Create directory
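# Keep the key material generated below in a directory that only the current
# user can enter: server.key and rootCA.key are both written without a
# passphrase, so file-system permissions are their only protection.
mkdir -m 700 openssl && cd openssl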
STEP 1:
Generate the private key
# No cipher option (for example -aes256) is given, so server.key is stored
# without a passphrase; anyone who can read the file can impersonate the server.
openssl genrsa -out server.key 2048
Extract the public key
# Derives the public key from server.key. The later steps on this page do not
# use server_pub.key; the CSR is built directly from server.key.
openssl rsa -in server.key -pubout -out server_pub.key
STEP 2:
Create Certificate Signing Request (CSR)
# Write the CSR configuration. The here-doc delimiter is quoted so the shell
# copies the text literally (it contains nothing to expand).
# The [ alt_names ] section requests DNS *and* IP subjectAltNames. These are
# only a request: the signing step decides which extensions the certificate
# actually carries.
cat <<'EOF' > csr.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = PK
ST = Punjab
L = Rawalpindi
O = HBVOICE
OU = DevOps
CN = servers.hbvoice.local
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kamailio.hbvoice.local
DNS.2 = debian10.hbvoice.local
DNS.3 = centos7.hbvoice.local
IP.1 = 192.168.0.132
IP.2 = 192.168.0.167
IP.3 = 192.168.0.115
EOF
Generate Certificate signing request(CSR) using the private key
# Builds server.csr from server.key, taking the subject and the requested
# subjectAltName entries from csr.conf.
# Review what is being requested before signing:
#   openssl req -in server.csr -noout -text
openssl req -new -key server.key -out server.csr -config csr.conf
STEP 3:
Create Certificate Authority
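# Self-signed root CA (key and certificate created in one step).
# -days was 356, presumably a transposed 365: with 356 the CA expired before
# the 365-day server certificate it signs below. A CA should stay valid at
# least as long as the certificates it issues.
# -nodes writes rootCA.key WITHOUT a passphrase: whoever obtains that file can
# issue certificates that every host trusting rootCA.crt will accept, so keep
# it off the servers and readable only by the CA operator.
openssl req -x509 -sha256 -days 365 -nodes -newkey rsa:2048 -subj "/CN=HBVOICE/C=PK/L=Islamabad" -keyout rootCA.key -out rootCA.crt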
Create the extensions file (passed to -extfile when signing)
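# Extensions that are written into the signed server certificate.
# The signing command takes its extensions from this file, not from the CSR,
# so the IP entries requested in csr.conf have to be repeated here; without
# them a client connecting by IP address fails hostname verification.
# NOTE(review): nonRepudiation and dataEncipherment are not needed for a TLS
# server certificate; consider trimming keyUsage and adding
# "extendedKeyUsage = serverAuth" to limit what the key may be used for.
cat > cert.conf <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kamailio.hbvoice.local
DNS.2 = debian10.hbvoice.local
DNS.3 = centos7.hbvoice.local
IP.1 = 192.168.0.132
IP.2 = 192.168.0.167
IP.3 = 192.168.0.115
EOF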
Generate SSL Certificate with Self Signed CA
# Signs the CSR with the root CA. By default x509 -req does not copy the
# extensions requested in server.csr; only what cert.conf lists (via -extfile)
# ends up in server.crt. -CAcreateserial creates the CA serial-number file on
# first use.
# Confirm the result chains to the CA and carries the expected names:
#   openssl verify -CAfile rootCA.crt server.crt
#   openssl x509 -in server.crt -noout -text
openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile cert.conf
Check SSL Certificate
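# Connect to the server and validate what it presents against the new root CA.
# Without -CAfile the chain is checked against the system trust store (which
# does not contain rootCA.crt yet), and without -verify_return_error s_client
# completes the handshake even when verification fails, so a bad certificate
# is easy to overlook. </dev/null closes the session once the handshake output
# has been printed.
openssl s_client -showcerts -CAfile rootCA.crt -verify_return_error -connect kamailio.hbvoice.local:4443 < /dev/null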
STEP 4:
Create the fullchain.pem file (private key followed by the server certificate)
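# server.key was generated without a passphrase, so this only rewrites the
# same unencrypted key under another name.
openssl rsa -in server.key -out nopassword.key
# Despite its name, fullchain.pem holds the PRIVATE KEY followed by the server
# certificate (the CA certificate is not included). A plain ">" redirect creates
# it with the default umask, which normally leaves it world-readable, so build
# it under a restrictive umask and tighten the mode in case the file existed.
(
  umask 077
  cat nopassword.key server.crt > fullchain.pem
)
chmod 600 fullchain.pem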
To add Certificate Authority in Linux
Debian
Copy your CA certificate to the local CA directory
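# /usr/local/share/ca-certificates is root-owned, so the copy needs the same
# privileges as the update step. Copy only rootCA.crt, never rootCA.key.
# After this, the host trusts ANY certificate signed by this CA for any name,
# so the protection of rootCA.key determines the security of every host that
# installs it.
sudo cp rootCA.crt /usr/local/share/ca-certificates/foo.crt
sudo update-ca-certificates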
To remove:
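Remove your CA file (the foo.crt copied above) from /usr/local/share/ca-certificates/, then refresh the trust store: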
# --fresh rebuilds the links in /etc/ssl/certs from scratch, so a certificate
# whose file has been deleted is no longer trusted afterwards.
sudo update-ca-certificates --fresh
To check whether your root CA appears in the list:
# NOTE(review): this rewrites /etc/ssl/certs, so it presumably needs the same
# sudo as the call above. The verbose output appears to list certificate file
# names, so a CA installed as foo.crt may not match "HBVOICE" - confirm.
update-ca-certificates --fresh --verbose | grep -i HBVOICE
Some useful OpenSSL s_client commands
# Basic handshake test. By default s_client reports verification errors but
# still completes the handshake, so read the "Verify return code" line rather
# than treating a successful connection as proof the certificate is valid.
openssl s_client -connect debian10.hbvoice.local:9440
mntr
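# Several options below were written with a typographic en dash instead of an
# ASCII hyphen, which openssl does not recognise as an option prefix; they are
# restored here.

# Print every certificate the server sends.
openssl s_client -connect debian10.hbvoice.local:9440 -showcerts
# Short summary of the negotiated protocol, cipher and peer certificate.
openssl s_client -connect debian10.hbvoice.local:9440 -brief
# Validity period of the server certificate. </dev/null lets s_client exit
# after the handshake instead of waiting for input.
openssl s_client -connect debian10.hbvoice.local:9440 2> /dev/null < /dev/null | openssl x509 -noout -dates
# Abort the handshake if certificate verification fails.
openssl s_client -verify_return_error -connect debian10.hbvoice.local:9440
# Fingerprint of the server certificate (add -sha256 for a SHA-256 digest).
openssl s_client -connect kyle.com:443 2> /dev/null < /dev/null | openssl x509 -noout -fingerprint
# List the cipher suites this OpenSSL build supports for TLS 1.3.
openssl ciphers -s -tls1_3
# Force a specific protocol version to confirm what the server accepts.
openssl s_client -verify_return_error -connect debian10.hbvoice.local:9440 -tls1_2
# TLS 1.3 suites are selected with -ciphersuites; -cipher only configures the
# TLS 1.2-and-earlier cipher list.
openssl s_client -verify_return_error -connect debian10.hbvoice.local:9440 -tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384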
For more details Please use this link
Enjoy ;)