How can I convert my P12 cert into a PEM file
From https://stackoverflow.com/questions/15144046/converting-pkcs12-certificate-into-pem-using-openssl
To convert your P12 certificate file (that has your cert and private key, at a minimum in it) you use the following command:
IN_P12=YOUR.p12
OUT_PEM=YOUR-cert-n-key.encrypted.pem
openssl pkcs12 -in $IN_P12 -out $OUT_PEM
You’ll be prompted for your P12 passphrase, and the PEM passphrase you want to use for YOUR.pem.
NOTE: If you want/need to strip off your password simply add -nodes command like this:
OUT_PEM=YOUR-cert-n-key.pem
openssl pkcs12 -in $IN_P12 -out $OUT_PEM -nodes
If you want to have two separate files then use
openssl pkcs12 -in path.p12 -out newfile.crt.pem -clcerts -nokeys
openssl pkcs12 -in path.p12 -out newfile.key.pem -nocerts -nodes
How can I dump all certs in a PEM file?
See https://unix.stackexchange.com/a/696244/119816
while openssl x509 -noout -text; do :; done < cert-bundle.pem
(Q) How can I extract an encrypted private key out of a PEM file and save it without the passphrase?
openssl pkey -in $IN_P12 -out newfile.key.pem
By default, no passphrase is needed for the -out file. If you need the key encrypted, using a different encryption schema use: -aes256, -des, or -des3 as
you wish.
Info about certs
(Q) How can I dump a Java keystore file to see what is in it?
JKSFILE=/data/myproj/certs/myproj.jks
JKSFILE=/etc/pki/ca-trust/extracted/java/cacerts
JKSFILE=out.jks
keytool -list -v -keystore $JKSFILE -storepass changeme | less
(Q) How can I import a PEM formated cert into my Java Truststore (ca.jks)?
keytool -importcert -file "neo-all.crt" -keystore ca.jks -alias "NeoProj"
(Q) How can I convert a JKS formatted keystore to a P12 formatted keystore?
keytool -importkeystore -srckeystore ca.jks -destkeystore ca.p12 -srcstoretype JKS -deststoretype PKCS12
(Q) How can I enable Java certificate/mutual authentication logging?
JAVA_CERT_LOGGING="-Djavax.net.debug=ssl:handshake:verbose"
java $JAVA_CERT_LOGGING -jar foo.jar ARGS
To do this in Java code you could use:
@Import(AppConfig.class)
@SpringBootApplication
@Slf4j
public class HelloAppWebApplication implements ApplicationRunner {
@Autowired
Environment env;
public static void main(String[] args) {
log.info("Args are: " + Arrays.toString(args));
List<String> argsList = new ArrayList<String>(Arrays.asList(args));
// argsList.add("--debug"); // Shows debug info for SpringBoot
System.setProperty("javax.net.debug", "ssl:handshake:verbose");
args = argsList.toArray(new String[0]);
SpringApplication.run(HelloAppWebApplication.class, args);
}
(Q) How can I pass a certificate to curl?
CURL_OPTS="--cert $CURL_CERT_PEM --key $CURL_CERT_KEY --cacert $CURL_CA_BUNDLE"
curl $CURL_OPTS https://example.com/my/path
Creating a Cert
(Q) How can I Create a self signed cert with a private key (no password/passphrases)? Like this
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 1825 -nodes
Generating a 4096 bit RSA private key
.........................................++
....................................................++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Maryland
Locality Name (eg, city) [Default City]:Columbia
Organization Name (eg, company) [Default Company Ltd]:Localhost Services
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:webmaster@steranka.com
To see the files created
ls -ltr
total 8
-rw-rw---- 1 pats users 3272 Nov 30 19:30 key.pem
-rw-rw---- 1 pats users 2106 Nov 30 19:30 cert.pem
NO pass phrase used to. These certs a not password protected.
(Q) How can I dump the cert?
openssl x509 -in cert.pem -text -noout
From URL: https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
(Q) How can I dump the contents of the p12 file created?
openssl pkcs12 -info -in key-and-cert.p12 -nodes
# reuse this command with any file use the following
INFILE=key-and-cert.p12
openssl pkcs12 -info -in $INFILE -nodes
(Q) How can I create a keystore that has the cert and private key? Add private key and cert to keystore.jks
openssl pkcs12 -export -in cert.pem -inkey key.pem -name localhost > key-and-cert.p12
keytool -importkeystore -srckeystore key-and-cert.p12 -destkeystore keystore.jks -deststoretype jks -srcstoretype pkcs12 -alias localhost
From URL: https://docs.oracle.com/en/database/other-databases/nosql-database/18.3/security/import-key-pair-java-keystore.html
Used this for reference https://www.ssl.com/how-to/manually-generate-a-certificate-signing-request-csr-using-openssl/
openssl req -newkey rsa:4096 -keyout ki.key -out ki.csr
More
Researching: https://stackoverflow.com/questions/54445450/import-p7b-file-to-java-keystore-using-keytool
keytool -printcert -file ki-base64-cert-chain.p7b
openssl pkcs7 -print_certs [-text] -in whatever.p7b
openssl pkcs7 -print_certs -inform der -in ki-der-cert-chain.p7b | head
openssl pkcs7 -print_certs -inform pem -in ki-base64-cert-chain.p7b | head
Getting Secrets from K8S
(Q) How can I get the database password from a postgresql deployment inside of K8S?
The following worked for me.
kg secret postgresql --template="" | base64 -d
Trying out git-crypt (from devops team)
sudo yum -y install gcc-c++ openssl-devel openssl
git clone https://github.com/AGWA/git-crypt.git
cd git-crypt
make ENABLE_MAN=yes
make ENABLE_MAN=yes install PREFIX="${HOME}/.local"
git-crypt --version
git-crypt 0.6.0
Initial Setup
git-crypt init
git-crypt add-gpg-user "your-email@gmail.com"
vim .gitattributes
git-crypt status
(Q) How can I use openssl to view the certificate chain of the server I’m connecting to? (A) Like this
openssl s_client -connect www.google.com:443
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = www.google.com
verify return:1
---
Certificate chain
0 s:/CN=www.google.com
i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
2 s:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFUjCCBDqgAwIBAgIQYDXMqQHtWiMJO7OdoHRzjjANBgkqhkiG9w0BAQsFADBG
. . . truncated . . .
IwYBrsfDvySRiAjlGYlU0xK+fAwN0Q==
-----END CERTIFICATE-----
subject=/CN=www.google.com
issuer=/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4904 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 1DD1B8DA8CC58FB463E39E7474689F04FDEEE8BB4B0DCEB782B1921B2B42A5A3
Session-ID-ctx:
Master-Key: 46C73DE1F84C9112884A89834CE3E4CBE778D135172C97A89DDF4BD674C579895E754A3EBA88F5F446B17E3B141E06BB
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - 02 7f a8 a7 b2 09 35 9d-cf 42 71 cc f6 e7 6d 2a ......5..Bq...m*
. . . truncated session ticket . . .
Start Time: 1686795149
Timeout : 300 (sec)
Verify return code: 0 (ok)
(Q) Can I use openssl to show the mutual authentication handshake? (A) You can but it has limited use if auth only happens sub-directories of an http://example.com/proj1/proj/path
HOST=example.com
openssl s_client -state -nbio -connect $HOST:443 -prexit -showcerts 2>&1 | grep "^SSL"
openssl s_client -state -showcerts -msg -prexit -connect $HOST:443 2>&1 | grep "^SSL"
For example,
openssl s_client -state -showcerts -msg -prexit -connect $CURL_NO:443 2>&1 | grep "^SSL"
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
<<< THIS IS WHERE IT WOULD BE
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
SSL handshake has read 2091 bytes and written 415 bytes
Using curl to show the TLS handshake
Wow, this shows curl showing the TLS handshake message See https://stackoverflow.com/questions/50694429/curl-with-client-certificate-authentication
curl -v --cert cert.p12 --cert-type p12 --pass foobar
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
(Q) What are the high-level messages sent back and forth in mutual authentication? (A) See https://stackoverflow.com/questions/17173559/how-to-verify-if-java-sends-the-client-certificate-in-a-mutual-auth-scenario/75379087#75379087
Produced ClientHello handshake message
Consuming ServerHello handshake message
Consuming server Certificate handshake message <<< Receiving Server cert
Consuming ECDH ServerKeyExchange handshake message
Consuming CertificateRequest handshake message <<< Server asking for client cert
Consuming ServerHelloDone handshake message
Produced client Certificate handshake message <<< Sending client cert
Produced ECDHE ClientKeyExchange handshake message
Produced CertificateVerify handshake message
Produced ChangeCipherSpec message
Produced client Finished handshake message
Consuming ChangeCipherSpec message
Consuming server Finished handshake message
(Q) When debugging mutual authentication, how can I tell multiple Java TLS connections apart? (A) See https://stackoverflow.com/questions/75837285/debugging-multiple-ssl-streams-in-java-how-to-tell-them-apart