
SSL Certificate | Openssl | Let's Encrypt

Openssl

Manage SSL certificate with openssl

Generate Certificate Signing Request (CSR)
    # You can add a passphrase when you create the key,
    # or leave it blank (just press Enter); with -nodes (used below) no passphrase is asked for.

    # Create with no interaction, no prompt.
    ### cert.pem: the certificate, cert.key: the private key, for the domain doc.enoks.fr
    ## The domain can be a wildcard like: *.enoks.fr
    ## Note: with -x509 the output is a self-signed certificate; drop -x509 to get a CSR instead.

    openssl req -x509 -new -newkey rsa:4096 -sha256 -nodes -out cert.pem -keyout cert.key -subj "/C=FR/ST=France/L=Paris/O=EnoKS/CN=doc.enoks.fr/emailAddress=toto@gmail.com"

    ### With interaction (you are prompted for the subject fields)
    openssl req -x509 -newkey rsa:4096 -sha256 -nodes -out cert.pem -keyout key.pem

Read Certificate data with openssl
    ## Read a certificate
    openssl x509 -noout -text -in cert.pem

    ## For a CSR (i.e. generated without -x509)
    openssl req -noout -text -in xxx.cert

    ## Get the expiration date directly
    openssl x509 -enddate -noout -in cert.pem

    ## Get both dates (notBefore and notAfter)
    openssl x509 -dates -noout -in cert.pem

    # To remove the passphrase from a private key (you are prompted for the current one)
    openssl rsa -in oldkey.pem -out newkey.pem
    # To add (or change) a passphrase, encrypt the output key
    openssl rsa -aes256 -in oldkey.pem -out newkey.pem

Get an endpoint's certificates

Get the server certificate and the CA (Certificate Authority) chain of a URL with openssl s_client

With openssl s_client
    ## Add -servername doc.enoks.fr if the host serves several sites on one IP (SNI).
    ## Output: first the server (leaf) certificate, then the intermediate CA certificate (Let's Encrypt R3).
    openssl s_client -showcerts -connect doc.enoks.fr:443 2> /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/END CERTIFICATE-/p'
    -----BEGIN CERTIFICATE-----
    MIIF9DCCBNygAwIBAgISBKf5GlgoKhh7kDQfHgccaQ0KMA0GCSqGSIb3DQEBCwUA
    MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
    EwJSMzAeFw0yNDAyMjIxNzM4MTVaFw0yNDA1MjIxNzM4MTRaMBcxFTATBgNVBAMT
    DGRvYy5lbm9rcy5mcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ40
    BZUwzGJ4eXOf9/3zdZ4ZCxzGrXt340J6srVFQsn/022U3q0wnbWFk8cu0rCg9orh
    9iXb9u4bKXMA5HcFMj5gvdY8T+Kn8hunbMV4S4NVpgIhI+K5xEjBoH2mFWGgXg7l
    5wvbtLlvWq/XtcZrtmYLMnuKSxpPue006hSCzRliRmsJhnqL00J0Zx5eZMSRZzyK
    DiV0Cd7i63crMZbwmfwzhA/H4oC2S+P+N7gIZd2b4tIJSCY3urlQWu50q/ZKmQua
    ey3pxNsdwzXjmHvu/0wbJj4hpAanxf5trgBj3upTsu4AtPsj4w1BxGPehHdWawyH
    k0bvSQkVy/8FVWiSQJQ4ENw7gGcXen7tWda4henPIGGnPieIywYvqVfk2JmWTpuk
    17slh4u5PNGiC2/Nkd2yO5WCX+HsMbZCgmbJYE0t41Vs7sg0YDjqnc7jVdw8x/5n
    MW5d/orHPfc5SeXqqCbR9Pwk/vF37vCvvRy+GJvxUVNCV+GRnnooujCL5uubyVBD
    eIkIWsmcIxsU5tu+KQ5mlBqNVeWGxb6bMuVS1KAHI7W0RY9hmaTEoKqoiOal0yge
    O17POjyI56i7yNc2YRAJYz7L8MtW3d+7e8iRMQEtn+bUdcctDlZc/1oamsSMfcsP
    jNvpPFcz/2GFf/Zbt2qa5ZOcWx+DHOggAKhGLGYZAgMBAAGjggIdMIICGTAOBgNV
    HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud
    EwEB/wQCMAAwHQYDVR0OBBYEFK79sqqxVGmLk9koe1g/sE+xBlHCMB8GA1UdIwQY
    MBaAFBQusxe3WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEF
    BQcwAYYVaHR0cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8v
    cjMuaS5sZW5jci5vcmcvMCUGA1UdEQQeMByCDGRvYy5lbm9rcy5mcoIMd3d3LmVu
    b2tzLmZyMBMGA1UdIAQMMAowCAYGZ4EMAQIBMIIBBQYKKwYBBAHWeQIEAgSB9gSB
    8wDxAHYASLDja9qmRzQP5WoC+p0w6xxSActW3SyB2bu/qznYhHMAAAGN0hxvHAAA
    BAMARzBFAiBwdEX+r1G+5Kd0c2r0z2EZKL7wmsZMlD02IUjJDVNLYQIhAIDXgjIB
    ELOsu7vn/8U4dfXe6ZjVm4xoPCveCo4etbRYAHcAdv+IPwq2+5VRwmHM9Ye6NLSk
    zbsp3GhCCp/mZ0xaOnQAAAGN0hxvgQAABAMASDBGAiEAsjXs3f8yZ4+GQ825WQDj
    y/ngWUEQs9UFzXivbj6SSiQCIQDh8fV5i/7S0oi3bY1pqCA+Kf2/Pxy5vyaP4WA2
    M0mcWDANBgkqhkiG9w0BAQsFAAOCAQEAcPtjgoqPGIFcHSdSY7dNc+n2Zqc5JBwy
    XBv1eGQtimiJTETTurJqA38Rniqc1brthOUlCgX043SRJJA+eyRMCWz16ZH85+yn
    9IuIVuwbwaZW8gOk64ju0tDz9/uPm+6B5rBAe+VRODcZhJCrKxLxZ5K0Mk+8TJNd
    vyU9I3GJkO3uNkQXwLP+dIYP6df7ETnKTqDA3fZDrs3zLgdsk7Up5BtMUz8Q/Olb
    WEymE40afGX6DASf897TmM9Yr+lQWFCNYom2vNY3d7gZeZR8n1CbDKKjlew+1zIR
    u6f6AP+3Sg8TVzLi0oqEJWc3IUFPTaaYJYOoOSv3vKwjDPLdtun+PA==
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
    TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
    cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
    WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
    RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
    AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
    R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
    sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
    NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
    Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
    /kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
    AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
    Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
    FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
    AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
    Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
    gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
    PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
    ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
    CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
    lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
    avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
    yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
    yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
    hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
    HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
    MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
    nLRbwHOoq7hHwg==
    -----END CERTIFICATE-----
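As an added example (not a script from the original page), here is a small check that combines the "Read Certificate data" commands above with the certificate obtained from s_client: it embeds the first (leaf) certificate printed above, the doc.enoks.fr certificate issued by Let's Encrypt R3, as a constructed input file, then reports whether it is expired or about to expire using openssl x509 -checkend (a portable way to get a status without parsing dates), its issuer CN and its Subject Alternative Names. The function names, the 30-day warning threshold and the temporary file are my choices; it assumes OpenSSL 1.1.1 or newer for the -ext option.

```shell
#!/bin/sh
# Added example (not from the original page): inspect a saved certificate.
# LEAF_PEM is the first certificate block printed by the s_client command above.
set -eu

LEAF_PEM='-----BEGIN CERTIFICATE-----
MIIF9DCCBNygAwIBAgISBKf5GlgoKhh7kDQfHgccaQ0KMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yNDAyMjIxNzM4MTVaFw0yNDA1MjIxNzM4MTRaMBcxFTATBgNVBAMT
DGRvYy5lbm9rcy5mcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ40
BZUwzGJ4eXOf9/3zdZ4ZCxzGrXt340J6srVFQsn/022U3q0wnbWFk8cu0rCg9orh
9iXb9u4bKXMA5HcFMj5gvdY8T+Kn8hunbMV4S4NVpgIhI+K5xEjBoH2mFWGgXg7l
5wvbtLlvWq/XtcZrtmYLMnuKSxpPue006hSCzRliRmsJhnqL00J0Zx5eZMSRZzyK
DiV0Cd7i63crMZbwmfwzhA/H4oC2S+P+N7gIZd2b4tIJSCY3urlQWu50q/ZKmQua
ey3pxNsdwzXjmHvu/0wbJj4hpAanxf5trgBj3upTsu4AtPsj4w1BxGPehHdWawyH
k0bvSQkVy/8FVWiSQJQ4ENw7gGcXen7tWda4henPIGGnPieIywYvqVfk2JmWTpuk
17slh4u5PNGiC2/Nkd2yO5WCX+HsMbZCgmbJYE0t41Vs7sg0YDjqnc7jVdw8x/5n
MW5d/orHPfc5SeXqqCbR9Pwk/vF37vCvvRy+GJvxUVNCV+GRnnooujCL5uubyVBD
eIkIWsmcIxsU5tu+KQ5mlBqNVeWGxb6bMuVS1KAHI7W0RY9hmaTEoKqoiOal0yge
O17POjyI56i7yNc2YRAJYz7L8MtW3d+7e8iRMQEtn+bUdcctDlZc/1oamsSMfcsP
jNvpPFcz/2GFf/Zbt2qa5ZOcWx+DHOggAKhGLGYZAgMBAAGjggIdMIICGTAOBgNV
HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud
EwEB/wQCMAAwHQYDVR0OBBYEFK79sqqxVGmLk9koe1g/sE+xBlHCMB8GA1UdIwQY
MBaAFBQusxe3WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEF
BQcwAYYVaHR0cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8v
cjMuaS5sZW5jci5vcmcvMCUGA1UdEQQeMByCDGRvYy5lbm9rcy5mcoIMd3d3LmVu
b2tzLmZyMBMGA1UdIAQMMAowCAYGZ4EMAQIBMIIBBQYKKwYBBAHWeQIEAgSB9gSB
8wDxAHYASLDja9qmRzQP5WoC+p0w6xxSActW3SyB2bu/qznYhHMAAAGN0hxvHAAA
BAMARzBFAiBwdEX+r1G+5Kd0c2r0z2EZKL7wmsZMlD02IUjJDVNLYQIhAIDXgjIB
ELOsu7vn/8U4dfXe6ZjVm4xoPCveCo4etbRYAHcAdv+IPwq2+5VRwmHM9Ye6NLSk
zbsp3GhCCp/mZ0xaOnQAAAGN0hxvgQAABAMASDBGAiEAsjXs3f8yZ4+GQ825WQDj
y/ngWUEQs9UFzXivbj6SSiQCIQDh8fV5i/7S0oi3bY1pqCA+Kf2/Pxy5vyaP4WA2
M0mcWDANBgkqhkiG9w0BAQsFAAOCAQEAcPtjgoqPGIFcHSdSY7dNc+n2Zqc5JBwy
XBv1eGQtimiJTETTurJqA38Rniqc1brthOUlCgX043SRJJA+eyRMCWz16ZH85+yn
9IuIVuwbwaZW8gOk64ju0tDz9/uPm+6B5rBAe+VRODcZhJCrKxLxZ5K0Mk+8TJNd
vyU9I3GJkO3uNkQXwLP+dIYP6df7ETnKTqDA3fZDrs3zLgdsk7Up5BtMUz8Q/Olb
WEymE40afGX6DASf897TmM9Yr+lQWFCNYom2vNY3d7gZeZR8n1CbDKKjlew+1zIR
u6f6AP+3Sg8TVzLi0oqEJWc3IUFPTaaYJYOoOSv3vKwjDPLdtun+PA==
-----END CERTIFICATE-----'

# Write the embedded certificate to a temporary file and print its path
leaf_file() {
  f=$(mktemp)
  printf '%s\n' "$LEAF_PEM" > "$f"
  echo "$f"
}

# Prints "expired", "expiring" (within $2 days, default 30) or "ok".
# -checkend N exits 0 only when the certificate is still valid N seconds from now.
cert_status() {
  warn_days=${2:-30}
  if ! openssl x509 -noout -checkend 0 -in "$1" >/dev/null; then
    echo expired
  elif ! openssl x509 -noout -checkend $((warn_days * 86400)) -in "$1" >/dev/null; then
    echo expiring
  else
    echo ok
  fi
}

# CN of the issuer (RFC 2253 formatting is stable across OpenSSL versions)
cert_issuer_cn() {
  openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Space-separated DNS names taken from the subjectAltName extension
cert_sans() {
  openssl x509 -noout -ext subjectAltName -in "$1" | grep -o 'DNS:[^, ]*' \
    | sed 's/^DNS://' | tr '\n' ' ' | sed 's/ $//'
}

LEAF=$(leaf_file)
echo "status : $(cert_status "$LEAF" 30)"
openssl x509 -noout -enddate -in "$LEAF"
echo "issuer : $(cert_issuer_cn "$LEAF")"
echo "sans   : $(cert_sans "$LEAF")"
rm -f "$LEAF"
```

Run it as `sh check-cert.sh`; to reuse the functions on a live host, replace leaf_file with the s_client pipeline above redirected into a file. Because the embedded certificate expired in May 2024, cert_status reports "expired"; the same function with a 30-day threshold is what a renewal monitor would call in cron.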

Multiple domains in one single CSR

To generate one single certificate for multiple different domains and/or a wildcard certificate, using a conf file is the best choice

Create tls.conf
    # certificate for mydomain1.com, domain2.com, domain3.domain.com and server_ip
    [ req ]
    prompt             = no
    default_bits       = 2048
    distinguished_name = req_distinguished_name
    # req_extensions is used when producing a CSR (no -x509),
    # x509_extensions when -x509 produces a self-signed certificate directly
    req_extensions     = req_ext
    x509_extensions    = req_ext

    [ req_distinguished_name ]
    countryName         = FR
    stateOrProvinceName = IDF
    localityName        = PARIS
    organizationName    = enoks
    commonName          = mydomain1.com

    [ req_ext ]
    subjectAltName = @alt_names

    # every name the certificate must be valid for; browsers check the SAN list,
    # not the CN, so the commonName has to be repeated here
    [ alt_names ]
    IP.1  = server_ip
    DNS.1 = mydomain1.com
    DNS.2 = domain2.com
    DNS.3 = domain3.domain.com

    # And then (self-signed certificate in one step)
    openssl req -new -newkey rsa:4096 -x509 -sha256 -nodes -out cert.pem -keyout cert.key -config tls.conf

Create your own CA certificate to sign your certificates

During the first step, we created a Certificate Signing Request (with -x509, in fact a self-signed certificate) which is not signed by any Certificate Authority

Now, we will generate the CA key and certificate (self-signed as well) first and then use them with the flags -CA, -CAkey and -CAcreateserial to create the signed certificate

Create CA certificate
    # Create the CA key: myCA.key
    openssl genrsa -out myCA.key 4096

    # Create the self-signed CA certificate myCA.crt with the key myCA.key
    # (-days: without it the CA certificate is only valid for the 30-day default)
    openssl req -x509 -new -nodes -key myCA.key -sha256 -days 3650 -out myCA.crt -subj "/C=FR/ST=France/L=Paris/O=EnoKS/CN=doc.enoks.fr/emailAddress=toto@gmail.com"

Now, create a certificate config file tls.conf that contains at least the [ v3_ext ] block, which holds the extensions the CA will write into the signed certificate.
The subject fields can alternatively be passed on the command line with the -subj option.

Create tls.conf
    [ req ]
    default_bits = 2048
    prompt = no
    default_md = sha256
    req_extensions = req_ext
    distinguished_name = dn

    # add certificate and owner information here
    [ dn ]
    C = <country>
    ST = <state>
    L = <city>
    O = <organization>
    OU = <organization unit>
    CN = <MASTER_IP>

    [ req_ext ]
    subjectAltName = @alt_names

    # add some alternative names
    [ alt_names ]
    IP.1   = server_ip
    DNS.1  = domain2.com
    DNS.2  = domain3.domain.com

    # ################################# CA block #################################
    [ v3_ext ]
    authorityKeyIdentifier=keyid,issuer:always
    basicConstraints=CA:FALSE
    # consider adding digitalSignature: it is the key-usage bit (EC)DHE and TLS 1.3 handshakes rely on
    keyUsage=keyEncipherment,dataEncipherment
    extendedKeyUsage=serverAuth,clientAuth
    subjectAltName=@alt_names

Create signed certificate
    # Generate server.key
    openssl genrsa -out server.key 2048
    # Generate the CSR server.csr (the subject comes from [ dn ] in tls.conf)
    openssl req -new -key server.key -out server.csr -config tls.conf

    # Create the signed certificate server.crt using myCA.key, myCA.crt and server.csr
    # (-extfile/-extensions are needed: x509 -req does not copy the CSR's SAN by itself)
    openssl x509 -req -in server.csr -out server.crt \
    -CA myCA.crt -CAkey myCA.key -CAcreateserial \
    -days 365 -sha256 -extensions v3_ext -extfile tls.conf

    # If myCA.key is protected by a passphrase, supply it from a file by adding
    # -passin file:passphrase.txt to the command above
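The following is an added example, not the page's own script, that runs the procedure of the last two sections ("Multiple domains in one single CSR" and "Create your own CA certificate") end to end in a scratch directory and then checks the result the way a client would: the CA config, tls.conf (with its [ req_ext ] and [ v3_ext ] blocks) and the SAN list are generated by the script, the server certificate is signed with -CA/-CAkey/-CAcreateserial, and openssl verify confirms the chain. The subject names, mydomain1.com and 10.0.0.5 are made up for the demo; the CA certificate is marked CA:TRUE explicitly instead of relying on the system openssl.cnf defaults, and digitalSignature is added to the page's keyUsage list because (EC)DHE and TLS 1.3 handshakes sign with the server key. It assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not the page's own script): private-CA workflow, end to end.
set -eu

# CA config: marks the certificate as a CA explicitly (the page's bare
# "openssl req -x509" relies on the system openssl.cnf for this).
write_ca_conf() {
  cat > ca.conf <<'EOF'
[ req ]
prompt = no
default_md = sha256
distinguished_name = ca_dn
x509_extensions = v3_ca

[ ca_dn ]
C = FR
CN = EnoKS demo Root CA

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Server config: $1 = CN, remaining args = SAN entries as DNS:name or IP:addr.
# req_ext goes into the CSR; v3_ext is what the CA copies into the certificate
# (x509 -req ignores the CSR's own extensions unless told otherwise).
write_tls_conf() {
  cn=$1; shift
  cat > tls.conf <<EOF
[ req ]
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = FR
CN = $cn

[ req_ext ]
subjectAltName = @alt_names

[ v3_ext ]
authorityKeyIdentifier = keyid,issuer:always
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[ alt_names ]
EOF
  dns=0; ip=0
  for san in "$@"; do
    case $san in
      DNS:*) dns=$((dns + 1)); printf 'DNS.%d = %s\n' "$dns" "${san#DNS:}" >> tls.conf ;;
      IP:*)  ip=$((ip + 1));   printf 'IP.%d = %s\n'  "$ip"  "${san#IP:}"  >> tls.conf ;;
    esac
  done
}

# CA key + self-signed CA certificate (2048-bit keys only to keep the demo fast)
make_ca() {
  openssl genrsa -out myCA.key 2048 2>/dev/null
  openssl req -x509 -new -nodes -key myCA.key -days 3650 -config ca.conf -out myCA.crt
}

# Server key, CSR from tls.conf, then the CA-signed certificate carrying v3_ext
make_server_cert() {
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -config tls.conf -out server.csr
  openssl x509 -req -in server.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial \
    -days 365 -sha256 -extensions v3_ext -extfile tls.conf -out server.crt 2>/dev/null
}

# "OK" when server.crt chains to myCA.crt, "FAIL" otherwise
verify_chain() {
  if openssl verify -CAfile myCA.crt server.crt >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# The SAN line of a certificate, e.g. "DNS:a.example, IP Address:10.0.0.5"
cert_sans() {
  openssl x509 -noout -ext subjectAltName -in "$1" | sed -n '2s/^ *//p'
}

# Run the whole flow in a scratch directory and print the result
run_demo() {
  cd "$(mktemp -d)"
  write_ca_conf
  write_tls_conf mydomain1.com DNS:mydomain1.com DNS:www.mydomain1.com IP:10.0.0.5
  make_ca
  make_server_cert
  echo "chain: $(verify_chain)"
  echo "sans : $(cert_sans server.crt)"
}

run_demo
```

Run it as `sh private-ca.sh`; it prints `chain: OK` and the SAN line of server.crt. Dropping `-extensions v3_ext -extfile tls.conf` from make_server_cert is a quick way to see the page's point about extensions: the chain still verifies, but cert_sans then prints nothing because the signed certificate has no SAN.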

Let's Encrypt

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit.
It provides people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free.

https://certbot.eff.org/ will generate the installation procedure and commands for you according
to your setup. It is very easy.

Ex: Nginx hosted on Ubuntu with SSH access to the server
    sudo apt install snapd
    sudo snap install core; sudo snap refresh core
    sudo snap install --classic certbot

    # Two options to generate your certificate

    ### Option 1: run this command to get a certificate and have Certbot
    ### edit your Nginx configuration automatically to serve it, turning on HTTPS access in a single step
    sudo certbot --nginx

    ### Option 2: if you're feeling more conservative and would like
    ### to make the changes to your Nginx configuration by hand
    sudo certbot certonly --nginx

    # Test automatic renewal
    sudo certbot renew --dry-run

Caution

If you have iptables enabled with rules, make sure port 80 is open.
It is used for the HTTP challenge validation: Let's Encrypt connects to port 80 to verify that you control the domain.

SSL Configuration Hardening

  • Use SSL Labs' SSL Server Test, which performs a deep analysis of your SSL configuration.
  • You can also use the nmap command, e.g. nmap -Pn --script ssl-enum-ciphers -p 443 doc.enoks.fr, to list the protocol versions and ciphers your server offers.
  • Leverage the Mozilla (moz://a) SSL Configuration Generator to generate a correct configuration.