@gipi
Last active April 28, 2016 19:11
#rsa #certificate

Create a new key and certificate request

$ openssl req -new -newkey rsa:2048 -keyout example.com -nodes -out example.com.csr

or create a certificate request with a given key

$ openssl req -new -key example.com -out example.com.csr

finally self sign the certificate

$ openssl x509 -req -days 365 -in example.com.csr -signkey example.com -out example.com.crt

Visualize info about cert

$ openssl x509 -in /tmp/certificate-117692.crt -text -noout

Convert DER -> PEM

$ openssl x509 -inform DER -in cert.crt -outform PEM -out cert.pem

The protocol used by the Let's Encrypt client is ACME (Automatic Certificate Management Environment).

# git clone https://github.com/letsencrypt/letsencrypt && cd letsencrypt
# ./letsencrypt-auto
[... installing packages...]
Creating virtual environment...
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt
No installers seem to be present and working on your system; fix that or try running letsencrypt with the "certonly" command
# ./letsencrypt-auto  --webroot-path /etc/letsencrypt/webrootauth --domain ohr.lol  -a webroot certonly

From this post we stole the configuration for nginx (to place in /etc/nginx/snippets/letsencryptauth.conf)

        location /.well-known/acme-challenge {
           alias /etc/letsencrypt/webrootauth/.well-known/acme-challenge;
           location ~ /.well-known/acme-challenge/(.*) {
                add_header Content-Type application/jose+json;
           }
        }

and then use it in the appropriate server block of the default site (not tested yet)

        server {
            include snippets/letsencryptauth.conf;
        }

Finally we have to create the authentication directory

# mkdir /etc/letsencrypt/webrootauth

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ohr.lol/fullchain.pem. Your cert will expire
   on 2016-03-03. To obtain a new version of the certificate in the
   future, simply run Let's Encrypt again.
 - If like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The installer letsencrypt-auto creates a virtualenv in $HOME/.local/share/letsencrypt and uses it automatically; if you want to run letsencrypt directly, you have to activate the virtualenv first.

# letsencrypt --help

  letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates.  By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  revoke               Revoke a previously obtained certificate
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation

Choice of server plugins for obtaining and installing cert:

  --apache          Use the Apache plugin for authentication & installation
  --standalone      Run a standalone webserver for authentication
  (nginx support is experimental, buggy, and not installed by default)

OR use different servers to obtain (authenticate) the cert and then install it:

  --authenticator standalone --installer apache

More detailed help:

  -h, --help [topic]    print this message, or detailed help on a topic;
                        the available topics are:

   all, automation, paths, security, testing, or any of the subcommands or
   plugins (certonly, install, nginx, apache, standalone, etc)


# letsencrypt -d ktln2.org -d www.ktln2.org --server https://acme-v01.api.letsencrypt.org/directory -a manual certonly
Make sure your web server displays the following content at
http://ktln2.org/.well-known/acme-challenge/FrGYdLamAysik1k84aoKNRgTrZxBkRHXLu6x3j6Y0es before continuing:

FrGYdLamAysik1k84aoKNRgTrZxBkRHXLu6x3j6Y0es.1VOzyvVEKwc29CjUYaMj1DS3WDyU3WN3UtQyJEF-vWA

Content-Type header MUST be set to text/plain.

If you don't have HTTP server configured, you can run the following
command on the target server (as root):

mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
cd /tmp/letsencrypt/public_html
printf "%s" FrGYdLamAysik1k84aoKNRgTrZxBkRHXLu6x3j6Y0es.1VOzyvVEKwc29CjUYaMj1DS3WDyU3WN3UtQyJEF-vWA > .well-known/acme-challenge/FrGYdLamAysik1k84aoKNRgTrZxBkRHXLu6x3j6Y0es
# run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
SimpleHTTPServer.SimpleHTTPRequestHandler.extensions_map = {'': 'text/plain'}; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()" 
Press ENTER to continue
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ktln2.org/fullchain.pem. Your cert will
   expire on 2016-02-02. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
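
In the manual run above, the file body is the token, a dot, and a second value; in ACME that second value is the RFC 7638 thumbprint of the account key. The following is an added example (not part of the gist or of the letsencrypt client) that checks a challenge file before ENTER is pressed; the names check_challenge, jwk_thumbprint and SAMPLE_JWK are assumptions, and the sample key is constructed.

```python
import base64, hashlib, json, re

PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")      # base64url alphabet only

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an RSA JWK: SHA-256 over the required members
    only, sorted by name and serialized without whitespace."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def check_challenge(url_path: str, body: bytes, account_jwk: dict) -> list:
    """Return a list of problems; an empty list means the body is exactly
    token.thumbprint for this account key."""
    problems = []
    token = url_path[len(PREFIX):] if url_path.startswith(PREFIX) else ""
    if not TOKEN_RE.fullmatch(token):
        # Anything outside the base64url alphabet (e.g. "../") must never
        # be turned into a file name under the webroot.
        problems.append("token missing or not base64url; do not use it as a file name")
    expected = (token + "." + jwk_thumbprint(account_jwk)).encode("utf-8")
    if body == expected:
        return problems
    if body.rstrip() == expected:
        # Strict check: the output above writes the file with printf "%s",
        # i.e. without a trailing newline.
        problems.append("trailing whitespace after the key authorization")
    else:
        problems.append("body is not token.thumbprint for this account key")
    return problems

# Constructed account key (toy modulus), not a key from the page.
SAMPLE_JWK = {"kty": "RSA", "n": "DKE", "e": "AQAB"}

if __name__ == "__main__":
    token = "FrGYdLamAysik1k84aoKNRgTrZxBkRHXLu6x3j6Y0es"   # token shown above
    body = (token + "." + jwk_thumbprint(SAMPLE_JWK)).encode() + b"\n"
    print(check_challenge(PREFIX + token, body, SAMPLE_JWK))
```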

extract info from pubkey

$ openssl rsa -noout -text -inform PEM -in /tmp/pubkey.pem -pubin
Public-Key: (576 bit)
Modulus:
    00:c2:cb:b2:4f:db:f9:23:b6:12:68:e3:f1:1a:38:
    96:de:45:74:b3:ba:58:73:0c:bd:65:29:38:86:4e:
    22:23:ee:eb:70:4a:17:cf:d0:8d:16:b4:68:91:a6:
    14:74:75:99:39:c6:e4:9a:af:e7:f2:59:55:48:c7:
    4c:1d:7f:b8:d2:4c:d1:5c:b2:3b:4c:d0:a3
Exponent: 65537 (0x10001)

and to only obtain the modulus

$ openssl rsa -in pub.pem -pubin -text -modulus -noout

SSH

OpenSSH uses a proprietary key format, but you can use the following to parse its internal representation:

$ ssh-keygen -e -m PEM | openssl asn1parse
Enter file in which the key is (/Users/gianluca/.ssh/id_rsa): 
0:d=0  hl=4 l= 266 cons: SEQUENCE          
4:d=1  hl=4 l= 257 prim: INTEGER           :B6AD754D1F73B74FDF98C71E76D84AD4432ADD16E279137D9E83D56A03E37251C21DEA0A3D0E5A6317AA0D39EFCD5F70FD100D934ADD5C9ED72287EFDD9964B1FFE08CC8ED72BE7AF9847151B862460F29CAA1F8833C7FD20B8D3673DBE781B4504860694F727F6D8BCD3AF44C2EF7BA5A63E1A7E22382B9CCD78E7056EFCAAD2712B433E0B5E4A030800408EBC2AB7F0EF8AC5F30447BCE0EB3FFF5ACBE2395CB300348966B299EC5DE462BAE2B2609E5DB325FEDCE9BEA2FA5E2017CAFF14F3E6AFC622DBFE93424E070BC4C4A961AE3266EAAB82DD0637AA254115CA69A94138983C7DB4F923A817C8E4B23D17157CDDD4D0A59281DD1460B1AF874D83E93
265:d=1  hl=2 l=   3 prim: INTEGER           :010001

PEM

PEM is a text format that contains a certificate encoded using Base64; asn1parse decodes it and prints the underlying ASN.1 structure:

$ openssl asn1parse -in cert.pem
    0:d=0  hl=4 l=1107 cons: SEQUENCE          
4:d=1  hl=4 l= 827 cons: SEQUENCE          
8:d=2  hl=2 l=   3 cons: cont [ 0 ]        
10:d=3  hl=2 l=   1 prim: INTEGER           :02
13:d=2  hl=2 l=   3 prim: INTEGER           :106270
18:d=2  hl=2 l=  13 cons: SEQUENCE          
20:d=3  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
31:d=3  hl=2 l=   0 prim: NULL              
33:d=2  hl=2 l= 109 cons: SEQUENCE          
35:d=3  hl=2 l=  11 cons: SET               
37:d=4  hl=2 l=   9 cons: SEQUENCE          
39:d=5  hl=2 l=   3 prim: OBJECT            :countryName
44:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :IT
48:d=3  hl=2 l=  30 cons: SET               
50:d=4  hl=2 l=  28 cons: SEQUENCE          
52:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
57:d=5  hl=2 l=  21 prim: PRINTABLESTRING   :Agenzia AUAUA
80:d=3  hl=2 l=  27 cons: SET               
82:d=4  hl=2 l=  25 cons: SEQUENCE          
84:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
89:d=5  hl=2 l=  18 prim: PRINTABLESTRING   :Servizi Telematici
109:d=3  hl=2 l=  33 cons: SET               
111:d=4  hl=2 l=  31 cons: SEQUENCE          
113:d=5  hl=2 l=   3 prim: OBJECT            :commonName
118:d=5  hl=2 l=  24 prim: PRINTABLESTRING   :CA pinco pallo
144:d=2  hl=2 l=  30 cons: SEQUENCE          
146:d=3  hl=2 l=  13 prim: UTCTIME           :110531112758Z
161:d=3  hl=2 l=  13 prim: UTCTIME           :210531112611Z
176:d=2  hl=2 l= 109 cons: SEQUENCE          
178:d=3  hl=2 l=  11 cons: SET               
180:d=4  hl=2 l=   9 cons: SEQUENCE          
182:d=5  hl=2 l=   3 prim: OBJECT            :countryName
187:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :IT
191:d=3  hl=2 l=  30 cons: SET               
193:d=4  hl=2 l=  28 cons: SEQUENCE          
195:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
200:d=5  hl=2 l=  21 prim: PRINTABLESTRING   :Agenzia fuffational
223:d=3  hl=2 l=  27 cons: SET               
225:d=4  hl=2 l=  25 cons: SEQUENCE          
227:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
232:d=5  hl=2 l=  18 prim: PRINTABLESTRING   :Servizi Telematici
252:d=3  hl=2 l=  33 cons: SET               
254:d=4  hl=2 l=  31 cons: SEQUENCE          
256:d=5  hl=2 l=   3 prim: OBJECT            :commonName
261:d=5  hl=2 l=  24 prim: PRINTABLESTRING   :CA AUAUA
287:d=2  hl=4 l= 290 cons: SEQUENCE          
291:d=3  hl=2 l=  13 cons: SEQUENCE          
293:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
304:d=4  hl=2 l=   0 prim: NULL              
306:d=3  hl=4 l= 271 prim: BIT STRING        
581:d=2  hl=3 l= 251 cons: cont [ 3 ]        
584:d=3  hl=3 l= 248 cons: SEQUENCE          
587:d=4  hl=2 l=  18 cons: SEQUENCE          
589:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
594:d=5  hl=2 l=   1 prim: BOOLEAN           :255
597:d=5  hl=2 l=   8 prim: OCTET STRING      [HEX DUMP]:30060101FF020103
607:d=4  hl=3 l= 178 cons: SEQUENCE          
610:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 CRL Distribution Points
615:d=5  hl=3 l= 170 prim: OCTET STRING      [HEX DUMP]:3081A73081A4A081A1A0819E86819B6C6461703A2F2F636164732E656E74726174652E66696E616E7A652E69742F636E25336443412532304167656E7A696125323064656C6C65253230456E74726174652C6F7525336453657276697A6925323054656C656D61746963692C6F2533644167656E7A696125323064656C6C65253230456E74726174652C6325336469743F63657274696669636174655265766F636174696F6E4C697374
788:d=4  hl=2 l=  14 cons: SEQUENCE          
790:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
795:d=5  hl=2 l=   1 prim: BOOLEAN           :255
798:d=5  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:03020106
804:d=4  hl=2 l=  29 cons: SEQUENCE          
806:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
811:d=5  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414EA443F1F19E3373EABAA9482A59FEBFC16BA7FB5
835:d=1  hl=2 l=  13 cons: SEQUENCE          
837:d=2  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
848:d=2  hl=2 l=   0 prim: NULL              
850:d=1  hl=4 l= 257 prim: BIT STRING
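
The offset, d, hl and l columns in both asn1parse listings above (the SSH public key and the certificate) are the position, nesting depth, header length and content length of each DER element. The following is an added example, not code from the gist or from OpenSSL: a small DER walker that produces the same columns and extracts the modulus and exponent from the two-INTEGER SEQUENCE shown in the SSH section. The function names and the toy key (n = 3233) are constructed for illustration.

```python
import base64

# Universal tag numbers as named by `openssl asn1parse` (subset seen on this page)
TAGS = {1: "BOOLEAN", 2: "INTEGER", 3: "BIT STRING", 4: "OCTET STRING", 5: "NULL",
        6: "OBJECT", 16: "SEQUENCE", 17: "SET", 19: "PRINTABLESTRING", 23: "UTCTIME"}

def pem_to_der(pem: str) -> bytes:
    """Drop the -----BEGIN/END----- lines and Base64-decode what is left."""
    lines = [l.strip() for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(lines), validate=True)

def walk(der: bytes, pos=0, end=None, depth=0):
    """Yield (offset, depth, hl, l, constructed, name, value) for each TLV."""
    end = len(der) if end is None else end
    while pos < end:
        if pos + 2 > end or der[pos] & 0x1F == 0x1F:
            raise ValueError("truncated header or multi-byte tag at %d" % pos)
        tag, first = der[pos], der[pos + 1]
        hl, length = 2, first                   # short form: one length byte
        if first & 0x80:                        # long form: low 7 bits = number of length bytes
            n = first & 0x7F
            if n == 0 or pos + 2 + n > end:
                raise ValueError("indefinite or truncated length at %d" % pos)
            hl, length = 2 + n, int.from_bytes(der[pos + 2:pos + 2 + n], "big")
        body = pos + hl
        if body + length > end:
            raise ValueError("length at %d runs past its container" % pos)
        num, cons = tag & 0x1F, bool(tag & 0x20)
        # Non-universal classes are shown as cont [ n ]; only context tags occur on this page.
        name = TAGS.get(num, "tag %d" % num) if tag < 0x40 else "cont [ %d ]" % num
        yield pos, depth, hl, length, cons, name, der[body:body + length]
        if cons:                                # constructed: children live inside the value
            yield from walk(der, body, body + length, depth + 1)
        pos = body + length

def rsa_public_key(der: bytes):
    """Return (modulus, exponent) from a PKCS#1 RSAPublicKey: SEQUENCE { INTEGER, INTEGER }."""
    items = list(walk(der))
    if [i[5] for i in items] != ["SEQUENCE", "INTEGER", "INTEGER"]:
        raise ValueError("not an RSAPublicKey")
    return tuple(int.from_bytes(i[6], "big") for i in items[1:])

def dump(der: bytes):
    return ["%5d:d=%d  hl=%d l=%4d %s: %s" % (o, d, hl, l, "cons" if c else "prim", n)
            for o, d, hl, l, c, n, _ in walk(der)]

# Constructed sample: RSAPublicKey with n = 3233, e = 65537
SAMPLE_DER = bytes.fromhex("300902020ca10203010001")
SAMPLE_PEM = "-----BEGIN RSA PUBLIC KEY-----\n%s\n-----END RSA PUBLIC KEY-----\n" % base64.b64encode(SAMPLE_DER).decode()
```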