Creating a custom Public Key Infrastructure (PKI) with OpenSSL

How to create a custom PKI Infrastructure with root ca and intermediate ca with openssl.

Directory structure that holds root ca and intermediate ca PKI files.

mkdir -p ~/ca-tomdus/{certs,crl,newcerts,private}
chmod 700 ~/ca-tomdus/private
touch ~/ca-tomdus/db/index
openssl rand -hex 16 > ~/ca-tomdus/serial

mkdir -p ~/ca-tomdus/intermediate/{certs,crl,newcerts,private}
chmod 700 ~/ca-tomdus/intermediate/private
touch ~/ca-tomdus/intermediate/db/index
openssl rand -hex 16 > ~/ca-tomdus/intermediate/serial

Define ca-tomdus.conf openssl configuration file.

[default]
name = tomdus-root-ca
domain_suffix = tomdus.lab
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align

[ca_dn]
countryName = "DE"
organizationName = "tomdus"
commonName = Common Name (FQDN or YOUR name)
commonName_max = 64

[ca_default]
home = ~/ca-tomdus/intermediate
certs = $home/certs
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
unique_subject = no
copy_extensions = copy
default_days = 3650
default_crl_days = 365
default_md = sha256
policy = policy_c_o_match

[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
default_bits = 4096
encrypt_key = no
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn

[root_ca_ext]
basicConstraints = critical,CA:true
authorityKeyIdentifier = keyid:always,issuer
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
subjectKeyIdentifier = hash


[sub_ca_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true,pathlen:0
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
nameConstraints = @name_constraints
subjectKeyIdentifier = hash

[crl_info]
URI.0 = $crl_url

[issuer_info]
caIssuers;URI.0 = $aia_url

[name_constraints]
permitted;DNS.0=tomdus.lab
permitted;DNS.1=*.tomdus.dev
excluded;IP.0=0.0.0.0/0.0.0.0
excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0


[server_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash

Generate root CA key and certificate

Change in ca-tomdus.conf  from ~/ca-tomdus/intermediate to ~/ca-tomdus and copy_extensions = copy to copy_extensions = none

openssl genpkey -algorithm RSA -out ~/ca-tomdus/private/tomdus-root-ca.key -aes256
chmod 400 ~/ca-tomdus/private/tomdus-root-ca.key
openssl req -config ~/ca-tomdus/ca-tomdus.conf -key ~/ca-tomdus/private/tomdus-root-ca.key -new -x509 -days 3650 -sha256 -extensions root_ca_ext -out ~/ca-tomdus/certs/tomdus-root-ca.crt
Generate intermediate CA key and certificate
openssl genpkey -algorithm RSA -out ~/ca-tomdus/intermediate/private/tomdus-ca.key -aes256
chmod 400 ~/ca-tomdus/intermediate/private/tomdus-ca.key

Generate CSR

openssl req -config ~/ca-tomdus/ca-tomdus.conf -new -key ~/ca-tomdus/intermediate/private/tomdus-ca.key -out ~/ca-tomdus/intermediate/csr/tomdus-ca.csr

Sign CSR with root CA

openssl ca -config ~/ca-tomdus/ca-tomdus.conf -extensions sub_ca_ext -days 3650 -md sha256 -in ~/ca-tomdus/intermediate/csr/tomdus-ca.csr -out ~/ca-tomdus/intermediate/certs/tomdus-ca.crt

Sample Code: https://gitlab.com/tomdus/pki-infrastructure/

Create custom SELinux Policy

Problem: The apche httpd cannot connect to tomcat running on port 8009 with AJP protocol.

Detection

curl localhost returns 503

curl localhost
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Unavailable</title>
</head><body>
<h1>Service Unavailable</h1>
<p>The server is temporarily unable to service your
request due to maintenance downtime or capacity
problems. Please try again later.</p>
</body></html>

There is Permission denied: AH00957 in apache httpd (ssl)_error_log

sudo cat /var/log/httpd/error_log
[Wed Feb 15 16:24:38.140421 2023] [proxy:error] [pid 10679:tid 10824] (13)Permission denied: AH00957: AJP: attempt to connect to 127.0.0.1:8009 (127.0.0.1) failed[Wed Feb 15 16:24:38.140455 2023] [proxy:error] [pid 10679:tid 10824] AH00959: ap_proxy_connect_backend disabling worker for (127.0.0.1) for 60s[Wed Feb 15 16:24:38.140458 2023] [proxy_ajp:error] [pid 10679:tid 10824] [client 127.0.0.1:36812] AH00896: failed to make connection to backend: 127.0.0.1

Remedy (1)

sudo setsebool -P httpd_can_network_connect 1

Remedy (2)

Create custom SELinux policy, let generate type enforcement file

sudo grep http /var/log/audit/audit.log | grep denied | audit2allow -m httplocalconf > httplocalconf.te

Edit generated type enforcement httplocalconf.te file

module httplocalconf 1.0;

require {
        type httpd_t;
        type http_port_t;
        class tcp_socket name_connect;
        class file read;
}

#============= httpd_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     httpd_can_network_connect, httpd_graceful_shutdown, httpd_can_network_relay, nis_enabled
allow httpd_t http_port_t:tcp_socket name_connect;

Convert it to policy module

checkmodule -M -m -o httplocalconf.mod httplocalconf.te

Compile new  policy

semodule_package -o httplocalconf.pp -m httplocalconf.mod

Install new policy

sudo semodule -i httplocalconf.pp

Links

How to create its own custom SELinux policy module wisely

How to read and correct SELinux denial messages

Chapter 5. Troubleshooting problems related to SELinux

Install IPA Server and replicas (cluster)

IPA Server can be installed standalone or as master – master cluster

Create Master – Master cluster (simple option)

  1. Install and create stand alone IPA Server (@ipa1)
  2. Install client on IPA Client (@ipa3)
  3. Promote ipa client on @ipa3 to server a master
  4. Install ca certificates on ipa3

1. Install and create standalone IPA Sever

For simplicty all password are 123456798; dns forwarder 192.168.178.1 (acces to internet)

sudo dnf module enable idm:DL1/server -y
sudo dnf module enable idm:DL1/dns -y
sudo dnf distro-sync
sudo dnf module install idm:DL1/server -y
sudo dnf module install idm:DL1/dns -y
sudo dnf install ipa-server -y
sudo dnf install ipa-server-dns -y
sudo ipa-server-install --domain=ipa.tomdus.lab --realm=IPA.TOMDUS.LAB --ds-password=123456798 --admin-password=123456798 --mkhomedir --ssh-trust-dns --idstart=100000 --no-ntp --setup-dns --forwarder=192.168.178.1 --auto-reverse --allow-zone-overlap

...

sudo firewall-cmd --add-service={http,https,ldap,ldaps,kerberos,kpasswd,dns} --permanent
sudo firewall-cmd --reload

2. Install IPA client

In order to install ipa client it is sufficient to enable only idl:DL1/client module, thus as this server will be promoted to IPA Replica muss enable idl:DL1/server and idl:DL1/dns (required by DNS Server)
[tomas@ipa3 ~]$ sudo dnf module list idm:DL1
Last metadata expiration check: 0:00:17 ago on Wed 08 Jun 2022 01:45:55 PM CEST.
CentOS Stream 8 - AppStream
Name Stream Profiles Summary
idm DL1 adtrust, client, common [d], dns, server The Red Hat Enterprise Linux Identity Management system module
Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled

sudo dnf module enable idm:DL1/server -y
sudo dnf module enable idm:DL1/dns -y
sudo dnf distro-sync -y

sudo dnf module install idm:DL1/server -y
sudo dnf module install idm:DL1/dns -y

Verify network connection on ipa3

[tomas@ipa3 ~]$ ping 10.0.2.38  (IP Address of IPA1)[tomas@ipa3 ~]$ cat /etc/resolv.conf 
# Generated by NetworkManager
search ipa.tomdus.lab
nameserver 10.0.2.38
[tomas@ipa3 ~]$ dig ipa1.ipa.tomdus.lab
; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> ipa1.ipa.tomdus.lab
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10689
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: b6dd4e79f5137f6a795623dc62a096d3ae0ca70d1d10c863 (good)
;; QUESTION SECTION:
;ipa1.ipa.tomdus.lab. IN A

;; ANSWER SECTION:
ipa1.ipa.tomdus.lab. 1200 IN A 10.0.2.38

;; AUTHORITY SECTION:
ipa.tomdus.lab. 86400 IN NS ipa1.ipa.tomdus.lab.

;; Query time: 1 msec
;; SERVER: 10.0.2.38#53(10.0.2.38)
;; WHEN: Wed Jun 08 14:32:17 CEST 2022
;; MSG SIZE rcvd: 141

Install client

[tomas@ipa3 ~]$ sudo dnf install ipa-server -y[tomas@ipa3 ~]$ sudo ipa-client-install --mkhomedir --domain=ipa.tomdus.lab --realm IPA.TOMDUS.LAB --principal admin --password 123456798 --no-ntp
This program will set up IPA client.
Version 4.9.8

Discovery was successful!
Client hostname: ipa3.ipa.tomdus.lab
Realm: IPA.TOMDUS.LAB
DNS Domain: ipa.tomdus.lab
IPA Server: ipa1.ipa.tomdus.lab
BaseDN: dc=ipa,dc=tomdus,dc=lab

Continue to configure the system with these values? [no]: yes
Skipping chrony configuration
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.TOMDUS.LAB
Issuer: CN=Certificate Authority,O=IPA.TOMDUS.LAB
Valid From: 2022-06-02 06:40:56
Valid Until: 2042-06-02 06:40:56

Enrolled in IPA realm IPA.TOMDUS.LAB
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.TOMDUS.LAB
Systemwide CA database updated.
Hostname (ipa3.ipa.tomdus.lab) does not have A/AAAA record.
Missing reverse record(s) for address(es): 10.0.3.5.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ipa.tomdus.lab as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

Client has been succesfully registered and visible inside IPA server

3. Promote client ipa3 to replica

In order to promote client as a replica the client muss be assigned to host group ipaservers

Check DNS entries for ipa3

[tomas@ipa3 ~]$ dig +short ipa3.ipa.tomdus.lab
10.0.3.5[tomas@ipa3 ~]$ host -r 10.0.3.5
Host 5.3.0.10.in-addr.arpa. not found: 3(NXDOMAIN)

Common problem that can be solved inside DNS

Check – OK

[tomas@ipa3 ~]$ dig +short ipa3.ipa.tomdus.lab
10.0.3.5[tomas@ipa3 ~]$ host -r 10.0.3.5
5.3.0.10.in-addr.arpa domain name pointer ipa3.ipa.tomdus.lab.

Promote client to replica

[tomas@ipa3 ~]$ sudo ipa-replica-install --admin-password=123456798 --mkhomedir --ssh-trust-dns --setup-dns --forwarder=192.168.178.1 --auto-reverse --allow-zone-overlap
Lookup failed: Preferred host ipa3.ipa.tomdus.lab does not provide DNS.
Checking DNS forwarders, please wait ...
Reverse record for IP address 10.0.3.5 already exists OK as we corrected is manually above
Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds[1/38]: creating directory server instance
Validate installation settings ...
Create file system structures ...
Perform SELinux labeling ...
Create database backend: dc=ipa,dc=tomdus,dc=lab ...
Perform post-installation tasks ...[2/38]: tune ldbm plugin[3/38]: adding default schema[4/38]: enabling memberof plugin[5/38]: enabling winsync plugin[6/38]: configure password logging[7/38]: configuring replication version plugin[8/38]: enabling IPA enrollment plugin[9/38]: configuring uniqueness plugin[10/38]: configuring uuid plugin[11/38]: configuring modrdn plugin[12/38]: configuring DNS plugin[13/38]: enabling entryUSN plugin[14/38]: configuring lockout plugin[15/38]: configuring topology plugin[16/38]: creating indices[17/38]: enabling referential integrity plugin[18/38]: configuring certmap.conf[19/38]: configure new location for managed entries[20/38]: configure dirsrv ccache and keytab[21/38]: enabling SASL mapping fallback[22/38]: restarting directory server[23/38]: creating DS keytab[24/38]: ignore time skew for initial replication[25/38]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded
[26/38]: prevent time skew after initial replication[27/38]: adding sasl mappings to the directory[28/38]: updating schema[29/38]: setting Auto Member configuration[30/38]: enabling S4U2Proxy delegation[31/38]: initializing group membership[32/38]: adding master entry[33/38]: initializing domain level[34/38]: configuring Posix uid/gid generation[35/38]: adding replication acis[36/38]: activating sidgen plugin[37/38]: activating extdom plugin[38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Replica DNS records could not be added on master: Insufficient access: Insufficient 'add' privilege to add the entry 'idnsname=ipa3,idnsname=ipa.tomdus.lab.,cn=dns,dc=ipa,dc=tomdus,dc=lab'.
Configuring Kerberos KDC (krb5kdc)[1/5]: configuring KDC[2/5]: adding the password extension to the directory[3/5]: creating anonymous principal[4/5]: starting the KDC[5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin[1/2]: starting kadmin [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)[1/3]: configuring TLS for DS instance[2/3]: importing CA certificates from LDAP[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)[1/22]: stopping httpd[2/22]: backing up ssl.conf[3/22]: disabling nss.conf[4/22]: configuring mod_ssl certificate paths[5/22]: setting mod_ssl protocol list[6/22]: configuring mod_ssl log directory[7/22]: disabling mod_ssl OCSP[8/22]: adding URL rewriting rules[9/22]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf[10/22]: setting up httpd keytab[11/22]: configuring Gssproxy[12/22]: setting up ssl[13/22]: configure certmonger for renewals[14/22]: publish CA cert[15/22]: clean up any existing httpd ccaches[16/22]: enable ccache sweep[17/22]: configuring SELinux for httpd[18/22]: create KDC proxy config[19/22]: enable KDC proxy[20/22]: starting httpd[21/22]: configuring httpd to start on boot[22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd[1/2]: starting ipa-otpd [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Custodia uses 'ipa1.ipa.tomdus.lab' as master peer.
Configuring ipa-custodia[1/4]: Generating ipa-custodia config file[2/4]: Generating ipa-custodia keys[3/4]: starting ipa-custodia [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)[1/2]: configure certmonger for renewals[2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds[1/10]: stopping directory server[2/10]: saving configuration[3/10]: disabling listeners[4/10]: enabling DS global lock[5/10]: disabling Schema Compat[6/10]: starting directory server[7/10]: upgrading server[8/10]: stopping directory server[9/10]: restoring configuration[10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
dnssec-validation yes
Configuring DNS (named)[1/8]: generating rndc key file[2/8]: setting up our own record[3/8]: adding NS record to the zones[4/8]: setting up kerberos principal[5/8]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
created named user config '/etc/named/ipa-logging-ext.conf'[6/8]: setting up server configuration[7/8]: configuring named to start on boot[8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)[1/7]: checking status[2/7]: setting up bind-dyndb-ldap working directory[3/7]: setting up kerberos principal[4/7]: setting up SoftHSM[5/7]: adding DNSSEC containers
DNSSEC container exists (step skipped)[6/7]: creating replica keys[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records

Global DNS configuration in LDAP server is not empty
The following configuration options override local settings in named.conf:

API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.245
Forward policy: first
IPA DNS servers: ipa1.ipa.tomdus.lab, ipa2.ipa.tomdus.lab

Configuring SID generation[1/7]: creating samba domain object
Samba domain object already exists[2/7]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do[3/7]: adding RID bases
RID bases already set, nothing to do[4/7]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.[5/7]: activating sidgen task[6/7]: restarting Directory Server to take MS PAC and LDAP plugins changes into account[7/7]: adding fallback group
Fallback group already set, nothing to do
Done.

WARNING: The CA service is only installed on one server (ipa1.ipa.tomdus.lab).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.

The ipa-replica-install command was successful

Enable firewall

sudo firewall-cmd --add-service={http,https,ldap,ldaps,kerberos,kpasswd,dns} --permanent
sudo firewall-cmd --reload

4. Install ca certificates on ipa3

[tomas@ipa3 ~]$ sudo ipa-ca-install
Directory Manager (existing master) password:

Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes[1/28]: creating certificate server db[2/28]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded
[3/28]: creating ACIs for admin
...[26/28]: importing IPA certificate profiles[27/28]: configuring certmonger renewal for lightweight CAs[28/28]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Updating DNS system records








Create Toolchain with ptxdist

This is a small introduction to create a toolchain with ptxdist (Version ptxdist-2019.08.0.tar.bz2)

 

sudo apt install libncurses5-dev python-dev

cd
mkdir ptxdist
cd ptxdist
wget http://public.pengutronix.de/software/ptxdist/ptxdist-2019.08.0.tar.bz2
tar -xjf ptxdist-2019.08.0.tar.bz2
cd ptxdist-2019.08.0
./configure --prefix /home/tomas/ptxdist/install
make
make install
cd /home/tomas/ptxdist/install/bin/
./ptxdist setup

Create your own toolchain

sudo apt install python3-dev
cd /home/tomas/ptxdist
wget https://public.pengutronix.de/oselas/toolchain/OSELAS.Toolchain-2018.12.0.tar.bz2
tar -xjf OSELAS.Toolchain-2018.12.0.tar.bz2
cd OSELAS.Toolchain-2018.12.0/
/home/tomas/ptxdist/install/bin/ptxdist-2019.08.0 select ptxconfigs/i686-atom-linux-gnu_gcc-8.2.1_glibc-2.28_binutils-2.31.1_kernel-4.19-sanitized.ptxconfig
/home/tomas/ptxdist/install/bin/ptxdist-2019.08.0 migrate
/home/tomas/ptxdist/install/bin/ptxdist-2019.08.0 go

change in selected_ptxconfig from PTXCONF_PREFIX=“/opt“ to PTXCONF_PREFIX=“/home/tomas/ptxdist/toolchain“

How To Setup and Orange PI One

This is a small introduction to setup orange pi one

Format and prepare SD Card

Prepare 32GB SD Card, thus Orange Pi One can boot from up to 32GB SD Card. I am using SDCard Formatter,

Install Linux image on SD Card

Download image, e.g Debian Buster based version from https://www.armbian.com/orange-pi-one/.

Use e.g. Etcher to flash linux image to SD Card:

First time boot

Insert an SD Card into Orange Pi One and connect power supply

Connect to MySQL with python

The mysql libraries are not per see installed with python, thus:

sudo apt-get install python-mysql

Script:


#!/usr/bin/python
import MySQLdb

db = MySQLdb.connect(host="localhost", # your host, usually localhost
    user="tomas", # your username
    passwd="tomas1234", # your password
    db="test") # name of the data base

# Create a cursor object that executes all required queries
cur = db.cursor()

# create sample table
cur.execute("CREATE TABLE IF NOT EXISTS tomastest(id INT NOT NULL AUTO_INCREMENT PRIMARY KEY, data VARCHAR(100))")

# create sample data
cur.execute("INSERT INTO tomastest(data) VALUES('Test data'); commit;")

# execute select sql
cur.execute("SELECT * FROM tomastest")

# Get the number of rows in the resultset
numrows = cur.rowcount
print "Rows count: ",numrows
for row in cur.fetchall():
    print row[0], row[1]
db.close()

If not providede, thus create test mysql db (sMySQL Docs)

mysql> CREATE DATABASE test;
mysql> use test

If not already exist create user (MySQL Docs)

mysql> CREATE USER 'tomas'@'localhost' IDENTIFIED BY 'tomas1234';
mysql> GRANT ALL ON test.* TO 'tomas'@'localhost';

Convert PFX certificate to crt and key for apache httpd

How to convert PFX certificate to .crt and .key to use with apache httpd

Certificate in PFX format are commonly exported from MS Active Directory Using OpenSSL Command in Linux System:

openssl pkcs12 -in server.pfx -out server.key -nodes -nocerts

server.key

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIl4COeWKpJooCAggA
MBQGCCqGSIb3DQMHBAhzLEVbvIcuIASCBMhLiTd6/n6feWfBNRPDpeQl4oecUt6Q
nQrGbtcbDlPaMcCjSrquZO3MCfwstPhv3kyk6ntc8A6MJZCALvAdf6g0xetNb4L0
ThoJ5IfsVM4K7SRy/Q4JxR6OWhdTVNSinc4aPncjJClImPmFc+QOrHuFY19Z9kTW
nVsWOg3CG4tx2HfNVLrH3ZQJ7bM0Imohw464wGLf2k+l5/+XEnqqHfJLazx67GbP
KGdq7YnZLWXv8j6E4ZLrxpEx+KyGgSqB8vcVMttpjM07iVTKD7ig0FwRaN2TlPeT
FiK7n0y/UCIpH4KRFtJIgJfWuGkKUJFQVs+eiD8xZRM6sl6KvkebG4O4vEtJS2PF
cXNfVxtbmhroOjRrP9Wjd0K9tZQ+zBGnhoF2fo5T8LCyeTRPeECFCiRoGmW2QF3y
8QHz017qw4CwfSPMQRf6Y6gTlvg9tFmuIHgA9YGSGXYgqNXYtkw7dxR40LsbKYTb
y81j5EjT0Whn6dQYhYx4dSWGcx/m7Ybzlka9ftkrV+E9KvBh1eg8vjrU/VSAAFHo
BmDCK3dxQNt5gDqlbjX5d/cmd9eu1oYGqZKkhC1fN0TRK7XmnPEZ8bHc+YCDzeHb
yAEgETngSm2AOTFRd7TMpzHOaMJUMnFqX4QYeQfuerPkF3lvIf/OOi9UKdcYkY3Y
97zFqZny2rFVmaCiFk/a8X+Ecwn4xm9RZHeibo1dCTrZ54BIzO7bBaae7HOjxwwH
ZqWCfLeFboZ2GoQ3zAhIOF3h8jL+UVHJRDKlJJix9i0uyOm0JmIzFyx7k1b1lr66
zxfQbl2H5up3GU2dzRRdNOfFefOmDqwSyJ6ZThzpSyhvqmDWlRdRoRQ105G+8OrP
dj+Y/Kxm1znucHUHuaKrIOiwrHtXIX3Lfmp66/Azmw2TBBV/4sv5+lKwewXbPuSq
34lAXHYIw1/v85/KlAE3fr0O/u0ROofzpUKlhdCJ4c/1VrWvfdCmbbxjsXTIzLrY
cvzT7FPo8avVE6jfgVKt9Y4Q8pmS2ZjvHmmB7HwwOpR/jDJwuvTRAly5s1rdrkW9
0sU3jrujY0zyV/oPyuBdJBmixFOrZx8jaYyoC6wgRzlfXBxi0wCIvOLRZE305co6
qFN1zRYjL8Hv1rj3kI+oRtGgg/al8/WItBG28l+N4Q3qucG3+fXZ7sTULHV5TIVp
Ud6PjkstveK+3oosBxwkDqXtC4gdRSzjtnUHEWwE+Df2pqQGDEK0kLxisgorGaDz
0P4eYHce8y14UZty0y2KioyUW7nlunwsPAvResyNjqjgxJ7USaurRCspkIDDXrim
C0c3Xj7J6F8wNakHCzX9cJamV9I0rYGDEEwM29MtS3W8UU03YeeAdGxbmZRXyOH8
xYZdHxCdh3QKxf3+U19LRdUEUdTWpa96yp4lcTZyvEK6AODjzY8Qg9PhZqAH1L1T
6HePzR70udLzEXiUci4H0oLqMtHJOhLfhsFZFiO0Std+nKUSJu5KdsXzxIhRAYCu
3oxhAGc8QaYruZ0qx2VZ3ujIcD+CzezqzXzjeKWrjP6dKEKx3uEP8qIRPnrkDX9d
GpjKRI3ATOt8ojzgdreGv3Hg9qSAHXVl23ocTCl18HPRLzaF9TZrVhiuferQHO5k
M3U=
-----END ENCRYPTED PRIVATE KEY-----

openssl pkcs12 -in server.pfx -out server.crt -clcerts
server.crt

-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAOu8IGet1qEEMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTcwNzA2MTE1MTAxWhcNMTgwNzA2MTE1MTAxWjBF
MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAtM/17uVeeUsFzt0QL8OhoIbma5l6gpqRGZOPcbAMBmdVFcOgouwe8DLF
Jt+2yZMnHbjdEMArgcDFOZW+jJKJiI7vV/fvMB5Ey50A57P4IADrwZN4nAHVqDD6
1v1ZwI9hintyUs+Mke1fDl++Q9D4eFfv36VEx6IV+xWdEREbJZPqxzQCNUDQhSwg
Tsr/mWUKvwomY0Dt8l6BWPKIzlx0hOZFsz7mAc1FlRRodt0GaUtVJskPjjJ3WDsW
zmk/RGViGKSpFyz8Dk9Sc7+lElCas39Yx8869DIRSdcgw0DU0kORZsIH4OJUUBn/
A8/CEkDOi1/2tYjnnzg7YUqjrDrDXQIDAQABo1AwTjAdBgNVHQ4EFgQUcR0veqM0
EAIVawdoqhln/mvEYFQwHwYDVR0jBBgwFoAUcR0veqM0EAIVawdoqhln/mvEYFQw
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEArPZNXaa7EG1tm4P65Mis
2u/Bf5qa8ylgJVKUfEvz6SQRKq+5NV7FE/CyVRGinkmNKy37G3IUV7J+UkaPx+Rz
7CwGQC3yIWOA/ASClTs4P/56sLZ5RxtzAdJ/bZZUKx4HhfkkWYFUEM1PCl8ZXJQq
uWliKzF6Id/HdsgJtH7vBFyp0yuKoKrB2msRdPWK99D7ir6T2PZ457OqpQtJhGYW
R9AvftZUG0QfsSSAOa942ItnPW7kgoU/pgV88zkvUYnAhEQ98NFSgTSQa83eaBXz
id8lrrea7Yi5TXkArgh9kMQbuTWBbyJCAKKeBNV6nt7ZVLcTn22Xjkat+33BgaFh
4g==
-----END CERTIFICATE-----

Zertifikats Inhalts auslesen

Wie lese ich den Inhalt des Zertifikates (*.pem oder *.crt) aus?

Der Inhalt des Zertifikates kann mit OpenSSL ausgelesen werden:

openssl x509 -in ZERTIFIKAT.CRT -text -noout

openssl x509 -in ZERTIFIKAT.PEM -text -noout

Beispiele

openssl x509 -in /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem -text -noout

openssl x509 -in/etc/pki/tls/certs/localhost.crt -text -noout

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 18473 (0x4829)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=centos1.localdomain/emailAddress=root@centos1.localdomain
Validity
Not Before: Oct 6 14:49:10 2016 GMT
Not After : Oct 6 14:49:10 2017 GMT
Subject: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=centos1.localdomain/emailAddress=root@centos1.localdomain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c1:0d:b0:20:81:73:a4:3f:d2:09:33:bd:5f:3d:
42:d8:4f:0e:11:86:ad:6d:84:93:55:5c:9c:b6:00:
4e:a0:35:a9:72:68:0e:f7:3d:9f:7d:b7:73:a3:30:
a5:d1:ea:c8:c3:6c:96:46:f2:9e:8c:d2:2c:5f:44:
4d:2b:07:35:f7:92:4e:48:80:a3:5f:d4:5f:16:82:
83:a5:f2:09:9e:74:b8:95:8f:55:13:1e:3d:a1:07:
c7:11:24:f3:e7:75:3e:e5:da:4e:85:dd:b6:b9:b5:
e3:32:8d:ec:23:08:bf:22:7c:c0:55:27:07:36:f2:
b3:18:5a:6b:62:0d:9a:a4:d0:4a:e0:3a:ea:b6:31:
d2:06:52:46:8a:6e:16:aa:cb:fe:bc:8a:f8:c8:94:
0f:ca:e1:78:a6:f9:b3:b6:69:07:0d:18:97:b1:60:
6e:24:4b:df:bf:ba:67:42:3e:2d:81:cf:f7:55:ed:
47:15:a0:00:b9:26:36:56:d3:29:d6:9e:bf:99:6d:
0f:a9:63:b8:4a:9f:f4:e0:f8:98:e5:ab:2e:81:9c:
f3:eb:a3:0a:27:dd:4f:70:e9:3b:e2:c1:1f:07:fe:
cb:1c:ee:5b:74:e9:31:b8:e8:5e:80:30:28:e6:e1:
7a:16:ac:25:d0:39:50:08:ff:db:71:5d:46:87:49:
47:83
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Signature Algorithm: sha256WithRSAEncryption
37:e0:e1:92:2a:cc:51:8a:4c:d4:31:91:20:f4:f3:72:b2:bb:
34:82:5c:e0:b1:29:33:b5:6d:c5:3b:42:50:8b:49:2b:cc:8c:
72:57:c3:ff:92:00:f4:cb:7e:00:34:86:88:ed:38:ea:10:57:
8d:43:fc:9d:ae:5c:9d:87:4f:73:c0:8d:79:e4:a3:44:de:b1:
27:6c:93:f3:c9:d1:b3:4c:df:6c:5f:0b:1e:19:e9:51:69:68:
af:fb:47:45:85:03:64:04:a9:47:24:3a:8d:8b:b5:4f:0c:25:
44:e2:10:a8:58:6a:f9:8d:5d:3f:2f:9f:41:75:f5:04:47:a4:
e1:90:53:a1:dc:a1:fa:20:5b:d5:41:79:cb:f5:47:66:1b:02:
dd:94:bb:52:69:00:2c:3a:d5:44:0a:a4:15:23:36:fb:5c:aa:
fa:28:af:89:17:fb:f4:c6:d7:8b:1b:14:d2:7d:6b:01:d2:33:
eb:43:62:c0:bd:88:b9:31:86:ed:e7:28:11:b4:b2:9e:b3:1e:
c6:3e:bd:54:8b:f9:53:ed:0d:c3:ea:1d:c2:54:53:b5:d5:83:
30:58:6e:37:87:9f:d8:cf:44:3f:29:90:0c:84:b7:9f:cb:4f:
11:f5:d0:a3:6e:ea:22:87:eb:9b:63:b9:9c:46:99:32:6d:a7:
42:3c:e8:a0