Security/Certificate: Difference between revisions

No edit summary
 
(49 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Certificate » Password==
== Certificate » Password==
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
makepasswd --chars 16 --count 5 --crypt-md5
makepasswd --chars 16 --count 10 --crypt-md5
:'
:'
wWbe8SYNgJInuQP7   $1$m8dcnUOe$rAct5p.QDtm4gMejWDYf6.
wTwezXF4sNLoWBsI   $1$OCSDx0zn$U9WW0udI8pYfIrCCuz2Md1
C8f7a3gbf3tJEDp2   $1$V5xk4W7.$Xk/n4lWjgOg2JTvV4YI.Z1
pfHyhrtvHC4p3oW5  $1$6b/SQRXF$UwLDhHZMyWfsw/S0g6GgZ1
CS0TPHMRFR0QLEnB   $1$H5Nrr7yO$hxFOQ3da4RxG5Q/CPVur8.
WLNv9CD8XcR3poHp  $1$oVsmVh6Q$Vq4amLARt2iMezos.pT1N.
Cw9fxRFYQFJHvGwr   $1$Po8YI6OB$IeHUMu5RxKAm2S.LQN4NJ/
cCJvJU8rFeHbu4Ix  $1$qlaCpIFj$jWqjkdALO535Ww58k3KE2/
7Hs1mtzabuCY2WLx   $1$ABFsJCpY$DqAEA16G01i2BQjdSXte5/
7WeBH8nwMXR78Gdd  $1$afyCWr0p$6bMRrvCnrBeo/BdVJi70E1
IxGjQAogqv3e18rj   $1$60UWcAxR$bFfRlXHzVvZkjTripK9v..
JXveCv0LjsAix5cp  $1$FANZ3WNf$hq2BPd1SXdL.2yvKf0/.7/
eoFqedaFpKKDqVCw   $1$4TCNgJCv$v1z4Y8IR5a4Nan5VkAAe8/
9npSy42dxUH2w15y   $1$APixN7OV$XIe.K3qPi/aezzWyhf7F./
SuwCWQ39RNKUcKAM   $1$qnnfDUE1$ucuWcIpNBuCvCBjCiHaoG/
'
'
</syntaxhighlight>
== Certificate » RootCA==
<syntaxhighlight lang="bash">
ROOTCA_CNF="$(mktemp -u)"
cat <<'CNF'|tee ${ROOTCA_CNF} >/dev/null
[ req ]
prompt                = no
distinguished_name    = dn
[ dn ]
C                      = BD
ST                    = Dhaka
L                      = Munshiganj
O                      = Shahed, Inc.
OU                    = Shahed_ECC_Root_CA_2025
CN                    = Shahed_ECC_Root_CA_2025
emailAddress          = info@shahed.biz
CNF
echo -n 'Password: ';read -s ROOTCA_PASS_PHRASE;export ROOTCA_PASS_PHRASE;echo
# Password: wTwezXF4sNLoWBsI
</syntaxhighlight>
===🟡 Certificate » RootCA » RSA===
----
<syntaxhighlight lang="bash">
openssl genpkey  -algorithm RSA  -out Shahed_RSA_Root_CA_2025.key -aes256 -pass file:<(echo "${ROOTCA_PASS_PHRASE}")
openssl req -x509 -new -nodes    -key Shahed_RSA_Root_CA_2025.key -sha256 -days 7305 -out Shahed_RSA_Root_CA_2025.pem -config ${ROOTCA_CNF} -passin file:<(echo "${ROOTCA_PASS_PHRASE}")
</syntaxhighlight>
===🟢 Certificate » RootCA » EC » 256===
----
<syntaxhighlight lang="bash">
openssl genpkey  -algorithm EC  -out Shahed_ECC_Root_CA_2025.key -pkeyopt ec_paramgen_curve:P-256 -pass file:<(echo "${ROOTCA_PASS_PHRASE}")
openssl req -x509 -new -nodes    -key Shahed_ECC_Root_CA_2025.key -sha256 -days 7305 -out Shahed_ECC_Root_CA_2025.pem -config ${ROOTCA_CNF} -passin file:<(echo "${ROOTCA_PASS_PHRASE}")
</syntaxhighlight>
===🟠 Certificate » RootCA » EC » 384===
----
<syntaxhighlight lang="bash">
openssl genpkey  -algorithm EC  -out Shahed_ECC_P384_Root_CA_2025.key -pkeyopt ec_paramgen_curve:P-384 -pass file:<(echo "${ROOTCA_PASS_PHRASE}")
openssl req -x509 -new -nodes    -key Shahed_ECC_P384_Root_CA_2025.key -sha384 -days 7305 -out Shahed_ECC_P384_Root_CA_2025.pem -config ${ROOTCA_CNF} -passin file:<(echo "${ROOTCA_PASS_PHRASE}")
</syntaxhighlight>
== Certificate » RootCA » SubCA==
<syntaxhighlight lang="bash">
SUBCA_CNF="$(mktemp -u)"
cat <<'CNF'|tee ${SUBCA_CNF} >/dev/null
[ req ]
prompt                = no
distinguished_name    = dn
attributes            = req_attrs
[ dn ]
C                      = BD
ST                    = Dhaka
L                      = Munshiganj
O                      = Shahed, Inc.
OU                    = Shahed_ECC_Sub_CA_2025
CN                    = Shahed_ECC_Sub_CA_2025
emailAddress          = info@shahed.biz
[ req_attrs ]
unstructuredName      = Shahed Academia, Inc.
CNF
SUBCA_EXT="$(mktemp -u)"
cat <<'EXT'|tee ${SUBCA_EXT} >/dev/null
subjectKeyIdentifier  = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints      = critical,CA:TRUE,pathlen:0
keyUsage              = critical,keyCertSign,cRLSign
EXT
echo -n 'Password: ';read -s SUBCA_PASS_PHRASE;export SUBCA_PASS_PHRASE;echo
# Password: pfHyhrtvHC4p3oW5
</syntaxhighlight>
===🟡 Certificate » RootCA » SubCA » RSA===
----
<syntaxhighlight lang="bash">
openssl genpkey  -algorithm RSA  -out  Shahed_RSA_Sub_CA_2025.key -aes256 -pass file:<(echo  "${SUBCA_PASS_PHRASE}")
openssl req -new  -key Shahed_RSA_Sub_CA_2025.key  -out  Shahed_RSA_Sub_CA_2025.csr -config ${SUBCA_CNF}  -passin file:<(echo "$SUBCA_PASS_PHRASE")
openssl x509 -req -in  Shahed_RSA_Sub_CA_2025.csr  -CA  Shahed_RSA_Root_CA_2025.pem -CAkey  Shahed_RSA_Root_CA_2025.key    -CAcreateserial -out  Shahed_RSA_Sub_CA_2025.pem -days 2922 -sha256 -passin file:<(echo "${ROOTCA_PASS_PHRASE}")
</syntaxhighlight>
===🟢 Certificate » RootCA » SubCA » EC » 256===
----
<syntaxhighlight lang="bash">
openssl genpkey  -algorithm EC  -out  Shahed_ECC_Sub_CA_2025.key -pkeyopt ec_paramgen_curve:P-256 -pass file:<(echo  "${SUBCA_PASS_PHRASE}")
openssl req -new  -key Shahed_ECC_Sub_CA_2025.key  -out  Shahed_ECC_Sub_CA_2025.csr -config ${SUBCA_CNF}  -passin file:<(echo "$SUBCA_PASS_PHRASE")
openssl x509 -req -in  Shahed_ECC_Sub_CA_2025.csr  -CA  Shahed_ECC_Root_CA_2025.pem -CAkey  Shahed_ECC_Root_CA_2025.key    -CAcreateserial -out  Shahed_ECC_Sub_CA_2025.pem -days 2922 -sha256 -extfile ${SUBCA_EXT} -passin file:<(echo "${ROOTCA_PASS_PHRASE}")
</syntaxhighlight>
===🟠 Certificate » RootCA » SubCA » EC » 384===
----
<syntaxhighlight lang="bash">
openssl genpkey  -algorithm EC  -out  Shahed_ECC_P384_Sub_CA_2025.key -pkeyopt ec_paramgen_curve:P-384 -pass file:<(echo  "${SUBCA_PASS_PHRASE}")
openssl req -new  -key Shahed_ECC_P384_Sub_CA_2025.key  -out  Shahed_ECC_P384_Sub_CA_2025.csr -config ${SUBCA_CNF}  -passin file:<(echo "$SUBCA_PASS_PHRASE")
openssl x509 -req -in  Shahed_ECC_P384_Sub_CA_2025.csr  -CA  Shahed_ECC_P384_Root_CA_2025.pem -CAkey  Shahed_ECC_P384_Root_CA_2025.key    -CAcreateserial -out  Shahed_ECC_P384_Sub_CA_2025.pem -days 2922 -sha384 -extfile ${SUBCA_EXT} -passin file:<(echo "${ROOTCA_PASS_PHRASE}")
</syntaxhighlight>
== Certificate » RootCA » SubCA » Server==
<syntaxhighlight lang="bash">
SERVER_CNF="$(mktemp -u)"
cat <<'CNF'|tee ${SERVER_CNF} >/dev/null
[ req ]
prompt                = no
distinguished_name    = dn
req_extensions        = req_ext
attributes            = req_attrs
[ dn ]
C                      = BD
ST                    = Dhaka
L                      = Munshiganj
O                      = Shahed, Inc.
OU                    = aa.shahed.shahed.biz
CN                    = aa.shahed.shahed.biz
emailAddress          = info@shahed.biz
[ req_ext ]
subjectAltName        = @alt_names
[ req_attrs ]
unstructuredName      = Shahed Academia, Inc.
[ alt_names ]
IP.1                  = 10.20.30.1
IP.2                  = 10.20.40.1
DNS.1                  = aa.shahed.shahed.biz
CNF
SERVER_EXT="$(mktemp -u)"
cat <<'CNF'|tee ${SERVER_EXT} >/dev/null
basicConstraints      = CA:FALSE
subjectAltName        = @alt_names
extendedKeyUsage      = serverAuth,clientAuth
keyUsage              = digitalSignature,keyEncipherment
[ alt_names ]
IP.1                  = 10.20.30.1
IP.2                  = 10.20.40.1
DNS.1                  = aa.shahed.shahed.biz
CNF
echo -n 'Password: ';read -s SUBCA_PASS_PHRASE;export SUBCA_PASS_PHRASE;echo
# Password: pfHyhrtvHC4p3oW5
</syntaxhighlight>
===🟡 Certificate » RootCA » SubCA » Server » RSA===
----
<syntaxhighlight lang="bash">
openssl genpkey  -algorithm  RSA -out aa.shahed.shahed.biz.key
openssl req -new  -key  aa.shahed.shahed.biz.key -out aa.shahed.shahed.biz.csr -config ${SERVER_CNF}
openssl x509 -req -in  aa.shahed.shahed.biz.csr -CA  Shahed_RSA_Sub_CA_2025.pem  -CAkey  Shahed_RSA_Sub_CA_2025.key    -CAcreateserial -out aa.shahed.shahed.biz.crt -days 1461 -sha256 -passin file:<(echo  "${SUBCA_PASS_PHRASE}")
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
cat Shahed_RSA_Sub_CA_2025.pem          Shahed_RSA_Root_CA_2025.pem    > Shahed_RSA_CA_2025.ca-chain.pem
cat aa.shahed.shahed.biz.crt            Shahed_RSA_CA_2025.ca-chain.pem > aa.shahed.shahed.biz.fullchain.pem
cat aa.shahed.shahed.biz.fullchain.pem  aa.shahed.shahed.biz.key        > aa.shahed.shahed.biz.pem
</syntaxhighlight>
===🟢 Certificate » RootCA » SubCA » Server » EC » 256===
----
<syntaxhighlight lang="bash">
openssl ecparam  -name prime256v1 -genkey  -noout -out aa.shahed.shahed.biz.key
openssl req -new  -key  aa.shahed.shahed.biz.key -out aa.shahed.shahed.biz.csr -config ${SERVER_CNF}
openssl x509 -req -in  aa.shahed.shahed.biz.csr -CA  Shahed_ECC_Sub_CA_2025.pem  -CAkey  Shahed_ECC_Sub_CA_2025.key    -CAcreateserial -out aa.shahed.shahed.biz.crt -days 1461 -sha256 -passin file:<(echo  "${SUBCA_PASS_PHRASE}")
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
cat Shahed_ECC_Sub_CA_2025.pem          Shahed_ECC_Root_CA_2025.pem    > Shahed_ECC_CA_2025.ca-chain.pem
cat aa.shahed.shahed.biz.crt            Shahed_ECC_CA_2025.ca-chain.pem > aa.shahed.shahed.biz.fullchain.pem
cat aa.shahed.shahed.biz.fullchain.pem  aa.shahed.shahed.biz.key        > aa.shahed.shahed.biz.pem
</syntaxhighlight>
===🟠 Certificate » RootCA » SubCA » Server » EC » 384===
----
<syntaxhighlight lang="bash">
openssl ecparam  -name  secp384r1 -genkey  -noout -out aa.shahed.shahed.biz.key
openssl req -new  -key  aa.shahed.shahed.biz.key -out aa.shahed.shahed.biz.csr -config ${SERVER_CNF}
openssl x509 -req -in  aa.shahed.shahed.biz.csr -CA  Shahed_ECC_P384_Sub_CA_2025.pem  -CAkey  Shahed_ECC_P384_Sub_CA_2025.key    -CAcreateserial -out aa.shahed.shahed.biz.crt -days 1461 -sha384 -passin file:<(echo  "${SUBCA_PASS_PHRASE}")
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
cat Shahed_ECC_P384_Sub_CA_2025.pem    Shahed_ECC_P384_Root_CA_2025.pem      > Shahed_ECC_P384_CA_2025.ca-chain.pem
cat aa.shahed.shahed.biz.crt            Shahed_ECC_P384_CA_2025.ca-chain.pem  > aa.shahed.shahed.biz.fullchain.pem
cat aa.shahed.shahed.biz.fullchain.pem  aa.shahed.shahed.biz.key              > aa.shahed.shahed.biz.pem
</syntaxhighlight>
</syntaxhighlight>


==Playground==
==Playground==
{|
{|
|valign='top'|
<syntaxhighlight lang="bash">
ls -alh *.{crt,csr,key,pem,srl}
rm -rf  *.{crt,csr,key,pem,srl}
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang="bash">
rm -rf  ${SUBCA_CNF}
rm -rf ${SERVER_CNF}
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang="bash">
</syntaxhighlight>
|-
|colspan='3'|
----
|-
|valign='top'|
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
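Review bot: The four EC key-generation lines (`openssl genpkey -algorithm EC … -pass file:<(…)` for the P-256 and P-384 root and sub CAs) pass a passphrase but no cipher, and genpkey only encrypts its output when a cipher option is given, so those CA private keys land on disk in the clear while the RSA lines beside them are AES-encrypted; each needs `-aes256` added. `SERVER_EXT` is written but never used: the three server `openssl x509 -req` lines lack `-extfile ${SERVER_EXT}`, and since x509 -req does not copy the CSR's req_extensions by default the leaf certificates carry no subjectAltName or extendedKeyUsage, and the RSA sub-CA signing line is likewise missing the `-extfile ${SUBCA_EXT}` its EC siblings have, leaving that intermediate without basicConstraints CA:TRUE. Every config path comes from `mktemp -u`, which only prints a name, so the later `tee` creates the file with the default umask on a path another process could claim first; plain `mktemp` creates it atomically with mode 0600. The passphrase prompts should use `read -r -s` so a backslash in a typed passphrase is kept literally.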
Line 51: Line 267:
makepasswd --chars 12 --count 5
makepasswd --chars 12 --count 5
makepasswd --chars 12
makepasswd --chars 12
</syntaxhighlight>
|-
| colspan="3" |
----
|-
| valign="top" |
<syntaxhighlight lang="bash">
openssl s_client -tls1  -connect cid.chorke.org:443 </dev/null
openssl s_client -tls1_1 -connect cid.chorke.org:443 </dev/null
openssl s_client -tls1_2 -connect cid.chorke.org:443 </dev/null
openssl s_client -tls1_3 -connect cid.chorke.org:443 </dev/null
</syntaxhighlight>
| valign="top" colspan="2" |
<syntaxhighlight lang="bash">
xdg-open https://www.cdn77.com/tls-test/result?domain=k8s.aa.shahed.shahed.biz &>/dev/null &
xdg-open https://www.cdn77.com/tls-test/result?domain=k8s.ab.shahed.shahed.biz &>/dev/null &
xdg-open https://www.cdn77.com/tls-test/result?domain=k8s.ac.shahed.shahed.biz &>/dev/null &
xdg-open https://www.cdn77.com/tls-test/result?domain=k8s.ad.shahed.shahed.biz &>/dev/null &
</syntaxhighlight>
|-
| colspan="3" |
----
|-
| valign="top" |
<syntaxhighlight lang="bash">
</syntaxhighlight>
| valign="top" |
<syntaxhighlight lang="bash">
</syntaxhighlight>
| valign="top" |
<syntaxhighlight lang="bash">
</syntaxhighlight>
</syntaxhighlight>
|}
|}
Line 57: Line 309:
{|
{|
|valign='top'|
|valign='top'|
* [[SSH/Public Key Authentication|Security » SSH » Public Key Authentication]]
* [[Apache Basic Authentication|Security » HTTP » Basic Authentication]]
* [[Apache Basic Authentication|Security » HTTP » Basic Authentication]]
* [[OpenLDAP/BackSQL|Security » OpenLDAP » BackSQL]]
* [[OpenLDAP/BackSQL|Security » OpenLDAP » BackSQL]]
* [[Java Key Store|Security » Java » Key Store]]
* [[Java Mail API|Security » Java » Mail API]]
* [[Security/Password|Security » Password]]
* [[Security/Password|Security » Password]]
* [[ZA Proxy|Security » ZA Proxy]]
* [[ZA Proxy|Security » ZA Proxy]]
* [[Security/Domain|Security » Domain]]
* [[Spring Security|Security » Spring]]
* [[Spring Security|Security » Spring]]
* [[HTTP Security|Security » HTTP]]
* [[HTTP Security|Security » HTTP]]
Line 67: Line 321:


|valign='top'|
|valign='top'|
* [https://ssl-config.mozilla.org/ Security » Certificate » TLS » Configuration Generator]
* [[SSH/Public Key Authentication|Security » SSH » Public Key Authentication]]
* [[Security/Container/Snyk|Security » Container » Snyk]]
* [[Security/Container/Trivy|Security » Container » Trivy]]
* [[Security/Container/Cosign|Security » Container » Sign]]
* [[Security/Certificate/TLS|Security » Certificate » TLS]]
* [[Helm/Sign|Security » Helm » Sign]]
* [https://askubuntu.com/questions/700712/how-to-install-wireshark Security » Wireshark]
* [[Jasypt|Security » Jasypt]]


|valign='top'|
|valign='top'|

Latest revision as of 02:19, 24 August 2025

Certificate » Password

# Ten 16-character random passwords, each printed beside its MD5-crypt ($1$)
# hash.  The sample output below is kept for reference only: md5crypt is a
# legacy hash scheme and these are throwaway demo values.
makepasswd --chars 16 --count 10 --crypt-md5
# wTwezXF4sNLoWBsI   $1$OCSDx0zn$U9WW0udI8pYfIrCCuz2Md1
# pfHyhrtvHC4p3oW5   $1$6b/SQRXF$UwLDhHZMyWfsw/S0g6GgZ1
# WLNv9CD8XcR3poHp   $1$oVsmVh6Q$Vq4amLARt2iMezos.pT1N.
# cCJvJU8rFeHbu4Ix   $1$qlaCpIFj$jWqjkdALO535Ww58k3KE2/
# 7WeBH8nwMXR78Gdd   $1$afyCWr0p$6bMRrvCnrBeo/BdVJi70E1
# IxGjQAogqv3e18rj   $1$60UWcAxR$bFfRlXHzVvZkjTripK9v..
# JXveCv0LjsAix5cp   $1$FANZ3WNf$hq2BPd1SXdL.2yvKf0/.7/
# eoFqedaFpKKDqVCw   $1$4TCNgJCv$v1z4Y8IR5a4Nan5VkAAe8/
# 9npSy42dxUH2w15y   $1$APixN7OV$XIe.K3qPi/aezzWyhf7F./
# SuwCWQ39RNKUcKAM   $1$qnnfDUE1$ucuWcIpNBuCvCBjCiHaoG/

Certificate » RootCA

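# Root CA request config.  Plain mktemp (not -u) creates the file atomically
# with mode 0600; -u only prints a predictable name that tee would later
# create with the default umask, on a path another process could claim first.
ROOTCA_CNF="$(mktemp)"
cat >"${ROOTCA_CNF}" <<'CNF'
[ req ]
prompt                 = no
distinguished_name     = dn

[ dn ]
C                      = BD
ST                     = Dhaka
L                      = Munshiganj
O                      = Shahed, Inc.
OU                     = Shahed_ECC_Root_CA_2025
CN                     = Shahed_ECC_Root_CA_2025
emailAddress           = info@shahed.biz
CNF

# Read the root-key passphrase from the terminal (-s: no echo, -r: keep
# backslashes literal) and export it for the openssl calls that follow.
printf 'Password: '
read -r -s ROOTCA_PASS_PHRASE
export ROOTCA_PASS_PHRASE
printf '\n'
# Password: wTwezXF4sNLoWBsI   (example value from the list above; walkthrough only)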

🟡 Certificate » RootCA » RSA


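# RSA root key, AES-256 encrypted under the exported passphrase.  env: hands
# the secret to openssl without echoing it through a subshell or argv.
openssl genpkey -algorithm RSA -aes256 -pass env:ROOTCA_PASS_PHRASE \
  -out Shahed_RSA_Root_CA_2025.key
# Self-signed root, 7305 days (~20 years).  The CA extensions are stated
# explicitly instead of relying on the installed openssl version's defaults
# for req -x509 (older releases add none); -nodes only affects key output
# and was a no-op here.
openssl req -x509 -new -key Shahed_RSA_Root_CA_2025.key -passin env:ROOTCA_PASS_PHRASE \
  -sha256 -days 7305 -config "${ROOTCA_CNF}" \
  -addext 'basicConstraints=critical,CA:TRUE' \
  -addext 'keyUsage=critical,keyCertSign,cRLSign' \
  -addext 'subjectKeyIdentifier=hash' \
  -out Shahed_RSA_Root_CA_2025.pem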

🟢 Certificate » RootCA » EC » 256


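# EC P-256 root key.  genpkey encrypts its output only when a cipher option is
# given; with -pass alone the key was written in the clear, so -aes256 is
# required for the passphrase to take effect.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -aes256 \
  -pass env:ROOTCA_PASS_PHRASE -out Shahed_ECC_Root_CA_2025.key
# Self-signed root, 7305 days (~20 years), with the CA extensions stated
# explicitly rather than left to the openssl version's req -x509 defaults.
openssl req -x509 -new -key Shahed_ECC_Root_CA_2025.key -passin env:ROOTCA_PASS_PHRASE \
  -sha256 -days 7305 -config "${ROOTCA_CNF}" \
  -addext 'basicConstraints=critical,CA:TRUE' \
  -addext 'keyUsage=critical,keyCertSign,cRLSign' \
  -addext 'subjectKeyIdentifier=hash' \
  -out Shahed_ECC_Root_CA_2025.pem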

🟠 Certificate » RootCA » EC » 384


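# EC P-384 root key.  genpkey encrypts its output only when a cipher option is
# given; with -pass alone the key was written in the clear, so -aes256 is
# required for the passphrase to take effect.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -aes256 \
  -pass env:ROOTCA_PASS_PHRASE -out Shahed_ECC_P384_Root_CA_2025.key
# Self-signed root, 7305 days (~20 years), SHA-384 to match the curve, with
# the CA extensions stated explicitly rather than left to openssl defaults.
openssl req -x509 -new -key Shahed_ECC_P384_Root_CA_2025.key -passin env:ROOTCA_PASS_PHRASE \
  -sha384 -days 7305 -config "${ROOTCA_CNF}" \
  -addext 'basicConstraints=critical,CA:TRUE' \
  -addext 'keyUsage=critical,keyCertSign,cRLSign' \
  -addext 'subjectKeyIdentifier=hash' \
  -out Shahed_ECC_P384_Root_CA_2025.pem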

Certificate » RootCA » SubCA

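# Sub CA request config.  Plain mktemp (not -u) creates the file atomically
# with mode 0600 instead of printing a predictable name for tee to create
# later with the default umask.
SUBCA_CNF="$(mktemp)"
cat >"${SUBCA_CNF}" <<'CNF'
[ req ]
prompt                 = no
distinguished_name     = dn
attributes             = req_attrs

[ dn ]
C                      = BD
ST                     = Dhaka
L                      = Munshiganj
O                      = Shahed, Inc.
OU                     = Shahed_ECC_Sub_CA_2025
CN                     = Shahed_ECC_Sub_CA_2025
emailAddress           = info@shahed.biz

[ req_attrs ]
unstructuredName       = Shahed Academia, Inc.
CNF

# X.509v3 extensions for the intermediate: a CA that may sign leaves only
# (pathlen:0) and whose key is limited to certificate and CRL signing.
SUBCA_EXT="$(mktemp)"
cat >"${SUBCA_EXT}" <<'EXT'
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = critical,CA:TRUE,pathlen:0
keyUsage               = critical,keyCertSign,cRLSign
EXT

# Read the sub-CA key passphrase (-s: no echo, -r: keep backslashes literal)
# and export it for the openssl calls that follow.
printf 'Password: '
read -r -s SUBCA_PASS_PHRASE
export SUBCA_PASS_PHRASE
printf '\n'
# Password: pfHyhrtvHC4p3oW5   (example value from the list above; walkthrough only)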

🟡 Certificate » RootCA » SubCA » RSA


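# RSA intermediate key, AES-256 encrypted under the sub-CA passphrase.
openssl genpkey -algorithm RSA -aes256 -pass env:SUBCA_PASS_PHRASE \
  -out Shahed_RSA_Sub_CA_2025.key
openssl req -new -key Shahed_RSA_Sub_CA_2025.key -passin env:SUBCA_PASS_PHRASE \
  -config "${SUBCA_CNF}" -out Shahed_RSA_Sub_CA_2025.csr
# Signed by the RSA root, 2922 days (8 years).  -extfile is what makes this a
# CA certificate (basicConstraints CA:TRUE, keyCertSign): x509 -req takes no
# extensions from the CSR by default, so without it the intermediate cannot
# issue leaves that verify.  -CAcreateserial maintains Shahed_RSA_Root_CA_2025.srl.
openssl x509 -req -in Shahed_RSA_Sub_CA_2025.csr \
  -CA Shahed_RSA_Root_CA_2025.pem -CAkey Shahed_RSA_Root_CA_2025.key \
  -passin env:ROOTCA_PASS_PHRASE -CAcreateserial -days 2922 -sha256 \
  -extfile "${SUBCA_EXT}" -out Shahed_RSA_Sub_CA_2025.pem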

🟢 Certificate » RootCA » SubCA » EC » 256


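# EC P-256 intermediate key.  genpkey encrypts only when a cipher option is
# given; -pass alone left the key in the clear, hence -aes256.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -aes256 \
  -pass env:SUBCA_PASS_PHRASE -out Shahed_ECC_Sub_CA_2025.key
openssl req -new -key Shahed_ECC_Sub_CA_2025.key -passin env:SUBCA_PASS_PHRASE \
  -config "${SUBCA_CNF}" -out Shahed_ECC_Sub_CA_2025.csr
# Signed by the EC root, 2922 days (8 years).  SUBCA_EXT supplies the CA
# extensions (basicConstraints CA:TRUE, keyCertSign), which x509 -req does not
# take from the CSR by default.
openssl x509 -req -in Shahed_ECC_Sub_CA_2025.csr \
  -CA Shahed_ECC_Root_CA_2025.pem -CAkey Shahed_ECC_Root_CA_2025.key \
  -passin env:ROOTCA_PASS_PHRASE -CAcreateserial -days 2922 -sha256 \
  -extfile "${SUBCA_EXT}" -out Shahed_ECC_Sub_CA_2025.pem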

🟠 Certificate » RootCA » SubCA » EC » 384


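# EC P-384 intermediate key.  genpkey encrypts only when a cipher option is
# given; -pass alone left the key in the clear, hence -aes256.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -aes256 \
  -pass env:SUBCA_PASS_PHRASE -out Shahed_ECC_P384_Sub_CA_2025.key
openssl req -new -key Shahed_ECC_P384_Sub_CA_2025.key -passin env:SUBCA_PASS_PHRASE \
  -config "${SUBCA_CNF}" -out Shahed_ECC_P384_Sub_CA_2025.csr
# Signed by the P-384 root, 2922 days (8 years), SHA-384 to match the curve.
# SUBCA_EXT supplies the CA extensions, which x509 -req does not take from
# the CSR by default.
openssl x509 -req -in Shahed_ECC_P384_Sub_CA_2025.csr \
  -CA Shahed_ECC_P384_Root_CA_2025.pem -CAkey Shahed_ECC_P384_Root_CA_2025.key \
  -passin env:ROOTCA_PASS_PHRASE -CAcreateserial -days 2922 -sha384 \
  -extfile "${SUBCA_EXT}" -out Shahed_ECC_P384_Sub_CA_2025.pem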

Certificate » RootCA » SubCA » Server

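# Server CSR config.  Plain mktemp (not -u) creates the file atomically with
# mode 0600 instead of printing a predictable name for tee to create later
# with the default umask.
SERVER_CNF="$(mktemp)"
cat >"${SERVER_CNF}" <<'CNF'
[ req ]
prompt                 = no
distinguished_name     = dn
req_extensions         = req_ext
attributes             = req_attrs

[ dn ]
C                      = BD
ST                     = Dhaka
L                      = Munshiganj
O                      = Shahed, Inc.
OU                     = aa.shahed.shahed.biz
CN                     = aa.shahed.shahed.biz
emailAddress           = info@shahed.biz

[ req_ext ]
subjectAltName         = @alt_names

[ req_attrs ]
unstructuredName       = Shahed Academia, Inc.

[ alt_names ]
IP.1                   = 10.20.30.1
IP.2                   = 10.20.40.1
DNS.1                  = aa.shahed.shahed.biz
CNF

# Leaf extensions for x509 -req (-extfile).  The SAN list is repeated here
# because x509 -req does not copy req_extensions from the CSR by default.
SERVER_EXT="$(mktemp)"
cat >"${SERVER_EXT}" <<'EXT'
basicConstraints       = CA:FALSE
subjectAltName         = @alt_names
extendedKeyUsage       = serverAuth,clientAuth
keyUsage               = digitalSignature,keyEncipherment

[ alt_names ]
IP.1                   = 10.20.30.1
IP.2                   = 10.20.40.1
DNS.1                  = aa.shahed.shahed.biz
EXT

# The issuing sub-CA passphrase is needed again to sign the leaf
# (-s: no echo, -r: keep backslashes literal).
printf 'Password: '
read -r -s SUBCA_PASS_PHRASE
export SUBCA_PASS_PHRASE
printf '\n'
# Password: pfHyhrtvHC4p3oW5   (example value from the list above; walkthrough only)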

🟡 Certificate » RootCA » SubCA » Server » RSA


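# Server key: RSA 2048-bit (genpkey's default, made explicit).  Left
# unencrypted so the server can load it without a passphrase.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out aa.shahed.shahed.biz.key
openssl req -new -key aa.shahed.shahed.biz.key -config "${SERVER_CNF}" -out aa.shahed.shahed.biz.csr
# Leaf signed by the RSA sub CA, 1461 days (4 years).  x509 -req does not copy
# the CSR's req_extensions by default, so SAN/EKU/keyUsage must come from
# SERVER_EXT; without -extfile the certificate has no subjectAltName and
# modern clients reject it.
openssl x509 -req -in aa.shahed.shahed.biz.csr \
  -CA Shahed_RSA_Sub_CA_2025.pem -CAkey Shahed_RSA_Sub_CA_2025.key \
  -passin env:SUBCA_PASS_PHRASE -CAcreateserial -days 1461 -sha256 \
  -extfile "${SERVER_EXT}" -out aa.shahed.shahed.biz.crt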

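# Intermediate + root bundle for clients, then leaf + chain for the server.
cat Shahed_RSA_Sub_CA_2025.pem Shahed_RSA_Root_CA_2025.pem > Shahed_RSA_CA_2025.ca-chain.pem
cat aa.shahed.shahed.biz.crt Shahed_RSA_CA_2025.ca-chain.pem > aa.shahed.shahed.biz.fullchain.pem
# The combined .pem also holds the private key, so it must not be created
# under the default (usually world-readable) umask; the chmod covers the case
# where an earlier run already left the file behind with wider permissions.
( umask 077 && cat aa.shahed.shahed.biz.fullchain.pem aa.shahed.shahed.biz.key > aa.shahed.shahed.biz.pem )
chmod 600 -- aa.shahed.shahed.biz.pem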

🟢 Certificate » RootCA » SubCA » Server » EC » 256


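# Server key on P-256 (prime256v1); unencrypted for unattended server start.
openssl ecparam -name prime256v1 -genkey -noout -out aa.shahed.shahed.biz.key
openssl req -new -key aa.shahed.shahed.biz.key -config "${SERVER_CNF}" -out aa.shahed.shahed.biz.csr
# Leaf signed by the EC sub CA, 1461 days (4 years).  x509 -req does not copy
# the CSR's req_extensions by default, so SAN/EKU/keyUsage must come from
# SERVER_EXT; without -extfile the certificate has no subjectAltName.
openssl x509 -req -in aa.shahed.shahed.biz.csr \
  -CA Shahed_ECC_Sub_CA_2025.pem -CAkey Shahed_ECC_Sub_CA_2025.key \
  -passin env:SUBCA_PASS_PHRASE -CAcreateserial -days 1461 -sha256 \
  -extfile "${SERVER_EXT}" -out aa.shahed.shahed.biz.crt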

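# Intermediate + root bundle for clients, then leaf + chain for the server.
cat Shahed_ECC_Sub_CA_2025.pem Shahed_ECC_Root_CA_2025.pem > Shahed_ECC_CA_2025.ca-chain.pem
cat aa.shahed.shahed.biz.crt Shahed_ECC_CA_2025.ca-chain.pem > aa.shahed.shahed.biz.fullchain.pem
# The combined .pem also holds the private key, so it must not be created
# under the default (usually world-readable) umask; the chmod covers the case
# where an earlier run already left the file behind with wider permissions.
( umask 077 && cat aa.shahed.shahed.biz.fullchain.pem aa.shahed.shahed.biz.key > aa.shahed.shahed.biz.pem )
chmod 600 -- aa.shahed.shahed.biz.pem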

🟠 Certificate » RootCA » SubCA » Server » EC » 384


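# Server key on P-384 (secp384r1); unencrypted for unattended server start.
openssl ecparam -name secp384r1 -genkey -noout -out aa.shahed.shahed.biz.key
openssl req -new -key aa.shahed.shahed.biz.key -config "${SERVER_CNF}" -out aa.shahed.shahed.biz.csr
# Leaf signed by the P-384 sub CA, 1461 days (4 years), SHA-384 to match the
# curve.  x509 -req does not copy the CSR's req_extensions by default, so
# SAN/EKU/keyUsage must come from SERVER_EXT via -extfile.
openssl x509 -req -in aa.shahed.shahed.biz.csr \
  -CA Shahed_ECC_P384_Sub_CA_2025.pem -CAkey Shahed_ECC_P384_Sub_CA_2025.key \
  -passin env:SUBCA_PASS_PHRASE -CAcreateserial -days 1461 -sha384 \
  -extfile "${SERVER_EXT}" -out aa.shahed.shahed.biz.crt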

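# Intermediate + root bundle for clients, then leaf + chain for the server.
cat Shahed_ECC_P384_Sub_CA_2025.pem Shahed_ECC_P384_Root_CA_2025.pem > Shahed_ECC_P384_CA_2025.ca-chain.pem
cat aa.shahed.shahed.biz.crt Shahed_ECC_P384_CA_2025.ca-chain.pem > aa.shahed.shahed.biz.fullchain.pem
# The combined .pem also holds the private key, so it must not be created
# under the default (usually world-readable) umask; the chmod covers the case
# where an earlier run already left the file behind with wider permissions.
( umask 077 && cat aa.shahed.shahed.biz.fullchain.pem aa.shahed.shahed.biz.key > aa.shahed.shahed.biz.pem )
chmod 600 -- aa.shahed.shahed.biz.pem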

Playground

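# Inspect, then discard, every artifact the walkthrough leaves in the cwd
# (keys included).  -- stops option parsing on odd filenames.
ls -alh -- *.{crt,csr,key,pem,srl}
rm -f -- *.{crt,csr,key,pem,srl}
# Remove all five temp config files, not only two; they are regular files,
# so -r is unnecessary, and quoting keeps an empty/unset name from
# expanding to no operand.
rm -f -- "${ROOTCA_CNF}" "${SUBCA_CNF}" "${SUBCA_EXT}" "${SERVER_CNF}" "${SERVER_EXT}"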

# Playground: exposure check of one's own VPN host, then local auth/kernel
# log tailing and account sanity checks.
nmap vpn.shahed.biz --reason -Pn --top 20
nmap vpn.shahed.biz --reason -Pn -p25,465,587,993
sudo tail -n 100 -f /var/log/auth.log
sudo tail -n 100 -f /var/log/kern.log
# grep runs under sudo directly instead of piping a privileged cat
sudo grep -- nobody /etc/shadow
last

sudo apt-get install makepasswd
# --clearfrom=- hashes a cleartext supplied on stdin instead of generating one
printf '%s\n' 'sadaqah!' | makepasswd --crypt-md5 --clearfrom=-
# generation variants: md5crypt, traditional crypt, plain, single value
makepasswd --chars 12 --count 5 --crypt-md5
makepasswd --chars 12 --count 5 --crypt
makepasswd --chars 12 --count 5
makepasswd --chars 12

# TLS version probe: attempt a handshake with each protocol version in turn
# (a failure means the server, or the local openssl build, refuses that version).
for ver in tls1 tls1_1 tls1_2 tls1_3; do
  openssl s_client "-${ver}" -connect cid.chorke.org:443 </dev/null
done
# Open the external TLS report for each cluster host in the browser, detached.
for host in aa ab ac ad; do
  xdg-open "https://www.cdn77.com/tls-test/result?domain=k8s.${host}.shahed.shahed.biz" &>/dev/null &
done

References