phares3757/.infineon
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
12-06
.infineon/_-Review/ssl-certs.md
Mike Phares 11bb8c848c Removed mklink for git
2024-11-06 12:39:13 -07:00

148 lines
5.0 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
created: 2024-05-19T06:33:47.209Z
type: note
updated: 2024-07-27T04:23:39.000Z
---
# SSL/TLS Certificates
X.509 is an ITU standard defining the format of public key certificates. X.509 are used in TLS/SSL, which is the basis for HTTPS. An X.509 certificate binds an identity to a public key using a digital signature. A certificate contains an identity (hostname, organization, etc.) and a public key (RSA, DSA, ECDSA, ed25519, etc.), and is either signed by a Certificate Authority or is Self-Signed.
## Self-Signed Certificates
### Generate CA
1. Generate RSA
```bash
openssl genrsa -aes256 -out "L:\Tmp\ca-key.pem" 4096
```
2. Generate a public CA Cert
```bash
openssl req -new -x509 -sha256 -days 3650 -key "L:\Tmp\ca-key.pem" -out "L:\Tmp\ca.pem"
```
### Optional Stage: View Certificate's Content
```bash
openssl x509 -in "L:\Tmp\ca.pem" -text
openssl x509 -in "L:\Tmp\ca.pem" -purpose -noout -text
```
### Generate Certificate
1. Create a RSA key
```bash
openssl genrsa -out "L:\Tmp\cert-key.pem" 4096
```
2. Create a Certificate Signing Request (CSR)
```bash
openssl req -new -sha256 -subj "/CN=phares" -key "L:\Tmp\cert-key.pem" -out "L:\Tmp\cert.csr"
```
3. Create a `extfile` with all the alternative names
```bash
echo subjectAltName=DNS:*.ddns.net,IP:192.168.0.11 > "L:\Tmp\extfile.cnf"
```
```bash
# optional
echo extendedKeyUsage = serverAuth >> "L:\Tmp\extfile.cnf"
```
4. Create the certificate
```bash
openssl x509 -req -sha256 -days 3650 -in "L:\Tmp\cert.csr" -CA "L:\Tmp\ca.pem" -CAkey "L:\Tmp\ca-key.pem" -out "L:\Tmp\cert.pem" -extfile "L:\Tmp\extfile.cnf" -CAcreateserial
```
5. Combine
```bash
cat "L:\Tmp\cert.pem" > "L:\Tmp\full-chain.pem"
cat "L:\Tmp\ca.pem" >> "L:\Tmp\full-chain.pem"
```
## Certificate Formats
X.509 Certificates exist in Base64 Formats **PEM (.pem, .crt, .ca-bundle)**, **PKCS#7 (.p7b, p7s)** and Binary Formats **DER (.der, .cer)**, **PKCS#12 (.pfx, p12)**.
### Convert Certs
COMMAND | CONVERSION
---|---
`openssl x509 -outform der -in cert.pem -out cert.der` | PEM to DER
`openssl x509 -inform der -in cert.der -out cert.pem` | DER to PEM
`openssl pkcs12 -in cert.pfx -out cert.pem -nodes` | PFX to PEM
## Verify Certificates
`openssl verify -CAfile ca.pem -verbose cert.pem`
## Install the CA Cert as a trusted root CA
### On Debian & Derivatives
- Move the CA certificate (`ca.pem`) into `/usr/local/share/ca-certificates/ca.crt`.
- Update the Cert Store with:
```bash
sudo update-ca-certificates
```
Refer the documentation [here](https://wiki.debian.org/Self-Signed_Certificate) and [here.](https://manpages.debian.org/buster/ca-certificates/update-ca-certificates.8.en.html)
### On Fedora
- Move the CA certificate (`ca.pem`) to `/etc/pki/ca-trust/source/anchors/ca.pem` or `/usr/share/pki/ca-trust-source/anchors/ca.pem`
- Now run (with sudo if necessary):
```bash
update-ca-trust
```
Refer the documentation [here.](https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/)
### On Arch
System-wide Arch(p11-kit)
(From arch wiki)
- Run (As root)
```bash
trust anchor --store myCA.crt
```
- The certificate will be written to /etc/ca-certificates/trust-source/myCA.p11-kit and the "legacy" directories automatically updated.
- If you get "no configured writable location" or a similar error, import the CA manually:
- Copy the certificate to the /etc/ca-certificates/trust-source/anchors directory.
- and then
```bash
update-ca-trust
```
wiki page [here](https://wiki.archlinux.org/title/User:Grawity/Adding_a_trusted_CA_certificate)
### On Windows
Assuming the path to your generated CA certificate as `C:\ca.pem`, run:
```powershell
Import-Certificate -FilePath "L:\Tmp\ca.pem" -CertStoreLocation Cert:\LocalMachine\Root
```
- Set `-CertStoreLocation` to `Cert:\CurrentUser\Root` in case you want to trust certificates only for the logged in user.
OR
In Command Prompt, run:
```sh
certutil.exe -addstore root C:\ca.pem
```
- `certutil.exe` is a built-in tool (classic `System32` one) and adds a system-wide trust anchor.
### On Android
The exact steps vary device-to-device, but here is a generalised guide:
1. Open Phone Settings
2. Locate `Encryption and Credentials` section. It is generally found under `Settings > Security > Encryption and Credentials`
3. Choose `Install a certificate`
4. Choose `CA Certificate`
5. Locate the certificate file `ca.pem` on your SD Card/Internal Storage using the file manager.
6. Select to load it.
7. Done!
## Download
- [redirecting-error-command-prompt](https://learn.microsoft.com/en-us/troubleshoot/developer/visualstudio/cpp/language-compilers/redirecting-error-command-prompt)
```bash
# </dev/null openssl s_client -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
# | openssl x509 > /tmp/$SERVERNAME.cert
"C:\Program Files\Git\mingw64\bin\openssl.exe" s_client -connect gitea.ddns.net:443 -servername gitea.ddns.net > gitea.ddns.net.msg 2> gitea.ddns.net.err
^C
"C:\Program Files\Git\mingw64\bin\openssl.exe" x509 -in gitea.ddns.net.msg > gitea.ddns.net.cert
certutil -addstore "Root" gitea.ddns.net.cert
certutil -store root | findstr gitea.ddns.net
```
Reference in New Issue View Git Blame Copy Permalink