ssl stuff
Vahid Hedayati edited this page Feb 17, 2016
openssl req -new -x509 -days 3650 -extensions v3_ca -keyout master-cert.pem -out root-cacert.pem -config /etc/ssl/openssl.cnf -newkey rsa:4096
Generating a 4096 bit RSA private key
.....................................................................................++
...........................................................................................................................................................................................................................++
unable to write 'random state'
writing new private key to 'master-cert.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:GB
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:foo.com
Organizational Unit Name (eg, section) []:foo.com
Common Name (e.g. server FQDN or YOUR name) []:foo.com
Email Address []:mail@foo.com
/sbin/ifconfig -a|grep addr|grep 192
inet addr:192.168.1.196 Bcast:192.168.1.255 Mask:255.255.255.0
sudo vi /etc/hosts
[sudo] password for mx1:
mx1@mx1-DTP:~$ grep foo /etc/hosts
192.168.1.196 foo.com
openssl req -new -nodes -out server-csr.pem -keyout server-key.pem -newkey rsa:4096
openssl req -new -key master-cert.pem -out master-cert.csr
-------------------
mx1@mx1-DTP:~$ openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.............................++++++
...++++++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
mx1@mx1-DTP:~$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:GB
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:foo.com
Organizational Unit Name (eg, section) []:foo.com
Common Name (e.g. server FQDN or YOUR name) []:foo.com
Email Address []:f@foo.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:changeme
An optional company name []:foo
mx1@mx1-DTP:~$
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name mycert
Enter pass phrase for server.key:
Enter Export Password:
Verifying - Enter Export Password:
unable to write 'random state'
keytool -importkeystore -destkeystore server.jks -srckeystore server.p12 -srcstoretype pkcs12 -alias mycert
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
mx1@mx1-DTP:~$ ls -rtml |tail -n1
-rw-rw-r-- 1 mx1 mx1 1396 Feb 17 21:07 server.jks
keytool -list -v -keystore server.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: mycert
Creation date: 17-Feb-2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=f@foo.com, CN=foo.com, OU=foo.com, O=foo.com, L=London, ST=GB, C=UK
Issuer: EMAILADDRESS=f@foo.com, CN=foo.com, OU=foo.com, O=foo.com, L=London, ST=GB, C=UK
Serial number: afd90b267d64ff57
Valid from: Wed Feb 17 21:05:10 GMT 2016 until: Thu Feb 16 21:05:10 GMT 2017
Certificate fingerprints:
MD5: B5:BA:68:AE:73:5C:91:3C:6D:14:BF:87:90:13:8C:8C
SHA1: 7B:88:60:B8:AE:4C:37:1A:BB:93:65:8F:3E:7D:B3:03:33:91:72:AC
SHA256: A5:75:C7:50:C7:7A:25:A1:5B:C7:FB:F3:76:7F:DC:40:F7:E4:70:51:39:2E:FA:1D:84:90:52:30:66:5B:54:0D
Signature algorithm name: SHA256withRSA
Version: 1
*******************************************
*******************************************
failed ..
Download and compile this https://raw.githubusercontent.com/escline/InstallCert/master/InstallCert.java
Then run
$JAVA_HOME/bin/java InstallCert localhost:8443
Loading KeyStore /usr/lib/jvm/jdk1.8.0_45/jre/lib/security/cacerts...
Opening connection to localhost:8443...
Starting SSL handshake...
No errors, certificate is already trusted
Server sent 1 certificate(s):
1 Subject CN=localhost, OU=Test, O=Test, C=US
Issuer CN=localhost, OU=Test, O=Test, C=US
sha1 6d 95 03 f4 70 73 3b 8f ac e8 41 0c c4 ae bd 7b 6d 1f ce 6c
md5 22 ed a9 12 14 2d 36 6c b1 d1 03 ad 2d 3c 61 60
Enter certificate to add to trusted keystore or 'q' to quit: [1]
1
[
[
Version: V3
Subject: CN=localhost, OU=Test, O=Test, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 23675735455219264468038213845707324156703576649278293233871186439946036444672420254297700303784544335207200845127315002581618733319098975736877405779777939775296778369894661737522077205591410991602476170578359723094442660233415031827182669930292604287354889471349595527846955262532045210910559689516780206798476335436442682527448979369479036020295411594573422011382669391100011094981177391794199000669519153228739701052506375608566043411141809326566533598330851035109341454601963739717002229505686165994552631024168184441875801076716409524184818440666897740306681150713926128655275673175475248360482756445750199029233
public exponent: 65537
Validity: [From: Mon Feb 15 22:19:42 GMT 2016,
To: Tue Feb 14 22:19:42 GMT 2017]
Issuer: CN=localhost, OU=Test, O=Test, C=US
SerialNumber: [ 54e14fc7]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 89 AD 4C 84 EC 4B E9 66 06 6D 12 77 5D 2F A7 2F ..L..K.f.m.w]/./
0010: A9 94 DA 28 ...(
]
]
]
Algorithm: [SHA256withRSA]
Signature:
]
Added certificate to keystore 'jssecacerts' using alias 'localhost-1'
mx1@mx1-DTP:~/IdeaProjects/test2$
sudo cp jssecacerts /usr/lib/jvm/jdk8//jre/lib/security/
$ rm .keystore*
$ gv 3
$ $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
Enter key password for <tomcat>
(RETURN if same as keystore password):
Re-enter new password:
$
$
$ $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password:
keytool error: java.lang.Exception: Key pair not generated, alias <tomcat> already exists
$ keytool -delete -alias tomcat
Enter keystore password:
$ $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password:
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
Enter key password for <tomcat>
(RETURN if same as keystore password):
Re-enter new password:
$JAVA_HOME/bin/keytool -list -keystore ~/.keystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
tomcat, 16-Feb-2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): DE:C5:C2:FD:F8:24:04:92:9E:3C:D4:CE:1E:7F:6A:33:EC:52:B2:1F
keytool -list -keystore "$JAVA_HOME/jre/lib/security/cacerts"
/IdeaProjects/test$ sudo keytool -import -noprompt -trustcacerts -alias tomcat -file /home/userDocuments/localhost.csr -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit
Certificate was added to keystore
grails -Dserver.port=8081 -Djavax.net.ssl.trustStore="$JAVA_HOME/jre/lib/security/cacerts" -Djavax.net.ssl.trustStorePassword=changeit run-app -https
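The keystore listings above are worth checking before a certificate gets imported into cacerts. This added Python example (not from this page or its project) parses a `keytool -list -v` entry and flags what the server.jks output shows: a self-signed subject, an X.509 v1 certificate with no SubjectAltName, a key below 2048 bits and an out-of-window date. The sample listing is constructed from the server.jks output above, with a `Key:` line in the form InstallCert prints (an assumption, since `keytool -list` does not show key size) filled with the 1024-bit size used for server.key.

```python
import re
from datetime import datetime

# Constructed sample built from the server.jks listing on this page (Key line is assumed).
SAMPLE_LISTING = """\
Alias name: mycert
Owner: EMAILADDRESS=f@foo.com, CN=foo.com, OU=foo.com, O=foo.com, L=London, ST=GB, C=UK
Issuer: EMAILADDRESS=f@foo.com, CN=foo.com, OU=foo.com, O=foo.com, L=London, ST=GB, C=UK
Valid from: Wed Feb 17 21:05:10 GMT 2016 until: Thu Feb 16 21:05:10 GMT 2017
Signature algorithm name: SHA256withRSA
Version: 1
Key: Sun RSA public key, 1024 bits
"""
WEAK_SIG_ALGS = {"MD2withRSA", "MD5withRSA", "SHA1withRSA"}

def parse_entry(text):
    # Each line is "Field: value"; the first ": " separates key from value.
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def parse_validity(value):
    """Parse 'Wed Feb 17 21:05:10 GMT 2016 until: Thu Feb 16 21:05:10 GMT 2017'."""
    def to_dt(s):  # drop the zone name so strptime does not depend on locale tz tables
        return datetime.strptime(re.sub(r" [A-Z]{3,4} (\d{4})$", r" \1", s), "%a %b %d %H:%M:%S %Y")
    start, _, end = value.partition(" until: ")
    return to_dt(start), to_dt(end)

def audit(fields, now):
    # Return a list of findings for one keystore entry as of `now`.
    findings = []
    if fields.get("Owner") == fields.get("Issuer"):
        findings.append("self-signed (Owner == Issuer): every client must be given this exact cert to trust it")
    if fields.get("Version") == "1":
        findings.append("X.509 v1: no extensions, so no SubjectAltName; browsers no longer match hostnames on CN")
    sig = fields.get("Signature algorithm name", "")
    if sig in WEAK_SIG_ALGS:
        findings.append(f"weak signature algorithm {sig}")
    m = re.search(r"RSA public key, (\d+) bits", fields.get("Key", ""))
    if m and int(m.group(1)) < 2048:
        findings.append(f"RSA key too short: {m.group(1)} bits (use 2048 or more)")
    if "Valid from" in fields:
        not_before, not_after = parse_validity(fields["Valid from"])
        if not not_before <= now <= not_after:
            findings.append(f"not valid on {now:%Y-%m-%d} (valid {not_before:%Y-%m-%d} to {not_after:%Y-%m-%d})")
    return findings

def audit_listing(text, on_date):
    # Convenience wrapper: audit a listing as of an ISO date string such as "2016-02-18".
    return audit(parse_entry(text), datetime.strptime(on_date, "%Y-%m-%d"))
```

Run `audit_listing(SAMPLE_LISTING, "2016-02-18")` to see the three findings for the page's certificate; a date after 16 Feb 2017 adds the expiry finding.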