# OpenSSL Notes

## Generating a self-signed certificate with a SAN

Keycloak example:

```
openssl req -x509 -newkey rsa:2048 -sha256 -days 3560 -nodes -keyout selfsigned.key -out selfsigned.crt \
  -subj '/CN=keycloak.xdrtest.accenturefederalcyber.com' \
  -extensions san -config <( \
    echo '[req]'; \
    echo 'distinguished_name=req'; \
    echo '[san]'; \
    echo 'subjectAltName=DNS:localhost,DNS:keycloak.xdrtest.accenturefederalcyber.com,DNS:auth.xdrtest.accenturefederalcyber.com,DNS:keycloak-0.pvt.xdrtest.accenturefederalcyber.com'; \
    echo '[ext]'; \
    echo 'basicConstraints=CA:TRUE,pathlen:0')
```

Only the section named by `-extensions` (here `[san]`) is applied to the certificate, so the `[ext]` section above has no effect unless it is the one passed to `-extensions`.

## Generating a CSR

Wildcard example. *NOTE*: the SAN is added during signing (see the ACM PCA policy below), not in the CSR.

```
openssl req -new -newkey rsa:2048 -nodes -keyout wildcard.key -out wildcard.csr \
  -subj '/C=US/ST=Virginia/L=Fairfax/O=Accenture Federal Services/OU=Extended Detection and Response/CN=*.xdr.accenturefederalcyber.com/'
```

Validate it:

```
openssl req -in wildcard.csr -noout -text -verify
```

## Signing with our Private CA

This should only be used to generate certificates when we must have the private key. Otherwise, it is all-around better to just use ACM.
```
cat > tmp.policy <<'EOF'
{
  "Extensions": {
    "SubjectAlternativeNames": [
      { "DnsName": "localhost" },
      { "DnsName": "xdr.accenturefederalcyber.com" },
      { "DnsName": "xdrtest.accenturefederalcyber.com" },
      { "DnsName": "*.xdr.accenturefederalcyber.com" },
      { "DnsName": "*.xdrtest.accenturefederalcyber.com" },
      { "DnsName": "*.pvt.xdr.accenturefederalcyber.com" },
      { "DnsName": "*.pvt.xdrtest.accenturefederalcyber.com" }
    ]
  }
}
EOF

aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca issue-certificate \
  --api-passthrough file://./tmp.policy \
  --certificate-authority-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/05b83e94-f625-43e4-a9f2-c3d8f04410f9 \
  --csr fileb://./wildcard.csr \
  --signing-algorithm SHA512WITHECDSA \
  --template-arn arn:aws-us-gov:acm-pca:::template/EndEntityCertificate_APIPassthrough/V1 \
  --validity Value=365,Type=DAYS
```

Retrieve the certificate (`OUTPUTFROMPREVIOUS` is the `CertificateArn` returned by `issue-certificate`):

```
aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca get-certificate \
  --certificate-authority-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/05b83e94-f625-43e4-a9f2-c3d8f04410f9 \
  --certificate-arn OUTPUTFROMPREVIOUS \
  --output text | sed 's/\t/\n/' > tmp.crt

# Validate the certificate
openssl x509 -in tmp.crt -noout -text
```

## Parsing a Certificate Revocation List

```
curl http://xdr-root-crl.s3.us-gov-east-1.amazonaws.com/crl/6e85d623-ce0b-4a85-aa64-af293a422010.crl | openssl crl -inform DER -text -noout
```
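The self-signed SAN section and the "validate the certificate" steps above are easy to get subtly wrong (a SAN that misses a hostname, a key that does not belong to the cert that came back, a leaf accidentally marked as a CA). The following is an added example, not part of the original notes: it wraps the same `[req]`/`[san]` config trick in a function and adds checks you can run against any cert before deploying it. Hostnames and file names are constructed placeholders.

```shell
# Added example (not from the original notes): self-signed leaf cert with SANs
# from a generated config, plus checks a practitioner runs before deploying.
set -eu

# mk_selfsigned_san PREFIX CN "host1,host2,..." -> writes PREFIX.key and PREFIX.crt
mk_selfsigned_san() {
  prefix=$1; cn=$2; names=$3
  # "a,b,c" -> "DNS:a,DNS:b,DNS:c" for the subjectAltName value
  san="DNS:$(printf '%s' "$names" | sed 's/,/,DNS:/g')"
  cfg=$(mktemp)
  # A server cert is a leaf: state CA:FALSE and serverAuth explicitly so
  # nothing downstream mistakes it for an issuing CA.
  printf '[req]\ndistinguished_name=req\n[san]\nsubjectAltName=%s\n' "$san" > "$cfg"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' >> "$cfg"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -keyout "$prefix.key" -out "$prefix.crt" -subj "/CN=$cn" \
    -extensions san -config "$cfg" 2>/dev/null
  rm -f "$cfg"
}

# san_list CERT -> one SAN DNS name per line, as encoded in the certificate
san_list() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# cert_has_san CERT NAME -> success only if NAME is an exact SAN entry
cert_has_san() { san_list "$1" | grep -qxF "$2"; }

# key_matches_cert KEY CERT -> success if the public keys are identical,
# i.e. the certificate really was issued for this private key
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# cert_is_ca CERT -> success if basicConstraints marks it as a CA
cert_is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Demo with constructed hostnames: generate, then run the three checks
demo() {
  d=$(mktemp -d)
  mk_selfsigned_san "$d/leaf" app.example.test "localhost,app.example.test"
  cert_has_san "$d/leaf.crt" app.example.test && echo "SAN covers app.example.test"
  key_matches_cert "$d/leaf.key" "$d/leaf.crt" && echo "key matches cert"
  cert_is_ca "$d/leaf.crt" || echo "leaf is not a CA (expected)"
}
```

`key_matches_cert` is also the check to run on `wildcard.key` against the `tmp.crt` retrieved from ACM PCA above.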