Certificados TLS: Difference between revisions
| (19 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
* [[OpenSSL: Criando uma Autoridade Certificadora (CA)]] | * [[OpenSSL: Criando uma Autoridade Certificadora (CA)]] | ||
== Criando as chaves ssl == | ==== Criando as chaves ssl ==== | ||
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout nginx.key -out nginx.crt \ | openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout nginx.key -out nginx.crt \ | ||
-subj "/C=BR/ST=DF/L=Brasilia/O=Company/OU=TI/CN=$(hostname).company.com.br" | -subj "/C=BR/ST=DF/L=Brasilia/O=Company/OU=TI/CN=$(hostname).company.com.br" | ||
== Importando um Certificado == | ==== Importando um Certificado ==== | ||
Download do certificado | Download do certificado | ||
| Line 18: | Line 18: | ||
ikeycmd -cert -add -db "key.jks" -file "FILENAME.cer" -pw <PASSWORD> -label <LABEL_CERTIFICADO> > /dev/null | ikeycmd -cert -add -db "key.jks" -file "FILENAME.cer" -pw <PASSWORD> -label <LABEL_CERTIFICADO> > /dev/null | ||
= iKeyCmd Cheat Sheet = | |||
= Trocando a chave SSL do Connect:Direct = | |||
Vamos criar uma chave 2024/2025 como exemplo: | |||
keytool -genkeypair -alias cdnode01_24_25 -keyalg RSA -keysize 2048 -validity 10 -keystore cdkeystore.p12 -storetype PKCS12 \ | |||
-sigalg SHA384withRSA -dname "CN=cdnode01.ebasso.net, O=EbassoNet, ST=Goias, C=BR" | |||
Enter keystore password: | |||
Re-enter new password: | |||
Generating 2,048 bit RSA key pair and self-signed certificate (SHA384withRSA) with a validity of 10 days | |||
for: CN=cdnode01.ebasso.net, O=EbassoNet, ST=Goias, C=BR | |||
Gerando a nova chave 2025/2026 | |||
keytool -genkeypair -alias cdnode01_25_26 -keyalg RSA -keysize 2048 -validity 365 -keystore cdkeystore.p12 -storetype PKCS12 \ | |||
-sigalg SHA384withRSA -dname "CN=cdnode01.ebasso.net, O=EbassoNet, ST=Goias, C=BR" \ | |||
-ext san=dns:cdnode01.ebasso.net,dns:www.cdnode01.ebasso.net | |||
Enter keystore password: | |||
Generating 2,048 bit RSA key pair and self-signed certificate (SHA384withRSA) with a validity of 365 days | |||
for: CN=cdnode01.ebasso.net, O=EbassoNet, ST=Goias, C=BR | |||
Exportando o CSR | |||
keytool -certreq -alias cdnode01_25_26 -keystore cdkeystore.p12 -file cdnode01_25_26.csr -storetype PKCS12 \ | |||
-ext san=dns:cdnode01.ebasso.net,dns:www.cdnode01.ebasso.net | |||
Enter keystore password: | |||
Criando a nossa CA | |||
openssl genpkey -algorithm RSA -out ca-key.pem -aes256 -pass pass:MinhaSenhaForte -pkeyopt rsa_keygen_bits:4096 | |||
......+..+...+....+++++++++++++++++++++++++++++++++++++++++++++*.. | |||
....+........+.........+.......+...+..+....+..+....+......+..+.... | |||
openssl req -x509 -new -nodes -key ca-key.pem -sha384 -days 3650 -out ca-cert.pem -passin pass:MinhaSenhaForte \ | |||
-subj "/C=BR/ST=Goias/O=ebasso.net/CN=Minha CA" | |||
Criar o arquivo san.ext | |||
authorityKeyIdentifier=keyid,issuer | |||
basicConstraints=CA:FALSE | |||
keyUsage = digitalSignature, keyEncipherment | |||
extendedKeyUsage = serverAuth | |||
subjectAltName = @alt_names | |||
[alt_names] | |||
DNS.1 = cdnode01.ebasso.net | |||
DNS.2 = www.cdnode01.ebasso.net | |||
Assinado o CSR | |||
openssl x509 -req -in cdnode01_25_26.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out cdnode01_25_26.crt \ | |||
-days 365 -sha384 -passin pass:MinhaSenhaForte -extfile san.ext | |||
Certificate request self-signature ok | |||
subject=C=BR, ST=Goias, O=EbassoNet, CN=cdnode01.ebasso.net | |||
Importando a nossa CA | |||
keytool -import -keystore cdkeystore.p12 -storetype PKCS12 -file ca-cert.pem -alias minha-ca -noprompt | |||
Enter keystore password: | |||
Certificate was added to keystore | |||
Importando a nossa chave | |||
keytool -import -trustcacerts -alias cdnode01_25_26 -keystore cdkeystore.p12 -file cdnode01_25_26.crt -storetype PKCS12 -noprompt \ | |||
-ext san=dns:cdnode01.ebasso.net,dns:www.cdnode01.ebasso.net | |||
Enter keystore password: | |||
Certificate reply was installed in keystore | |||
Listando as nossas chaves | |||
keytool -list -keystore cdkeystore.p12 -storetype PKCS12 -v | |||
= Keytool Cheat Sheet = | |||
List certificates | |||
keytool -v -list -keystore <JAVA_HOME>/lib/security/cacerts -storepass changeit | |||
Add a client certificate to keystore | |||
keytool -import -alias cert-interno -file /<TEMP_DIR>/certificadoInterno.der \ | |||
-keystore <JAVA_HOME>/lib/security/cacerts -storetype jceks \ | |||
-storepass changeit -noprompt | |||
Remove certificate from keystore | |||
keytool -delete -noprompt -alias <ALIAS> -keystore JAVA_HOME>/lib/security/cacerts -storepass changeit | |||
= iKeyCmd Cheat Sheet (Deprecated)= | |||
List certificates | List certificates | ||
| Line 37: | Line 128: | ||
ikeycmd -cert -setdefault -db "key.kdb" -label "mydefaultcertificate" -pw changeit | ikeycmd -cert -setdefault -db "key.kdb" -label "mydefaultcertificate" -pw changeit | ||
To create a new certificate request | |||
ikeycmd -certreq -create -db gui-truststore.jks -pw password -size 2048 \ | |||
-sig_alg SHA256WithRSA -dn "CN=srv.company.com" -file certreq.csr -label label \ | |||
-san_dnsname srv1.company.com,srv2.company.com \ | |||
-san_ipaddr 192.168.2.1,192.168.2.2 | |||
To receive the signed certificate by using the iKeycmd command, issue the following command: | |||
ikeycmd -cert -receive -db gui-truststore.jks -pw password -format format -file certificate_file | |||
To create a self signed certificate | |||
ikeycmd -cert -create -db keyselfsigned.jks -pw 1234 -label mysigner -dn "CN=srv.company.com" -size 2048 -expire 3650 -ca true | |||
* [[WLP: Adicionando um certificado TLS como confiável na Liberty trust store]] | * [[WLP: Adicionando um certificado TLS como confiável na Liberty trust store]] | ||
* [[]] | |||
* [[]] | |||
* [[Java: Importando Certificados SSL para a Java Virtual Machine (JVM)]] | |||
* [[Keytool: Importando chave TLS do servidor LDAP]] | |||
* [[Keytool: Importando uma chave da Let's Encrypt]] | |||
* [[Sametime: Importando Certificados SSL para o cacerts]] | |||
Latest revision as of 14:53, 19 March 2025
OpenSSL Cheat Sheet
Criando as chaves ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout nginx.key -out nginx.crt \ -subj "/C=BR/ST=DF/L=Brasilia/O=Company/OU=TI/CN=$(hostname).company.com.br"
Importando um Certificado
Download do certificado
openssl s_client -connect <HOST:PORT> </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <FILENAME.cer>
Importando via ikeycmd
ikeycmd -cert -add -db "key.jks" -file "FILENAME.cer" -pw <PASSWORD> -label <LABEL_CERTIFICADO> > /dev/null
Trocando a chave SSL do Connect:Direct
Vamos criar uma chave 2024/2025 como exemplo:
keytool -genkeypair -alias cdnode01_24_25 -keyalg RSA -keysize 2048 -validity 10 -keystore cdkeystore.p12 -storetype PKCS12 \ -sigalg SHA384withRSA -dname "CN=cdnode01.ebasso.net, O=EbassoNet, ST=Goias, C=BR" Enter keystore password: Re-enter new password: Generating 2,048 bit RSA key pair and self-signed certificate (SHA384withRSA) with a validity of 10 days for: CN=cdnode01.ebasso.net, O=EbassoNet, ST=Goias, C=BR
Gerando a nova chave 2025/2026
keytool -genkeypair -alias cdnode01_25_26 -keyalg RSA -keysize 2048 -validity 365 -keystore cdkeystore.p12 -storetype PKCS12 \ -sigalg SHA384withRSA -dname "CN=cdnode01.ebasso.net, O=EbassoNet, ST=Goias, C=BR" \ -ext san=dns:cdnode01.ebasso.net,dns:www.cdnode01.ebasso.net Enter keystore password: Generating 2,048 bit RSA key pair and self-signed certificate (SHA384withRSA) with a validity of 365 days for: CN=cdnode01.ebasso.net, O=EbassoNet, ST=Goias, C=BR
Exportando o CSR
keytool -certreq -alias cdnode01_25_26 -keystore cdkeystore.p12 -file cdnode01_25_26.csr -storetype PKCS12 \ -ext san=dns:cdnode01.ebasso.net,dns:www.cdnode01.ebasso.net Enter keystore password:
Criando a nossa CA
openssl genpkey -algorithm RSA -out ca-key.pem -aes256 -pass pass:MinhaSenhaForte -pkeyopt rsa_keygen_bits:4096 ......+..+...+....+++++++++++++++++++++++++++++++++++++++++++++*.. ....+........+.........+.......+...+..+....+..+....+......+..+....
openssl req -x509 -new -nodes -key ca-key.pem -sha384 -days 3650 -out ca-cert.pem -passin pass:MinhaSenhaForte \ -subj "/C=BR/ST=Goias/O=ebasso.net/CN=Minha CA"
Criar o arquivo san.ext
authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = cdnode01.ebasso.net DNS.2 = www.cdnode01.ebasso.net
Assinado o CSR
openssl x509 -req -in cdnode01_25_26.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out cdnode01_25_26.crt \ -days 365 -sha384 -passin pass:MinhaSenhaForte -extfile san.ext Certificate request self-signature ok subject=C=BR, ST=Goias, O=EbassoNet, CN=cdnode01.ebasso.net
Importando a nossa CA
keytool -import -keystore cdkeystore.p12 -storetype PKCS12 -file ca-cert.pem -alias minha-ca -noprompt Enter keystore password: Certificate was added to keystore
Importando a nossa chave
keytool -import -trustcacerts -alias cdnode01_25_26 -keystore cdkeystore.p12 -file cdnode01_25_26.crt -storetype PKCS12 -noprompt \ -ext san=dns:cdnode01.ebasso.net,dns:www.cdnode01.ebasso.net Enter keystore password: Certificate reply was installed in keystore
Listando as nossas chaves
keytool -list -keystore cdkeystore.p12 -storetype PKCS12 -v
Keytool Cheat Sheet
List certificates
keytool -v -list -keystore <JAVA_HOME>/lib/security/cacerts -storepass changeit
Add a client certificate to keystore
keytool -import -alias cert-interno -file /<TEMP_DIR>/certificadoInterno.der \ -keystore <JAVA_HOME>/lib/security/cacerts -storetype jceks \ -storepass changeit -noprompt
Remove certificate from keystore
keytool -delete -noprompt -alias <ALIAS> -keystore JAVA_HOME>/lib/security/cacerts -storepass changeit
iKeyCmd Cheat Sheet (Deprecated)
List certificates
ikeycmd -cert -list personal -db "key.kdb" -pw changeit ikeycmd -cert -list ca -db "key.kdb" -pw changeit
Add a client certificate to keystore
ikeycmd -cert -add -db "key.kdb" -label <MYCERTLABEL> -file <FILENAME.crt> -format ascii -pw changeit
Remove certificate from keystore (using stashed password)
ikeycmd -cert -delete -label <MYCERTLABEL> -db "key.kdb" -stashed
Set default certificate
ikeycmd -cert -setdefault -db "key.kdb" -label "mydefaultcertificate" -pw changeit
To create a new certificate request
ikeycmd -certreq -create -db gui-truststore.jks -pw password -size 2048 \ -sig_alg SHA256WithRSA -dn "CN=srv.company.com" -file certreq.csr -label label \ -san_dnsname srv1.company.com,srv2.company.com \ -san_ipaddr 192.168.2.1,192.168.2.2
To receive the signed certificate by using the iKeycmd command, issue the following command:
ikeycmd -cert -receive -db gui-truststore.jks -pw password -format format -file certificate_file
To create a self signed certificate
ikeycmd -cert -create -db keyselfsigned.jks -pw 1234 -label mysigner -dn "CN=srv.company.com" -size 2048 -expire 3650 -ca true