Thursday, February 21, 2019

Create a certificate with any expiry date

1. Create CA certificate and private key

a. openssl genrsa -out ca.key 2048

b. openssl req -new -x509 -key ca.key -out ca.crt

2. Generate CSR

openssl req -out server.csr -new -newkey rsa:2048 -nodes -keyout server.key

3. Sign the CSR and create certificate

openssl ca -policy policy_anything -out clientcert.pem -startdate 190221080000Z -enddate 190221090000Z -cert ca.crt -keyfile ca.key -infiles server.csr

These commands must be run first, before the above command, for it to succeed:

mkdir -p demoCA/newcerts
touch demoCA/index.txt.attr
touch demoCA/index.txt
echo '01' > demoCA/serial

4. Reference 

How to setup your own CA with OpenSSL -  https://gist.github.com/Soarez/9688998 

Sunday, June 24, 2018

SSL/TLS record structure

Below is the structure of SSL/TLS record:
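
The record header layout (1-byte content type, 2-byte protocol version, 2-byte length, followed by the fragment) as defined for TLSPlaintext in RFC 5246, shown as an added Python example that is not part of the original post. The function name and the sample bytes are constructed for illustration; SSLv2-style records use a different header and are rejected here.

```python
import struct

# Record content types from the TLS specification (RFC 5246, TLSPlaintext).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HEADER_LEN = 5                   # type (1) + version (2) + length (2)
MAX_FRAGMENT = 2 ** 14 + 2048    # largest ciphertext fragment allowed by TLS 1.2


def parse_records(stream: bytes):
    """Split a byte stream into SSL/TLS records.

    Returns (records, leftover): records is a list of dicts, leftover holds
    the bytes of a trailing incomplete record (more data still to arrive).
    Raises ValueError on a header that cannot be an SSLv3/TLS record.
    """
    records, offset = [], 0
    while len(stream) - offset >= HEADER_LEN:
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype} at offset {offset}")
        if major != 3:  # SSLv3 is 3.0, TLS 1.0-1.2 are 3.1-3.3
            raise ValueError(f"unexpected version {major}.{minor} at offset {offset}")
        if length > MAX_FRAGMENT:
            raise ValueError(f"record length {length} exceeds the protocol maximum")
        end = offset + HEADER_LEN + length
        if end > len(stream):
            break  # truncated record: keep it as leftover
        records.append({"type": CONTENT_TYPES[ctype],
                        "version": (major, minor),
                        "fragment": stream[offset + HEADER_LEN:end]})
        offset = end
    return records, stream[offset:]


# Constructed sample: a handshake record, a change_cipher_spec record and
# an application_data record that is cut off in the middle of its fragment.
SAMPLE = bytes.fromhex(
    "1603010004" "0e000000"      # handshake, version 3.1, 4 bytes
    "1403030001" "01"            # change_cipher_spec, version 3.3, 1 byte
    "1703030010" "aabb"          # application_data, 16 bytes declared, 2 present
)

if __name__ == "__main__":
    recs, rest = parse_records(SAMPLE)
    for r in recs:
        print(r["type"], r["version"], r["fragment"].hex())
    print("incomplete tail:", rest.hex())
```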



Friday, January 19, 2018

Capture ssl master keys from any openssl application


Just follow the instructions (in the comments) in the C file.

https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/sslkeylog.c

Update: Newer OpenSSL has a '-keylogfile' option, with which session keys can be logged to a file.

Thursday, November 23, 2017

Create a client certificate signed by a CA certificate

#!/bin/bash

# Script to generate a client cert-key pair signed by a CA cert-key pair

# Create the CA key and certificate signing request
openssl req -nodes -keyout anil.ca.key -subj "/C=US/ST=IL/L=Chicago/O=testers unlimited/OU=tester/CN=clisigner/emailAddress=clisigner@signer.com" -new -out anil.ca.cert.csr

# Generate the self-signed CA certificate from the CSR
openssl x509 -in anil.ca.cert.csr -out anil.ca.cert -req -signkey anil.ca.key -days 365

# Create the key and certificate signing request for the client cert
openssl req -nodes -keyout anil.cli.key -subj "/C=US/ST=IL/L=Chicago/O=testers unlimited/OU=tester/CN=client/emailAddress=client@client.com" -new -out anil.cli.cert.csr

# Generate the client certificate from the CSR, signed by the CA.
# -signkey is not used here: it self-signs and conflicts with -CA/-CAkey.
openssl x509 -in anil.cli.cert.csr -out anil.cli.cert -req -CA anil.ca.cert -CAkey anil.ca.key -days 365 -CAcreateserial

# Verify the certificate signature
openssl verify -verbose -CAfile anil.ca.cert anil.cli.cert

echo "Netscaler does not accept private key in format generated above"
echo "So, use this command to encrypt it"
echo "openssl rsa -in anil.ca.key -passout pass:123456 -des3 -out anil.ca.key2"

Thursday, December 24, 2015

Adding new path to library search on Linux

If you want a path (directory) to be searched for shared libraries without adding it to LD_LIBRARY_PATH, add the path to /etc/ld.so.conf and run ldconfig.

i.e.
  1. Add directory to /etc/ld.so.conf
  2. run ldconfig

Monday, December 7, 2015

Remove password and merge PDF files in ubuntu

To remove password :

for file in *.pdf ; do qpdf --password=anil6053 --decrypt "$file" "./nopw/$file"; done


To merge pdf files,

pdftk *.pdf cat output mergedfile.pdf


If an online tool limits the size of the PDF file it accepts, the size of the PDF can be reduced using the command below. You will of course lose some resolution...

Command to reduce the size of pdf :

gs -sDEVICE=pdfwrite -dCompatibilityLevel=1.4 -dPDFSETTINGS=/screen -dNOPAUSE -dQUIET -dBATCH -sOutputFile=smaller.pdf large.pdf

Friday, August 14, 2015

Extract layer 7 data from packet capture

If you want to extract the TCP payload of a set of packets (a TCP stream, for example), the command below comes in handy.

tshark -r test.pcap -2 -R "tcp.port==444" -T fields -e data | tr -d '\n' | xxd -r -p > layer7_data

xxd -r -p converts the plain ASCII hex back to binary.