
MaxSpirit - passionate about ICT!

Melle Visser

https://www.maxspirit.nl

Revoked Certificate?

Certificates Posted on Wed, February 23, 2022 09:04:27

Revoked certificate: how do you check for that?

You can use this website: https://decoder.link/result

But of course we can also use openssl 😉

What you need:

  • the PEM certificate
  • the PEM certificate of the intermediate (or of the root if there is no intermediate)
  • openssl

Retrieve the ocsp_uri:
openssl x509 -in certificate.pem -noout -ocsp_uri

The responder URL is taken from the Authority Information Access extension of the certificate you want to check, so read it from the leaf, not from the intermediate. DigiCert happens to use the same responder for its intermediates and leaves, so running this on intermediate.pem gives the same answer here, but in general it will not.

$ openssl x509 -in certificate.pem -noout -ocsp_uri
http://ocsp.digicert.com

With this ocsp_uri we can request the status:
openssl ocsp -no_nonce -issuer intermediate.pem -cert certificate.pem -url <ocsp_uri> -VAfile intermediate.pem

$ openssl ocsp -no_nonce -issuer intermediate.pem -cert certificate.pem -url http://ocsp.digicert.com -VAfile intermediate.pem

A few notes on the flags. -issuer is required because the request identifies the certificate by hashes of the issuer name and issuer key. -VAfile tells openssl to trust intermediate.pem as the signer of the response; for CAs that sign responses with a delegated responder certificate, use -CAfile with the CA chain instead. -no_nonce leaves out the anti-replay nonce; most public responders serve pre-signed answers and ignore the nonce anyway (you would only get "WARNING: no nonce in response"), so the This Update / Next Update window is what bounds how old the answer may be. With OpenSSL 1.0.x you also have to add -header "Host" "ocsp.digicert.com", because that version does not send an HTTP Host header. Finally, openssl ocsp exits 0 for "good" and for "revoked" alike, and it prints the status line even when signature verification fails, so a script has to parse the status line and only trust it when "Response verify OK" precedes it.

Example response:

Response verify OK
certificate.pem: revoked
This Update: Feb 21 16:57:01 2022 GMT
Next Update: Feb 28 16:12:01 2022 GMT
Revocation Time: Jan 17 07:24:28 2022 GMT

or

Response verify OK
certificate.pem: good
This Update: Feb 20 20:44:10 2022 GMT
Next Update: Feb 27 20:44:10 2022 GMT
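The check above as a script, added here as an example (it is not code from the original post). It reads the responder URL from the leaf, queries it, and turns the textual answer into an exit code, which is what you need in a cron job or a deploy pipeline. File names certificate.pem and intermediate.pem are the ones from the post; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post: the OCSP check as a script
# with a usable exit code. Assumes the file names from the post
# (certificate.pem = leaf, intermediate.pem = its issuer) and openssl on PATH.

# Read the responder URL from the leaf's Authority Information Access extension.
ocsp_uri() {  # cert.pem
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Turn `openssl ocsp` output (stdin) into an exit code:
#   0 = good, 1 = revoked, 2 = unknown, not verified, or no usable answer.
# openssl ocsp itself exits 0 for "revoked" too, and it still prints the
# status line when signature verification fails, so both the "Response
# verify OK" line and the status line are required.
ocsp_classify() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^Response verify OK$' || return 2
    status=$(printf '%s\n' "$out" | sed -nE 's/^.*: (good|revoked|unknown)$/\1/p' | head -n 1)
    case $status in
        good)    return 0 ;;
        revoked) return 1 ;;
        *)       return 2 ;;
    esac
}

# Query the responder named in the leaf and classify the answer.
# -VAfile trusts the issuer as the response signer, as in the post; for CAs
# that sign responses with a delegated responder certificate use
# -CAfile chain.pem instead. The nonce is kept: responders that serve
# pre-signed answers only cause "WARNING: no nonce in response" and the
# result is still verified.
ocsp_check() {  # cert.pem issuer.pem
    url=$(ocsp_uri "$1" | head -n 1)
    [ -n "$url" ] || return 2
    openssl ocsp -issuer "$2" -cert "$1" -url "$url" -VAfile "$2" 2>&1 | ocsp_classify
}

# Usage: sh ocsp_check.sh certificate.pem intermediate.pem
if [ $# -eq 2 ]; then
    ocsp_check "$1" "$2"; rc=$?
    case $rc in
        0) echo "$1: good" ;;
        1) echo "$1: REVOKED" ;;
        *) echo "$1: status unknown or response not verified" ;;
    esac
    exit $rc
fi
```

Exit code 2 covers "unknown" as well as a failed signature check on purpose: an answer you could not verify must not be treated as "good".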

See also: https://www.sslcertificaten.nl/support/Terminologie/Online_Certificate_Status_Protocol_(OCSP)



Oracle Wallet toolkit

Certificates Posted on Fri, November 02, 2018 16:49:02

Oracle uses the Oracle Wallet to store certificates in.
Here are a number of ways to work with it.

Create an Oracle Wallet
$ORACLE_HOME/oracle_common/bin/orapki wallet create -wallet ./ -pwd "geheim"

Import a Java keystore into an Oracle Wallet
$ORACLE_HOME/oracle_common/bin/orapki wallet jks_to_pkcs12 -wallet ./ -pwd "geheim" \
-keystore KEYSTORE.jks -jkspwd "geheim"

Import a PKCS#12 keystore into an Oracle Wallet
$ORACLE_HOME/oracle_common/bin/orapki wallet import_pkcs12 -wallet ./ -pwd "geheim" \
-pkcs12file P12.p12 -pkcs12pwd "geheim"

Import a PEM certificate into an Oracle Wallet as a trusted certificate (use -user_cert instead for your own certificate, whose key is already in the wallet)
$ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet ./ -trusted_cert -cert ./CERTIFICATE.pem -pwd "geheim"

Enable auto-login for the Oracle Wallet (this creates cwallet.sso next to ewallet.p12)
$ORACLE_HOME/oracle_common/bin/orapki wallet create -wallet ./ -auto_login -pwd "geheim"

An auto-login wallet can be opened by anyone who can read the file, so file permissions are its only protection. -auto_login_local ties the wallet to the OS user and host that created it and is the better choice when the wallet only has to work on one server.

Show what is in the Oracle Wallet
$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet ./ -pwd "geheim"

In all of the above you can leave out -pwd and type the password at the prompt; on the command line it ends up in your shell history and in the process list.

Oracle Wallet help page

$ORACLE_HOME/oracle_common/bin/orapki help

Oracle PKI Tool : Version 12.2.1.3.0
Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.

orapki [crl|wallet|cert|help] <-nologo> <-jsafe>
Syntax :
[-option [value]] : mandatory, for example [-wallet [wallet]]
[-option <value>] : optional, but when option is used its value is mandatory.
<option> : optional, for example <-summary>, <-complete>
[option1] | [option2] : option1 'or' option2

$ORACLE_HOME/oracle_common/bin/orapki wallet help

Oracle PKI Tool : Version 12.2.1.3.0
Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.

wallet:
create [-wallet [wallet]] [[-pwd <pwd>] [-auto_login|-auto_login_local]] | [-auto_login_only] [-with_trust_flags] [-compat_v12]
display [-wallet [wallet]] <-summary|-complete> [-pwd <pwd>]
convert [-wallet [wallet]] [-pwd <pwd>] | [-auto_login_only] [-compat_v12]
change_pwd [-wallet [wallet]] [-oldpwd <oldpwd>] [-newpwd <newpwd>]
enable_trust_flags [-wallet [wallet]] [-pwd <pwd>] | [-auto_login_only] <-untrust_all>
add [-wallet [wallet]] <[-dn [dn]]> <-asym_alg [RSA|ECC]> <[-keysize [512|1024|2048|4096|8192|16384]] |
[-eccurve [p192|p224|p256|p384|p521|k163|k233|k283|k409|k571|b163|b233|b283|b409|b571]]>
<-self_signed [-validity [days]] | [-valid_from [mm/dd/yyyy] -valid_until [mm/dd/yyyy]]
[-serial_file <file_loc>] | [-serial_num <serial_num>]> <-addext_ski>
<-addext_ku digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign,encipherOnly,decipherOnly>
<-addext_basic_cons [CA] | [-pathLen [pathlen]]]>
<-addext_san [DNS:<value>]>
<[-cert [filename]] [-trusted_cert|-user_cert]> [-pwd <pwd>] | [-auto_login_only]
[-sign_alg <md5|sha1|sha256|sha384|sha512|ecdsasha1|ecdsasha256|ecdsasha384|ecdsasha512>]
<-trust_flags [SERVER_AUTH,CLIENT_AUTH|VALID_PEER|NULL]>
assign_trust_flags [-wallet [wallet]] [-pwd <pwd>] [-trust_flags [SERVER_AUTH,CLIENT_AUTH|VALID_PEER|NULL]]
[-dn [cert_dn]] <-issuer [issuer_dn]> <-serial_num [serial_num]>
remove [-wallet [wallet]] [-dn [subject_dn]] [-issuer_dn [issuer_dn]] [-serial_num <serial_num>]
[-trusted_cert_all|-trusted_cert|-user_cert|-cert_req] [-pwd <pwd>] | [-auto_login_only]
replace [-wallet [wallet]] [-issuer_dn <issuer_dn>] [-serial_num <serial_num>] [-cert [filename]]
[-trusted_cert|-user_cert]> <-trust_flags [SERVER_AUTH,CLIENT_AUTH|VALID_PEER|NULL]> [-pwd <pwd>]
export [-wallet [wallet]] [-dn [dn]] [-cert [filename] | -request [filename]] [-pwd <pwd>]
<-issuer_dn [issuer_dn]> <-serial_num [serial_num]>
export_trust_chain [-wallet [wallet]] [-certchain [filename]] [-dn [user_cert_dn]] [-pwd <pwd>]
<-issuer_dn [issuer_dn]> <-serial_num [serial_num]>
export_private_key [-wallet [wallet]] [-pwd <pwd>] [-pvtkeyfile [filename]] [-alias [pvtkey_alias]] [-pvtkeypwd <pwd>] [-salt salt]
import_private_key [-wallet [wallet]] [-pwd <pwd>] [-alias [pvtkey_alias]] [-pvtkeyfile [filename]] [-pvtkeypwd <pwd>] [-salt salt] [-cert [certfilename]] [-cacert [cacertfilename]]
upload [-wallet [wallet]] [-ldap [host:port]] [-user [user]] [-userpwd [userpwd]] [-pwd <pwd>]
download [-wallet [wallet]] [-ldap [host:nonsslport]] [-user [user]] [-userpwd [userpwd]] [-pwd <pwd>]
jks_to_pkcs12 [-wallet [wallet]] [-pwd <pwd>] [-keystore [keystore]] [-jkspwd [jkspwd]]
<-aliases [alias:alias..]>
pkcs12_to_jks [-wallet [wallet]] [-pwd <pwd>] [-jksKeyStoreLoc <jksKSloc> -jksKeyStorepwd <jksKS_pwd>]
[-jksTrustStoreLoc <loc> -jksTrustStorepwd <pwd>]
p11_add [-wallet [wallet]] [-p11_lib <pkcs11Lib>] [-p11_tokenlabel <tokenLabel>]
[-p11_tokenpw <tokenPassphrase>] [-p11_certlabel <certlabel>] [-pwd <pwd>]
p11_verify [-wallet [wallet]] [-pwd <pwd>]
import_pkcs12 [-wallet <wallet>] [[-pwd <pwd>] | [-auto_login_only]] [-pkcs12file <pkcs12Loc>] [-pkcs12pwd <pkcs12Pwd>]
help



SSH key generation

Certificates Posted on Tue, May 17, 2016 11:37:26

Of course you can connect over SSH with a username and password just fine.
But if you are lazy, there is a handy alternative: keys. Once a key is in place you log in without typing a password (and, when every account has one, the server can stop accepting passwords altogether).

Step 1: generate a key for the connection

ssh-keygen -t rsa -f id_voor_serverA

This generates an RSA key pair: id_voor_serverA (the private key, which stays on your machine) and id_voor_serverA.pub (the public key, which goes to the server). On current OpenSSH, -t ed25519 is the better choice; if you need RSA, add -b 4096. Set a passphrase when asked: the private key file is a credential.

Step 2: set up the ssh config file

Create an entry for serverA in the file ~/.ssh/config

    Host serverA
        Hostname ssh.servera.com
        Port 22
        IdentityFile ~/.ssh/id_voor_serverA
        User <username>

Step 3: log in and add the public key to the authorized_keys file on serverA

cat ~/.ssh/id_voor_serverA.pub | ssh serverA "cat >> ~/.ssh/authorized_keys"

This only works if ~/.ssh already exists on serverA. If it does not, or if the permissions are wrong (sshd's StrictModes wants ~/.ssh to be 700 and authorized_keys 600, both owned by the user), the key is silently ignored and you keep getting a password prompt. ssh-copy-id -i ~/.ssh/id_voor_serverA.pub serverA does the same thing and creates the directory with the right permissions.

Et voilà. You can now log in with a simple: ssh serverA
(instead of: ssh -l <username> -p 22 ssh.servera.com)
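The three steps as shell functions, added as an example (not code from the original post). It adds the two things that most often break key login in practice: a duplicate or missing Host entry in ~/.ssh/config, and wrong permissions on the remote ~/.ssh. Names from the post are kept (alias serverA, hostname ssh.servera.com, key file id_voor_serverA); the remote user is assumed to be $USER, and the key type is ed25519 rather than the rsa of the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: host alias
# serverA, hostname ssh.servera.com, key file id_voor_serverA (all from the
# post); remote user = $USER; OpenSSH client tools on PATH.

# Print one ~/.ssh/config stanza. IdentitiesOnly stops ssh from offering
# every key in the agent before the right one.
ssh_config_stanza() {  # alias hostname user keyfile [port]
    printf 'Host %s\n    HostName %s\n    Port %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
        "$1" "$2" "${5:-22}" "$3" "$4"
}

# Append the stanza to a config file unless that alias is already there
# (returns 1 in that case) and keep the file private.
ssh_config_add() {  # configfile alias hostname user keyfile [port]
    cfg=$1; shift
    if [ -f "$cfg" ] && grep -qE "^Host[[:space:]]+$1([[:space:]]|\$)" "$cfg"; then
        return 1
    fi
    { [ -s "$cfg" ] && printf '\n'; ssh_config_stanza "$@"; } >> "$cfg"
    chmod 600 "$cfg"
}

# What has to happen on the server: ~/.ssh mode 700, authorized_keys mode
# 600, the key added exactly once. Takes the home directory as a parameter
# so the same function can be exercised locally (that is how it is tested).
authorized_key_add() {  # homedir "public key line"
    d=$1/.ssh
    mkdir -p "$d" && chmod 700 "$d"
    touch "$d/authorized_keys" && chmod 600 "$d/authorized_keys"
    if grep -qxF "$2" "$d/authorized_keys"; then
        return 1                      # already present, nothing to do
    fi
    printf '%s\n' "$2" >> "$d/authorized_keys"
}

# The whole procedure; only runs as `sh thisscript.sh run`, because it needs
# ssh-keygen and a reachable serverA.
if [ "${1:-}" = run ]; then
    key=$HOME/.ssh/id_voor_serverA
    # ssh-keygen asks for a passphrase; set one, the file is a credential.
    [ -f "$key" ] || ssh-keygen -t ed25519 -f "$key"
    ssh_config_add "$HOME/.ssh/config" serverA ssh.servera.com "$USER" "$key" \
        || echo "serverA is already in ~/.ssh/config, leaving it alone"
    pub=$(cat "$key.pub")
    # Same steps as authorized_key_add, run on the server; ssh prompts for the
    # password this one last time. umask 077 gives the new files 700/600.
    ssh serverA "umask 077; mkdir -p ~/.ssh; touch ~/.ssh/authorized_keys; \
        grep -qxF '$pub' ~/.ssh/authorized_keys || printf '%s\n' '$pub' >> ~/.ssh/authorized_keys"
    ssh serverA true && echo "key login to serverA works"
fi
```

The remote one-liner is deliberately the same logic as authorized_key_add: if you prefer, ssh-copy-id does this for you, but seeing the umask and the grep makes clear why a second run does not add the key twice.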



Welk Certificaat is actief

Certificates Posted on Wed, June 03, 2015 09:21:32

To find out which certificate is active on a server, website, LDAP directory, etc.

use openssl s_client

openssl s_client -connect host:port

or, to see the whole chain the server sends:

openssl s_client -showcerts -connect host:port

Two additions matter in practice. -servername host sends the name in the TLS handshake (SNI); without it a server that hosts several sites may answer with its default certificate rather than the one you wanted to inspect. And </dev/null closes the connection once the handshake is done; otherwise s_client sits waiting for input. The "verify return" lines only mean something when openssl has a trust store to verify against (-CAfile or the system default), so a "verify error" by itself does not prove the site is broken. To print only the leaf certificate in readable form, pipe the output into openssl x509 -noout -text.

For an FTPS site (explicit TLS on port 21) use:

openssl s_client -showcerts -connect host:21 -starttls ftp

The same -starttls option handles smtp, imap, pop3 and (OpenSSL 1.1.1 and later) ldap.

 

Example:
openssl s_client -connect www.google.nl:443

CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = google.com
verify return:1
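Fetching the served certificate and checking its expiry, as an added example (not code from the original post). It wraps s_client with SNI and a closed stdin, then uses openssl x509 -checkend so no date parsing is needed. openssl 1.1.1 or later is assumed on PATH; host and port are parameters, with www.google.nl:443 from the post only as the default.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl >= 1.1.1
# on PATH; host, port and optional STARTTLS protocol are parameters.

# Fetch the leaf certificate a TLS endpoint serves, as PEM. -servername
# sends SNI so a virtual host answers with the right certificate; </dev/null
# ends the session after the handshake instead of waiting for input.
fetch_cert() {  # host port [starttls-protocol, e.g. ftp or smtp]
    if [ -n "${3:-}" ]; then st="-starttls $3"; else st=""; fi
    openssl s_client -connect "$1:$2" -servername "$1" $st </dev/null 2>/dev/null |
        openssl x509
}

# Exit 0 when the PEM certificate on stdin is still valid N days from now,
# 1 when it expires (or has already expired) before then.
cert_valid_for_days() {  # days
    openssl x509 -noout -checkend $(( $1 * 86400 )) >/dev/null
}

# Subject, issuer, validity window and the names the certificate is for.
# Browsers match the SAN list, not the CN, so that is the part to read.
cert_summary() {
    openssl x509 -noout -subject -issuer -dates -ext subjectAltName
}

# Usage: sh cert_check.sh run [host] [port] [starttls]
if [ "${1:-}" = run ]; then
    host=${2:-www.google.nl}; port=${3:-443}
    pem=$(fetch_cert "$host" "$port" "${4:-}") || { echo "no certificate from $host:$port"; exit 2; }
    printf '%s\n' "$pem" | cert_summary
    if printf '%s\n' "$pem" | cert_valid_for_days 30; then
        echo "OK: more than 30 days of validity left"
    else
        echo "WARNING: $host certificate expires within 30 days"; exit 1
    fi
fi
```

cert_valid_for_days is the piece to put in monitoring: run it against every endpoint with a threshold of 30 or 14 days and alert on a non-zero exit.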



Keytool commandos

Certificates Posted on Sun, August 17, 2014 12:17:04

Handy commands for working with keytool, partly taken from SSLShopper

Java Keytool Commands for Creating and Importing

These commands allow you to generate a new Java Keytool keystore file, create a CSR, and import certificates. Any root or intermediate certificates will need to be imported before importing the primary certificate for your domain.

Generate a Java keystore and key pair
keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048

Create a Java keystore from a p12/pkcs12 file
keytool -v -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass <password> -destkeystore keystore.jks -deststoretype JKS -deststorepass <password>

Generate a certificate signing request (CSR) for an existing Java keystore
keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr

Import a root or intermediate CA certificate to an existing Java keystore
keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks

Import a signed primary certificate to an existing Java keystore
keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

Generate a keystore and self-signed certificate
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

keytool still accepts -genkey, -import and -export, but the current names are -genkeypair, -importcert and -exportcert. Giving -storepass on the command line leaks the password into your shell history and the process list; use -storepass:env VARIABLE or -storepass:file FILE, or leave it out and type it at the prompt. Since Java 9 the default keystore type is PKCS12; add -storetype JKS only if you specifically need the old format.

Java Keytool Commands for Checking

If you need to check the information within a certificate, or Java keystore, use these commands.

Check a stand-alone certificate
keytool -printcert -v -file mydomain.crt

Check which certificates are in a Java keystore
keytool -list -v -keystore keystore.jks

Check a particular keystore entry using an alias
keytool -list -v -keystore keystore.jks -alias mydomain

Other Java Keytool Commands

Delete a certificate from a Java Keytool keystore
keytool -delete -alias mydomain -keystore keystore.jks

Change a Java keystore password
keytool -storepasswd -new new_storepass -keystore keystore.jks

Export a certificate from a keystore
keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks

List Default Trusted CA Certs
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

Import New CA into Trusted Certs
keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

The path above is the Java 8 layout; from Java 9 onwards the file is $JAVA_HOME/lib/security/cacerts. Its default password is "changeit". Adding a CA here makes every application on that JDK trust it, so prefer a dedicated truststore passed with -Djavax.net.ssl.trustStore where you can.



Certificaten Converteren

Certificates Posted on Tue, March 20, 2012 15:40:50

Converting certificates is easy with OpenSSL

Convert an encrypted private key to unencrypted
openssl rsa -in privateKey.key -out privateKey.key.nopassword

(openssl pkey -in ... -out ... does the same for any key type. The result has no protection left except file permissions, so make it readable only by the account that needs it.)

Convert DER (.crt .cer .der) to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert PEM to DER
openssl x509 -outform der -in certificate.pem -out certificate.der

Convert a PEM certificate and private key to PKCS#12 (.pfx .p12)
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.pem -certfile CACert.crt

Convert P7B (PEM) to PEM
openssl pkcs7 -in certificate.p7b -text -print_certs -out certificate.pem

Convert P7B (DER) to PEM
openssl pkcs7 -inform der -in certificate.p7b -text -print_certs -out certificate.pem

Convert PKCS#12 (.pfx .p12) to PEM (key and certificates)
openssl pkcs12 -in keyStore.pfx -out certificate.pem -nodes

Convert PKCS#12 (.pfx .p12) to PEM (key only)
openssl pkcs12 -in keyStore.pfx -out certificate.key -nodes -nocerts

Convert PKCS#12 (.pfx .p12) to PEM (certificates only)
openssl pkcs12 -in keyStore.pfx -out certificate.pem -nodes -nokeys

-nodes means the extracted key is written unencrypted; OpenSSL 3 calls the same option -noenc (-nodes still works). Leave it out if you want the PEM key protected by a passphrase.
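Two items on this page are usually used together: "Convert a PEM certificate and private key to PKCS#12" above, and "Create a Java keystore from a p12/pkcs12 file" in the keytool post. The script below, an added example that is not code from the original posts or from SSLShopper, does the round trip: PEM key + certificate + chain into a PKCS#12 bundle with openssl, then into a Java keystore with keytool, and lists the aliases to confirm the key entry arrived. Passwords are read from the environment (P12_PASS, JKS_PASS) so they do not land in shell history; file names and the alias are parameters. openssl and keytool are assumed on PATH.

```shell
#!/bin/sh
# Added example, not code from the original posts. Assumptions: openssl and
# keytool on PATH; passwords in $P12_PASS and $JKS_PASS; the alias given as a
# parameter becomes the keystore alias.

# Build a PKCS#12 bundle from a PEM key, its certificate and the CA chain.
# -name sets the friendly name, which keytool shows as the alias.
# env:P12_PASS keeps the export password off the command line.
pem_to_p12() {  # key.pem cert.pem chain.pem out.p12 alias
    : "${P12_PASS:?set P12_PASS}"
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -name "$5" -out "$4" -passout env:P12_PASS
}

# Import the bundle into a JKS. keytool reads passwords from the environment
# with the :env modifier; -noprompt avoids the overwrite question.
p12_to_jks() {  # in.p12 out.jks
    : "${P12_PASS:?set P12_PASS}" "${JKS_PASS:?set JKS_PASS}"
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env P12_PASS \
        -destkeystore "$2" -deststoretype JKS -deststorepass:env JKS_PASS
}

# Aliases in a keystore, one per line. keytool -list prints
# "alias, date, PrivateKeyEntry," (or trustedCertEntry) per entry.
keystore_aliases() {  # store storetype password-variable-name
    keytool -list -keystore "$1" -storetype "$2" -storepass:env "$3" |
        sed -nE 's/^([^,]+), .*(PrivateKeyEntry|trustedCertEntry).*/\1/p'
}

# Usage: P12_PASS=... JKS_PASS=... sh pem_to_jks.sh run key.pem cert.pem chain.pem app
if [ "${1:-}" = run ]; then
    pem_to_p12 "$2" "$3" "$4" keystore.p12 "$5"
    p12_to_jks keystore.p12 keystore.jks
    echo "entries in keystore.jks:"; keystore_aliases keystore.jks JKS JKS_PASS
fi
```

Since Java 9 the .p12 produced by openssl can be used by Java directly (-storetype PKCS12), so the JKS step is only needed for software that insists on the old format.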



Certificaten Controleren

Certificates Posted on Fri, March 09, 2012 12:10:38

Checking certificates is easy with OpenSSL

Check a Certificate Signing Request (CSR)
openssl req -text -noout -verify -in CSR.csr

Check a private key
openssl rsa -in privateKey.key -check

(for EC or other non-RSA keys: openssl pkey -in privateKey.key -check, OpenSSL 1.1.1 and later)

Check a PEM certificate
openssl x509 -in certificate.pem -text -noout
openssl x509 -in certificate.pem -text -noout | grep -E 'Subject:|Issuer:'

Check a DER certificate
openssl x509 -in certificate.crt -text -noout -inform der
openssl x509 -in certificate.crt -text -noout -inform der | grep -E 'Subject:|Issuer:'

Check a PKCS7 PEM file (.p7b)
openssl pkcs7 -in keyStore.p7b -inform PEM -print_certs -text -noout

Check a PKCS7 DER file (.p7b)
openssl pkcs7 -in keyStore.p7b -inform DER -print_certs -text -noout

Check a PKCS12 file (.pfx or .p12)
openssl pkcs12 -info -in keyStore.p12 -noout

(-noout keeps the private key off your terminal; without it, -info also dumps the key in PEM. Use -nokeys if you want to see the certificates but not the key.)

Check whether the key belongs to the certificate
openssl x509 -noout -modulus -in certificate.pem | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5

If the two MD5 hashes match, the key and certificate belong together. This works for RSA only (other key types have no modulus), and MD5 is fine here because you are comparing two values you computed yourself, not trusting a hash from elsewhere. Add -pubin to openssl rsa to compare against a public key file, or use openssl req -noout -modulus -in CSR.csr to check a CSR the same way.
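The same pairing check in a form that works for any key type, added as an example (not code from the original post). Instead of the RSA modulus it compares the SubjectPublicKeyInfo taken from the certificate with the one derived from the private key, fingerprinted with SHA-256, so it covers RSA, ECDSA and Ed25519 alike and also handles CSRs. openssl 1.1.1 or later is assumed on PATH; file names are parameters.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl >= 1.1.1
# on PATH; works for RSA, EC and Ed25519 keys.

# SHA-256 over the DER-encoded public key inside a certificate.
cert_pubkey_fp() {  # cert.pem
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# The same fingerprint derived from a private key (any algorithm).
key_pubkey_fp() {  # key.pem
    openssl pkey -in "$1" -pubout -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# And from a certificate signing request.
csr_pubkey_fp() {  # request.csr
    openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit 0 if the private key belongs to the certificate, 1 otherwise.
key_matches_cert() {  # key.pem cert.pem
    k=$(key_pubkey_fp "$1"); c=$(cert_pubkey_fp "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Exit 0 if the private key belongs to the CSR, 1 otherwise.
key_matches_csr() {  # key.pem request.csr
    k=$(key_pubkey_fp "$1"); r=$(csr_pubkey_fp "$2")
    [ -n "$k" ] && [ "$k" = "$r" ]
}

# Usage: sh keymatch.sh privateKey.key certificate.pem
if [ $# -eq 2 ]; then
    if key_matches_cert "$1" "$2"; then
        echo "key and certificate match ($(cert_pubkey_fp "$2"))"
    else
        echo "MISMATCH: $1 does not belong to $2"; exit 1
    fi
fi
```

The fingerprint printed on a match is the SPKI hash, the same value used for HPKP-style pinning, so it is handy to record alongside the certificate.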

Handy links

http://www.sslshopper.com/article-most-common-openssl-commands.html