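# INSTALL OPENSSL
# NOTE(review): 1.1.1g was current when this gist was written (2020); the 1.1.1
# series is no longer maintained upstream. Pick a currently supported release and
# change the version below. If all you need is a recent `openssl` command for
# the `req` step further down, the distribution package is usually enough.
# The default install prefix is /usr/local; on systems whose loader path
# includes /usr/local/lib this can shadow the distribution's libssl for other
# programs, so be aware of that before installing.
OPENSSL_VERSION=1.1.1g
cd /usr/local/src/   # any scratch directory you can write to works as well
wget "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz"
# Verify the tarball before building it: check the published SHA-256 and the
# PGP signature (the latter needs the OpenSSL release-signing key imported).
# Do not build or install a tarball that fails either check.
wget "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz.sha256"
wget "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz.asc"
echo "$(cat "openssl-${OPENSSL_VERSION}.tar.gz.sha256")  openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c -
gpg --verify "openssl-${OPENSSL_VERSION}.tar.gz.asc" "openssl-${OPENSSL_VERSION}.tar.gz"
tar -xf "openssl-${OPENSSL_VERSION}.tar.gz"
cd "openssl-${OPENSSL_VERSION}"
# Configure, build and run the test suite as an unprivileged user; only the
# install step needs root. The rpath flag lets the installed binaries find the
# freshly built libssl/libcrypto without touching the system library path.
./config -Wl,--enable-new-dtags,-rpath,'$(LIBRPATH)'
make
make test
sudo make install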
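# CREATE CONF FOR OPENSSL
# The directory will hold an unencrypted private key (see the -nodes flag in
# the generate step), so create it readable by the owner only.
cd
mkdir -p -m 700 local_ssl
cd local_ssl
# Write the request/extension config below into this file.
touch localhost_ssl.conf
vim localhost_ssl.conf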
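# ADD CONTENT TO CONF FILE (you need to substitute comments by your infos)
# Request/extension config for a self-signed TLS server certificate that is
# only meant for local development. Do not reuse it for a CSR that a real CA
# is going to sign.
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
# No interactive prompts: every subject field is taken from this file.
prompt = no
[req_distinguished_name]
C = <--COUNTRY CODE - 2 Characters-->
ST = <--PROVINCE/ STATE-->
L = <--CITY-->
O = <--ORGANISATION-->
OU = <--DEPARTMENT-->
# Subject CN. For a self-signed certificate the subject is also the issuer, so
# this is the name the browser shows for both. Host-name matching is done
# against subjectAltName below, not CN, so the host name is the sensible value;
# change it if you serve under a name other than localhost.
CN = localhost
[v3_req]
# digitalSignature is required for the ECDHE-RSA cipher suites configured in
# nginx (the server signs the key exchange); keyEncipherment covers plain RSA
# key exchange. dataEncipherment has no role in TLS and is left out. Some
# browsers reject a certificate whose keyUsage lacks digitalSignature.
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
# Every name and address the site is reached under. IP addresses must be
# listed as IP.n entries, not DNS.n, or the browser will not match them.
DNS.1 = localhost
IP.1 = 127.0.0.1
IP.2 = ::1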
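# GENERATE CERTIFICATE
# -nodes writes the private key unencrypted so nginx can start unattended;
# keep that file readable by its owner only.
# Validity is kept to one year: Apple platforms reject TLS server certificates
# valid for more than 825 days, and a short-lived dev certificate is trivial
# to re-issue with the same command.
openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 \
  -keyout localhost.key -out localhost.crt \
  -config localhost_ssl.conf -extensions 'v3_req'
chmod 600 localhost.key
# Sanity-check the result: the SAN entries and key usage should match the config.
openssl x509 -in localhost.crt -noout -text | grep -A1 -E 'Key Usage|Alternative Name'
# CONFIGURING NGINX
sudo cp localhost.crt /etc/ssl/certs/localhost.crt
sudo cp localhost.key /etc/ssl/private/localhost.key
# The key is opened by nginx's master process (root) at startup; make sure the
# copy is owned by root and not readable by anyone else.
sudo chown root:root /etc/ssl/private/localhost.key
sudo chmod 600 /etc/ssl/private/localhost.key
sudo vim /etc/nginx/sites-available/default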
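# CONTENT
server {
    # Both the IPv4 and the IPv6 listener are active; drop the one you do not need.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # Server name to listen for (must match a subjectAltName entry in the certificate)
    server_name localhost;
    # Path to document root
    root /var/www/html;
    # SSL
    ssl_certificate /etc/ssl/certs/localhost.crt;
    # Read by the master process at startup; keep the file mode 0600, owned by root.
    ssl_certificate_key /etc/ssl/private/localhost.key;
    # TLS 1.2 and 1.3 only. The TLSv1.3 keyword needs nginx >= 1.13.0 and an
    # nginx linked against OpenSSL 1.1.1 or later; remove it on older builds
    # (`nginx -t` will tell you).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Forward-secret AEAD suites only; the CBC-SHA256/SHA384 suites of the
    # original list are left out. The ECDHE-ECDSA entries are harmless but
    # unused because the certificate above carries an RSA key. TLS 1.3 suites
    # are not controlled by this directive.
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    # File to be used as index
    index index.html;
    # Logs
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
}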
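# ADDING CERTIFICATE TO THE BROWSER
sudo apt-get update
sudo apt-get install libnss3-tools
# Import into the per-user NSS database that Chrome/Chromium use on Linux.
# Firefox keeps its own cert9.db under its profile directory and needs a
# separate import (or use its certificate manager).
# Trust flag "P" marks this one certificate as a trusted peer for TLS.
# The "CT,c,c" flags previously used here would instead make the self-signed
# certificate a trusted CA, so anyone holding localhost.key could issue
# certificates for any host name and the browser would accept them.
# Fall back to "C,," only if your NSS build does not honor peer trust
# (see the certutil notes at the end of this file).
certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n "localhost" -i /etc/ssl/certs/localhost.crt
# Confirm the import and the trust flags that were actually stored.
certutil -d sql:$HOME/.pki/nssdb -L
# TEST AND RELOAD
sudo nginx -t
sudo service nginx reload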
# HELP ======================== CERTUTILS COMMANDS | |
List all certificates | |
certutil -d sql:$HOME/.pki/nssdb -L | |
List details of a certificate | |
certutil -d sql:$HOME/.pki/nssdb -L -n <certificate nickname> | |
Add a certificate | |
certutil -d sql:$HOME/.pki/nssdb -A -t <TRUSTARGS> -n <certificate nickname> -i <certificate filename> | |
The TRUSTARGS are three strings of zero or more alphabetic characters, separated by commas. They define how the certificate should be trusted for SSL, email, and object signing, and are explained in the certutil docs or Meena's blog post on trust flags. | |
For example, to trust a root CA certificate for issuing SSL server certificates, use | |
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <certificate nickname> -i <certificate filename> | |
To import an intermediate CA certificate, use | |
certutil -d sql:$HOME/.pki/nssdb -A -t ",," -n <certificate nickname> -i <certificate filename> | |
Note: a self-signed server certificate should be trusted as a peer ("P"), which trusts that one certificate and nothing signed by it:
certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n <certificate nickname> -i <certificate filename>
This relies on NSS bug 531160, which is reported as fixed in a related bug report. Only if peer trust does not work should you fall back to the "C,," trust flags: those make the self-signed certificate a trusted CA, so the browser would also accept any certificate signed with its private key, for any host name.
Add a personal certificate and private key for SSL client authentication | |
Use the command: | |
pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12 | |
to import a personal certificate and private key stored in a PKCS #12 file. The TRUSTARGS of the personal certificate will be set to “u,u,u”. | |
Delete a certificate | |
certutil -d sql:$HOME/.pki/nssdb -D -n <certificate nickname> |