SSL: Difference between revisions

From miki
 
(15 intermediate revisions by the same user not shown)
Line 5: Line 5:
* What are file types {{file|.crt}}, {{file|.pem}}, {{file|.key}}
* What are file types {{file|.crt}}, {{file|.pem}}, {{file|.key}}
* Given a file, how can recognize its type?
* Given a file, how can recognize its type?

== Basic ==
;.p12
:A PKCS#12 container. Contains a '''X509 public key certificate''' and a '''private key'''.
;.crt
:Likely only a '''public key certificate'''.


== How-to ==
== How-to ==
=== Identify certificate formats ===
(source: ChatGPT)

; 1. DER Encoded Binary X.509 (.cer)
* '''Format''': Binary
* '''Extension''': <code>.cer</code>, <code>.der</code>
* '''Description''': DER (Distinguished Encoding Rules) is a binary format for X.509 certificates. It is a strict subset of ASN.1 (Abstract Syntax Notation One) encoding rules. This format is typically used in Java environments.
* '''Usage''': Commonly used in various applications and systems that require a binary format for certificates.
* To convert DER to PEM:
<source lang="bash">
openssl x509 -inform der -in certificate.der -out certificate.pem
</source>

; 2. Base-64 Encoded X.509 (.cer), also known as PEM format
* '''Format''': Text (Base-64)
* '''Extension''': <code>.cer</code>, <code>.pem</code>, <code>.crt</code>, <code>.key</code>
* '''Description''': This is the same X.509 certificate as the DER format but encoded in Base-64. The Base-64 encoding makes it suitable for text-based protocols and systems. The certificate content is enclosed between <code>-----BEGIN CERTIFICATE-----</code> and <code>-----END CERTIFICATE-----</code> markers.
* '''Usage''': Often used in web servers and email clients where certificates need to be included in text-based formats.
* To convert PEM to DER:
<source lang="bash">
openssl x509 -outform der -in certificate.pem -out certificate.der
</source>

; 3. PKCS #7 Certificates (.p7b)
* '''Format''': Binary or Text (Base-64)
* '''Extension''': <code>.p7b</code> or <code>.p7c</code>
* '''Description''': PKCS #7 (Public Key Cryptography Standards #7) is a standard for cryptographic message syntax. It can contain a full certificate chain (the certificate, intermediate certificates, and the root certificate). It can be encoded in either binary or Base-64.
* '''Usage''': Commonly used to transfer a certificate chain, especially in environments that require the entire chain for validation.

; 4. Certificates with .crt Extension
* '''Format''': Can be either DER or Base-64
* '''Extension''': <code>.crt</code>
* '''Description''': The <code>.crt</code> extension is a generic extension for certificates and can be in either DER or Base-64 format. The content of the file determines the actual format.
* '''Usage''': Widely used in Unix/Linux environments. The format (DER or Base-64) can be determined by inspecting the file content.

; Summary Table

{| class=wikitable
|-
! Format !! Extension !! Encoding !! Description
|-
| DER Encoded X.509 || <code>.cer</code> || Binary || Strict binary format, used in various applications.
|-
| Base-64 Encoded X.509 || <code>.cer</code> || Text || Base-64 encoded, suitable for text-based protocols.
|-
| PKCS #7 || <code>.p7b</code> || Binary/Text || Can contain a full certificate chain, used for transferring chains.
|-
| Generic Certificate || <code>.crt</code> || Binary/Text || Can be either DER or Base-64, commonly used in Unix/Linux environments.
|}

; How to Determine the Format
* '''DER''': If you open the file in a text editor and see binary data, it's likely DER.
* '''Base-64''': If you see <code>-----BEGIN CERTIFICATE-----</code> and <code>-----END CERTIFICATE-----</code>, it's Base-64.
* '''PKCS #7''': If you see <code>-----BEGIN PKCS7-----</code> and <code>-----END PKCS7-----</code>, it's a Base-64 encoded PKCS #7 file.

=== Generate a random number ===
<source lang="bash">
openssl rand -hex 16 # Generate a 16-byte random number
</source>
=== Verify a certificate in PEM format ===
A PEM-formatted certificate should begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----:

<source lang="text">
-----BEGIN CERTIFICATE-----
MIIGHjCCBAagAwIBAgIQHQb5gLlawpkQt56Wjrr/cDANBgkqhkiG9w0BAQsFADCB
...
...
SoUf1jU8dfGn8d2SfJq60xbAkyfZ7+UT8AK6jhB53pazYw==
-----END CERTIFICATE-----

</source>

<source lang="bash">
# Good certificate if this doesn't fail
openssl x509 -in /etc/git-ssl/some_cert.ca.pem -text -noout
</source>

=== Identify a certificate / private key file ===
<source lang=bash>
## Identify a .crt file
file root.crt
# root.crt: PEM certificate

## .p12 -> .crt (extract public key certificate)
openssl pkcs12 -in mycert.p12 -clcerts -nokeys -out mycert.crt
openssl x509 -in mycert.crt -text

## .p7b -> .cer
openssl pkcs7 -print_certs -in cert.p7b -out cert.cer

## If getting
# unable to load PKCS7 object
# 140038090782360:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: PKCS7
openssl pkcs7 -print_certs -inform der -in cert.p7b -out cert.cer

## Note that our .cer is still not a PEM:
file cert.cer
# cert.cer: ASCII text

openssl pkcs7 -inform der -in cert.p7b -outform pem -out cert.cer
## ... still not a PEM ...
file cert.cer
# cert.cer: ASCII text

## .cer -> .pem
openssl x509 -in cert.cer -out cert.pem
</source>


=== Split PKCS#12 certificate into CA / Cert / Private key ===
=== Split PKCS#12 certificate into CA / Cert / Private key ===
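Review bot: In the "Identify a certificate / private key file" block, the final `openssl x509 -in cert.cer -out cert.pem` runs after `openssl pkcs7 -inform der -in cert.p7b -outform pem -out cert.cer` has overwritten cert.cer with a PEM-armoured PKCS #7 object, which `openssl x509` cannot read. Write the `-outform pem` result to a different file, or move the x509 step directly under the `-print_certs` command. It would also help to say why `file` reports "ASCII text" there (the `-print_certs` output puts subject= and issuer= lines ahead of each certificate block) and that the x509 step keeps only the first certificate of the bundle.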
Line 18: Line 131:


Splitting the certificates is for instance needed to import a Windows certificate needed to connect to an enterprise WiFi (see [[Linux Admin]]).
Splitting the certificates is for instance needed to import a Windows certificate needed to connect to an enterprise WiFi (see [[Linux Admin]]).

=== Generate PEM certificate from PKCS7 Root CA certificate ===
This can be used to convert an exported Windows CA certificate ({{file|*.p7b}} files) into PEM format (as required by NetworkManager for instance).

<source lang=bash>
# The key option here is '-print_certs'
openssl pkcs7 -inform der -print_certs -in rootca.p7b -out rootca.pem
</source>


=== Checking Certificate Chain with OpenSSL ===
=== Checking Certificate Chain with OpenSSL ===
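Review bot: The new rootca.p7b command hard-codes `-inform der`, so it fails on a .p7b that was exported Base-64 encoded; add a line saying to drop `-inform der` in that case, since PEM is the default input format. The comment could also mention that `-print_certs` writes every certificate in the bundle, each preceded by its subject and issuer lines.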
Line 52: Line 173:
;Internet Explorer
;Internet Explorer
* Click on the ''error certificate'' icon in address bar,
* Click on the ''error certificate'' icon in address bar,
* Cick ''View certificates'',
* Cick ''View certificates'',
* then click ''Install certificate...''.
* then click ''Install certificate...''.
* Server public certificate must be imported in the '''Trusted Root Certification Authorities''' (and *not* in ''Intermediate CA'' which is chosen in automatic mode).
* Server public certificate must be imported in the '''Trusted Root Certification Authorities''' (and *not* in ''Intermediate CA'' which is chosen in automatic mode).

=== Encrypt a file with AES ===
To encrypt:
<source lang="bash">
tar -czf - . | openssl enc -e -aes128 -pbkdf2 -out secured.tgz.enc
</source>

To decrypt:
<source lang="bash">
openssl enc -d -aes128 -pbkdf2 -in secured.tgz.enc | tar xz -C test
</source>

=== Append CA to PEM certificate in a single file ===
One can concat several PEM certificate in base64 format in a single file [https://serverfault.com/questions/282382/how-do-append-a-ca-to-an-ssl-certificate]:
-----BEGIN CERTIFICATE-----
(Your certificate's base64 data here)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate certificate's base64 data here)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(root certificate's base64 data here)
-----END CERTIFICATE-----

So, say we have the files {{file|ca.pem}}, {{file|interim-ca.pem}}, {{file|cert.pem}}, we can concat them with:
<source lang="bash">
cat cert.pem interim-ca.pem ca.pem > chain.pem
</source>

=== Display the content of a certicate ===
<source lang="bash">
# https://support.qacafe.com/knowledge-base/how-do-i-display-the-contents-of-a-ssl-certificate/
# For PEM (base64) certificates (*.cer, *.pem)
openssl x509 -in acs.cdroutertest.com.pem -text

# ...
# X509v3 extensions:
# X509v3 Authority Key Identifier:
# keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7 <-- the ID of CA certificate
#
# X509v3 Subject Key Identifier:
# CC:31:0F:36:85:92:91:A8:0D:61:46:9E:9C:FE:9E:23:42:B9:D6:92 <-- the ID of this certificate
# ...


# For DER certificates (*.cer, *.der)
openssl x509 -in MYCERT.der -inform der -text
</source>

=== Troublueshoot an SSL connection ===

<source lang="bash">
openssl s_client -connect some.server.com -servername some.server.com
</source>


== Certificate authorities ==
== Certificate authorities ==


* [http://wiki.cacert.org/FAQ/ImportRootCert CACert FAQ].
=== Import CA certificates ===

See the [http://wiki.cacert.org/FAQ/ImportRootCert CACert FAQ] for a complete guide.
=== Import CA certificates on Android===


; Import CA on Android
* Browse to the file, and click on it to import.
* Browse to the file, and click on it to import.
* Go to ''Settings &rarr; Security &rarr; Trusted credentials''. User-added CA certificates appears in the ''User'' panel.
* Go to ''Settings &rarr; Security &rarr; Trusted credentials''. User-added CA certificates appears in the ''User'' panel.


; Import CA on Firefox on Android
; Import CA certificate on Firefox (Android)
* Some versions of Firefox do not seem to use the Android CA Store. In that case, the CA certificate must be imported directly in Firefox. Unfortunately there
* Some versions of Firefox do not seem to use the Android CA Store. In that case, the CA certificate must be imported directly in Firefox. Unfortunately there is no easy way to do so. The best work-around is to download the certificate from a web server that serves the file with MIME type '''application/x-x509-ca-cert''' [https://www.jethrocarr.com/2013/05/17/firefox-mobile-for-android-cas/]. For client certificate, it must be '''application/x-x509-user-cert'''.
:* Copy the CA certificate to a web server you manage. We assume the certificate has a {{file|.crt}} extension.
is no easy way to do so. The best work-around is to download the certificate from a web server that serves the file with MIME type '''application/x-x509-ca-cert''' [https://www.jethrocarr.com/2013/05/17/firefox-mobile-for-android-cas/].
For client certificate, it must be '''application/x-x509-user-cert'''.
:* Copy the CA certificate to a web server you manage
:* Add to Apache configuration:
:* Add to Apache configuration:
<source lang=apache>
<source lang=apache>
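Review bot: In "Troublueshoot an SSL connection", `openssl s_client -connect some.server.com` gives no port; `-connect` takes host:port, so for an HTTPS server this should read `-connect some.server.com:443`. Two of the new headings carry typos ("certicate", "Troublueshoot"). The "Encrypt a file with AES" section should state that `-aes128` selects CBC mode and that `openssl enc` provides no authentication of the ciphertext.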
Line 77: Line 250:
<source lang=bash>
<source lang=bash>
service apache2 reload
service apache2 reload
</source>

=== Import CA certificate on Debian ===
From [https://www.brightbox.com/blog/2014/03/04/add-cacert-ubuntu-debian/ brightbox.com]:

<source lang=bash>
sudo mkdir /usr/local/share/ca-certificates/cacert.org
sudo wget -P /usr/local/share/ca-certificates/cacert.org http://www.cacert.org/certs/root.crt http://www.cacert.org/certs/class3.crt
sudo update-ca-certificates
</source>
</source>
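Review bot: The Debian section downloads root.crt and class3.crt over plain http:// and hands them straight to `update-ca-certificates`, so whatever arrives on the wire becomes a trusted root for the whole system. Add a step between the wget and `update-ca-certificates` that compares each file's fingerprint (`openssl x509 -noout -fingerprint -sha256 -in <file>`) with the value the CA publishes through a separate channel. Using `mkdir -p` would also make the first command repeatable.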

Latest revision as of 14:49, 9 July 2024

Links

Questions

  • What are file types .crt, .pem, .key
  • Given a file, how can one recognize its type?

Basic

.p12
A PKCS#12 container. Contains an X.509 public key certificate and a private key.
.crt
Likely only a public key certificate.

How-to

Identify certificate formats

(source: ChatGPT)

1. DER Encoded Binary X.509 (.cer)
  • Format: Binary
  • Extension: .cer, .der
  • Description: DER (Distinguished Encoding Rules) is a binary format for X.509 certificates. It is a strict subset of ASN.1 (Abstract Syntax Notation One) encoding rules. This format is typically used in Java environments.
  • Usage: Commonly used in various applications and systems that require a binary format for certificates.
  • To convert DER to PEM:

openssl x509 -inform der -in certificate.der -out certificate.pem

2. Base-64 Encoded X.509 (.cer), also known as PEM format
  • Format: Text (Base-64)
  • Extension: .cer, .pem, .crt, .key
  • Description: This is the same X.509 certificate as the DER format but encoded in Base-64. The Base-64 encoding makes it suitable for text-based protocols and systems. The certificate content is enclosed between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers.
  • Usage: Often used in web servers and email clients where certificates need to be included in text-based formats.
  • To convert PEM to DER:

openssl x509 -outform der -in certificate.pem -out certificate.der

3. PKCS #7 Certificates (.p7b)
  • Format: Binary or Text (Base-64)
  • Extension: .p7b or .p7c
  • Description: PKCS #7 (Public Key Cryptography Standards #7) is a standard for cryptographic message syntax. It can contain a full certificate chain (the certificate, intermediate certificates, and the root certificate). It can be encoded in either binary or Base-64.
  • Usage: Commonly used to transfer a certificate chain, especially in environments that require the entire chain for validation.

4. Certificates with .crt Extension
  • Format: Can be either DER or Base-64
  • Extension: .crt
  • Description: The .crt extension is a generic extension for certificates and can be in either DER or Base-64 format. The content of the file determines the actual format.
  • Usage: Widely used in Unix/Linux environments. The format (DER or Base-64) can be determined by inspecting the file content.

Summary Table

Format | Extension | Encoding | Description
DER Encoded X.509 | .cer | Binary | Strict binary format, used in various applications.
Base-64 Encoded X.509 | .cer | Text | Base-64 encoded, suitable for text-based protocols.
PKCS #7 | .p7b | Binary/Text | Can contain a full certificate chain, used for transferring chains.
Generic Certificate | .crt | Binary/Text | Can be either DER or Base-64, commonly used in Unix/Linux environments.

How to Determine the Format
  • DER: If you open the file in a text editor and see binary data, it's likely DER.
  • Base-64: If you see -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, it's Base-64.
  • PKCS #7: If you see -----BEGIN PKCS7----- and -----END PKCS7-----, it's a Base-64 encoded PKCS #7 file.
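
An added example (not part of the original wiki page): a content-based sniffer for the formats listed above, answering the page's question of how to recognize a file's type. It goes beyond the text-editor check by also telling binary X.509, PKCS #7 and PKCS #12 apart from their outer ASN.1 structure; the function names and the sample bytes are constructed for illustration.

```python
import re

# PEM armour label -> what the block holds (labels as written by OpenSSL).
PEM_KINDS = {
    "CERTIFICATE": "X.509 certificate",
    "PKCS7": "PKCS #7 bundle",
    "PRIVATE KEY": "unencrypted PKCS #8 private key",
    "ENCRYPTED PRIVATE KEY": "encrypted PKCS #8 private key",
    "RSA PRIVATE KEY": "RSA private key",
}
PEM_BEGIN = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)
OID_P7_DATA = bytes.fromhex("2a864886f70d010701")    # 1.2.840.113549.1.7.1
OID_P7_SIGNED = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2

# Constructed samples (not real certificates): just enough structure to classify.
SAMPLE_PEM_CHAIN = b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n" * 2
SAMPLE_DER_P7 = bytes.fromhex("300b06092a864886f70d010702")


def read_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def classify_der(data):
    """Tell certificate, PKCS #7 and PKCS #12 apart by their outer ASN.1 shape."""
    try:
        tag, body, _ = read_tlv(data)
        if tag != 0x30:  # every format handled here is an ASN.1 SEQUENCE
            return "unknown binary data"
        first_tag, first, nxt = read_tlv(body)
        if first_tag == 0x06 and first == OID_P7_SIGNED:
            return "PKCS #7 bundle (DER)"
        if first_tag == 0x02 and first == b"\x03":
            # PFX: version 3, then a ContentInfo that starts with a PKCS #7 OID
            _, auth_safe, _ = read_tlv(body, nxt)
            oid_tag, oid, _ = read_tlv(auth_safe)
            if oid_tag == 0x06 and oid in (OID_P7_DATA, OID_P7_SIGNED):
                return "PKCS #12 container (certificate + private key)"
        if first_tag == 0x30 and read_tlv(first)[0] == 0xA0:
            # tbsCertificate opens with the [0] EXPLICIT version field (v2/v3)
            return "X.509 certificate (DER)"
    except (ValueError, IndexError):
        pass
    return "unknown binary data"


def classify(data):
    """Return a list describing every object found in the file's bytes."""
    labels = [m.group(1).decode() for m in PEM_BEGIN.finditer(data)]
    if labels:
        return [PEM_KINDS.get(name, "PEM block: " + name) + " (PEM)" for name in labels]
    return [classify_der(data)]


if __name__ == "__main__":
    print(classify(SAMPLE_PEM_CHAIN), classify(SAMPLE_DER_P7))
```

Because classify searches every line for the armour header, it still reports a certificate for `openssl pkcs7 -print_certs` output, where the subject= and issuer= lines come before the BEGIN line.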

Generate a random number

openssl rand -hex 16     # Generate a 16-byte random number

Verify a certificate in PEM format

A PEM-formatted certificate should begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----:

-----BEGIN CERTIFICATE-----
MIIGHjCCBAagAwIBAgIQHQb5gLlawpkQt56Wjrr/cDANBgkqhkiG9w0BAQsFADCB
...
...
SoUf1jU8dfGn8d2SfJq60xbAkyfZ7+UT8AK6jhB53pazYw==
-----END CERTIFICATE-----

# The file is a well-formed certificate if this doesn't fail (parsing only; the signature and trust chain are not checked)
openssl x509 -in /etc/git-ssl/some_cert.ca.pem -text -noout

Identify a certificate / private key file

## Identify a .crt file
file root.crt
# root.crt: PEM certificate

## .p12 -> .crt (extract public key certificate)
openssl pkcs12 -in mycert.p12 -clcerts -nokeys -out mycert.crt
openssl x509 -in mycert.crt -text

## .p7b -> .cer
openssl pkcs7 -print_certs -in cert.p7b -out cert.cer

## If getting
# unable to load PKCS7 object
# 140038090782360:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: PKCS7
openssl pkcs7 -print_certs -inform der -in cert.p7b -out cert.cer

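## Note that our .cer is still not recognized as a PEM by file(1),
## because -print_certs writes subject=/issuer= lines before each certificate block:
file cert.cer
# cert.cer: ASCII text

## Without -print_certs the output is the PKCS #7 object itself in PEM armour
## (-----BEGIN PKCS7-----), so it is written to a separate file here
openssl pkcs7 -inform der -in cert.p7b -outform pem -out cert.p7b.pem
## ... still not a PEM certificate ...
file cert.p7b.pem
# cert.p7b.pem: ASCII text

## .cer -> .pem (reads the -print_certs output; keeps only the first certificate)
openssl x509 -in cert.cer -out cert.pem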

Split PKCS#12 certificate into CA / Cert / Private key

Use openssl pkcs12 to split PKCS#12 data into its CA certificate / certificate / private key components. By default, openssl pkcs12 produces PEM files [1].

openssl pkcs12 -in mywindowscert.pfx -nocerts -out mycert.key
openssl pkcs12 -in mywindowscert.pfx -clcerts -nokeys -out mycert.crt.pem
openssl pkcs12 -in mywindowscert.pfx -cacerts -nokeys -out mycert.ca.pem

Splitting the certificates is for instance needed to import a Windows certificate needed to connect to an enterprise WiFi (see Linux Admin).

Generate PEM certificate from PKCS7 Root CA certificate

This can be used to convert an exported Windows CA certificate (*.p7b files) into PEM format (as required by NetworkManager for instance).

# The key option here is '-print_certs'
openssl pkcs7 -inform der -print_certs -in rootca.p7b -out rootca.pem

Checking Certificate Chain with OpenSSL

Checking A Remote Certificate Chain With OpenSSL

Change .p12 / .pfx password

Say you have a private key / certificate file mycert.pfx, and you want to change its password:

# Strangely we cannot pipe output of 1st command into 2nd (error 'No certificate matches private key')
openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes         # Don't encrypt private key at all
openssl pkcs12 -export -in mycert.pem -out mycert-new.pfx
rm mycert.pem                                               # DON'T FORGET THIS!

Extract key from .p12/ .pfx

  • openssl pkcs12 takes a file in pkcs#12 format (.p12/.pfx) and produces a file in PEM format, that is parseable with openssl rsa. The PEM may contain either private key, certificates, root certificates or even public keys.
openssl pkcs12 -in mycert.pfx -out mycert.pem -nocerts -nodes  # Don't encrypt private key at all, don't output certificates
openssl rsa -noout -modulus -in mycert.pem                     # To extract the modulus
openssl rsa -noout -text -in mycert.pem                        # To extract all the fields

Query a public key certificate

openssl x509 -in ssl-cert-www.immie.org.pem -noout -subject       # Query certificate name. Must match Apache ServerName
# For instance:
#   subject= /C=BE/ST=BBW/L=Brussels/O=immie.org/CN=www.immie.org

Generate a new self-signed SSL certificate for Apache server

See Apache.

Accept self-signed certificates (bypass browser warning)

Internet Explorer
  • Click on the error certificate icon in address bar,
  • Click View certificates,
  • then click Install certificate....
  • Server public certificate must be imported in the Trusted Root Certification Authorities (and *not* in Intermediate CA which is chosen in automatic mode).

Encrypt a file with AES

To encrypt:

# -aes128 is AES-128-CBC with a passphrase-derived key; openssl enc adds no integrity check
tar -czf - . | openssl enc -e -aes128 -pbkdf2 -out secured.tgz.enc

To decrypt:

# The target directory (test) must already exist
openssl enc -d -aes128 -pbkdf2 -in secured.tgz.enc | tar xz -C test

Append CA to PEM certificate in a single file

One can concatenate several PEM (Base-64) certificates into a single file [2]:

-----BEGIN CERTIFICATE-----
(Your certificate's base64 data here)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate certificate's base64 data here)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(root certificate's base64 data here)
-----END CERTIFICATE-----

So, say we have the files ca.pem, interim-ca.pem and cert.pem; we can concatenate them with:

cat cert.pem interim-ca.pem ca.pem > chain.pem

Display the content of a certificate

# https://support.qacafe.com/knowledge-base/how-do-i-display-the-contents-of-a-ssl-certificate/
# For PEM (base64) certificates (*.cer, *.pem)
openssl x509 -in acs.cdroutertest.com.pem -text

# ...
#         X509v3 extensions:
#             X509v3 Authority Key Identifier:
#                 keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7    <-- the ID of CA certificate
#
#             X509v3 Subject Key Identifier:
#                 CC:31:0F:36:85:92:91:A8:0D:61:46:9E:9C:FE:9E:23:42:B9:D6:92          <-- the ID of this certificate
# ...


# For DER certificates (*.cer, *.der)
openssl x509 -in MYCERT.der -inform der -text

Troubleshoot an SSL connection

# -connect takes host:port (443 assumed here for HTTPS); -servername sets the SNI name
openssl s_client -connect some.server.com:443 -servername some.server.com

Certificate authorities

Import CA certificates on Android

  • Browse to the file, and click on it to import.
  • Go to Settings → Security → Trusted credentials. User-added CA certificates appear in the User panel.

Import CA certificate on Firefox (Android)

  • Some versions of Firefox do not seem to use the Android CA Store. In that case, the CA certificate must be imported directly in Firefox. Unfortunately there is no easy way to do so. The best work-around is to download the certificate from a web server that serves the file with MIME type application/x-x509-ca-cert [3]. For a client certificate, it must be application/x-x509-user-cert.
  • Copy the CA certificate to a web server you manage. We assume the certificate has a .crt extension.
  • Add to Apache configuration:

AddType application/x-x509-ca-cert .crt

  • Don't forget to reload the Apache configuration:

service apache2 reload

Import CA certificate on Debian

From brightbox.com:

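sudo mkdir -p /usr/local/share/ca-certificates/cacert.org
sudo wget -P /usr/local/share/ca-certificates/cacert.org http://www.cacert.org/certs/root.crt http://www.cacert.org/certs/class3.crt
# The certificates above arrive over plain HTTP: compare their fingerprints with the values
# published by the CA (openssl x509 -noout -fingerprint -sha256 -in <file>) before trusting them
sudo update-ca-certificates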