certificate


Create a PKCS#12 file that contains both the certificate and the private key

In today’s world, security is a significant concern for everyone. Securing sensitive information such as passwords, certificates, and private keys is important. OpenSSL is a widely used tool for encrypting, decrypting, and managing digital certificates and keys. In this blog, we will explain the following command:

openssl pkcs12 -export -out certificate.p12 -in certificate.pem -inkey key.pem -passin pass:bytefreaks -passout pass:bytefreaks;

This command creates a PKCS#12 file containing the certificate and the private key. PKCS#12 (Public-Key Cryptography Standards #12) is a file format that stores cryptographic objects such as private keys, certificates, and intermediate certificates.

Let’s break down this command and explain what each option does:

openssl pkcs12

This is the OpenSSL command for PKCS#12.

-export

This option tells OpenSSL to export the certificate and private key.

-out certificate.p12

This option specifies the output file name and format. In this case, the output file will be named certificate.p12.

-in certificate.pem

This option specifies the input file name and format. In this case, the input file is the certificate file named certificate.pem.

-inkey key.pem

This option specifies the private key file name and format. In this case, the private key file is named key.pem.

-passin pass:bytefreaks

This option specifies the password to decrypt the private key. In this case, the password is “bytefreaks”.

-passout pass:bytefreaks

This option specifies the password to encrypt the PKCS#12 file. In this case, the password is “bytefreaks”

;

This symbol indicates the end of the command.

When you run this command, OpenSSL will prompt you to enter the password for the private key. Once you enter the correct password, OpenSSL will create a PKCS#12 file named certificate.p12 that contains both the certificate and the private key encrypted with the password “bytefreaks”.

In conclusion, the openssl pkcs12 -export -out certificate.p12 -in certificate.pem -inkey key.pem -passin pass:bytefreaks -passout pass:bytefreaks; command is used to create a PKCS#12 file that contains both the certificate and the private key. This file is encrypted with the password “bytefreaks” to ensure security.


How to retrieve the SSL cert expiration date from a PEM encoded certificate?

We use the following command to get the ending date of PEM encoded certificates that are generated using certbot and Let's Encrypt:

openssl x509 -enddate -noout -in fullchain.pem;

To get a list of all certificates and their expiration dates, we issue the following find command that executes the above snippet on each result while printing the name of the file first.

find ~/certificates/ -name "fullchain.pem" -print -exec openssl x509 -enddate -noout -in '{}' \;

In this example, the certificates are in our home folder under the name ‘certificates’. The results will look like the following sample:

/home/tux/certificates/example.com/fullchain.pem
notAfter=Aug 22 10:12:55 2021 GMT
/home/tux/certificates/site2.example.com/fullchain.pem
notAfter=Nov 22 03:22:44 2021 GMT

Cloudflare Origin Server Certificate for IIS 10 Server on Windows Server 2016 to allow Full (strict) mode SSL/TLS encryption mode 8

Create a Certificate Request from your Windows Server

  1. Open Internet Information Services (IIS) Manager from the Windows Server 2016 through Control Panel -> Administrative Tools
  2. Select your server from the Connections and open Server Certificates
  1. From the Server Certificates Actions select Create Certificate Request
  1. Fill in the following form with your details:
Common name: [your domain]
Organization: [your organization name]
etc.
  1. Set the settings for the Cryptographic service provider of the certificate, the bigger the length of the certificate the better the security but it makes the server slower.
  1. Specify the filename of the txt file where you will save the certificate request

Create the certificate from Cloudflare using your own certificate request that you created from your Windows Server

  1. Open your Cloudflare account, select your domain, open SSL/TLS tab and click on Origin Server in order to create the certificate
  1. Select the option ‘I have my own private key and CSR’ where you will Copy-Paste the certificate you saved on the txt file from your Windows Server, fill in the hostnames, select the expiration years and press Next
  1. Copy-Paste in PEM key format the certificate in a text file and save the file

Add the public certificate from Cloudflare at your Windows Server

  1. Copy the file with the PEM certificate from Cloudflare at your Windows Server
  2. Select ‘Complete Certificate Request’ from the IIS Manager Server Certificates Actions
  1. Select the PEM certificate you copied at the server and add a friendly name (e.g. the domain it covers and the expiration date of it):
  1. The certificate will appear at the list of the Server Certificates with the Friendly name you added at the form before

Import Cloudflare Origin CA root certificate at your Windows server

  1. Copy the Cloudflare Origin CA — RSA Root certificate from Cloudflare website, save to a file and transfer it to your Windows Server
  2. Open the Certificates Microsoft Management Console (MMC) snap-in by typing mmc.exe at the command prompt (or at the run dialog that you can open by pressing the buttons Win+R)
  3. On the File menu, select Add/Remove Snap-in
  1. In the Add or Remove Snap-ins dialog box, select Certificates snap-in in the Available snap-ins list, click Add, and then select OK
  1. In the Certificates snap-in dialog-box, select Computer account, and then select Next
  1. In the Select computer dialog box, click on Finish
  1. In the Add or Remove Snap-ins dialog box, select OK
  1. In the Certificates MMC snap-in, expand Certificates, right-click Intermediate Certification Authorities, point to All Tasks, and then select Import
  1. In the Certificate Import Wizard, select Next
  1. In the File to Import page, select the file with the Cloudflare origin CA root certificate you saved before, and then select Next
  1. Select Next at the Certificate Import Wizard
  1. Select Finish at the Certificate Import Wizard
  1. The certificate will appear at the Certificates list

Use the newly created server origin certificate from Cloudflare for your website

  1. Select Bindings from the IIS Manager Web Site Actions
  1. Select the https binding and click Edit. If you do not have an https binding, press Add... to create one like in the second screen down
  1. At the SSL certificate dropdown list Select the new certificate and press OK

Force your website domain to pass through Cloudflare

  1. Open your Cloudflare account, select your domain, go to DNS option and change the Proxy status for your website from DNS only to Proxied by click it
  1. Enable Cloudflare full (strict) SSL TLS encryption mode in the SSL/TLS tab

Ignore SSL certificates for GIT

The background

So, recently a new firewall was installed, this firewall performs SSL/TLS decryption on all encrypted traffic…

In order for machines to continue operating normally, a custom certificate was issued and installed on each one. On certain machines though, the certificate was not installed and this caused verification problems.

The story

While trying to clone a git project from github we got the following output


$ git clone https://github.com/ioi/translation.git
Cloning into 'translation'...
fatal: unable to access 'https://github.com/ioi/translation.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

The horrible solution

To mitigate the problem (not solve it), we directed git to ignore the SSL certificates and not verify them using the following call right before the clone command.


export GIT_SSL_NO_VERIFY=true

As expected, the execution went smoothly after this change


$ git clone https://github.com/ioi/translation.git
Cloning into 'translation'...
remote: Counting objects: 297, done.
remote: Total 297 (delta 0), reused 0 (delta 0), pack-reused 297
Receiving objects: 100% (297/297), 4.40 MiB | 1.50 MiB/s, done.
Resolving deltas: 100% (39/39), done.
Checking connectivity... done.