SSL: Verifying that a Certificate matches a Private Key

The private key contains a series of numbers. Two of those numbers form the “public key”, the others are part of your “private key”. The “public key” bits are also embedded in your Certificate (we get them from your CSR). To check that the public key in your cert matches the public portion of your private key, you need to view the cert and the key and compare the numbers.

Matching a given private key to a given certificate normally requires some manual number matching, but this command does the comparison automatically:


$ (openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
openssl rsa -noout -modulus -in server.key | openssl md5) | uniq

(If more than one hash is displayed, they don’t match)
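
The modulus comparison above only applies to RSA keys. The following is an added example, not part of the original post, that goes beyond it by comparing the full public key, so the same check also covers EC keys and CSRs. The function names (`pubkey_fp`, `cert_matches_key`, `make_demo_pair`) are hypothetical, and the demo key pair is constructed throwaway data.

```shell
#!/bin/sh
# Added example: match a certificate (or CSR) to a private key by comparing
# public keys, so it also works for non-RSA keys that have no modulus.

# pubkey_fp FILE KIND -> SHA-256 of the PEM public key; KIND is cert, key or csr
pubkey_fp() {
    case "$2" in
        cert) pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1 ;;
        key)  pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    # An empty result must never hash to a "matching" value
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# cert_matches_key CERT KEY -> 0 match, 1 mismatch, 2 unreadable input
cert_matches_key() {
    cert_fp=$(pubkey_fp "$1" cert) || { echo "cannot read certificate: $1" >&2; return 2; }
    key_fp=$(pubkey_fp "$2" key) || { echo "cannot read private key: $2" >&2; return 2; }
    [ "$cert_fp" = "$key_fp" ]
}

# Constructed sample data: throwaway P-256 key and self-signed certificate
make_demo_pair() {   # make_demo_pair DIR NAME
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$1/$2.key" 2>/dev/null &&
    openssl req -new -x509 -key "$1/$2.key" -subj "/CN=$2.example.test" \
        -days 1 -out "$1/$2.pem" 2>/dev/null
}

# Usage: sh check.sh server.pem server.key
if [ "$#" -eq 2 ]; then
    if cert_matches_key "$1" "$2"; then echo "match"; else echo "NO MATCH"; fi
fi
```

If the private key is encrypted, openssl asks for its passphrase before the comparison can run.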


Howto: Convert an OpenSSL key to a public/private OpenSSH key-pair

This howto demonstrates how to convert an OpenSSL key to a public/private OpenSSH key-pair.

The motivation for converting this is simple — dual use. That is to say, any user or application that has been issued a certificate can now use their SSL-based credentials for both SSL- and SSH-based authentication.

Requirements
You’ll need a valid certificate and private key — actually only the key is required. This recipe assumes that your certificate and key will have the names user-crt.pem and user-key.pem, respectively. If your key is encrypted (which it should be), you’ll also need to have its passphrase handy.

You’ll need a shell account on a system that supports OpenSSH logins using public/private key authentication.

Solution
The solution is to extract the public key from the private key using ssh-keygen, copy the new key-pair into place, and test them out.

1. Copy the private SSL key to ~/.ssh/id_ssl.
$ cp user-key.pem ~/.ssh/id_ssl
$ chmod 600 ~/.ssh/id_ssl

2. Extract the public SSH key using ssh-keygen.
$ ssh-keygen -y -f ~/.ssh/id_ssl > ~/.ssh/id_ssl.pub
$ chmod 600 ~/.ssh/id_ssl.pub

3. Add the public key to your authorized_keys
$ cat ~/.ssh/id_ssl.pub >> ~/.ssh/authorized_keys

4. Test the new key by attempting to SSH to localhost.
$ ssh -i ~/.ssh/id_ssl localhost

At this point, you’ll need to enter your passphrase (assuming you had one), and if all goes well, you’ll be sitting at a new shell prompt.

5. Remove the test key from your authorized_keys file.
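
Step 5 gives no command. One way to do it, as an added example that is not part of the original recipe: the hypothetical helper `remove_authorized_key` drops every authorized_keys line that carries the key blob from id_ssl.pub, even when the entry has an options prefix or a different comment, and replaces the file through a temporary copy. The sample entries written by `make_demo_files` are constructed.

```shell
#!/bin/sh
# Added example: remove one public key from an authorized_keys file.

# remove_authorized_key PUBFILE [AUTHFILE] -> prints the number of lines removed
remove_authorized_key() {
    pub=$1
    auth=${2:-$HOME/.ssh/authorized_keys}
    # Field 2 of a .pub file is the base64 key blob; type and comment may vary
    blob=$(awk 'NF >= 2 { print $2; exit }' "$pub" 2>/dev/null) || return 2
    [ -n "$blob" ] && [ -f "$auth" ] || return 2
    tmp=$(mktemp "$auth.XXXXXX") || return 2
    before=$(wc -l < "$auth")
    # Drop any line holding the blob as a whole field (options prefix allowed)
    awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) next; print }' \
        "$auth" > "$tmp" || { rm -f "$tmp"; return 2; }
    after=$(wc -l < "$tmp")
    chmod 600 "$tmp" && mv "$tmp" "$auth" || { rm -f "$tmp"; return 2; }
    echo $(( before - after ))
}

# Constructed sample data: the key blobs below are placeholders, not real keys
make_demo_files() {   # make_demo_files DIR
    printf '%s\n' 'ssh-ed25519 AAAAconstructedBlobTEST user@laptop' > "$1/id_ssl.pub"
    printf '%s\n' \
        'ssh-rsa AAAAconstructedBlobOTHER admin@bastion' \
        'ssh-ed25519 AAAAconstructedBlobTEST user@laptop' \
        'from="127.0.0.1",no-pty ssh-ed25519 AAAAconstructedBlobTEST other-comment' \
        > "$1/authorized_keys"
}

# Usage: sh remove_key.sh ~/.ssh/id_ssl.pub
if [ "$#" -ge 1 ]; then
    remove_authorized_key "$@"
fi
```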

In theory, a single certificate and key issued to an employee would be sufficient to access all participating SSL- and SSH-based resources in a given environment (or perhaps the entire company).

This post is based on an original recipe by Klayton Monroe.


OpenSSL CSR Wizard


SSL Certificates Review: What to Buy

Buying an SSL certificate is not an easy task. There are well over 100 providers and resellers of certificates, and prices vary from less than $100 a year to nearly $2000 a year. The purpose of this short review is to walk you through the sandy desert of SSL certificate providers, some more serious than others.

An SSL certificate is basically a proof of identity….


View The Contents Of A Certificate Signing Request (CSR)


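openssl req -text -noout -in host.csr

(The sample output below comes from a certificate, as its Issuer and Validity fields show. For a CSR the dump starts with “Certificate Request:” and has no Issuer or Validity, but the Subject and Subject Public Key Info sections look the same.)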


Certificate:
   Data:
       Version: 1 (0x0)
       Serial Number: 7829 (0x1e95)
       Signature Algorithm: md5WithRSAEncryption
       Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc,
               OU=Certification Services Division,
               CN=Thawte Server CA/emailAddress=server-certs@thawte.com
       Validity
           Not Before: Jul  9 16:04:02 1998 GMT
           Not After : Jul  9 16:04:02 1999 GMT
       Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala,
                OU=FreeSoft, CN=www.freesoft.org/emailAddress=baccala@freesoft.org
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (1024 bit)
               Modulus (1024 bit):
                   00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb:
                   33:35:19:d5:0c:64:b9:3d:41:b2:96:fc:f3:31:e1:
                   66:36:d0:8e:56:12:44:ba:75:eb:e8:1c:9c:5b:66:
                   70:33:52:14:c9:ec:4f:91:51:70:39:de:53:85:17:
                   16:94:6e:ee:f4:d5:6f:d5:ca:b3:47:5e:1b:0c:7b:
                   c5:cc:2b:6b:c1:90:c3:16:31:0d:bf:7a:c7:47:77:
                   8f:a0:21:c7:4c:d0:16:65:00:c1:0f:d7:b8:80:e3:
                   d2:75:6b:c1:ea:9e:5c:5c:ea:7d:c1:a1:10:bc:b8:
                   e8:35:1c:9e:27:52:7e:41:8f
               Exponent: 65537 (0x10001)
   Signature Algorithm: md5WithRSAEncryption
       93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:5d:9d:
       92:2e:4a:1b:8b:ac:7d:99:17:5d:cd:19:f6:ad:ef:63:2f:92:
       ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:9c:67:
       d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:41:72:
       0d:19:aa:ad:dd:9a:df:ab:97:50:65:f5:5e:85:a6:ef:19:d1:
       5a:de:9d:ea:63:cd:cb:cc:6d:5d:01:85:b5:6d:c8:f3:d9:f7:
       8f:0e:fc:ba:1f:34:e9:96:6e:6c:cf:f2:ef:9b:bf:de:b5:22:
       68:9f


Openssl to create an unencrypted key from an encrypted one (Remove password)

Remove the encryption from the RSA private key

debian21:~# openssl rsa -in server.key -out server.key.unencrypted

Then make sure the server.key.unencrypted file is only readable by root

debian21:~# chmod 400 server.key.unencrypted

Now server.key.unencrypted will contain an unencrypted copy of the key. If you point your server (e.g. Apache) at this file, it will not prompt you for a pass-phrase.

Link to OpenSSL – The Open Source toolkit for SSL/TLS
