SSL

From Dave-Wiki
Revision as of 17:37, 21 January 2025 by Dave (talk | contribs)

Summary

SSL (Secure Sockets Layer) is a cryptographic protocol designed to provide secure communication over a computer network. It ensures the confidentiality, integrity, and authentication of data transferred between a client (e.g., web browser) and a server (e.g., website). SSL is commonly used in securing HTTP traffic, resulting in HTTPS (Hypertext Transfer Protocol Secure).

Though SSL is still commonly referred to, TLS (Transport Layer Security) is the modern version of SSL. TLS evolved from SSL and is considered more secure, but the term SSL is still widely used.

OpenSSL

Common Tasks

Generate a CSR (secp384r1) and Private Key (ecdsa-with-SHA256)

Make a file called ssl-ecdsa.conf. Here's an example: 

[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name (full name)
localityName                    = Locality Name (eg, city)
organizationName                = Organization Name (eg, company)
commonName                      = Common Name (e.g. server FQDN or YOUR name)

countryName_default             = US
stateOrProvinceName_default     = Florida
localityName_default            = Tallahassee
organizationName_default        = LambNet
organizationalUnitName_default  = DaveNet
commonName_default              = davenet.lambnet.us

[ req_ext ]
basicConstraints    = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
extendedKeyUsage    = serverAuth
tlsfeature          = status_request
subjectAltName      = @alt_names

[alt_names]
# When using SANs, you must repeat the Common Name as a SAN
DNS.1   = davenet.lambnet.us

Then run: 

openssl req -newkey ec:<(openssl ecparam -name secp384r1) -nodes -keyout server.key -out server.csr -config ssl-ecdsa.conf

Verify CSR

openssl req -noout -text -in server.csr

Show Certificate Details (Exp date, etc.)

openssl x509 -noout -text -in server.cer

LetsEncrypt/Certbot

Latest instructions at https://certbot.eff.org/

Common Tasks

Get initial cert

Assumes your web server is nginx. 

sudo /usr/local/bin/certbot-auto -d {FQDN} --nginx

Renew all domains that have been created via above

Remove --dry-run to execute for realsies. 

sudo /usr/local/bin/certbot-auto renew --dry-run

Configure cron to auto-renew

This will add an entry to /etc/crontab 

echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew -q" | sudo tee -a /etc/crontab > /dev/null

EasyRSA

If you're hosting your own CA (Certificate Authority), this section could come in handy.

Common Tasks

Build a new CA

mkdir ~/easy-rsa

cd easy-rsa

./easyrsa init-pki

EC

./easyrsa --use-algo=ec --use-curve=secp384r1 build-ca nopass

RSA

./easyrsa build-ca nopass

EasyRSA Import CSR

./easyrsa import-req /scratch/cert_mgmt-2023.csr cert_mgmt-2023

EasyRSA Sign CSR

./easyrsa --days=365 sign-req server cert_mgmt-2023

Convert x509 Certificate and Private Key to PKCS12 .pfx

openssl pkcs12 -export -in ca.crt -inkey private/ca.key -out ca.pfx

Convert x509 Certificate and Private Key to PKCS12 .p12

openssl pkcs12 -export -in ca.crt -inkey private/ca.key -out ca.p12

Convert PKCS12 to x509 Certificate and Private Key

openssl pkcs12 -in cert.p12 -out cert.crt -clcerts -nokeys

openssl pkcs12 -in cert.p12 -out private.key -nocerts -nodes

EasyRSA Create a CA with EC Private Key

./easyrsa --use-algo=ec build-ca nopass
Retrieved from "https://davehome.net/wiki/index.php?title=SSL&oldid=390"