About Crypto
Contents
ssl-cert
Please do yourself a favor and install package "ssl-cert"
1 aptitude install ssl-cert
package contains make-ssl-cert
creates group ssl-cert and fixes unix filesystem permissions
directory /etc/ssl/private must
be owned by root:ssl-cert
have unix filesystem permissions 740
- this ensures that group members
- can read contained files
- cannot traverse or list directory contents
files contained by directory /etc/ssl/private must
be owned by root:ssl-cert
have unix filesystem permissions 640"
Sample listing
ls -l /etc/ssl/
Users that must be able to read a system private key, must be member of group "ssl-cert" (like www-data). A user whose group member ship has changed during a session has to logout an login a again (e.g. systemctl restart apache2).
Snakeoil
This is great for the purpose of testing and fast results. Generates a self-signed certificate and places it under the correct path, ownership and permissions.
1 make-ssl-cert generate-default-snakeoil --force-overwrite
This creates a 2048bit-RSA-keypair, signs the pubkey as a x509-certificate with the private key and places the files with the correct permissions in the following positions:
But never think of going live with a self-signed certificate! This is security by obscurity.
If there is no trust anchor (signature of a certificate authority you trust), anybody located between Alice and Bob can break the chain and present you a totally different self-signed certificate with the same subject (like a proxy). It can probably even be crafted to collide with your hash/fingerprint, so you won't ever be able to detect it.
Quick selfsign with SAN
With openssl version < 1.1.1
Option 1 - change config
If you like subject alternative names you could add something like the following to /etc/ssl/openssl.cnf
And use it with -reqexts v3_req_git or -extensions v3_req_git.
Option 2 - specify on cli
Create and load the openssl-config on the cli via nested sub-shells:
1 CERT_CN="git.rockstable.it"
2 openssl req -x509 -newkey rsa:4096 \
3 -keyout /etc/ssl/private/$CERT_CN.key \
4 -out /etc/ssl/certs/$CERT_CN.crt \
5 -subj "/CN=$CERT_CN" \
6 -days 1825 \
7 -nodes \
8 -extensions SAN \
9 -config <(cat /etc/ssl/openssl.cnf \
10 <(printf "[SAN]\nsubjectAltName=DNS:git1.1a.rockstable.it,DNS:git1.2a.rockstable.it"))
With openssl version >= 1.1.1
It has become much easier since us can now use the option -addext ext
Fix permissions
Custom CA Certificates
Please do not put them in /etc/ssl/certs directly, use /usr/local/share/ca-certificates and perform
OpenSSL
Certificate chain verification
Create a directory like /etc/ssl/certs/, which may be used with option -CApath
Now you may verify against this specific certificate directory
Strict starttls against a smtp-server using the default -CAfile
Check for certificate expiration
Check fingerprints
Determine fingerprints
Diffie-Hellman Parameters
Generate or renew files with Diffie-Hellman-Parameters
Here's a little script that generates the DH-Parameters and stores them in a safe way.
/usr/local/sbin/dh_renew.sh
1 #!/bin/bash -eu
2
3 # AUTOMATE EXCHANGE OF DH-PARAMERTER
4 # GENERATION OF FILES TAKES A WHILE
5 # DUE TO LIMITED ENTROPY IN VMS
6
7 umask 022
8
9 DIR_TMP="$(mktemp -d)"
10 DIR_DST="/etc/ssl/dhparam"
11
12 if ! dpkg-query -s ssl-cert |grep -q "ok installed" ; then
13 echo "Please install ssl-cert first. Exiting …"
14 exit 2
15 fi
16
17 install -o root -g ssl-cert -m 750 -d "$DIR_DST"
18
19 echo -e '\nGenerating files in tmp-dir:'
20 for SIZE in 512 1024 2048 4096; do
21 FILE_PATH_TMP="$DIR_TMP/dhparam_${SIZE}.tmp"
22 openssl dhparam -out "$FILE_PATH_TMP" "$SIZE"
23 chown root:ssl-cert "$FILE_PATH_TMP"
24 chmod 640 "$FILE_PATH_TMP"
25 done
26
27 echo -e '\nMoving files to destination:'
28 for FILE_PATH_SRC in ${DIR_TMP}/*.tmp; do
29 FILE_NAME="$(basename "$FILE_PATH_SRC")"
30 FILE_PATH_DST="$DIR_DST/${FILE_NAME%.tmp}.pem"
31 mv -v "$FILE_PATH_SRC" "$FILE_PATH_DST"
32 done
33
34 echo -e '\nCleaning up:'
35 [ -n "$DIR_TMP" ] && [ -d "$DIR_TMP" ] && grep -q '^/tmp/.\+' <<< "$DIR_TMP" && \
36 rm -rv "$DIR_TMP"
37
38 cat <<- EOF
39
40 You should now restart your services:
41 postfix reload
42 systemctl restart apache2.service
43
44 EOF
This will take some time!
Conversions
CER to PEM