OpenSSL
Contents
- OpenSSL
- About OpenSSL
- Install
- Information about the local openssl
- CA filesystem structure
- chain_check.sh
- Extract certificates from server
- Examine multiple certificates
- Certificate chain verification
- Check for certificate expiration
- Check fingerprints
- Diffie-Hellman Parameters
- Exclude CBC ciphers
- ssl-cert
- Custom CA Certificates
- CAcert root-certificate
About OpenSSL
Install
Install openssl
apt install openssl
or install openssl from source
Information about the local openssl
Debian 13 (Trixie)
openssl version -a
OpenSSL 3.4.0 22 Oct 2024 (Library: OpenSSL 3.4.0 22 Oct 2024)
built on: Mon Jan 6 18:01:42 2025 UTC
platform: debian-amd64
options: bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -Wa,--noexecstack -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/reproducible-path/openssl-3.4.0=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DZSTD -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-3"
MODULESDIR: "/usr/lib/x86_64-linux-gnu/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0x7ed8320b078bffff:0x209c01a9
So openssl by default reads "$OPENSSLDIR/openssl.cnf" as config, which in Debian is a link to "/etc/ssl/openssl.cnf"
CA filesystem structure
Create a PKI filesystem structure
Suggestions of different implementations are hidden in the comments.
chain_check.sh
Convenient bash script to extract and examine certificate chains.
chain_check.sh
Extract certificates from server
Quickly extract some certificate file from a server
Examine multiple certificates
Certificate chain verification
Create a directory like /etc/ssl/certs/, which may be used with option -CApath
Now you may verify against this specific certificate directory
Strict starttls against a smtp-server using the default -CAfile
Check for certificate expiration
Check fingerprints
Determine fingerprints
Diffie-Hellman Parameters
Generate or renew files with Diffie-Hellman-Parameters
Here's a little script that generates the DH-Parameters and stores them in a safe way.
/usr/local/sbin/dh_renew.sh
#!/bin/bash -eu

# AUTOMATE EXCHANGE OF DH-PARAMETERS
# GENERATION OF FILES TAKES A WHILE
# DUE TO LIMITED ENTROPY IN VMS

umask 022

DIR_TMP="$(mktemp -d)"
DIR_DST="/etc/ssl/dhparam"

# ssl-cert provides the group that owns the generated files
if ! dpkg-query -s ssl-cert |grep -q "ok installed" ; then
    echo "Please install ssl-cert first. Exiting …"
    exit 2
fi

install -o root -g ssl-cert -m 750 -d "$DIR_DST"

# 512- and 1024-bit groups are too weak for current use (Logjam);
# prefer the 2048- and 4096-bit files
echo -e '\nGenerating files in tmp-dir:'
for SIZE in 512 1024 2048 4096; do
    FILE_PATH_TMP="$DIR_TMP/dhparam_${SIZE}.tmp"
    openssl dhparam -out "$FILE_PATH_TMP" "$SIZE"
    chown root:ssl-cert "$FILE_PATH_TMP"
    chmod 640 "$FILE_PATH_TMP"
done

# Files are moved only after all of them have been generated
echo -e '\nMoving files to destination:'
for FILE_PATH_SRC in "$DIR_TMP"/*.tmp; do
    FILE_NAME="$(basename "$FILE_PATH_SRC")"
    FILE_PATH_DST="$DIR_DST/${FILE_NAME%.tmp}.pem"
    mv -v "$FILE_PATH_SRC" "$FILE_PATH_DST"
done

# Remove the temp dir only if it really is a directory below /tmp
echo -e '\nCleaning up:'
[ -n "$DIR_TMP" ] && [ -d "$DIR_TMP" ] && grep -q '^/tmp/.\+' <<< "$DIR_TMP" && \
    rm -rv "$DIR_TMP"

cat <<- EOF

You should now restart your services:
postfix reload
systemctl restart apache2.service

EOF
This will take some time!
Conversions
CER to PEM
PKCS12
When certificates are encrypted in RC2-CBC or 3DES_CBC the option -legacy will be necessary.
Please also see: FreeKB: OpenSSL - Display the contents of a PKCS12 file
Exclude CBC ciphers
As a positive list for inclusion
CIPHER=HIGH;
openssl ciphers "$CIPHER" \
|grep -Eo ':[^:]+CBC[^:]+:' \
|sed 's/^:/:-/;s/:$//' \
|tr -d '\n' \
|sed "s/^/$CIPHER/"
HIGH:-ECDHE-PSK-AES256-CBC-SHA384:-SRP-DSS-AES-256-CBC-SHA:-SRP-AES-256-CBC-SHA:-DHE-PSK-AES256-CBC-SHA384:-DHE-PSK-AES256-CBC-SHA:-PSK-AES256-CBC-SHA384:-ECDHE-PSK-AES128-CBC-SHA256:-SRP-DSS-AES-128-CBC-SHA:-SRP-AES-128-CBC-SHA:-DHE-PSK-AES128-CBC-SHA256:-DHE-PSK-AES128-CBC-SHA:-PSK-AES128-CBC-SHA256
As a block list for exclusion
CIPHER=HIGH;
openssl ciphers "$CIPHER" \
|grep -Eo ':[^:]+CBC[^:]+:' \
|sed 's/:$//' \
|tr -d '\n'
:ECDHE-PSK-AES256-CBC-SHA384:SRP-DSS-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA:PSK-AES256-CBC-SHA384:ECDHE-PSK-AES128-CBC-SHA256:SRP-DSS-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DHE-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA:PSK-AES128-CBC-SHA256
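Added example (not from the original page): OpenSSL names most CBC suites without the string "CBC" (ECDHE-RSA-AES256-SHA384 is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384), so this sketch selects on the IANA name printed by `openssl ciphers -stdname` instead of grepping the OpenSSL name. The function names and the sample lines are assumptions; the sample is constructed in the format of that command's output.

```sh
#!/bin/sh
# Added example, not part of the original page.
# Input for both functions: lines from `openssl ciphers -stdname <set>`:
#   <IANA name> - <OpenSSL name> <protocol> Kx=.. Au=.. Enc=.. Mac=..

# Print "<base>:-NAME:-NAME..." removing every suite whose IANA name has _CBC_.
# awk sees one suite per line, so neighbouring CBC suites cannot be skipped the
# way `grep -o ':...:'` skips them when two matches would share a colon.
cbc_exclusions() {
    awk -v base="$1" '
        $2 == "-" && $1 ~ /_CBC_/ { out = out ":-" $3 }
        END { print base out }'
}

# Print CBC suites whose OpenSSL name does not contain "CBC" at all,
# i.e. the ones a grep on the OpenSSL name never sees.
hidden_cbc() {
    awk '$2 == "-" && $1 ~ /_CBC_/ && $3 !~ /CBC/ { print $3 }'
}

# Constructed sample in the -stdname output format (not captured from a host).
SAMPLE_STDNAME='TLS_AES_256_GCM_SHA384 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 - ECDHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(256) Mac=SHA384
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA - ECDHE-PSK-AES256-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(256) Mac=SHA1
TLS_RSA_WITH_AES_256_CBC_SHA - AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1'

sample_exclusions() {
    printf '%s\n' "$SAMPLE_STDNAME" | cbc_exclusions HIGH
}

# Live use: sh cbc_exclusions.sh --live [cipher-set]
if [ "${1:-}" = "--live" ]; then
    openssl ciphers -stdname "${2:-HIGH}" | cbc_exclusions "${2:-HIGH}"
else
    sample_exclusions
fi
```

Piping the live `-stdname` output through `hidden_cbc` lists the suites that a match on the OpenSSL name leaves enabled.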
ssl-cert
Please do yourself a favor and install package "ssl-cert"
aptitude install ssl-cert
- package contains make-ssl-cert
- creates group ssl-cert and fixes unix filesystem permissions
- directory /etc/ssl/private must
  - be owned by root:ssl-cert
  - have unix filesystem permissions 740
    - this ensures that group members
      - can read contained files
      - cannot traverse or list directory contents
- files contained by directory /etc/ssl/private must
  - be owned by root:ssl-cert
  - have unix filesystem permissions 640
Sample listing
ls -l /etc/ssl/
Users that must be able to read a system private key must be members of the group "ssl-cert" (like www-data). A user whose group membership has changed during a session has to log out and log in again (e.g. systemctl restart apache2).
make-ssl-cert
Snakeoil
This is great for the purpose of testing and fast results. Generates a self-signed certificate and places it under the correct path, ownership and permissions.
make-ssl-cert generate-default-snakeoil --force-overwrite
This creates a 2048-bit RSA key pair, signs the public key as an X.509 certificate with the private key, and places the files with the correct permissions in the following positions:
But never think of going live with a self-signed certificate! This is insecure, when not using DANE.
If there is no trust anchor (signature of a certificate authority you trust or DANE), anybody located between Alice and Bob can break the chain and present you a totally different self-signed certificate with the same subject (like a proxy). It can probably even be crafted to collide with your hash/fingerprint, so you won't ever be able to detect it.
Quick self-signed cert with SAN - make-ssl-cert
make-ssl-cert can work with openssl templates like
/usr/share/ssl-cert/ssleay.cnf
#
# SSLeay example configuration file.
#

RANDFILE = /dev/urandom

[ req ]
default_bits = 4096
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
prompt = no
policy = policy_anything
req_extensions = v3_req
x509_extensions = v3_req

[ req_distinguished_name ]
commonName = @HostName@

[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName = @SubjectAltName@
The following command opens a debconf dialogue where the subject and subject alternative names are asked for, and generates a file which contains a self-signed certificate and the private key.
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf output_file.pem
Quick self-signed cert with SAN - OpenSSL
When you need to create certificate signing requests (CSRs) with subject alternative names (SANs), there are several possibilities.
Option 1 - extra configuration file
Minimum openssl version: none (< 1.1.1)
Create an extra config file
req_git.cnf
[ req ]
default_days = 1825
default_bits = 4096
distinguished_name = req_distinguished_name_git

[ req_distinguished_name_git ]
countryName_default = DE
stateOrProvinceName_default = Saxony
0.organizationName_default = Rockstable IT
#organizationalUnitName_default = DevOps
#commonName = git.1a.rockstable.it
#emailAddress =

[ v3_req_git ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:git.1a.rockstable.it,DNS:git1.1a.rockstable.it,DNS:git1.2a.rockstable.it
And use it with -reqexts v3_req_git or -extensions v3_req_git.
Option 2 - default configuration file
Minimum openssl version: none (< 1.1.1)
You may also extend the default configuration file with some additional sections
/etc/ssl/openssl.cnf
And use it with -reqexts v3_req_git or -extensions v3_req_git.
Or use .includedir …
Option 3 - specify on cli - process substitution
Minimum openssl version: none (< 1.1.1)
Create and load the openssl-config on the cli via some fancy process substitution:
CERT_CN="git.rockstable.it"
# Append a [SAN] section to the default config on the fly and select it with -extensions
openssl req -x509 -newkey rsa:4096 \
    -keyout "/etc/ssl/private/$CERT_CN.key" \
    -out "/etc/ssl/certs/$CERT_CN.crt" \
    -subj "/CN=$CERT_CN" \
    -days 1825 \
    -nodes \
    -extensions SAN \
    -config <(cat /etc/ssl/openssl.cnf \
        <(printf "[SAN]\nsubjectAltName=DNS:git1.1a.rockstable.it,DNS:git1.2a.rockstable.it"))
Option 4 - specify on cli - normal option
Minimum openssl version: none (>= 1.1.1)
It has become much easier since you can now use the option -addext ext
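Option 4 as an added example (not from the original page): `-addext` takes the extension in config syntax, so the helper below builds the subjectAltName value and tags IP literals as IP: rather than DNS:. The function names, the output directory argument and the example hostnames are assumptions; `-addext` and `x509 -ext` need OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example, not part of the original page.

# Build the value for -addext from a list of names.
# IP literals must be tagged IP:, everything else DNS:.
san_ext() {
    out=""
    for name in "$@"; do
        case "$name" in
            "")         continue ;;    # ignore empty arguments
            *:*)        kind=IP ;;     # IPv6 literal
            *[!0-9.]*)  kind=DNS ;;    # contains something other than digits/dots
            *)          kind=IP ;;     # dotted IPv4; openssl rejects malformed ones
        esac
        out="${out:+$out,}$kind:$name"
    done
    printf 'subjectAltName=%s\n' "$out"
}

# make_selfsigned CN OUTDIR [extra SAN ...]   (hypothetical helper)
# The CN is always included as the first SAN entry.
make_selfsigned() {
    cn="$1"; outdir="$2"; shift 2
    (
        umask 077   # the key must never be world-readable, even briefly
        openssl req -x509 -newkey rsa:4096 -nodes -days 1825 \
            -subj "/CN=$cn" \
            -addext "$(san_ext "$cn" "$@")" \
            -keyout "$outdir/$cn.key" -out "$outdir/$cn.crt"
    ) || return 1
    chmod 644 "$outdir/$cn.crt"
    # Show what actually ended up in the certificate.
    openssl x509 -in "$outdir/$cn.crt" -noout -ext subjectAltName
}

# Usage: sh selfsigned_san.sh --generate git.example.test ./out git1.example.test 192.0.2.10
if [ "${1:-}" = "--generate" ]; then
    shift
    make_selfsigned "$@"
fi
```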
Fix permissions
Custom CA Certificates
Please do not put them in /etc/ssl/certs directly, use /usr/local/share/ca-certificates and perform
/usr/lib/ssl/misc/CA.pl suggests
XCA suggests (when using the export function)