Posts

Showing posts from July, 2021

OpenSSL: troubleshooting

Troubleshooting certificate issues is not an easy task. They can have various root causes: Common Name (CN) mismatch, use of a self-signed certificate, an expired certificate, an invalid certificate chain and many others. Fortunately, there are some commands to help.

Testing the client connection

    echo | openssl s_client -connect host:443 -state

In this example the echo command sends a newline and then closes stdin, so s_client terminates the connection after the handshake, and -state prints the SSL session states as they change. When the server hosts several names on one IP, add -servername host as well; without it the server may present its default certificate, which looks like a CN mismatch that does not exist in a browser.

    echo | openssl s_client -connect host:443 -status

The -status switch asks the server to staple an OCSP response to the handshake (the TLS status_request extension), so the client can check the revocation status of the certificate without contacting the Online Certificate Status Protocol (OCSP) responder itself; the stapled response, if any, is printed.

"With OCSP, a relying party is able to submit a certificate status request to an OCSP responder, such as a Certification Authority (CA). This returns an authentic, digitally signed response indicating the certificate status." - Entrust

More on OCSP: https://www.entrust.com/knowledgebase/ssl/online-certificate-stat...
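The root causes listed above can be reproduced and diagnosed offline. The following shell script is an added example and is not part of the original post: instead of connecting to a live host with s_client, it builds a throwaway self-signed certificate and then applies the openssl x509 and openssl verify checks you would run against a certificate saved from openssl s_client -showcerts. The hostname web.example.test, the one-day validity and the file names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the common certificate
# root causes (hostname/CN mismatch, expiry, self-signed, broken chain) with a
# constructed self-signed certificate and diagnose each with the openssl CLI.
# Hostname, validity and file names are assumptions for the demo.

WORK=$(mktemp -d)
CERT="$WORK/leaf.pem"
KEY="$WORK/leaf.key"

# Constructed input: a self-signed certificate for the given hostname, placed
# in both CN and subjectAltName, valid for the given number of days.
make_selfsigned_cert() {      # usage: make_selfsigned_cert <hostname> <days>
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CERT" \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" -days "$2" >/dev/null 2>&1
}

# Hostname / CN mismatch: -checkhost applies the same matching rules a TLS
# client uses (DNS SANs first; CN only as a fallback when no DNS SAN exists).
hostname_matches() {          # usage: hostname_matches <expected-hostname>
  openssl x509 -in "$CERT" -noout -checkhost "$1" | grep -q "does match"
}

# Expiry: -checkend N succeeds only if the certificate is still valid N
# seconds from now, which makes it a handy early-warning check in monitoring.
valid_for_seconds() {         # usage: valid_for_seconds <seconds>
  openssl x509 -in "$CERT" -noout -checkend "$1" >/dev/null
}

# Self-signed / invalid chain: "openssl verify" builds the chain against the
# system CA store. A self-signed leaf fails with error 18 (self signed
# certificate), the same number s_client reports as "verify error:num=18".
# Passing the certificate itself as -CAfile shows the fix of trusting it
# explicitly (pinning) instead of expecting a public CA to have signed it.
chain_verifies() {            # usage: chain_verifies [trusted-CA-file]
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" "$CERT" >/dev/null 2>&1
  else
    openssl verify "$CERT" >/dev/null 2>&1
  fi
}

make_selfsigned_cert web.example.test 1
hostname_matches web.example.test   && echo "web.example.test matches the certificate"
hostname_matches other.example.test || echo "other.example.test does NOT match (CN/SAN mismatch)"
valid_for_seconds 60                && echo "certificate is still valid in 60 seconds"
valid_for_seconds 172800            || echo "certificate will have expired within 2 days"
chain_verifies                      || echo "chain does not verify: self-signed, not in the CA store"
chain_verifies "$CERT"              && echo "verifies once the self-signed certificate is trusted via -CAfile"
```

Each function returns the openssl exit status, so the same checks can be dropped into a cron job or a health probe; for a live server, replace the constructed certificate with the output of openssl s_client -connect host:443 -showcerts.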

OpenSSL: demystifying command line parameters

Creating a certificate with openssl is a task that most IT admins will face sooner or later. SSL/TLS is most often used to secure communication between a browser and a web server, but that is not the only use case. Log management/SIEM engineers use certificates to protect data in transit by establishing secure links between system components (note: mutual TLS authentication is also desirable in this scenario, so that the sending component is authenticated to the receiver as well, not just the receiver to the sender). Example: Secure communication with Logstash.

Finally, understanding openssl is an important topic for the LPIC-303 exam (and, to be honest, the primary reason that encouraged me to write this post).

Creating a private key

    openssl genrsa -des3 -out priv.key 2048

genrsa      generate an RSA private key
-des3      encrypt the key with the 3DES cipher; a passphrase is required (3DES is a legacy cipher; -aes256 is the usual choice today)
-out <filename>      write the key to the specified file
[numbits] 2048      the size of the pr...
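The key-creation step above is interactive (genrsa prompts for the passphrase). The following shell script is an added example and is not part of the original post: it creates the passphrase-protected key non-interactively with -passout, confirms the file is really encrypted, checks it with openssl rsa, and then uses it for a certificate signing request, the next step towards the certificate. The file names, the demo passphrase and the subject /CN=logstash.example.test are assumptions for the demo; it uses -aes256 in place of the post's -des3.

```shell
#!/bin/sh
# Added example, not from the original post: create an encrypted RSA key
# without a prompt, verify it, and sign a CSR with it. File names, the
# passphrase and the subject are assumptions for the demo. In real use read
# the passphrase via -passout file:... or -passout env:VAR instead of putting
# it on the command line, where it is visible in the process list.

WORK=$(mktemp -d)
KEYFILE="$WORK/priv.key"
CSRFILE="$WORK/request.csr"
PASS="demo-passphrase"        # constructed for the example only

# A cipher flag makes genrsa encrypt the key; -passout supplies the passphrase
# genrsa would otherwise prompt for. -aes256 replaces the legacy -des3.
make_encrypted_key() {        # usage: make_encrypted_key <file> <passphrase> <bits>
  openssl genrsa -aes256 -passout "pass:$2" -out "$1" "$3" 2>/dev/null
}

# An encrypted key is marked in its PEM header: "ENCRYPTED PRIVATE KEY" for
# PKCS#8 output, or a "Proc-Type: 4,ENCRYPTED" line in the older RSA format.
key_is_encrypted() {          # usage: key_is_encrypted <file>
  grep -q "ENCRYPTED" "$1"
}

# "openssl rsa -check" decrypts the key and validates its RSA components; it
# fails with a wrong passphrase or a corrupted file.
key_opens_with() {            # usage: key_opens_with <file> <passphrase>
  openssl rsa -in "$1" -passin "pass:$2" -check -noout >/dev/null 2>&1
}

# Read back the modulus size to confirm the [numbits] argument took effect.
key_bits() {                  # usage: key_bits <file> <passphrase>
  openssl rsa -in "$1" -passin "pass:$2" -text -noout 2>/dev/null \
    | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# The key then signs a CSR; -passin unlocks it without a prompt.
make_csr() {                  # usage: make_csr <keyfile> <passphrase> <csrfile> <subject>
  openssl req -new -key "$1" -passin "pass:$2" -subj "$4" -out "$3" 2>/dev/null
}

# "req -verify" checks the CSR's self-signature, i.e. that it was signed by the
# private key matching the public key embedded in the request.
csr_verifies() {              # usage: csr_verifies <csrfile>
  openssl req -in "$1" -verify -noout >/dev/null 2>&1
}

make_encrypted_key "$KEYFILE" "$PASS" 2048
key_is_encrypted "$KEYFILE"          && echo "key is passphrase-protected"
key_opens_with "$KEYFILE" "$PASS"    && echo "key decrypts and passes -check"
key_opens_with "$KEYFILE" "wrong"    || echo "wrong passphrase is rejected"
echo "key size: $(key_bits "$KEYFILE" "$PASS") bits"
make_csr "$KEYFILE" "$PASS" "$CSRFILE" "/CN=logstash.example.test"
csr_verifies "$CSRFILE"              && echo "CSR signature verifies"
```

The CSR produced at the end is what a CA (or your own openssl ca setup) signs to produce the certificate; the encrypted key never leaves the host.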