Tuesday, April 12, 2022

Pause container image

The pause container image can be used to create a container that does *nothing*.

Kubernetes uses the 'docker.io/kubernetes/pause' image to set up a pod.

This article explains it well: https://www.ianlewis.org/en/almighty-pause-container

Sunday, November 28, 2021

Single line command to create a self-signed certificate

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes

Certificate with extensions:

openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out server.pem -days 7300 -subj '/CN=My Name/C=US/OU=My Unit/O=ACME' -addext "keyUsage = digitalSignature, keyEncipherment, dataEncipherment, cRLSign, keyCertSign" -addext "extendedKeyUsage = serverAuth, clientAuth"

Thursday, February 21, 2019

Create a certificate with any expiry date

1. Create the CA certificate and private key

a. openssl genrsa -out ca.key 2048

b. openssl req -new -x509 -key ca.key -out ca.crt

2. Generate CSR

openssl req -out server.csr -new -newkey rsa:2048 -nodes -keyout server.key

3. Sign the CSR and create certificate

openssl ca -policy policy_anything -out clientcert.pem -startdate 190221080000Z -enddate 190221090000Z -cert ca.crt -keyfile ca.key -infiles server.csr

-startdate and -enddate take the UTCTime form YYMMDDHHMMSSZ, so the certificate above is valid only from 08:00 to 09:00 UTC on 21 February 2019. openssl ca keeps its database in the demoCA directory named by the default openssl.cnf, so these commands have to be executed first for the above command to succeed:

mkdir -p demoCA/newcerts
touch demoCA/index.txt.attr
touch demoCA/index.txt
echo '01' > demoCA/serial

4. Reference

How to setup your own CA with OpenSSL - https://gist.github.com/Soarez/9688998

Sunday, June 24, 2018

SSL/TLS record structure

Below is the structure of SSL/TLS record:
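The record layout the post refers to (its figure is not reproduced here), shown as an added Python parser that is not part of the original post; it follows the RFC 5246 record header (type, version, length) and the constructed sample stream is an assumption for illustration:

```python
import struct
from dataclasses import dataclass

# Content types from RFC 5246, section 6.2.1 (TLS 1.2). TLS 1.3 reuses
# application_data (23) as the outer type of every encrypted record.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

# Wire version; TLS 1.3 records keep the legacy value 0x0303 here.
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

HEADER_LEN = 5
# 2^14 bytes of plaintext plus up to 2048 bytes of cipher expansion is the
# largest fragment RFC 5246 permits; a larger length field is a protocol error.
MAX_FRAGMENT = 2**14 + 2048


@dataclass
class Record:
    content_type: str
    version: str
    length: int
    fragment: bytes


def parse_records(data: bytes) -> list:
    """Split a byte stream into records; each record is
    type (1 byte) | version (2 bytes) | length (2 bytes, big-endian) | fragment."""
    records = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < HEADER_LEN:
            raise ValueError(f"truncated record header at offset {pos}")
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, pos)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype} at offset {pos}")
        if length > MAX_FRAGMENT:
            raise ValueError(f"length {length} exceeds the maximum record size")
        start = pos + HEADER_LEN
        fragment = data[start:start + length]
        if len(fragment) != length:
            raise ValueError(f"record at offset {pos} declares {length} bytes, "
                             f"only {len(fragment)} present")
        version = VERSIONS.get((major, minor), f"unknown {major}.{minor}")
        records.append(Record(CONTENT_TYPES[ctype], version, length, fragment))
        pos = start + length
    return records


# Constructed sample stream: a 5-byte handshake record followed by a
# close_notify alert (level 1 = warning, description 0 = close_notify).
SAMPLE = bytes.fromhex("1603030005" "0102030405" "1503030002" "0100")
```

Feeding a packet capture's TCP payload through parse_records gives the record boundaries a decoder such as Wireshark works from before any decryption.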



Friday, January 19, 2018

Capture SSL master keys from any OpenSSL application


Just follow the instructions (in the comments) in the C file.

https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/sslkeylog.c

Update: newer OpenSSL versions have a '-keylogfile' option, with which session keys can be logged to a file.

Thursday, November 23, 2017

Create a client certificate signed by a CA certificate

#!/bin/bash
# Script to generate a client cert/key pair signed by a CA cert/key pair.
set -e

# Create the CA private key and its certificate signing request
openssl req -nodes -keyout anil.ca.key -subj "/C=US/ST=IL/L=Chicago/O=testers unlimited/OU=tester/CN=clisigner/emailAddress=clisigner@signer.com" -new -out anil.ca.cert.csr

# Self-sign the CA CSR to produce the CA certificate
openssl x509 -in anil.ca.cert.csr -out anil.ca.cert -req -signkey anil.ca.key -days 365

# Create the client private key and its certificate signing request
openssl req -nodes -keyout anil.cli.key -subj "/C=US/ST=IL/L=Chicago/O=testers unlimited/OU=tester/CN=client/emailAddress=client@client.com" -new -out anil.cli.cert.csr

# Sign the client CSR with the CA key. -signkey is for self-signing and is not
# used here; the CA signs via -CA/-CAkey. -CAcreateserial creates the serial
# number file (anil.ca.srl) on first use.
openssl x509 -in anil.cli.cert.csr -out anil.cli.cert -req -CA anil.ca.cert -CAkey anil.ca.key -days 365 -CAcreateserial

# Verify that the client certificate chains to the CA certificate
openssl verify -verbose -CAfile anil.ca.cert anil.cli.cert

echo "Netscaler does not accept a private key in the format generated above,"
echo "so use this command to encrypt it:"
echo "openssl rsa -in anil.ca.key -passout pass:123456 -des3 -out anil.ca.key2"