https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html
https://linux.die.net/man/1/req
COMMON
configuration
To generate a certificate for several domains, create a dedicated configuration file $file_conf with:
uncomment req_extensions = v3_req in the [ req ] section
add to the [ v3_req ] section: subjectAltName=DNS:smtp.${domain},DNS:mail.${domain},DNS:imap.${domain}
files
# one domain with a few subdomains (dovecot): paths of the openssl config, the
# private key, the CSR, the issued certificate and the combined cert+key pem
file_conf="${path_ssl}/openssl-multi-${domain}-mail.cnf"
file_key="${path_ssl}/private/mail.${domain}.key"
file_csr="${path_ssl}/private/mail.${domain}.csr"
file_crt="${path_ssl}/certs/mail.${domain}.crt"
file_pem="${path_ssl}/private/mail.${domain}.pem"
# several domains and subdomains (postfix): same layout as above, with an
# "-extend" suffix so the two setups can coexist under ${path_ssl}
file_conf="${path_ssl}/openssl-extend-${domain}-mail.cnf"
file_key="${path_ssl}/private/mail.${domain}-extend.key"
file_csr="${path_ssl}/private/mail.${domain}-extend.csr"
file_crt="${path_ssl}/certs/mail.${domain}-extend.crt"
file_pem="${path_ssl}/private/mail.${domain}-extend.pem"
ROOT AUTHORITY + CHILD CERTIFICATES
ROOT AUTHORITY
configure
for authority certificate
# root CA material: the key stays under private/ (never leaves this host),
# the self-signed CA certificate is what clients are given to trust
file_ca_key="${path_ssl}/private/rootCA-${domain}.key"
file_ca_pem="${path_ssl}/certs/rootCA-${domain}.pem"
create
Create the root key, then self-sign it; when prompted for the CN use the correct FQDN (e.g. mail.ambau.ovh):
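: "${file_ca_key:?set file_ca_key first}" "${file_ca_pem:?set file_ca_pem first}"
# Generate the CA private key. Pick ONE of the two lines: the original listed both,
# and running them in sequence silently overwrites the first key with the second.
# A passphrase-protected key is the safer choice for a root CA, since the key is
# only needed when signing a new certificate. The umask keeps the key file from
# ever being created world-readable, whatever the local openssl default is.
(umask 077 && openssl genrsa -aes256 -out "${file_ca_key}" 4096)   # with passphrase (prompted); -des3 also works but is legacy
# (umask 077 && openssl genrsa -out "${file_ca_key}" 4096)         # without passphrase: only for unattended/test setups
# Self-sign the CA certificate (10 years); the subject (CN) is asked for interactively.
openssl req -x509 -new -nodes -key "${file_ca_key}" -sha256 -days 3650 -out "${file_ca_pem}"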
CHILD - once per device
configure
data
# input data for this run
domain="ambau.ovh"
path_ssl="/var/share/mail/default/ssl"
# several domains and subdomains (postfix): config, key, CSR, certificate and combined pem
file_conf="${path_ssl}/openssl-extend-${domain}-mail.cnf"
file_key="${path_ssl}/private/mail.${domain}-extend.key"
file_csr="${path_ssl}/private/mail.${domain}-extend.csr"
file_crt="${path_ssl}/certs/mail.${domain}-extend.crt"
file_pem="${path_ssl}/private/mail.${domain}-extend.pem"
configuration
To generate a certificate for several domains, create a dedicated conf file $file_conf with:
- in the '[ req ]' section, uncomment: req_extensions = v3_req
- in the '[ v3_req ]' section, add: subjectAltName=DNS:smtp.${domain},DNS:mail.${domain},DNS:imap.${domain}
create
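: "${file_key:?}" "${file_csr:?}" "${file_crt:?}" "${file_pem:?}" "${file_conf:?}" "${file_ca_pem:?}" "${file_ca_key:?}"
# Create the server key. No passphrase: the daemon must read it unattended, so the
# file permissions (umask 077 here, 0400 later) are the only thing protecting it.
(umask 077 && openssl genrsa -out "${file_key}" 2048)
# Create the Certificate Signing Request (CSR) - for CN use the correct FQDN !! ex: mail.ambau.ovh
openssl req -new -key "${file_key}" -out "${file_csr}" -config "${file_conf}"
# Verify the CSR: check the Subject and the subjectAltName list coming from [ v3_req ]
openssl req -text -noout -in "${file_csr}"
# Sign the CSR with the root CA (not a self-signature), 4 years.
# -extensions/-extfile are needed: x509 -req does not copy extensions from the CSR
# by default, so without them the certificate would carry only the CN and no SAN.
openssl x509 -req -days 1460 -sha256 -in "${file_csr}" -CA "${file_ca_pem}" -CAkey "${file_ca_key}" -CAcreateserial -out "${file_crt}" -extensions v3_req -extfile "${file_conf}"
# Check that the issued certificate chains to the CA
openssl verify -CAfile "${file_ca_pem}" "${file_crt}"
# Build the combined pem (certificate + private key); it contains the key, so it
# must be created private and stay under private/
(umask 077 && cat "${file_crt}" "${file_key}" > "${file_pem}")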
rights
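: "${path_ssl:?path_ssl must be set}"
# Directories need the execute bit to be traversable: mode 600 on private/ (as
# before) makes it unusable for any non-root process, and a recursive 644 on
# certs/ strips the execute bit from the directory itself.
chmod 0700 "${path_ssl}/private"
find "${path_ssl}/certs" -type d -exec chmod 0755 {} +
# Files: private keys readable by the owner only, public certificates by everyone
find "${path_ssl}/private" -type f -exec chmod 0400 {} +
find "${path_ssl}/certs" -type f -exec chmod 0444 {} +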
SIMPLE certificate
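# Self-signed certificate + key (passphrase prompted), 1095 days.
# -addext (OpenSSL 1.1.1+) puts the hostname in a subjectAltName: modern clients
# ignore the CN and reject a certificate that has no SAN. -sha256 is the default
# on current releases and only matters for old ones.
openssl req -x509 -sha256 -newkey rsa:2048 -keyout mydomain.key -out mydomain.crt -days 1095 -addext "subjectAltName=DNS:mydomain"
# Same for postfix, 3650 days: -nodes leaves the key unencrypted so the daemon
# can read it unattended; the key lives under /etc/ssl/private for that reason.
openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/mydomain.key -out /etc/ssl/certs/mydomain.pem -addext "subjectAltName=DNS:mydomain"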
TEST SSL
starttls
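# plain SMTP banner check (no TLS)
telnet "${domain}" 25
telnet "${domain}" 587
# STARTTLS: the protocol given to -starttls must match the service on the port,
# otherwise s_client talks the wrong protocol and never reaches the TLS handshake
# (the original used smtp for the imap and pop3 ports).
openssl s_client -starttls smtp -connect "${domain}:25"
openssl s_client -starttls smtp -connect "${domain}:587"
openssl s_client -starttls imap -connect "${domain}:143"
openssl s_client -starttls pop3 -connect "${domain}:110"
# Direct TLS with SNI: -servername selects the virtual host's certificate on a
# shared IP; 203.0.113.15 / host are placeholders.
openssl s_client -tls1_2 -servername host -connect 203.0.113.15:443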
ssl
# implicit TLS (no STARTTLS): smtps on 465, imaps on 993
openssl s_client -connect "${domain}:465"
# -showcerts prints the whole chain sent by the server, not only the leaf
openssl s_client -connect "${domain}:993" -showcerts
show the expiration date of a certificate
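domain="ambau.ovh"
# stdin is redirected from /dev/null so s_client closes the session right after the
# handshake (same effect as the former `echo |`, without the extra process); the
# server certificate is then piped to x509 to print notBefore/notAfter
# for mail connection
openssl s_client -connect "mx.${domain}:25" -starttls smtp </dev/null | openssl x509 -noout -dates
# for ftp connection
openssl s_client -connect "ftp.${domain}:21" -starttls ftp </dev/null | openssl x509 -noout -dates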
client connection to imaps
openssl s_client -connect mx.${domain}:993
993:a logout
993:quit
ENCRYPT FILE
compress &amp; encrypt a file
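# $FILE: file or directory to archive. The output keeps the .tar.gz name of the
# original recipe but is an encrypted blob, not a plain archive.
# -pbkdf2 (OpenSSL 1.1.1+) replaces the weak legacy key derivation and must be
# given on both sides; the passphrase is prompted.
: "${FILE:?set FILE first}"
tar -czf - "${FILE}" | openssl enc -e -aes256 -pbkdf2 -out "${FILE}.tar.gz"
# decrypt and extract into $dest_dir. The original used $PATH here, which is the
# shell's command search path, not a destination directory.
: "${dest_dir:?set dest_dir to the extraction directory}"
openssl enc -d -aes256 -pbkdf2 -in "${FILE}.tar.gz" | tar xz -C "${dest_dir}"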
encrypt a file
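# -pass takes a source spec (pass:, env:, file:, fd:, stdin); the bare word used
# before is rejected by openssl, and a literal passphrase on the command line
# would show up in `ps` and the shell history anyway. Reading it from stdin
# (prompted on the terminal) keeps it out of both. -pbkdf2 needs OpenSSL 1.1.1+
# and must be used for both directions.
openssl enc -e -aes-256-cbc -pbkdf2 -pass stdin -in /root/.mariadb -out /root/.mariadb.enc
# the decrypted file is the secret itself: create it owner-readable only
(umask 077 && openssl enc -d -aes-256-cbc -pbkdf2 -pass stdin -in /root/.mariadb.enc -out /root/.mariadb)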