    https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html
https://linux.die.net/man/1/req
COMMON
configuration
To generate a certificate for a few domains, create a specific configuration file $file_conf with:
uncomment                 : req_extensions = v3_req (in the [ req ] section)
add in [ v3_req ] section : subjectAltName=DNS:smtp.${domain},DNS:mail.${domain},DNS:imap.${domain}
files
# for one domain and a few subdomains (dovecot)
file_conf="$path_ssl/openssl-multi-$domain-mail.cnf"
file_key="$path_ssl/private/mail.$domain.key"
file_csr="$path_ssl/private/mail.$domain.csr"
file_crt="$path_ssl/certs/mail.$domain.crt"
file_pem="$path_ssl/private/mail.$domain.pem"
# for a few domains & subdomains (postfix)
# NOTE: same variable names as above, so this set overrides the dovecot one when both are run in sequence
file_conf="$path_ssl/openssl-extend-$domain-mail.cnf"
file_key="$path_ssl/private/mail.$domain-extend.key"
file_csr="$path_ssl/private/mail.$domain-extend.csr"
file_crt="$path_ssl/certs/mail.$domain-extend.crt"
file_pem="$path_ssl/private/mail.$domain-extend.pem"
ROOT AUTHORITY + CHILD CERTIFICATES
ROOT AUTHORITY
configure
for authority certificate
# Root CA material: the private key stays under private/, the self-signed CA certificate goes to certs/
file_ca_key="$path_ssl/private/rootCA-$domain.key"
file_ca_pem="$path_ssl/certs/rootCA-$domain.pem"
create
Create the root key - for the CN use the correct FQDN !! ex: mail.ambau.ovh - and self-sign it:
# Root CA private key, 4096-bit RSA. Two variants are listed; when both lines are run the second one
# overwrites the first (-des3 encrypts the key file with a passphrase).
openssl genrsa -out "$file_ca_key" 4096        # without password
openssl genrsa -des3 -out "$file_ca_key" 4096  # with password
# Self-signed root certificate, SHA-256, valid 10 years
openssl req -x509 -new -nodes -sha256 -days 3650 \
    -key "$file_ca_key" \
    -out "$file_ca_pem"
CHILD - once per device
configure
data
# Site-specific values used by every path below
domain="ambau.ovh"
path_ssl="/var/share/mail/default/ssl"
# for a few domains & subdomains (postfix)
file_conf="$path_ssl/openssl-extend-$domain-mail.cnf"
file_key="$path_ssl/private/mail.$domain-extend.key"
file_csr="$path_ssl/private/mail.$domain-extend.csr"
file_crt="$path_ssl/certs/mail.$domain-extend.crt"
file_pem="$path_ssl/private/mail.$domain-extend.pem"
configuration
To generate a certificate for a few domains, create a specific conf file $file_conf with:
- in the '[ req ]' section uncomment: req_extensions = v3_req
- add in the '[ v3_req ]' section: subjectAltName=DNS:smtp.${domain},DNS:mail.${domain},DNS:imap.${domain}
create
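# Create the device key (2048-bit RSA). umask 077 so the key file is never created world-readable,
# even before the chmod step that follows later in this note.
( umask 077; openssl genrsa -out "$file_key" 2048 )
# Create the Certificate Signing Request (CSR) - for the CN use the correct FQDN !! ex: mail.ambau.ovh
openssl req -new -key "$file_key" -out "$file_csr" -config "$file_conf"
# Verify the CSR: check the CN and the subjectAltName list before signing
openssl req -text -noout -in "$file_csr"
# Sign the CSR with the root CA (this is NOT a self-signed certificate).
# -extensions v3_req -extfile $file_conf copies the [ v3_req ] section (subjectAltName) into the certificate;
# without it the SANs from the CSR are dropped.
openssl x509 -req -days 1460 -sha256 -in "$file_csr" \
    -CA "$file_ca_pem" -CAkey "$file_ca_key" -CAcreateserial \
    -extensions v3_req -extfile "$file_conf" \
    -out "$file_crt"
# Combined cert+key PEM. It contains the private key, so create it under umask 077 instead of the
# default umask (the original `cat ... > $file_pem` left it readable by everyone until the chmod step).
( umask 077; cat "$file_crt" "$file_key" > "$file_pem" )
rights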
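# Directories need the execute (search) bit to be traversable: `chmod 600 private` and `chmod 644 -R certs`
# applied file modes to directories, which locks a non-root owner out of its own key and cert directories.
chmod 700 "${path_ssl}/private"
chmod 755 "${path_ssl}/certs"
find "${path_ssl}/private" -type d -exec chmod 0700 {} \;
find "${path_ssl}/certs" -type d -exec chmod 0755 {} \;
# Files: keys/CSRs/combined PEMs read-only for the owner; public certificates read-only for everyone
find "${path_ssl}/private" -type f -exec chmod 0400 {} \;
find "${path_ssl}/certs" -type f -exec chmod 0444 {} \;
SIMPLE certificate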
# Self-signed certificate + key file, valid 1095 days (3 years). No -nodes here, so openssl asks
# for a passphrase to protect the key.
openssl req -x509 -newkey rsa:2048 -days 1095 \
    -keyout mydomain.key -out mydomain.crt
# Same for postfix, valid 3650 days (10 years). -nodes leaves the key unencrypted so the daemon
# can load it unattended; rely on file permissions to protect it.
openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \
    -keyout /etc/ssl/private/mydomain.key -out /etc/ssl/certs/mydomain.pem
TEST SSL
starttls
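# Plain-text banner check (no TLS at all)
telnet "${domain}" 25
telnet "${domain}" 587
# STARTTLS checks. The protocol given to -starttls must match the service on the port: with
# `-starttls smtp` on 143/110 s_client waits for an SMTP greeting that an IMAP/POP3 server never sends,
# so the upgrade to TLS never happens. Use imap for 143 and pop3 for 110.
openssl s_client -starttls smtp -connect "${domain}:25"
openssl s_client -starttls smtp -connect "${domain}:587"
openssl s_client -starttls imap -connect "${domain}:143"
openssl s_client -starttls pop3 -connect "${domain}:110"
# Generic TLS 1.2 check with SNI; replace 'host' with the name the server expects (the IP is the example address)
openssl s_client -tls1_2 -servername host -connect 203.0.113.15:443
ssl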
# Implicit TLS (no STARTTLS): 465 for smtps, 993 for imaps.
# -showcerts prints every certificate the server sends, not only the leaf.
openssl s_client -connect "${domain}:465"
openssl s_client -showcerts -connect "${domain}:993"  # imap 993
show expiration date for certificate
domain="ambau.ovh"
# mail: STARTTLS on 25, then print the notBefore/notAfter dates of the certificate the server presents.
# `echo |` gives s_client an input line so it does not sit waiting on the terminal.
echo | openssl s_client -starttls smtp -connect "mx.${domain}:25" | openssl x509 -noout -dates
# ftp: same check through STARTTLS on 21
echo | openssl s_client -starttls ftp -connect "ftp.${domain}:21" | openssl x509 -noout -dates
client connection to imaps
# Interactive imaps session: after the handshake, IMAP commands can be typed directly
openssl s_client -connect "mx.${domain}:993"
in the 993 session, type: a logout
in the 993 session, type: quit
ENCODE FILE
encode & compress file
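# Compress then encrypt: tar+gzip is piped into openssl enc, so the output is an encrypted blob
# (not a readable .tar.gz, despite the name). openssl prompts for the passphrase.
# -pbkdf2 replaces the deprecated single-pass MD5 key derivation that `enc` uses by default
# (OpenSSL 1.1.1+ prints a "deprecated key derivation" warning without it). It needs OpenSSL >= 1.1.1,
# and a file encrypted with -pbkdf2 must also be decrypted with -pbkdf2 (and vice versa).
tar -czf - "$FILE" | openssl enc -e -aes256 -pbkdf2 -out "$FILE.tar.gz"
# Decrypt then extract.
# NOTE: $PATH is the shell's executable search path (a colon-separated list), not a directory;
# replace it with a dedicated destination variable (e.g. DEST_DIR) before using this line.
openssl enc -d -aes256 -pbkdf2 -in "$FILE.tar.gz" | tar xz -C "$PATH"
encode file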
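# Encrypt the MariaDB credentials file.
# `-pass` takes a source spec (pass:, file:, env:, fd:, stdin), not a bare secret: the original
# `-pass <secret>` is rejected by openssl with "Invalid password argument". Reading the passphrase from
# stdin (as the decrypt line already did) also keeps it out of `ps` output and the shell history.
# -pbkdf2 replaces the deprecated default key derivation (needs OpenSSL >= 1.1.1); encrypt and decrypt
# must use the same setting.
openssl enc -e -aes-256-cbc -pbkdf2 -in /root/.mariadb -pass stdin > /root/.mariadb.enc
openssl enc -d -aes-256-cbc -pbkdf2 -in /root/.mariadb.enc -pass stdin > /root/.mariadb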