
OpenSSL Notes

Generating a self-signed certificate with a SAN

Keycloak example (-extensions san applies only the [san] section; the [ext] section below is written into the config but is never selected):

openssl req -x509 -newkey rsa:2048 -sha256 -days 3560 -nodes -keyout selfsigned.key -out selfsigned.crt \
  -subj '/CN=keycloak.xdrtest.accenturefederalcyber.com' \
  -extensions san -config <( \
  echo '[req]'; \
  echo 'distinguished_name=req'; \
  echo '[san]'; \
  echo 'subjectAltName=DNS:localhost,DNS:keycloak.xdrtest.accenturefederalcyber.com,DNS:auth.xdrtest.accenturefederalcyber.com,DNS:keycloak-0.pvt.xdrtest.accenturefederalcyber.com'; \
  echo '[ext]'; \
  echo 'basicConstraints=CA:TRUE,pathlen:0')
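As an added example (not from these notes), the same self-signed SAN certificate built from a temporary config file instead of an echo chain, with checks that the requested SAN entries and an end-entity basicConstraints actually landed in the certificate. It assumes openssl is on PATH; the hostnames in the functions' comments and in any test input are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes. Assumes openssl is on PATH.
set -eu

# make_selfsigned_san KEYFILE CRTFILE CN "dns1,dns2,..."
# Builds a throwaway OpenSSL config so the SAN list comes from an argument,
# and marks the cert as an end-entity server cert (CA:FALSE, serverAuth)
# instead of CA:TRUE, which a self-signed service cert should not carry.
make_selfsigned_san() {
  key="$1"; crt="$2"; cn="$3"; dns_list="$4"
  # "a,b,c" -> "DNS:a,DNS:b,DNS:c"
  san=$(printf '%s' "$dns_list" | sed -e 's/,/,DNS:/g' -e 's/^/DNS:/')
  cfg=$(mktemp)
  cat > "$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $cn
[san]
subjectAltName = $san
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -keyout "$key" -out "$crt" -config "$cfg" -extensions san >/dev/null 2>&1
  rm -f "$cfg"
}

# cert_has_dns CRTFILE NAME: succeeds only if NAME is an exact DNS SAN entry.
# Takes the line after the SAN header, splits on commas, strips "DNS:" and
# compares whole strings, so "xdr.example.test" does not match "xdr.example.test.other".
cert_has_dns() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print; exit }' \
    | tr ',' '\n' | sed 's/^[[:space:]]*DNS://' | grep -qxF "$2"
}

# cert_is_end_entity CRTFILE: succeeds if basicConstraints says CA:FALSE.
cert_is_end_entity() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:FALSE'
}
```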

Generating a CSR

Wildcard example (note: the SAN is added by the CA at signing time, not in the CSR):

openssl req -new -newkey rsa:2048 -nodes -keyout wildcard.key -out wildcard.csr \
  -subj '/C=US/ST=Virginia/L=Fairfax/O=Accenture Federal Services/OU=Extended Detection and Response/CN=*.xdr.accenturefederalcyber.com/'

Validate it:

openssl req -in wildcard.csr -noout -text -verify

Signing with our Private CA

This should only be used to generate certificates when we must have the private key. Otherwise, it is all-around better to just use ACM.

cat <<EOF > tmp.policy
{
  "Extensions": {
    "SubjectAlternativeNames": [
      { "DnsName": "localhost" },
      { "DnsName": "xdr.accenturefederalcyber.com" },
      { "DnsName": "xdrtest.accenturefederalcyber.com" },
      { "DnsName": "*.xdr.accenturefederalcyber.com" },
      { "DnsName": "*.xdrtest.accenturefederalcyber.com" },
      { "DnsName": "*.pvt.xdr.accenturefederalcyber.com" },
      { "DnsName": "*.pvt.xdrtest.accenturefederalcyber.com" }
    ]
  }
}
EOF
aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca issue-certificate \
  --api-passthrough file://./tmp.policy \
  --certificate-authority-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/05b83e94-f625-43e4-a9f2-c3d8f04410f9 \
  --csr fileb://./wildcard.csr \
  --signing-algorithm SHA512WITHECDSA \
  --template-arn arn:aws-us-gov:acm-pca:::template/EndEntityCertificate_APIPassthrough/V1 \
  --validity Value=365,Type=DAYS

Retrieve the certificate:

aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca get-certificate \
    --certificate-authority-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/05b83e94-f625-43e4-a9f2-c3d8f04410f9 \
    --certificate-arn OUTPUTFROMPREVIOUS \
    --output text | sed 's/\t/\n/' > tmp.crt
# Validate the certificate
openssl x509 -in tmp.crt -noout -text

Parsing a Certificate Revocation List

curl http://xdr-root-crl.s3.us-gov-east-1.amazonaws.com/crl/6e85d623-ce0b-4a85-aa64-af293a422010.crl | openssl crl -inform DER -text -noout