@herpiko
Last active January 2, 2020 16:18
💻 🔨 :neckbeard: PKI

Creating a self-signed certificate

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out cert.pem

Viewing the contents of a certificate

openssl x509 -in cert.pem -text

PEM and DER

openssl x509 -outform der -in cert.pem -out cert.der

openssl x509 -inform der -in cert.der -out cert.pem

Encrypt (PKCS7 EnvelopedData)

openssl smime -encrypt -in hai.txt -outform pem -out encrypted.p7 cert.pem

Decrypt (PKCS7 EnvelopedData)

openssl smime -decrypt -inform pem -in encrypted.p7 -inkey key.pem

Sign (PKCS7 SignedData)

openssl smime -sign -nodetach -in hai.txt -out signed.p7 -outform pem -inkey key.pem -signer cert.pem

Verify (PKCS7 SignedData)

openssl smime -verify -in signed.p7 -inform pem -noverify

Verifying a certificate against a CA

openssl verify -CAfile cacert.pem builder.pem

openssl verify -CAfile cacert.pem taskinit.pem

openssl verify -CAfile lets-encrypt-x3-cross-signed.pem panduanblankonlinuxorid.cert

Certificate Authority

Preparing the Root CA

  • mkdir /tmp/ca
  • cd /tmp/ca
  • mkdir certs crl newcerts private
  • touch index.txt
  • echo 1000 > serial
  • Download the configuration file for the root CA: wget https://gist.githubusercontent.com/herpiko/e949a99864014759cb29e9d42aa15301/raw/a5d7365860d4cc8a400faad5d1da8c172a78e5e6/openssl.cnf. Place this file at /tmp/ca/openssl.cnf

Creating the Root CA certificate

  • cd /tmp/ca
  • Generate the key pair: openssl genrsa -aes256 -out private/ca.key.pem 4096
  • Create the certificate from the key pair: openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
  • Inspect it: openssl x509 -noout -text -in certs/ca.cert.pem

Preparing the intermediate CA

  • mkdir /tmp/ca/intermediate
  • cd /tmp/ca/intermediate
  • mkdir certs crl csr newcerts private
  • touch index.txt
  • echo 1000 > serial
  • Download the configuration file for the intermediate CA: wget https://gist.githubusercontent.com/herpiko/8064026087a87ed0a26fa26796d3059f/raw/c306ae6e985287ee9d1b37ef781c435dea562bf2/openssl.cnf. Place this file at /tmp/ca/intermediate/openssl.cnf

Creating the intermediate CA

  • cd /tmp/ca
  • Generate the key pair: openssl genrsa -aes256 -out intermediate/private/intermediate.key.pem 4096
  • Create the CSR: openssl req -config intermediate/openssl.cnf -new -sha256 -key intermediate/private/intermediate.key.pem -out intermediate/csr/intermediate.csr.pem
  • Sign the CSR with the Root CA: openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem
  • Inspect it: openssl x509 -noout -text -in intermediate/certs/intermediate.cert.pem

Creating the certificate chain

  • cd /tmp/ca
  • cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem

Creating a certificate for klas.or.id 🐧

  • cd /tmp/ca
  • Generate the key pair: openssl genrsa -aes256 -out intermediate/private/klas.or.id.key.pem 2048
  • Create the CSR: openssl req -config intermediate/openssl.cnf -key intermediate/private/klas.or.id.key.pem -new -sha256 -out intermediate/csr/klas.or.id.csr.pem
  • Sign it with the intermediate CA: openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/klas.or.id.csr.pem -out intermediate/certs/klas.or.id.cert.pem
  • Inspect it: openssl x509 -noout -text -in intermediate/certs/klas.or.id.cert.pem

Creating a certificate for ntb.linux.or.id 🐧

  • cd /tmp/ca
  • Generate the key pair: openssl genrsa -aes256 -out intermediate/private/ntb.linux.or.id.key.pem 2048
  • Create the CSR: openssl req -config intermediate/openssl.cnf -key intermediate/private/ntb.linux.or.id.key.pem -new -sha256 -out intermediate/csr/ntb.linux.or.id.csr.pem
  • Sign it with the intermediate CA: openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/ntb.linux.or.id.csr.pem -out intermediate/certs/ntb.linux.or.id.cert.pem
  • Inspect it: openssl x509 -noout -text -in intermediate/certs/ntb.linux.or.id.cert.pem

Deployment requirements for HTTPS 🚀

  • Certificate chain
  • Certificate
  • Private key

Certificate Revocation List

  • cd /tmp/ca
  • Preparation: echo 1000 > /tmp/ca/intermediate/crlnumber
  • Generate the CRL: openssl ca -config intermediate/openssl.cnf -gencrl -out intermediate/crl/intermediate.crl.pem
  • Inspect the generated CRL: openssl crl -in intermediate/crl/intermediate.crl.pem -noout -text
  • Revoke Kaipang's certificate 😟: openssl ca -config intermediate/openssl.cnf -revoke intermediate/certs/ntb.linux.or.id.cert.pem
  • Regenerate the CRL: openssl ca -config intermediate/openssl.cnf -gencrl -out intermediate/crl/intermediate.crl.pem
  • Inspect the generated CRL again 🔥: openssl crl -in intermediate/crl/intermediate.crl.pem -noout -text

Verifying against the CA and the CRL

  • cd /tmp/ca
  • cp intermediate/certs/ca-chain.cert.pem intermediate/certs/verify-chain.cert.pem
  • Append the CRL to the certificate chain for verification purposes: cat intermediate/crl/intermediate.crl.pem >> intermediate/certs/verify-chain.cert.pem
  • Verify the certificate against the CA and the CRL at once: openssl verify -crl_check -CAfile intermediate/certs/verify-chain.cert.pem intermediate/certs/ntb.linux.or.id.cert.pem
  • The error message error 23 at 0 depth lookup:certificate revoked indicates that the ntb.linux.or.id certificate has been revoked.
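The CA procedure above (root CA, leaf certificate, CRL, verification) condensed into one self-contained shell function, as an added example and not the gist's own commands. It substitutes a minimal inline openssl.cnf for the downloaded ones and an unencrypted CA key so it runs non-interactively; the names Demo Root CA and leaf.example.test are constructed, and the openssl CLI must be installed.

```shell
# Added example, not part of the gist: a throwaway root CA in a temp directory
# that issues one leaf certificate, verifies it, revokes it, and shows the CRL
# check failing. Needs the openssl CLI; all names and paths are constructed.
set -eu

# Echoes "valid-then-revoked" when the leaf verifies against the CA before
# revocation and is rejected with "certificate revoked" afterwards.
crl_demo() (
  cd "$(mktemp -d)"
  mkdir newcerts; touch index.txt; echo 1000 > serial; echo 1000 > crlnumber
  # Minimal config for openssl req/ca (the gist downloads a fuller openssl.cnf)
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
database           = index.txt
new_certs_dir      = newcerts
serial             = serial
crlnumber          = crlnumber
default_md         = sha256
default_days       = 30
default_crl_days   = 7
policy             = policy_any
[ policy_any ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName         = Common Name
[ v3_ca ]
basicConstraints   = critical, CA:true
keyUsage           = critical, keyCertSign, cRLSign
[ server_cert ]
basicConstraints   = CA:false
EOF
  # Root CA key and certificate (unencrypted key so the demo is non-interactive)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
    -extensions v3_ca -subj "/CN=Demo Root CA" -keyout ca.key.pem -out ca.cert.pem 2>/dev/null
  # Leaf CSR, signed the way the gist signs klas.or.id / ntb.linux.or.id
  openssl req -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=leaf.example.test" \
    -keyout leaf.key.pem -out leaf.csr.pem 2>/dev/null
  openssl ca -config ca.cnf -batch -cert ca.cert.pem -keyfile ca.key.pem \
    -extensions server_cert -notext -in leaf.csr.pem -out leaf.cert.pem 2>/dev/null
  openssl verify -CAfile ca.cert.pem leaf.cert.pem >/dev/null || exit 1
  # Revoke, regenerate the CRL, append it to the CA file, verify with -crl_check
  openssl ca -config ca.cnf -cert ca.cert.pem -keyfile ca.key.pem -revoke leaf.cert.pem 2>/dev/null
  openssl ca -config ca.cnf -cert ca.cert.pem -keyfile ca.key.pem -gencrl -out crl.pem 2>/dev/null
  cat ca.cert.pem crl.pem > verify-chain.pem
  openssl verify -crl_check -CAfile verify-chain.pem leaf.cert.pem 2>&1 \
    | grep -q "certificate revoked" && echo valid-then-revoked
)
```

Without -crl_check the second verify would still report OK even with the CRL present in the file, which is the point of the gist's last step.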

Reference

herpiko commented Dec 8, 2019

Create P12 with OpenSSL

openssl pkcs12 -export -out cert.p12 -inkey key.pem -in cert.pem
