Skip to content

Instantly share code, notes, and snippets.

@toriaezunama

toriaezunama/TLS.md

Last active January 29, 2019 21:01
Show Gist options
  • Save toriaezunama/236e7a7a1c45bd7731ac992898ca28f7 to your computer and use it in GitHub Desktop.
Save toriaezunama/236e7a7a1c45bd7731ac992898ca28f7 to your computer and use it in GitHub Desktop.
Download ZIP
OpenSSL, TLS, SSH, Certificates etc
Raw
config
# ~/.ssh/config
Host dev
HostName dev.example.com
Port 22000
User fooey
PreferredAuthentications publickey
AddKeysToAgent yes
IdentityFile ~/.ssh/github.key
# OSX specific
UseKeychain yes # prevent constant prompts for private key password
Host ssh-bitbucket
HostName bitbucket.org
User git
PreferredAuthentications publickey
IdentityFile /Users/x/.ssh/bitbucket
Raw
openssl.yaml
---
- desc: Setup ssh-agent
cmd: eval $(ssh-agent -s)
tags: ['cmd:ssh-agent']
- desc: List keys added to ssh-agent
cmd: ssh-add -l
tags: ['cmd:ssh-add']
- desc: Add <key> to ssh-agent
cmd: ssh-add -k ~/.ssh/<key>
notes: Will prompt you for the password for the private key. After adding you won't need to type the private key password again until the machine is reset
tags: ['cmd:ssh-add']
- desc: Generate a private key
cmd: openssl genrsa -aes128 -out fd.key 2048
options:
- AES-192: `-aes192`
- AES-256: `-aes256`
notes:
- Generate a RSA key of 2048 bits
- Encrypt key with AES-128 and a password (only important when private key not on a server)
- Result is stored in PEM format
tags:['cmd:openssl']
- desc: View a rsa <private>.key
cmd: openssl rsa -text -in <private>.key
notes:
- Needs you to input the password
tags:['cmd:openssl']
- desc: Create an rsa <public>.key from a <private>.key
cmd: openssl rsa -in <private>.key -pubout -out <public>.key
notes:
- Always generates the same key (even if you delete it or change the name)
tags:['cmd:openssl']
- desc: Create a certificate signing request (<request>.csr) with <private>.key
cmd: openssl req -new -key <private>.key -out <request>.csr
notes:
- Hitting Return uses the *default* value
- Use `.` to leave a field empty
- Ignore creating a challenge password
tags:['cmd:openssl']
- desc: View a CSR
cmd: openssl req -text -in <request>.csr -noout
tags:['cmd:openssl']
- desc: Sign a CSR with your private key
cmd: openssl x509 -req -days 365 -in <request>.csr -signkey <private>.key -out <signed>.crt
notes:
- If <private>.key is the same as the private key that signed the CSR then a *self signed certificate* is created
tags:['cmd:openssl', 'self signed certificate']
- desc: Create a self signed certificate in 1 step
cmd: openssl req -new -x509 -days 365 -key <private>.key -out <signed>.crt
options:
- Skip questions with `-subj` switch to provide the certificate subject information e.g. `-subj "/C=GB/L=London/O=TapDigital Canada/CN=www.feistyduck.com"`
notes:
- Self-signed certificates usually contain only the most basic certificate data. Certificates issued by public CAs contain a number of additional fields (via the X.509 extension mechanism).
The Basic Constraints extension is used to mark certificates as belonging to a CA, giving them
the ability to sign other certificates. Non-CA certificates will either have this extension omit-
ted or will have the value of CA set to FALSE . This extension is critical, which means that all
software-consuming certificates must understand its meaning.
X509v3 Basic Constraints: critical
CA:FALSE
tags:['cmd:openssl', 'self signed certificate']
- Create a certificate with multiple hostnames
cmd: openssl x509 -req -days 365 -in <request>.csr -signkey <private>.key -out <signed>.crt -extfile fd.ext
options:
- `-extfile` is a text file with a single line `subjectAltName = DNS:*.tapdigital.ca, DNS:tapdigital.ca`
tags:['cmd:openssl']
- desc: View a certificate
cmd: openssl x509 -text -in <signed>.crt -noout
tags:['cmd:openssl']
- desc: View a certificate chain
cmd: openssl crl2pkcs7 -nocrl -certfile /path/to/chain.pem | openssl pkcs7 -print_certs -text -noout
tags:['cmd:openssl']
Raw
TLS.md

Most of the following is taken from the OpenSSL cookbook

OpenSSL

Trust store

OpenSSL does not come with any trusted root certificates (also known as a trust store). DL Mozilla's truststore [here](https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins... /certdata.txt). Note: It's in a custom format so needs conversion so use this tool.

Server certs

  1. generate a strong private key
  2. create a Certificate Signing Request (CSR) and send it to a CA
  3. install the CA-provided certificate in your web server

Self-signed certificates

Usually contain only the most basic certificate data. By comparison, certificates issued by public CAs contain a number of additional fields (via the X.509 extension mechanism).

The Basic Constraints extension is used to mark certificates as belonging to a CA, giving them the ability to sign other certificates. Non-CA certificates will either have this extension omitted or will have the value of CA set to FALSE . This extension is critical, which means that all software-consuming certificates must understand its meaning.

X509v3 Basic Constraints: critical
CA:FALSE

The Key Usage (KU) and Extended Key Usage (EKU) extensions restrict what a certificate can be used for. If these extensions are present, then only the listed uses are allowed. If the extensions are not present, there are no use restrictions.

X509v3 Key Usage: critical
  Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
  TLS Web Server Authentication, TLS Web Client Authentication

The CRL Distribution Points extension lists the addresses where the CA’s Certificate Revocation List (CRL) information can be found. This information is important in cases in which certificates need to be revoked. CRLs are CA-signed lists of revoked certificates, published at regular time intervals (e.g., seven days).

X509v3 CRL Distribution Points:
  Full Name:
    URI:http://crl.starfieldtech.com/sfs3-20.crl

The Certificate Policies extension is used to indicate the policy under which the certificate was issued. For example, this is where extended validation (EV) indicators can be found (as in the example that follows). The indicators are in the form of unique object identifiers (OIDs), and they are unique to the issuing CA. In addition, this extension often contains one or more Certificate Policy Statement (CPS) points, which are usually web pages or PDF documents.

X509v3 Certificate Policies:
  Policy: 2.16.840.1.114414.1.7.23.3
  CPS: http://certificates.starfieldtech.com/repository/

The Authority Information Access (AIA) extension usually contains two important pieces of information. First, it lists the address of the CA’s Online Certificate Status Protocol (OCSP) responder, which can be used to check for certificate revocation in real time. The extension may also contain a link to where the issuer’s certificate (the next certificate in the chain) can be found. These days, server certificates are rarely signed directly by trusted root certificates, which means that users must include one or more intermediate certificates in their configuration. Mistakes are easy to make and will invalidate the certificates. Some clients (e.g. Internet Explorer) will use the information provided in this extension to fix an incomplete certificate chain, but many clients won’t.

Authority Information Access:
OCSP - URI:http://ocsp.starfieldtech.com/
CA Issuers - URI:http://certificates.starfieldtech.com/repository/sf_intermediate.crt

The Subject Key Identifier and Authority Key Identifier extensions establish unique subject and authority key identifiers, respectively. The value specified in the Authority Key Identifier extension of a certificate must match the value specified in the Subject Key Identifier extension in the issuing certificate. This information is very useful during the certification path-building process, in which a client is trying to find all possible paths from a leaf (server) certificate to a trusted root. Certification authorities will often use one private key with more than one certificate, and this field allows software to reliably identify which certificate can be matched to which key. In the real world, many certificate chains supplied by servers are invalid, but that fact often goes unnoticed because browsers are able to find alternative trust paths.

X509v3 Subject Key Identifier:
  4A:AB:1C:C3:D3:4E:F7:5B:2B:59:71:AA:20:63:D6:C9:40:FB:14:F1
X509v3 Authority Key Identifier:
  keyid:49:4B:52:27:D1:1B:BC:F2:A1:21:6A:62:7B:51:42:7A:8A:D7:D5:56

The Subject Alternative Name (SAN) extension is used to list all the hostnames for which the certificate is valid. This extension used to be optional; if it isn’t present, clients fall back to using the information provided in the Common Name (CN), which is part of the Subject field. If the extension is present, then the content of the CN field is ignored during validation.

X509v3 Subject Alternative Name:
  DNS:www.feistyduck.com, DNS:feistyduck.com

Public keys

ssh-rsa AAAAB3N....NMqKM= this_is_a_comment That part of an ssh key is just a comment. You can change it to anything you want at any time. It doesn't even need to be the same on different servers. You can remove it as well. It is only there to help you or someone else figure out what to delete when you have many keys in an authorized_keys file and you need to revoke or change one of them.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment