secure communication over networks. CAs play a key role in a Public Key Infrastructure (PKI) by verifying the identity of certificate holders and ensuring the integrity and authenticity of digital certificates.
+If you're interested in hosting your own CA, this section could come in handy.
+==Common Tasks==
+===Build a new CA===
+ mkdir ~/easy-rsa
+ cd easy-rsa
+ ./easyrsa init-pki
+====EC====
+ ./easyrsa --use-algo=ec --use-curve=secp384r1 build-ca nopass
+====RSA====
+ ./easyrsa build-ca nopass
+===EasyRSA Import CSR===
+ ./easyrsa import-req /scratch/cert_mgmt-2023.csr cert_mgmt-2023
+===EasyRSA Sign CSR===
+ ./easyrsa --days=365 sign-req server cert_mgmt-2023
+===Convert x509 Certificate and Private Key to PKCS12 .pfx===
+ openssl pkcs12 -export -in ca.crt -inkey private/ca.key -out ca.pfx
+===Convert x509 Certificate and Private Key to PKCS12 .p12===
+ openssl pkcs12 -export -in ca.crt -inkey private/ca.key -out ca.p12
+===Convert PKCS12 to x509 Certificate and Private Key===
+ openssl pkcs12 -in cert.p12 -out cert.crt -clcerts -nokeys
+ openssl pkcs12 -in cert.p12 -out private.key -nocerts -nodes
+===EasyRSA Create a CA with EC Private Key===
+ ./easyrsa --use-algo=ec build-ca nopass