-
-
Save cecil/9665237 to your computer and use it in GitHub Desktop.
| function opensslinfo { | |
| # openssl x509 -text -in $i -issuer -subject -dates | |
| FILENAME="$1" | |
| echo openssl x509 -noout -in ${FILENAME} -issuer -subject -dates -serial | |
| echo ${FILENAME} is valid for the following: | |
| openssl x509 -noout -in ${FILENAME} -issuer -subject -dates -serial | |
| } | |
| function opensslsiteinfo-serial { | |
| SITENAME="$1" | |
| echo "assuming port 443" | |
| echo "echo -n | openssl s_client -connect "${SITENAME}":443 2>&1|openssl x509 -noout -serial" | |
| echo -n | openssl s_client -connect ${SITENAME}:443 2>&1|openssl x509 -noout -serial | |
| } | |
| function opensslinfo-full { | |
| # openssl x509 -text -in $i -issuer -subject -dates | |
| FILENAME="$1" | |
| echo openssl x509 -text -in ${FILENAME} -issuer -subject -dates -serial | |
| openssl x509 -text -in ${FILENAME} -noout -issuer -subject -dates -serial | |
| } | |
| function opensslsiteinfo-full { | |
| SITENAME="$1" | |
| echo "assuming port 443" | |
| echo "echo -n | openssl s_client -connect "${SITENAME}":443 2>&1|openssl x509 -noout -serial" | |
| echo -n | openssl s_client -connect ${SITENAME}:443 2>&1|openssl x509 -noout -issuer -subject -dates -serial | |
| } | |
| function opensslpfxtopem { | |
| # openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes | |
| FILENAME="$1" | |
| MYCERT=${FILENAME%.*} | |
| echo openssl pkcs12 -in ${FILENAME} -out ${MYCERT}.pem -nodes | |
| openssl pkcs12 -in ${FILENAME} -out ${MYCERT}.pem -nodes | |
| } |
note : All of the ssh host key tutorials I've seen say to use -n to set the hostname associated with the key but it appears to be -Z on Centos 6.5. Not sure if the flags are different on Cent or if they've changed since the docs were written... or I'm doing something completely wrong.
- https://blog.habets.se/2011/07/OpenSSH-certificates
- https://ef.gy/hardening-ssh
- https://ef.gy/public-keys
- http://www.lorier.net/docs/ssh-ca
- http://blog.hintcafe.com/post/79631156123/ssh-host-identification-and-verification
- https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu
-o option
Can be used to give options in the format used in the
configuration file. This is useful for specifying options for
which there is no separate command-line flag. For full details
of the options listed below, and their possible values, see
ssh_config(5).
-q Quiet mode. Causes all warning and diagnostic messages to be suppressed.
-B -oBatchMode If set to ``yes'', passphrase/password querying will be disabled.
-oConnectTimeout=3
-oPasswordAuthentication=no
disable ssh host key checking DON'T DO THIS :
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no user@server1.example.com
ssh -o UserKnownHostsFile=/dev/null,StrictHostKeyChecking=no user@server1.example.com
- openssl cheat sheet
-
verify a private key matches a certificate
-
http://rackerhacker.com/2007/09/14/check-the-modulus-of-an-ssl-certificate-and-key-with-openssl/
-
https://kb.wisc.edu/middleware/page.php?id=4064
openssl s_client -connect
${TARGETHOST}:443 openssl x509 -noout -modulus -in $ {TARGETHOST}.crt3.pem
-
-
openssl s_client -connect {HOSTNAME}:{PORT} -showcerts
-
A quick method to get the certificate pulled and downloaded would be to run the following command which pipes the output from the -showcerts to the x509 ssl command which just strips everything extraneous off. For example:
openssl s_client -showcerts -connect ${HOSTNAME}:${PORT} </dev/null 2>/dev/null|openssl x509 -outform PEM >
${HOSTNAME}.{PORT}.pem echo -n | openssl s_client -connect $ {HOSTNAME}:${PORT} | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./${HOSTNAME}.cert openssl x509 -noout -modulus -in ${HOSTNAME}.cert | openssl md5
UDATE=`date +%s`
function saydate {
DATESUFFIX=`date +%s`
echo ${DATESUFFIX}
}
function datebak {
#cp $i $i.txt.`date --rfc-3339=date`.bak
# user@server:~$ touch foob ; cpbak foob ; ls foob*
# foob foob.2012-02-23.bak
FILENAME="$1"
cp "${FILENAME}" "${FILENAME}".`date --rfc-3339=date`.bak
}