SSL – Tim van Kooten Niekerk : DEVOPS

GNU/Linux Curl SOAP Request using Mutual SSL

2018-10-06 / GNU/Linux / Tim van Kooten Niekerk

POST a Soap Message using curl using Mutual SSL…

curl -k --cert certchain.pem:password --key server.key \
-d "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:tot=\"http://timvkn.nl/services/testservice\" ><soapenv:Header/><soapenv:Body><tot:getTest><Name>%</Name></tot:getTest></soapenv:Body></soapenv:Envelope>" \
-H 'Content-Type: application/soap+xml' \
-H 'SOAPAction: "http://timvkn.nl/services/testservice/getTest"' \
https://timvkn.nl/testservice/getTest --tlsv1.2 -o result.xml -v

GNU/Linux Test LDAP server SSL/TLS connection

2017-03-21 / GNU/Linux / Tim van Kooten Niekerk

Test LDAP server SSL/TLS connection using LDAP commandline client…

ldapsearch -H ldaps://dc01.totietoot.nl -b "OU=Employees,OU=Totietoot,DC=Totietoot,DC=nl" "userPrincipalName=john@totietoot.nl" -W -D john@totietoot.nl -d 1

env LDAPTLS_REQCERT=never|allow|try|demand LDAPTLS_CACERT=/path/to/ca-cert.pem ldapsearch -H ldaps://dc01.totietoot.nl -b "OU=Employees,OU=Totietoot,DC=Totietoot,DC=nl" "userPrincipalName=john@totietoot.nl" -W -D john@totietoot.nl -d 1

Active Directory LDAP Ldapsearch SSL TLS

MSWIN Manual Remove SSL Binding

2014-03-04 / MS Windows Server / Tim van Kooten Niekerk

List and / or delete Windows SSL bindings manually.

netsh http show sslcert
netsh http delete sslcert 0.0.0.0:8443

Binding Cert SSL

GNU/Linux WGET Auth

2013-06-19 / GNU/Linux / Tim van Kooten Niekerk

With the wget example below, you can download a file when HTTP auth is required.

wget --http-user=<username> --http-password=<password> --ca-certificate='chain1.pem' 'https://www.example.com/site/file.bin' -O file.bin

Form-based authenticatie wget example using a session cookie…

wget --post-data='UserName=<username>&Password=<password>' --ca-certificate='chain2.pem' --cookies=on --keep-session-cookies --save-cookies=cookie.txt 'https://login.example.com/auth' -O result.txt

wget --referer='https://login.example.com/auth' --ca-certificate='chain2.pem' --cookies=on --keep-session-cookies --load-cookies=cookie.txt 'https://www.example.com/site/file.bin' -O file.bin

Auth Chain Session SSL Wget

GNU/Linux STUNNEL Server config

2013-03-22 / GNU/Linux / Tim van Kooten Niekerk

Server STUNNEL config…

;debug = 7
;output = stunnel.log
cert = HU-TEST-SERVER.pem
verify = 3
CAfile = HU-TEST-KEYSTORE.pem
[test]
accept = 7080
connect = fq.host.name:7080

Network SSL Stunnel

OpenSSL Certificate Commands & Examples

2008-05-15 / GNU/Linux / Tim van Kooten Niekerk

Below script creates al selfgesigned certificate from a private key and removes the password from the key so you can you can use the key-pair in Apache.

# Create Key and Certificate Signing Request (option -des3 creates a triple des encrypted key)...
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr

# Remove password from key and sign certificate with key... 
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

# Re-encrypt private key...
openssl rsa -des -in server.key.org -out server.key
openssl rsa -aes256 -in server.key.org -out server.key

For ease you can add all key and signing options to a config file. This way you can also add a subjectAlternate to the certificate.

>openssl req -new -config server.cnf -key server.key -out server.csr

# server.cnf #
[ req ]
default_bits = 4096
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = req_ext

[ dn ]
C = NL
O = Totietoot
CN = examplefqdn.totietoot.nl

[ req_ext ]
subjectAltName = DNS:examplefqdn.totietoot.nl, DNS:examplealtname.totietoot.nl

Use the following command to convert the key-pair to pkcs12 format.

openssl pkcs12 -export -in server.crt -inkey server.key [-name tomcat] -out server.p12 -CAfile chain.pem -caname root -chain

Convert pkcs12 file to java keystore (jks):

keytool -importkeystore -deststorepass <password> -destkeypass <password> -destkeystore server.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass <password> -alias <name>

Decode a certificate request or a x509 certificate:

openssl req -in server.csr -noout -text
openssl x509 -in server.crt -noout -text

Convert a PFX file to PEM-format (single file)…

openssl pkcs12 -in server.pfx -out key-n-certs.pem -nodes

Check certificate and connection using openssl…

openssl s_client -showcerts -connect f.q.d.n:1234
openssl s_client -starttls smtp -showcerts -connect f.q.d.n:25 -servername f.q.d.n

Convert certificate (PEM) to public key…

openssl x509 -inform pem -in certificate.cer -pubkey -noout > pubkey.pem

Add a (CA) certificate to the JAVA CACerts certificate truststore…

"C:\Java\jdk1.8.0_121\bin\keytool" -import -alias ADCERT-CA-1 -keystore "C:\Java\jdk1.8.0_121\jre\lib\security\cacerts" -trustcacerts -file ADCERT-CA-1.cer

Apache Certificate OpenSSL Selfsigned SSL