View x509 certificate details

OpenSSL is quite a complex application, but it is easy to get it to show you the details of a given X.509 SSL certificate using this command:


$ openssl x509 -in filename.crt -noout -text

Where filename corresponds to the X.509 certificate file, which typically would end in .crt, .cert or .pem.


SSL: Verifying that a Certificate matches a Private Key

The private key contains a series of numbers. Two of those numbers form the “public key”; the others are part of your “private key”. The “public key” bits are also embedded in your certificate (we get them from your CSR). To check that the public key in your cert matches the public portion of your private key, you need to view the cert and the key and compare the numbers.

Normally, matching a given private key with a given certificate requires some manual number comparison; for RSA keys, however, this command does the comparison automatically:


$ (openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
openssl rsa -noout -modulus -in server.key | openssl md5) | uniq

(If more than one hash is displayed, they don’t match)
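
A stricter form of the same check, as an added example that is not part of the original post: it compares the whole public key instead of an MD5 of the RSA modulus, so it also covers non-RSA keys such as EC, and it reports unreadable input instead of letting two empty results hash to the same value. The function names and the exit-status convention are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are illustrative.

# Public key (PEM SubjectPublicKeyInfo) carried in certificate $1.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from private key $1 (RSA, EC, ...).
# For an encrypted key openssl prompts for the passphrase.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# SHA-256 of the DER-encoded public key read as PEM on stdin, for logging.
pubkey_fingerprint() {
    openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# cert_matches_key CERT KEY
# Exit status: 0 = same key pair, 1 = different keys, 2 = a file could not be read.
cert_matches_key() (
    cert_pub=$(cert_pubkey "$1") || exit 2
    key_pub=$(key_pubkey "$2") || exit 2
    # Two failed reads would both be empty and compare equal; never call that a match.
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || exit 2
    [ "$cert_pub" = "$key_pub" ]
)

# Stand-alone use: ./match.sh server.pem server.key
if [ "$#" -eq 2 ]; then
    rc=0
    cert_matches_key "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "match: sha256 $(cert_pubkey "$1" | pubkey_fingerprint)" ;;
        1) echo "MISMATCH: certificate and key are different key pairs" ;;
        *) echo "error: could not read certificate or key" >&2 ;;
    esac
    exit "$rc"
fi
```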


Howto: Convert an OpenSSL key to a public/private OpenSSH key-pair

This howto demonstrates how to convert an OpenSSL key to a public/private OpenSSH key-pair.

The motivation for converting this is simple — dual use. That is to say, any user or application that has been issued a certificate can now use their SSL-based credentials for both SSL- and SSH-based authentication.

Requirements
You’ll need a valid certificate and private key — actually only the key is required. This recipe assumes that your certificate and key will have the names user-crt.pem and user-key.pem, respectively. If your key is encrypted (which it should be), you’ll also need to have its passphrase handy.

You’ll need a shell account on a system that supports OpenSSH logins using public/private key authentication.

Solution
The solution is to extract the public key from the private key using ssh-keygen, copy the new key-pair into place, and test them out.

1. Copy the private SSL key to ~/.ssh/id_ssl.
$ cp user-key.pem ~/.ssh/id_ssl
$ chmod 600 ~/.ssh/id_ssl

2. Extract the public SSH key using ssh-keygen.
$ ssh-keygen -y -f ~/.ssh/id_ssl > ~/.ssh/id_ssl.pub
$ chmod 600 ~/.ssh/id_ssl.pub

3. Add the public key to your authorized_keys
$ cat ~/.ssh/id_ssl.pub >> ~/.ssh/authorized_keys

4. Test the new key by attempting to SSH to localhost.
$ ssh -i ~/.ssh/id_ssl localhost

At this point, you’ll need to enter your passphrase (assuming you had one), and if all goes well, you’ll be sitting at a new shell prompt.

5. Remove the test key from your authorized_keys file.

In theory, a single certificate and key issued to an employee would be sufficient to access all participating SSL- and SSH-based resources in a given environment (or perhaps the entire company).

This post is based on an original recipe by Klayton Monroe.


OpenSSL CSR Wizard


Howto Create Generate a Certificate Signing Request

This howto describes how to generate a CSR for your Web site. When you have completed the outlined steps. In this guide I use OpenSSL, which is the open source project that replaced SSLeay.

Create an RSA private key for your Apache server, PEM-formatted. Use at least 2048 bits; public CAs no longer accept 1024-bit RSA keys:

openssl genrsa -out domain.com.key 2048

Create a Certificate Signing Request using the RSA private key created above (output will be PEM format):

openssl req -new -key domain.com.key -out domain.com.csr

Note that the Common Name field is the field where the domain name should be stated.


SSL Certificates Review: What to Buy

Buying an SSL certificate is not an easy task. There are well over 100 providers and resellers of certificates, and prices vary from less than $100 a year to nearly $2000 a year. The purpose of this short review is to walk you through the desert of sandy SSL certificate providers, some more serious than others.

An SSL certificate is basically a proof of identity….


View The Contents Of A Certificate Signing Request (CSR)


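openssl req -text -noout -in host.csr

The listing below is openssl's text output for a certificate (it carries Serial Number, Issuer and Validity fields). The output for a CSR begins with "Certificate Request:" and has only the subject, public key, attributes and signature, but is read the same way.

Certificate: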
   Data:
       Version: 1 (0x0)
       Serial Number: 7829 (0x1e95)
       Signature Algorithm: md5WithRSAEncryption
       Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc,
               OU=Certification Services Division,
               CN=Thawte Server CA/emailAddress=server-certs@thawte.com
       Validity
           Not Before: Jul  9 16:04:02 1998 GMT
           Not After : Jul  9 16:04:02 1999 GMT
       Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala,
                OU=FreeSoft, CN=www.freesoft.org/emailAddress=baccala@freesoft.org
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (1024 bit)
               Modulus (1024 bit):
                   00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb:
                   33:35:19:d5:0c:64:b9:3d:41:b2:96:fc:f3:31:e1:
                   66:36:d0:8e:56:12:44:ba:75:eb:e8:1c:9c:5b:66:
                   70:33:52:14:c9:ec:4f:91:51:70:39:de:53:85:17:
                   16:94:6e:ee:f4:d5:6f:d5:ca:b3:47:5e:1b:0c:7b:
                   c5:cc:2b:6b:c1:90:c3:16:31:0d:bf:7a:c7:47:77:
                   8f:a0:21:c7:4c:d0:16:65:00:c1:0f:d7:b8:80:e3:
                   d2:75:6b:c1:ea:9e:5c:5c:ea:7d:c1:a1:10:bc:b8:
                   e8:35:1c:9e:27:52:7e:41:8f
               Exponent: 65537 (0x10001)
   Signature Algorithm: md5WithRSAEncryption
       93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:5d:9d:
       92:2e:4a:1b:8b:ac:7d:99:17:5d:cd:19:f6:ad:ef:63:2f:92:
       ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:9c:67:
       d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:41:72:
       0d:19:aa:ad:dd:9a:df:ab:97:50:65:f5:5e:85:a6:ef:19:d1:
       5a:de:9d:ea:63:cd:cb:cc:6d:5d:01:85:b5:6d:c8:f3:d9:f7:
       8f:0e:fc:ba:1f:34:e9:96:6e:6c:cf:f2:ef:9b:bf:de:b5:22:
       68:9f
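
The two CSR posts above (creating a request and viewing its contents) combined into one script, as an added example that is not part of the original posts: it creates the key and request without prompts, then reads the text output back to check the self-signature, key size and signature hash. The listing above shows a 1024-bit key signed with md5WithRSAEncryption, both of which this check flags. Function names, file layout and the policy thresholds (RSA keys of at least 2048 bits, no MD5 or SHA-1 signatures) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original posts. Names and thresholds are assumptions.

# make_csr NAME DIR: write DIR/NAME.key (RSA 2048) and DIR/NAME.csr (CN=NAME).
make_csr() (
    umask 077   # key file is private from the moment it is created
    openssl genrsa -out "$2/$1.key" 2048 2>/dev/null || exit 1
    openssl req -new -sha256 -key "$2/$1.key" -subj "/CN=$1" -out "$2/$1.csr"
)

# Read "openssl req -text" output on stdin; print "<key bits> <signature algorithm>".
# Matches "Public-Key: (N bit)" and the older "RSA Public Key: (N bit)".
text_summary() {
    awk '/Public[- ]Key: \(/ && !bits { gsub(/[^0-9]/, ""); bits = $0 }
         /Signature Algorithm:/ && !alg { alg = $NF }
         END { if (bits && alg) print bits, alg; else exit 1 }'
}

# weak_reason BITS ALG: print why an RSA request fails policy, nothing if it passes.
weak_reason() {
    if [ "$1" -lt 2048 ]; then
        echo "RSA key too short ($1 bits)"
        return 0
    fi
    case "$2" in
        md5*|sha1*) echo "weak signature hash ($2)" ;;
    esac
}

# csr_acceptable FILE: status 0 if the self-signature verifies and policy passes.
csr_acceptable() (
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || exit 1
    summary=$(openssl req -in "$1" -noout -text 2>/dev/null | text_summary) || exit 1
    # $summary is split on purpose into BITS and ALG.
    [ -z "$(weak_reason $summary)" ]
)

# Stand-alone use: ./csr.sh www.example.test /tmp/out
if [ "$#" -eq 2 ]; then
    make_csr "$1" "$2" && csr_acceptable "$2/$1.csr" && echo "CSR ok: $2/$1.csr"
fi
```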


Openssl to create an unencrypted key from an encrypted one (Remove password)

Remove the encryption from the RSA private key:

debian21:~# openssl rsa -in server.key -out server.key.unencrypted

Then make sure the server.key.unencrypted file is only readable by root:

debian21:~# chmod 400 server.key.unencrypted

Now server.key.unencrypted will contain an unencrypted copy of the key. If you point your server (e.g. Apache) at this file, it will not prompt you for a pass-phrase.
