shell

3 posts

OpenSSL Cheat Sheat

devops sysadmin

I know I know, there are plenty of openssl cheat sheets out there already((http://www.sslshopper.com/article-most-common-openssl-commands.html))((https://github.com/stanzgy/wiki/blob/master/network/openssl-self-signed-certs-cheatsheet.md)). But as I keep using googling it again and again to find the most useful openssl commands I decided to do my own – the first version of the blog entries is already 3 years old actually. Another reason for creating the list is that I remember things better when I am writing the down.

Show contents of a certificate (( https://knowledge.symantec.com/support/identity-protection-support/index?page=content&id=SO28771&actp=RSS&viewlocale=en_US ))

openssl x509 -fingerprint -sha256 -noout -text -in domain.com.crt

Show contents of a certificate request (CSR)

openssl req -text -noout -verify -in CSR.csr

OpenSSL HTTPS Client with SNIĀ (( https://major.io/2012/02/07/using-openssls-s_client-command-with-web-servers-using-server-name-indication-sni/ ))

openssl s_client -connect roman.pertl.name:443 -servername roman.pertl.name

Generate a CSR to send to an external CA

openssl req -new -newkey rsa:2048 -sha256 -nodes -out roman.pertl.org.csr  -keyout roman.pertl.org.key  -subj "/C=US/ST=NY/L=NY/O=Roman Pertl/OU=Hostmaster/CN=roman.pertl.org"

Generate a Self-Signed SSL Certificate

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -sha256 -keyout pertl.org.key -out pertl.org.crt -subj "/C=AT/ST=Korneuburg/L=Korneuburg/O=Pertl/OU=Hostmaster/CN=*.pertl.org"

Newer versions of browsers e.g. Chrome require to set the DNS alt attribute instead/additional of the CN field: ((https://serverfault.com/questions/845766/generating-a-self-signed-cert-with-openssl-that-works-in-chrome-58/845788))
((https://deliciousbrains.com/https-locally-without-browser-privacy-errors/))

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -sha256 -reqexts SAN -extensions SAN -config <(cat /System/Library/OpenSSL/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:*.pertl.org')) -keyout pertl.org.key -out pertl.org.crt -subj "/C=AT/ST=Korneuburg/L=Korneuburg/O=Pertl/OU=Hostmaster/CN=*.pertl.org"

Generate a Self-Signed CA Root Certificate

openssl req -nodes -newkey rsa:4096 -x509 -sha256 -days 3650 -keyout rootCA.key -reqexts v3_req -extensions v3_ca -out rootCA.crt -subj "/C=AT/ST=Korneuburg/L=Korneuburg/O=Pertl/OU=Hostmaster/CN=pertl CA"

Generate custom dh param file

openssl dhparam -out domain.at.dhparam 4096

Quickly create a (swap)file on linux

linux sysadmin

The traditional way for creating a linux swapfile would be using dd to create an empty file e.g.

dd if=/dev/zero of=/swapfile1 bs=1M count=2048

A faster way is to use “fallocate” e.g. (( http://www.cyberciti.biz/faq/ubuntu-linux-create-add-swap-file/ ))

fallocate -l 2G /swapfile1

Don’t forget the usually procedure for swapfiles:

chmod 0600 /swapfile1
chown root:root /swapfile1
mkswap /swapfile1
swapon /swapfile1
# edit /etc/fstab to add the swapfile during boot

Running “backticks” commands on remote servers

linux shell sysadmin

Sometimes it’s necessary to run a complex command on a remote server witch also includes some “backticks”. Usually these commands are interpreted by the local shell so you need to use a little trick to force execution on the remote server:

ssh this.is.my.beautiful.server '( echo `echo "This Command is run on the remote server" ` )'

You need to use single quotes combined with brackets to use the backtick on the remote server.