D90 Tools & Techniques

"So I can remember how I did stuff in the future…"

• Home
• About

Topics

• Auditing
• General Security
• Linux
• Networking
• Sysadmin Tools
• Uncategorized
• Web Hosting Tools
  • Lighttpd
  • Squid
• Windows

Archives

• November 2010
• October 2010
• February 2010
• January 2010
• December 2009
• October 2009
• September 2009
• August 2009
• July 2009
• June 2009
• May 2009
• March 2009
• February 2009
• December 2008
• November 2008
• October 2008
• July 2008
• May 2008
• April 2008
• January 2008
• December 2007
• October 2007
• September 2007

Handy References

• (Draft)
• SED One Liners
• Advanced Bash
• Advaned Bash (D90 Archive)
• ASCII Table
• Windows ALT Codes
• XHTML Codes
• CSS Codes
• SQL Reference
• Country / Language Codes
• CISCO IOS Reference

Search

Quick Reference Posts

• Favorite Commands
• Terms & Speeds
• Pre-press & Media
• Security Articles

Handy Services

• Whois
• IP Lookup
• MAC Address Lookup
• DIG
• Internet Traceroute
• MX Record Lookup
• File Transfer Speed
• Mac Address Lookup
• chmod calculator
• Internet Latency
• Akami Internet Visualization
• Unit Convertor
• Reverse Hash Database

Some Favorite Sites

• Schneier on Security
• Krebs on Security
• MalwareInt Blog
• CSO Online
• The Register
• Internet Storm Center
• Chronology of Data Breaches
• SANS Forensics Blog

More Favorite Posts

• Baloney Detector
• Default Passwords
• Data Center Naming
• Whole Building Design Guide

How do I do that again?

• Interpreting TOP
• Yahoo's Website Optimization Rules

Security Resources

• Professional Security Testers
• Open Source Security Test Methodology
• ISO 17799
• NIST Security Assessment Framework
• CERT OCTAVE Assessment Framework
• NSA System Hardening Guidelines
• Microsoft Baseline Security Analyzer, Other Tools, and Frameworks
• WebGoat Web Vulnerability Practice
• OWASP Web Application Vulnerabilities
• CyberCrime.gov Updated list of incidents
• Information Systems Audit Methodology
• Terry Ritter's Guideline for safe PC Banking
• Open Source Forensics

Forensic Resources

• Sleuth Kit

More Security Resources

• Typo Squatting

« Sun Java 5 & Fedora Core 6 | Main | My Favorite Commands… »

Creating & Debugging SSL Certificates

By Matt | October 3, 2007

Generating a public SSL certificate:

Information Needed:
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (e.g., city) [ ]:
Organization Name (e.g., company) [Internet Widgets Pty Ltd]:
Organizational Unit Name (e.g., section) [ ]:
Common Name (e.g., YOUR name) [ ]: (See my email...)
Email Address [ ]:

Generate a CSR from an existing private key:

 openssl req -new -key private-key.pem -out /home/rfagundo/csr_2007.pem

==========================================
Some handy commands:

View the key:
openssl rsa -noout -text -in name.key

View the CSR:
openssl req -noout -text -in name.csr

View the Certificate:
openssl x509 -noout -text -in name.crt

Modulus (+ Exponent) should match between the key and the others…otherwise you get a key mismatch

==========================================
Squid Reverse Proxy & SSL:

Squid can’t handle seperate chainfiles.  But it’s a pretty easy fix.

Use this sample for an Apache conf file for a site being moved to Squid:

SSLEngine on
SSLCertificateFile /etc/httpd/ssl/mysite/www.mysite.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/mysite/mysite.key
SSLCertificateChainFile /etc/httpd/ssl/mysite/sf_intermediate.crt

This process certainly can be modified / simplified as needed:
Copy the www.mysite.com.crt to squid_www.mysite.com.crt
Copy the text from sf_intermediate.crt and paste it to the bottom of squid_www.mysite.com.crt.

Here’s the Squid SSL line that uses those:

https_port 8081 cert=/etc/httpd/ssl/mysite/squid_www.mysite.com.crt key=/etc/httpd/ssl/mysite/mysite.key vhost defaultsite=www.mysite.com

BTW, in the above sample…
public ip:443 = Apache running SSL
public ip:8081 = Squid running SSL, which then connects to 127.0.0.1:8080 on Apache *not* running SSL.

In production, you take public ip:443 off apache, and have Squid listen on public ip:443 instead.

Topics: Web Hosting Tools | No Comments »

Comments

You must be logged in to post a comment.

D90 Tools & Techniques is proudly powered by WordPress - Designed by RFDN
Entries (RSS) and Comments (RSS)