OpenSSL: demystifying command line parameters

Creating a certificate using openssl is a task that most IT Admins will face sooner or later. SSL/TLS is often used to secure communications between browser and web server - but that's not the only use case. Certificates can be used by Log Management/SIEM Engineers to protect data in transit by establishing secure links between system components (note: TLS mutual authentication is also desired in this scenario to ensure data integrity). 
 
Eventually, understanding openssl is an important topic for LPIC-303 exam (and the primary reason that encouraged me to write this post, to be honest). 

Creating a private key

openssl genrsa -des3 -out priv.key 2048

genrsa    generate an RSA private key

-des3    use 3DES cipher to encrypt the key; passphrase is required

-out <filename>    output the key to the specified file

[numbits] 2048    the size of the private key to generate in bits; 2048 is the default one but you should consider 4096 key length, see this excellent blog post from  Daniel Pocock to learn more

 

Creating a self signed certificate

This command may be used to generate a test certificate or a self signed root CA.

openssl req -new -x509 -key priv.key -out cert.pem -days 360 -set_serial 123456

req    creates and processes certificate requests in PKCS#10 format

-new    generates a new certificate request; it will prompt the user for the relevant field values

-x509    outputs a self signed certificate

-key <filename>    the file to read the private key from

 -out <filename>    specifies the output filename

-days <number>    the certificate expires after this number of days; default is 30

-set_serial <number>    certificate serial number; unless this option is specified, a large random number will be used


Creating a CSR

A certificate signing request (CSR) is a block of encoded text provided to the CA for signing. It contains information that the CA will use to create your certificate.

openssl req -new -key priv.key -out req.csr

 

Signing a CSR

openssl ca -in req.csr -extensions v3_ca -out newcert.pem

ca can be used to sign certificate requests and generate CRLs; it also maintains a text database of issued certificates and their status

-in <filename>   a single certificate request to be signed by the CA

-extensions v3_ca    certificate extensions to be added when a certificate is issued; in this case v3

-out <filename>    the output file

 

Bonus: Generating a password with OpenSSL

This command is not required for LIPC-3 but I still find it useful. 

openssl rand -base64 32

 rand    outputs n pseudo-random bytes

-base64    perform base64 encoding on the output

<num>    number of bytes to generate

 

Comments

Post a Comment

Popular posts from this blog

Splunk: Authentication with Discord? Wht not! (OAuth 2.0)

Image
As some of you may already know, thanks to OAuth standard (which stands for Open Authorization) we don't need a separate account for every single website. It allows us to share information about our Google account with a third party, such as our name and e-mail address. On many sites we are free to use that "Login with Google/Facebook/other" button to sign up and/or login. Thanks to OAuth we don't have to give our password to the app/website. Upon login we are redirected to the OAuth provider site to login there (for instance to our Google account). And now the best part - if we are already logged on the provider site, this is likely to result in instant login on a third party site (sometimes interrupted by a pop up to confirm OAuth scope).  Here is a list of well-known OAuth providers (Wikipedia): https://en.wikipedia.org/wiki/List_of_OAuth_providers To get better understanding of OAuth 2.0 I would recommend reading these docs for developers: Using OAuth 2.0 to Acces
Read more

Study notes: Understanding DNSSEC

Image
DNSSEC Recently I have been researching materials covering DNSSEC as it is an important subject for LPIC-3 Exam 303. DNSSEC has been developed to address security issues of the DNS protocol, in particular preventing DNS cache poisoning attacks . Below I post DNSSEC description from Internet Corporation for Assigned Names and Numbers (ICANN), which I find useful and included in my study notes.  "DNSSEC strengthens authentication in DNS using digital signatures based on public key cryptography. With DNSSEC, it's not DNS queries and responses themselves that are cryptographically signed, but rather DNS data itself is signed by the owner of the data. Every DNS zone has a public/private key pair. The zone owner uses the zone's private key to sign DNS data in the zone and generate digital signatures over that data. As the name "private key" implies, this key material is kept secret by the zone owner. The zone's public key, however, is published in the zone itself
Read more

Linux: auditd fundamentals

Image
auditd stands for the audit daemon and it can be used to log events happening on a Linux host. It is a very powerful tool that can enable Threat Detection and/or - as the name suggests - create audit records. It writes to /var/log/audit/audit.log and collects such information as timestamp, PID, UID, Audit UID (auid), session info (ses), SELinux info (subj) and message (msg). Installation auditd is installed by default on most of the Linux distributions. In my case, I'm using RHEL 8 for the test purpose. The package is called audit .  Rules auditd is rule-based software and it support the following three types of rules: control : to configure general settings of the audit system, such as event rate limit, etc. file : file rules or watches can monitor files or directories and are using the following syntax: -w path-to-file -p permissions -k keyname syscall : these rules are loaded into the matching engine that intercepts every single syscall on the system and for this reason they
Read more