Thursday, October 29, 2015

Multidomain SSL certificate CSR generation and openssl custom config to simplify this process

A number of CAs (Certificate Authorities) will sign multidomain SSL certificates.
Why is this useful?

  • cheaper than a wildcard (*.domain.com) when you need an SSL cert for just 2-5 names such as www.domain.com, domain.com and login.domain.com
  • cheaper and more convenient when you need one certificate for both the wildcard and the domain apex, aka the "naked" or "root" domain (*.domain.com and domain.com)


How do you make a CSR for these domains? With OpenSSL, of course, but there is a trick: OpenSSL does not support a multidomain configuration in interactive mode (when you answer OpenSSL's questions while generating the request).
   
What options do we have:

  • Use non-interactive mode with a long command line and specify all parameters there (a really long line)
  • Create a custom config and specify everything there. This config will also help you when you renew the certificate next time.

Let's build our custom config:


Wildcard multidomain:

Create file wild.yourdomain.cnf:
[ req ]
default_bits           = 2048
distinguished_name     = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
countryName = CA
stateOrProvinceName = Quebec
localityName = Montreal
organizationName = it-security.ca
organizationalUnitName  = infosec
commonName = *.yourdomain.com

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = yourdomain.com
DNS.2 = *.yourdomain.com

Generate the CSR (the private key wild.yourdomain.com.key must already exist; -key reads it, it does not create it):
openssl req -new -sha256 -key wild.yourdomain.com.key -out wild.yourdomain.com.csr -config wild.yourdomain.cnf

Multidomain:

Create file yourdomain.cnf:
[ req ]
default_bits           = 2048
distinguished_name     = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
countryName = CA
stateOrProvinceName = Quebec
localityName = Montreal
organizationName = it-security.ca
organizationalUnitName  = infosec
# The CN should be one of the names listed in alt_names; for this non-wildcard request it is the apex domain
commonName = yourdomain.com

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = yourdomain.com
DNS.2 = www.yourdomain.com

Generate the CSR (the private key yourdomain.com.key must already exist):
openssl req -new -sha256 -key yourdomain.com.key -out yourdomain.com.csr -config yourdomain.cnf
And of course you can use the same approach for a normal single-name domain:

Normal domain:

Create file yourdomain.cnf:
[ req ]
default_bits           = 2048
distinguished_name     = req_distinguished_name
prompt = no

[req_distinguished_name]
countryName = CA
stateOrProvinceName = Quebec
localityName = Montreal
organizationName = it-security.ca
organizationalUnitName  = infosec
commonName = login.yourdomain.com


Generate the CSR (the private key yourdomain.com.key must already exist):
openssl req -new -sha256 -key yourdomain.com.key -out yourdomain.com.csr -config yourdomain.cnf
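As an added example (not from the original post), the following POSIX shell script generalises the three configs above: it builds the same non-interactive req config from a CN plus any list of SAN names, produces the CSR, and then checks that every name really landed in the CSR's Subject Alternative Name extension, which is what the CA reads. The DN values are the post's placeholders and the function names gen_san_config and make_csr are chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): build the post's style of
# non-interactive req config from a CN plus any list of SAN names, make
# the CSR, then confirm every name really is in the CSR's SAN extension
# (the usual failure when req_extensions is missing or misspelled).
# DN values are the post's placeholders; function names are chosen here.

# gen_san_config CN NAME... : print an openssl req config on stdout
gen_san_config() {
    cn=$1; shift
    cat <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
countryName = CA
stateOrProvinceName = Quebec
localityName = Montreal
organizationName = it-security.ca
organizationalUnitName = infosec
commonName = $cn
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
EOF
    i=1
    for name in "$@"; do
        printf 'DNS.%d = %s\n' "$i" "$name"
        i=$((i + 1))
    done
}

# make_csr BASE CN NAME... : writes BASE.cnf, BASE.key (unless it exists)
# and BASE.csr; fails if any NAME is absent from the CSR's SANs.
make_csr() {
    base=$1; cn=$2; shift 2
    gen_san_config "$cn" "$@" > "$base.cnf"
    [ -f "$base.key" ] || openssl genrsa -out "$base.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$base.key" -out "$base.csr" -config "$base.cnf"
    sans=$(openssl req -in "$base.csr" -noout -text | grep -A1 'Subject Alternative Name')
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qF -- "DNS:$name" || { echo "missing SAN: $name" >&2; return 1; }
    done
}
# usage: make_csr wild.yourdomain.com '*.yourdomain.com' yourdomain.com '*.yourdomain.com'
```

Running the usage line reproduces the wildcard case above and exits non-zero if the CSR came out without the SAN extension, so it is safe to put in a renewal script.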

More details about working with CSRs, OpenSSL certificates and so on can be found here: http://security-ingvar-ua.blogspot.ca/2012/10/ssl-certificates-commands-and-tips.html


Friday, October 23, 2015

Password management in CLI. Using the standard unix password manager: pass with AWS CodeCommit and multi-environment setup

Install and configure the pass utility (http://www.passwordstore.org/):
yum install pass

Multi-environment setup: work and personal passwords in two different locations, each with its own gpg keys and version control. Switching is done with two shell functions in ~/.bashrc:
less ~/.bashrc 
# Switch to personal pass credentials
personal() {
    # ~/.gnupg is only ever a symlink here; -L also catches a dangling link (drive unmounted), which -e would miss
    if [ -L ~/.gnupg ]; then rm ~/.gnupg; fi
    export PASSWORD_STORE_DIR=/run/media/my_user/DATA/Personal/credentials/.pass
    ln -s /run/media/my_user/DATA/Personal/credentials/.gnupg ~/
}

# Switch to work pass credentials
work() {
    if [ -L ~/.gnupg ]; then rm ~/.gnupg; fi
    export PASSWORD_STORE_DIR=/home/my_user/Big_corp/credentials/.pass
    ln -s /home/my_user/Big_corp/credentials/.gnupg ~/
}
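Added example, not from the original post: one switcher function for any number of environments, in POSIX sh. Compared with the ~/.bashrc functions above it refuses to switch when the target store or keyring is missing (for example when the personal drive is not mounted) and never deletes a real ~/.gnupg directory, only a symlink. The directory layout and the names pass_env and pass_env_current are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): switch the pass store and gpg
# keyring for any number of environments. Safer than the functions above:
# refuses to switch when the target is missing (drive not mounted) and only
# ever removes a symlink at ~/.gnupg, never a real keyring directory.
# Paths and function names are assumptions; adapt them to your layout.

# pass_env NAME BASEDIR : use BASEDIR/.pass as the store and BASEDIR/.gnupg as the keyring
pass_env() {
    name=$1; base=$2
    if [ ! -d "$base/.gnupg" ] || [ ! -d "$base/.pass" ]; then
        echo "pass_env: $name: $base/.gnupg or $base/.pass not found (drive not mounted?)" >&2
        return 1
    fi
    if [ -L "$HOME/.gnupg" ]; then
        rm "$HOME/.gnupg"                 # a link an earlier switch created (dangling or not)
    elif [ -e "$HOME/.gnupg" ]; then
        echo "pass_env: $HOME/.gnupg is a real directory; move it aside first" >&2
        return 1
    fi
    ln -s "$base/.gnupg" "$HOME/.gnupg"
    chmod 700 "$base/.gnupg"              # gpg warns about unsafe permissions otherwise
    export PASSWORD_STORE_DIR="$base/.pass"
    echo "pass environment: $name ($PASSWORD_STORE_DIR)"
}

# pass_env_current : print the keyring directory the active environment points at
pass_env_current() {
    [ -L "$HOME/.gnupg" ] && readlink "$HOME/.gnupg"
}

# The two environments from the post, expressed through the switcher
personal() { pass_env personal /run/media/my_user/DATA/Personal/credentials; }
work()     { pass_env work /home/my_user/Big_corp/credentials; }
```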


Enable the config above:
$ . ~/.bashrc
Switch to the personal environment:
$ personal
Generate gpg keys:
gpg --gen-key
Check:
gpg --list-keys
Note the Key-ID and initialise pass with it:
pass init 75d6793
To version the store, enable the git feature:
pass git init
Start using it:
pass insert Test/test
pass ls
pass show Test/test
pass rm Test/test
Version control
Configure a remote if you need one (central git repo, GitHub or AWS CodeCommit).
AWS CodeCommit example:
Configure CodeCommit: create the repo, allow your IAM user access to it and add your public ssh key to that user in IAM.
Then on your machine:
  1. go to $PASSWORD_STORE_DIR
  2. git remote add origin ssh://APrrfrA@git-codecommit.us-east-1.amazonaws.com/v1/repos/credentials
  3. git remote -v
  4. git push origin master
From now on, push your changes with:
pass git push



PS. pass uses gpg2 instead of gpg when it is available. Recently gpg2 was updated to version 2.1, which can cause problems with the availability of your gpg keys. So, if you see your keys with gpg --list-keys but not with gpg2 --list-keys, most probably the automatic migration to version 2.1 failed and you need to do it manually.
Force migration from GnuPG 1 to 2.1
Remove the files (in ~/.gnupg):
rm pubring.kbx
rm -rf private-keys-v1.d
Force the migration:
gpg2 --import ~/.gnupg/secring.gpg