Friday, July 17, 2020

Creating your own CA and development certificates

Into the world of SSL/TLS we go again.

For this I will need my own CA. I seem to always set one up but forget the process I followed so I’m documenting it here now. Hopefully you can benefit from this.

Step 1 - Create your private key
First we need to create our private key with the following command:

  • openssl genrsa -aes256 -out myCA.key 2048

The above step will produce a file called myCA.key which is your private key for the CA. Make sure you don’t lose this or the passphrase you provided to generate the key. Normally I suspect this key would be kept in an HSM device.

Step 2 - Create your certificate
Now we will generate the root certificate from the key file we just created using the command below. You will need to enter the passphrase you chose in step 1:
  • openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem

Be careful when you input the values, as the input does not support backspace; if you stuff something up, rather run this step again.

You can check out the cert details by running the following command:
  • openssl x509 -in myCA.pem -text -noout

This will print the certificate details. Make sure you double check that the subject of the certificate matches the values you entered.
Now that you have completed this step you can import the certificate into your trusted root store so that any certificates you sign/create will be trusted.

Get the certificate onto your PC and install it. On Windows it's easiest to rename the certificate .pem file to .cert.

Right click on it and choose 'Install Certificate'.
Make sure you add it to your trusted root certificates.

Step 3 - Creating your development server certificates
Now that we have a CA we can sign certificates :-) :-)

Follow this process to create and sign a certificate.

  1. Create a private key with the following command:
  • openssl genrsa -out dev.myserver.key 2048
  2. OK, this is where it gets tricky! Use the following command to create a certificate signing request (CSR) using the private key you created in the previous step:
  • openssl req -new -key dev.myserver.key -out dev.myserver.csr
BUT WAIT! You more than likely want your dev server to have multiple names that you reference by DNS/IP, e.g. I have the following for my dev server:
  • mypingaccess
  • mypingaccess.mylab.co.za
  • mypingaccess.sandbox.co.za

In order to add these alternative names, also known as subject alternative names (SANs), you need to do the following:

b1) create a configuration file that contains the names like so:

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt = no
[ req_distinguished_name ]
countryName                = ZA
stateOrProvinceName        = Gauteng
localityName               = Sandton
organizationName           = IT
commonName                 = mypingaccess.mylab.co.za
[ req_ext ]
subjectAltName = @alt_names
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
[ alt_names ]
DNS.1   = mypingaccess
DNS.2   = mypingaccess.mylab.com
DNS.3   = mypingaccess.sandbox.co.za

I created the file in /tmp/san.cnf

b2) then I ran the following command to create the CSR: 
  • openssl req -out dev.myserver.csr -newkey rsa:2048 -nodes -keyout dev.myserver.private.key -config /tmp/san.cnf
b3) now make sure the SANs are part of the CSR with the following command:
  • openssl req -noout -text -in dev.myserver.csr | grep DNS
You should see the following output:
DNS:mypingaccess, DNS:mypingaccess.mylab.com, DNS:mypingaccess.sandbox.co.za

  3. Now that we have a CSR we can sign it with our CA. Use the following command to sign it:
  • openssl x509 -req -in dev.myserver.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out dev.myserver.crt -days 825 -sha256 -extfile /tmp/san.cnf -extensions req_ext
  4. Now check that the SANs are in the newly signed cert with the following command:
  • openssl x509 -in dev.myserver.crt -text -noout | grep DNS
You should have the following:
DNS:mypingaccess, DNS:mypingaccess.mylab.com, DNS:mypingaccess.sandbox.co.za

This part really broke a number of times for me when following various online posts, because they did not include the -extfile and -extensions options; when they did include them, they referenced a different cnf file from the one I used to create the CSR. What I also found was that if this file had incorrect parameters in it, the DNS SAN names would be stripped (not included) from the certificate (the CRT file).
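The whole flow above, and the failure just described, as an added example that is not from the original post: it builds the CA, the SAN config, the CSR and the signed certificate in a scratch directory, then signs the same CSR once without and once with -extfile/-extensions to show that the SANs are silently dropped in the first case. Host names, the CA subject and the passphrase are constructed lab values; the chain check with openssl verify is an extra check the post does not mention.

```shell
# Added example, not from the original post: automates the post's CA -> CSR ->
# signed certificate flow in a scratch directory and reproduces the failure the
# post warns about: signing without -extfile/-extensions silently drops the SANs.
# Lab names and the passphrase are constructed placeholders, not real values.
set -eu
CA_PASS="lab-only-passphrase"   # constructed; a real CA key belongs in an HSM
write_san_cnf() {  # $1 = output path; trimmed copy of the post's /tmp/san.cnf
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no
[ req_distinguished_name ]
commonName         = mypingaccess.mylab.co.za
[ req_ext ]
subjectAltName     = @alt_names
basicConstraints   = CA:FALSE
keyUsage           = digitalSignature, keyEncipherment
[ alt_names ]
DNS.1 = mypingaccess
DNS.2 = mypingaccess.mylab.co.za
EOF
}
make_ca() {  # $1 = work dir. Steps 1-2: passphrase-protected key, self-signed root
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$1/myCA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$1/myCA.key" -passin "pass:$CA_PASS" -sha256 \
    -days 1825 -subj "/CN=My Lab Root CA" -out "$1/myCA.pem"
}
sign_server_cert() {  # $1 = work dir, $2 = output .crt, $3 = with|without -extfile
  write_san_cnf "$1/san.cnf"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/dev.key" \
    -config "$1/san.cnf" -out "$1/dev.csr" 2>/dev/null
  if [ "$3" = with ]; then ext="-extfile $1/san.cnf -extensions req_ext"; else ext=""; fi
  # $ext is deliberately unquoted so it splits into separate arguments
  openssl x509 -req -in "$1/dev.csr" -CA "$1/myCA.pem" -CAkey "$1/myCA.key" \
    -passin "pass:$CA_PASS" -CAcreateserial -days 825 -sha256 $ext -out "$2" 2>/dev/null
}
san_count() {  # number of DNS SANs in a cert, the post's "| grep DNS" check
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:' | wc -l | tr -d ' '
}
chains_to_ca() {  # $1 = work dir, $2 = cert; succeeds only if it chains to myCA.pem
  openssl verify -CAfile "$1/myCA.pem" "$2" >/dev/null 2>&1
}
WORK=$(mktemp -d)
make_ca "$WORK"
sign_server_cert "$WORK" "$WORK/bad.crt" without
sign_server_cert "$WORK" "$WORK/good.crt" with
echo "SANs without -extfile: $(san_count "$WORK/bad.crt")"  # 0: the post's failure mode
echo "SANs with -extfile:    $(san_count "$WORK/good.crt")" # 2
chains_to_ca "$WORK" "$WORK/good.crt" && echo "good.crt verifies against myCA.pem"
```

The self-signed root relies on the stock openssl.cnf (or OpenSSL 3 defaults) to mark it CA:TRUE, which is what the post's own Step 2 command does as well.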

Cool, now that we have the certificate we need to install it on our server. This will depend on the application/web server you are using, but keep in mind that because the server is doing the encryption it will need both the private key and the public certificate.

Some application servers like Apache will allow you to provide both the private and public keys separately, while other servers will require a keypair. Here are the steps to create a PKCS#12 keypair:

  • openssl pkcs12 -export -out certificate.pfx -inkey dev.myserver.private.key -in dev.myserver.crt

This will prompt you for a password to protect the keypair because it contains the private key which you should not share with a public entity. You should now have a certificate.pfx file you can import as required.

Here’s an example of how I imported this in PingAccess:

1) Go to the Security -> Key Pairs option and click 'Import'

2) Provide an alias for the key pair, provide the password and upload the 'certificate.pfx'

3) Click 'Save' on the bottom right. You should get a confirmation pop up.

4) View the key pair.

If you connect to PingAccess you will still get a certificate error, as you now need to configure the HTTPS listener to use the key pair.

You will see that the current ADMIN key pair was created on installation and is set as the ADMIN HTTPS listener.

Now go back to the key pair list and click the pencil icon on the key pair you imported. From the drop down select the 'Assign HTTPS Listener' option and choose where you want to use the key pair.

The good news is no restart is required. Open another browser instance or incognito mode and your connection should be secure.

You can view the certificate and confirm the path.
Thursday, February 1, 2018

Locate Class File in JAR

This is a really easy way on Linux to find a class file in a set of JAR files:

find myDirectory/ -name "*.jar" | xargs grep HelloWorld.class

Sunday, April 24, 2016

Learning to say No!

The questions I kept asking myself were 'How did I get to this point?', 'Why do I have so much on my plate?' and 'Why do I never have any time to catch up on my admin?' Well, the truth of the matter is that I say Yes way too quickly. It's not easy saying No when you want to please people. But what I forget is that when I say Yes to something I'm actually saying No to something else.

Chatting to one of my friends a couple of weeks ago, he said I was 'oversubscribed' and I knew straight away I was in trouble, because it was the truth. Getting your way out of a situation like this is a lot more difficult than I would have initially thought. It required me to change my thinking.

Yes I want to offer a good service to my 'customers', yes I want to conduct myself in a professional way and yes I like it when I contribute to a positive outcome. The trouble is you can very quickly come to a point where you become completely ineffective. And this is key. I was being very efficient in what I was doing, but if I externalised it and looked from the outside for a moment I would see that people viewed me as very ineffective because I had become 'oversubscribed'.

So! What have I had to change? I've learnt to say No! At first this was a bit tricky as you don't want to let people down etc. etc. BUT it's a critical skill to have when managing relationships, customers and life in general. I guess a lot of it also comes down to having firm boundaries. Here are some tips that helped me get to this point:

  • When you say no to something you say yes to something else, and vice versa
  • When you say yes to everything people come to expect you to always say yes, so when they need 'work' done they'll always come straight to you because they know you'll say yes
  • People don't respect people that say yes to everything
  • Sometimes you don't need to say no, you just need to say not now, or the timing of this is not right for you. A lot of saying no comes down to how you say no.

That's where I found this article that came in handy -> The Gentle Art of Saying No. What this did not cover for me was why I should be saying no. And this is critical: if you don't know why you're saying no, you land up going back to saying yes.

I guess that's enough about yes and no for now, but I've had to learn this the hard way, and I guess in life sometimes that's the only way we do learn certain things.

Quote for the day here:

"Success is a lousy teacher. It seduces smart people into thinking they can't lose." Bill Gates

Wednesday, January 28, 2015

X11 Forwarding - request failed on channel 0

A quick note on getting X11 forwarding working ->

Error: X11 forwarding request failed on channel 0
Platform: SLES 11 SP3
Resolution: install xorg-x11-xauth

Other interesting things to try which could also cause this issue: http://ask.xmodulo.com/fix-broken-x11-forwarding-ssh.html

Saturday, January 24, 2015

How to Avoid Death by PowerPoint

Interesting video on this:

How to avoid death By PowerPoint: David JP Phillips at TEDxStockholm

Main points from this are:

  • One message per slide
  • Use contrast and size to steer focus
  • Avoid sentences if speaking at the same time
  • Use a dark background
  • Six objects per slide
Another one, more on the lighter side, that I enjoyed by Don McMillan.

Monday, January 19, 2015

NetIQ IDM 4.0.2 Install - iManager Error

Considering I keep forgetting to do this in my lab environments I thought I'd post a quick note on it.

Environment:
SLES 11 64 bit SP3
IDM 4.0.2

Error:
Unable to create AdminNamespace. java.lang.NoClassDefFoundError: Could not initialize class com.novell.admin.ns.nds.jclient.NDSNamespaceImpl

From tomcat log file:
java.lang.UnsatisfiedLinkError: /var/opt/novell/iManager/nps/WEB-INF/bin/linux/libJClient.so.1.0.0: libstdc++.so.5: cannot open shared object file: No such file or directory
NDSNamespaceImpl....235 java.lang.Exception: Unable to initialize JClient: java.lang.UnsatisfiedLinkError: /var/opt/novell/iManager/nps/WEB-INF/bin/linux/libJClient.so.1.0.0: libstdc++.so.5: cannot open shared object file: No such file or directory

Fix:
Install libstdc++33-32bit
Command: yast -i libstdc++33-32bit

Reference:
https://www.netiq.com/documentation/imanager/imanager_install/data/bobxl9n.html

Quote on development tools

"One piece of advice I would pass on to new developers is to remember it is your job to make life easier/better for the USER, not for yourself. Pick the platform, language, and framework that lets you get the job done for the end user as fast, cheaply, and as maintainable as possible. If that means YOU have to do a lot more work, well, so be it. Never ever use a language simply because it is "cool". Languages are tools, you pick a tool because it works, not because it makes you feel happy."

Dave Marney

Friday, January 9, 2015

Quote for the day

"Good professional firms have service quality programmes. They do so to genuinely respond more effectively. They do not do so to merely satisfy some external auditor."

Friday, November 7, 2014

Stop Outlook from launching multiple instances

Basically just edit the shortcut to Outlook and add the /recycle option to it.