To test mutual SSL (two-way SSL)
authentication using curl, you need to set up a server that requires client certificates for access, and then use curl to make
requests to this server with the appropriate client certificate.
Here’s a step-by-step guide for setting up and
testing mutual SSL with curl:
1. Generate Certificates
If you haven’t already, you need to generate the necessary certificates. Here’s a brief overview:
a. Create a CA (Certificate Authority):
bash
# Generate CA private key
openssl genpkey -algorithm RSA -out ca.key
# Generate CA certificate
openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.crt
b. Generate a server certificate:
# Generate server private key
openssl genpkey -algorithm RSA -out server.key
# Generate server CSR
openssl req -new -key server.key -out server.csr
# Sign the server CSR with the CA certificate
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256
c. Generate a client certificate:
bash
# Generate client private key
openssl genpkey -algorithm RSA -out client.key # Generate client CSR
openssl req -new -key client.key -out client.csr
# Sign the client CSR with the CA certificate
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256
2. Set Up the Server
For this example, let’s assume you’re using an Nginx server. Configure it to use mutual SSL:
Nginx configuration (e.g., /etc/nginx/nginx.conf or a server block configuration file):
nginx
bash
For this example, let’s assume you’re using an Nginx server. Configure it to use mutual SSL:
Nginx configuration (e.g., /etc/nginx/nginx.conf or a server block configuration file):
nginx
server {
listen 443 ssl;
# Path to your server certificate and private key
ssl_certificate /etc/ssl/certs/server.crt;
ssl_certificate_key /etc/ssl/private/server.key;
# Path to CA certificate for verifying client certificates
ssl_client_certificate /etc/ssl/certs/ca.crt;
ssl_verify_client on;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
After updating the configuration, restart Nginx:
sudo systemctl restart nginx
Configure Apache
a. Copy Certificates to Apache Directories:
Place your certificates and keys in a secure directory, for example:
bash
sudo cp server.crt /etc/ssl/certs/
sudo cp server.key /etc/ssl/private/
sudo cp ca.crt /etc/ssl/certs/
sudo cp client.crt /etc/ssl/certs/
sudo cp client.key /etc/ssl/private/
b. Edit Apache Configuration:
You need to configure Apache to use the server certificate and to request a client certificate. This is typically done in a virtual host configuration file or in the main Apache configuration file.
For Ubuntu/Debian, edit the file /etc/apache2/sites-available/000-default.conf. For RHEL/CentOS, edit /etc/httpd/conf.d/ssl.conf or a similar file.
Add or update the following directives:
apache
<VirtualHost *:443>
ServerName example.com
DocumentRoot /var/www/html
# Enable SSL
SSLEngine on
# Server Certificate
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
# CA Certificate
SSLCACertificateFile /etc/ssl/certs/ca.crt
# Request a client certificate
SSLVerifyClient require
SSLVerifyDepth 1
# Additional SSL settings
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
# DocumentRoot settings
<Directory /var/www/html>
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
c. Enable SSL Module and Site Configuration:
On Debian/Ubuntu:
bash
sudo a2enmod ssl
sudo a2ensite default-ssl
On RHEL/CentOS: You might already have SSL enabled; just ensure the configuration file is included and correctly set.
d. Restart Apache:
Apply the configuration changes by restarting Apache:
bash
sudo systemctl restart apache2 # For Debian/Ubuntu
sudo systemctl restart httpd # For RHEL/CentOS
3. Test with curl
Use curl to make a request to the server with mutual SSL:
curl -v https://your-server-domain/ --cert client.crt --key client.key --cacert ca.crt
Explanation:
--cert
client.crt: Specifies the client certificate to use.
--key
client.key: Specifies the private key associated with the client
certificate.
--cacert
ca.crt: Specifies the CA certificate used to verify the server's
certificate.
Example output:
plaintext
* Trying <server-ip>...
* TCP_NODELAY set
* Connected to your-server-domain (<server-ip>) port 443 (#0)
* schannel: SSL/TLS connection with your-server-domain port 443 (step 1/3)
* schannel: setting hostname via SNI
* schannel: SSL/TLS connection with your-server-domain port 443 (step 2/3)
* schannel: SSL/TLS connection with your-server-domain port 443 (step 3/3)
* Server certificate:
* subject:CN=your-server-domain
* start date:Sep 1 00:00:00 2024 GMT
* expire date: Sep 1 00:00:00 2025 GMT
* subjectAltName: host "your-server-domain" matched cert's "your-server-domain"
* issuer: CN=My CA
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: your-server-domain
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.18.0
< Date: Mon, 02 Sep 2024 00:00:00 GMT
< Content-Type: text/html
< Content-Length: 612
< Last-Modified: Mon, 02 Sep 2024 00:00:00 GMT
< Connection: keep-alive
< ETag: "5f2e3b7d-264"
< Accept-Ranges: bytes
<
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style> /* Add some basic styling here */</style></head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and working.</p>
</body>
</html>
* Connection #0 to host your-server-domain left intact If curl successfully connects and retrieves content, mutual SSL is working correctly. If there are issues, check both server and client logs for troubleshooting.
If curl successfully connects and retrieves content, mutual SSL is working correctly. If there are issues, check both server and client logs for troubleshooting.
Thursday, September 5, 2024
Wednesday, September 4, 2024
What is DevOps
- What is DevOps
DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes. This speed enables organizations to better serve their customers and compete more effectively in the market.
Under a DevOps model, development and operations teams are no longer “siloed.” Sometimes, these two teams are merged into a single team where the engineers work across the entire application lifecycle, from development and test to deployment to operations, and develop a range of skills not limited to a single function.
In some DevOps models, quality assurance and security teams may also become more tightly integrated with development and operations and throughout the application lifecycle. When security is the focus of everyone on a DevOps team, this is sometimes referred to as DevSecOps.
These teams use practices to automate processes that historically have been manual and slow. They use a technology stack and tooling which help them operate and evolve applications quickly and reliably. These tools also help engineers independently accomplish tasks (for example, deploying code or provisioning infrastructure) that normally would have required help from other teams, and this further increases a team’s velocity.
- What is Automation, Scaling, Infrastructure
- Why DevOps is Important, etc
Tuesday, January 2, 2024
Wednesday, December 6, 2023
grep urls from bash script
grep -rnE "script|link" app/Views/ | awk '!/base_url/' | awk '!/site_url/' | grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*" | sort -u |uniq >> url.txt
Friday, October 13, 2023
Windows tool for creating a self-signed certificate
Windows tool
for creating a self-signed certificate.
https://sourceforge.net/projects/portecle/
kindly
install portecle tool from above link. The steps for creating the certificate
that we need are as given below :
1) Install
the tool from above link.
2) Go to File -> New Keystore -> PKCS #12. Click on Okay.
3) Go to Tools -> Generate Key Pair. Select RSA. Enter 2048 and click on
Okay.
4) Select SHA256 with RSA in the dropdown list. Enter roughly the details asked
in the form. Click on Okay.
5) Enter an Alias in the dialog box and click on Okay. Key Pair generation
successful message is displayed.
6) Now, right click on the keypair (identified by the alias) displayed and
click
on export.
The other opensource tool is - openSSL.
Wednesday, October 4, 2023
How To Create PKCS #12 For Your Application
This post is about creating PKCS #12 to serve e.g. your content via HTTPS in your application itself or in another web container (such a Tomcat or another application server).
The PKCS #12 format is a binary format for storing cryptography objects. It usually contains the server certificate, any intermediate certificates (i.e. chain of trust), and the private key, all of them in a single file. A PKCS #12 file may be encrypted and signed. PKCS #12 files are usually found with the extensions .pfx and .p12.
The PKCS #12 is similar to JKS format, but you can use it not only in Java but also in other libraries in C, C++ or C# etc, so I prefer this type of a keystore to be more general.
To use PKCS #12 inside your application, you have two way how to do it:
- Create your own self-signed SSL certificate
- Create a certificate using the Certificate Signing Request (CSR, a.k.a PKCS #10)
The first option is fast and simple, but not suitable for production environment. The second option is about creating CSR to be signed by any trusted Certificate Authority (CA).
Create your own self-signed SSL certificate
When you need to create a new certificate as quickly as possible, run the following two commands:
Generate a private key and a certificate in separated files using PEM format
openssl – the command for executing OpenSSL.
req – certificate request and certificate generating utility in OpenSSL.
-x509 – used to generate a self-signed certificate.
-newkey rsa:4096 - option to create a new certificate request and a new private key, rsa:4096 means generating an RSA key nbits in size.
-keyout myPrivateKey.pem – use the private key file myPrivateKey.pem as the private key to combining with the certificate.
-out myCertificate.crt – use myCertificate.crt as the output certificate name.
-days 3650 – specifies the number of days to certify the certificate for.
-nodes - a created private key will not be encrypted.
Combine a private key and a certificate into one key store in the PKCS #12 format
openssl – the command for executing OpenSSL.
pkcs12 – the PKCS #12 utility in OpenSSL.
-export - the option specifies that a PKCS #12 file will be created.
-out keyStore.p12 – specifies a filename to write the PKCS #12 file to.
-inkey myPrivateKey.pem – file to read private key from.
-in myCertificate.crt – the filename to read the certificate.
The wizard will prompt you for an export password. If filled, this password will be used as a key store password.
And that is all you need, use keyStore.p12 in your application.
Create a certificate using the Certificate Signing Request
Generate a private key and a certificate signing request into separated files
openssl – the command for executing OpenSSL.
req – certificate request and certificate generating utility in OpenSSL.
-newkey rsa:4096 - option to create a new certificate request and a new private key, rsa:4096 means generating an RSA key nbits in size.
-keyout myPrivateKey.pem – use the private key file myPrivateKey.pem as the private key to combining with the certificate.
-out request.csr – use request.csr as the certificate signing request in the PKCS #10 format.
-nodes - a created private key will not be encrypted.
Generate a certificate signing request from an existing private key
openssl – the command for executing OpenSSL.
req – certificate request and certificate generating utility in OpenSSL.
-new - generates a new certificate request.
-key myPrivateKey.pem – specifies the file to read the private key from.
-out request.csr – use request.csr as the certificate signing request in the PKCS#10 format.
Now it is time to send request.csr as a result of the previous step to your CA (Certificate Authority) to be signed.
You are almost done. When you get a new certificate for your request.csr from your CA, use it together with a private key to create a PKCS#12 file:
Combine a private key and a certificate into one key store in the PKCS #12 format
openssl – the command for executing OpenSSL.
pkcs12 – the PKCS #12 utility in OpenSSL.
-export - the option specifies that a PKCS #12 file will be created.
-out keyStore.p12 – specifies a filename to write the PKCS #12 file to.
-inkey myPrivateKey.pem – file to read private key from.
-in myCertificate.crt – the filename to read the certificate.
-certfile CA.crt – optional parameter to read additional certificates from, useful to create a complete trust chain.
The output file keyStore.p12 is what you need to add to your application. When you filled an export password use it as a key store password in a configuration file.
Tuesday, August 29, 2023
MYSQLCHECK - TABLE MAINTENANCE PROGRAM
MYSQLCHECK - TABLE MAINTENANCE PROGRAM
HELP
mysqlcheck --helpRUN PROGRAM
mysqlcheck employees staff
Subscribe to:
Posts (Atom)