Openssl on Janik von Rotz

Generate PEM key- and truststores With Puppet

Thu, 07 Mar 2019 10:23:04 +0100

This post is a follow-up of Generate pkcs12 key- and truststores with Puppet.
In this post we are going to create PEM key- and truststores with Puppet.

PEM files are base64 encoded X.509 certificates. Enclosed between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- multiple PEM files can be concatinated into key- and truststores. And that is exactly what we are going to do using a Puppet manifest.

Generate pkcs12 key- and truststores with Puppet

Wed, 30 Jan 2019 11:16:52 +0100

In my last post I have showed how to generate pkcs12 key- and truststores using openssl and keytool.

For this post we assume that we want to automate the store assembling with Puppet. Puppet is a configuration management tool that shares many ideas with Ansible. In the world of Puppet you define a manifest file that describes a state of how a file, service or any type of resource should look like. Puppet applies these manifests and makes sure that the targeted system reaches the defined state.

Create pkcs12 key- and truststore with keytool and openssl

Tue, 22 Jan 2019 14:05:15 +0100

In my last post I’ve showed you how to create a custom certificate authority and sign a server cert using openssl without user interaction.

For this post I assume that we want to set up a webservice that requires a pkcs12 keystore. Using openssl and the java keytool we are going to create a pkcs12 store and add our ca cert, server cert and server key. Further, we assume that the application also requires a truststore containing the ca cert only.

Create a certificate authority and sign server certificates without prompting using openssl

Mon, 21 Jan 2019 16:20:35 +0100

Most of the times people want to get a certificate for the hostname localhost, let’s encrypt wrote a nice post about this, but sometimes people want a certificate for any hostname. And further, signed by a custom CA and if possible should the key material be generated without user interaction. In this post I have covered the less likely case.

Find certificate files that will expire soon and create a csr

Thu, 29 Nov 2018 13:44:51 +0100

The certificate expiration period should be kept as short as possible in a public key infrastructure. But the cost of resigning certificates must not be too high. This trade off causes a lot of problems. Every now and then a certificate expires without anybody noticing it or the same certificate is used for 10 years, which is obviously a security risk. In order to avoid this problem you either use Let’s Encrypt or another fully automated certificate management system. If this is not available you must know at least which certificates are going to expire soon.

Open SSL Heartbleed Bug

Wed, 09 Apr 2014 15:25:47 +0000

For those who missed it. The OpenSSL project has recently announced a security vulnerability in OpenSSL affecting versions 1.0.1 and 1.0.2 (CVE-2014-0160).

Details of the bug are available here: The Heartbleed Bug

You can check you website here: Heartbleed test

Details and update instructions from the websites of your Linux vendor of choice:

On Ubuntu the update is simply done by executing these commands:

sudo apt-get update
sudo apt-get upgrade

The following command shows (after an upgrade) all services that need to be restarted.

Nginx SSL website

Thu, 03 Apr 2014 07:54:04 +0000

This post is part of my Your own Virtual Private Server hosting solution project.
Get the latest version of this article here: https://gist.github.com/9408793.

Introduction

This best practice shows you the most advanced SSL configurations for your Nginx website. For productive usage it’s recommended to use only public-signed certificates.

Convert SSL certificates

Thu, 27 Mar 2014 14:01:50 +0000

This post is part of my Your own Virtual Private Server hosting solution project.
Get the latest version of this article here: https://gist.github.com/9413205.

Requirements

Get a free verified SSL certificate from StartSSL (optional)

Instructions

When buying a certificate from you CA (Certification Authority) e.g. a wildcard certificate for *.example.org, you have to convert this file to different formats in order to use them with your webserver installation.