AWS
Quick guide on aws for beginners Understanding network concepts in aws How to achieve CI/CD in aws CI/CD in aws managed resources with Jenkins Push Image to aws ECR Using GitHub Actions Setup an EventBridge Rule in aws How ECS & ECR works in aws EKS with Fargate Profile Launch EKS using eksctl in aws Container insight for EKS-Fargate in cloudwatch Deploy aws resources with CloudFormation AWS secrets scanning by GitHub Setup Site to Site VPN Connection in AWS
AZURE
Gateways in Azure Understanding network concepts in Azure Ingress in Azure Kubernetes Service
GCP
Architecting hybrid infrastructure with Anthos

ANSIBLE
Ansible a configuration management tool Runbook Automation tool for playbooks
DOCKER
Docker a containerization Tool Networking in Docker Multi-stage build in Docker what is docker-compose All about Docker swarm
GIT
CLI instruction to work with Git Integrating Jenkins with GitHub Secret detection in GitLab Push Image to ECR Using GitHub Actions
JENKINS
Jenkins a continuous integration tool Acheive CI/CD using Jenkins in AWS Configuring weblogic deployer plugin in Jenkins
KUBERNETES
Kubernetes an orchestration framework Launch kubernetes cluster in Different ways Debugging your kubernetes cluster Certificates renewal of kubernetes cluster Deploying application on Kubernetes cluster api versions to use in manifest file RBACs in Kubernetes Health check of containers in Kubernetes Rancher a cluster management platform Understanding ISTIO as a service mesh
TERRAFORM
Deploying IaC using Terraform Terraform module EKS cluster using Terraform

APACHE
Things to know in Apache How to Configure Apache-httpd Server Setup httpd as os-service on OL8 SiteMinder and its Integration with WebServer Apache SSL Installation Instructions NO_RESOURCES Errors in APACHE with WLS
WEBLOGIC
Installing WebLogic 12.1.3 without GUI WebLogic Server as a managed Azure service WLS domain extension to include JRF template All about OPatch in WLS How to define WorkManager in Weblogic Some known Weblogic exceptions Different OutOfMemory issues Some known Weblogic exceptions Play with WLST Persistent store in WLS Configuration of NodeManager

JAVA
JAVA_OPTIONS Study on JAVA_HEAP Native OOM in Java Heap Types of Threads Various Java-options to use in Java apps How to run Java Flight Recorder dbping a java-weblogic utility
SSL
When & why to use SSL certificates SSLv3 to TLS1.* SHA2 on Oracle https Server Weblogic SSL Renewal Steps
CHEATSHEETs
Linux Cheatsheet Linux Log parsing cheetsheet SSL Cheatsheet MySQL Cheatsheet PostgreSQL Cheatsheet WebLogic Cheatsheet Python Cheatsheet Kubernetes Cheatsheet Terraform Cheatsheet Hashicorp-vault Cheatsheet GCP Cheatsheet
OTHER
All about Messaging Queue small guide on Python WLSDM monitoring agent in WLS Register driver for MSSqlServer Understanding YAML Understanding Role of an API Gateway SonarQube code analysis

25 June 2015

SSL Cheatsheet

ORACLE-JRE

# to create a keystore.jks file (pair of keys)
$ keytool -genkey -keyalg RSA -alias benefits -keystore keystore.jks \ 
  -storepass 123456 -keysize 2048

# to export/store a certificate in a file 
$ keytool -export -alias benefits -file root.cer -keystore identity.jks -storepass mypass

# to import a certificate into keystore
$ keytool -importcert -file certificate.cer -keystore keystore.jks -alias "Alias" 

# to create a csr request in form of myapp.csr file
$ keytool -certreq -alias benefits -keystore keystore.jks -file myapp.csr

# to generate the certificate as myapp.crt
$ keytool -exportcert -alias benefits -keystore keystore.jks -v -file myapp.crt


# command to convert .pfx to .jks
$ keytool -importkeystore -srckeystore abc.com.pfx \ 
  -destkeystore servercertstore.jks -srcstoretype PKCS12 \ 
  -deststoretype JKS -srcstorepass w3bl0g1c -deststorepass pa55w0rd -noprompt

# command to change alias name
$ keytool -changealias -alias "oldAlias" -destalias "newAlias" -keypass w3bl0g1c \ 
  -keystore servercertstore.jks -storepass pa55word

# command to delete a certificate from Keystore
$ keytool -delete -noprompt -alias ${cert.alias}  -keystore ${keystore.file}  -storepass ${keystore.pass}


IBM-JRE

 # to create jks type DB
 $ ikeycmd -keydb -create -db keystore.jks -pw password -type jks -expire 365

 # request for CSR
 $ ikeycmd -certreq -create -db keystore.jks -label mylabel \ 
   -dn "CN=mysite.com,O=cloudnetes,OU=IT,C=IN" -size 2048  -sig_alg SHA256_WITH_RSA -file mysite.com.csr

 # import certficates into DB
 $ ikeycmd -cert -add -db keystore.jks -label ca_intermediate -file ca-inter.crt
 $ ikeycmd -cert -add -db keystore.jks -label ca_root -file ca-root.crt

 # validate personal/end-entity cert
 $ ikeycmd -cert -receive -file mysite-identity.crt -db keystore.jks


IBM-MQ 

  # add a cert in cert-key DB
 $ runmqakm -cert -add -db keystore.kdb -stashed -label ca_root -file ca_root.crt

 # check all certs
 $ runmqakm -cert -list -db keystore.kdb -stashed

 # delete a cert
 $ runmqakm -cert  -delete  -label mylabel -db keystore.kdb -stashed

 # check cert expiry
 $ runmqakm -cert -details -db keystore.kdb -stashed  -label mylabel | grep -i "Not After"

CERTUTIL

# to view certificate installed on sunone instance
$ certutil -d -P https-pricer-pfix-wxvrw99a0016- -L -n Server-Cert

# to list certificate installed on sunone instance with alias name
$ certutil -d /opt/sunone617/suitespot/alias \ 
  -P https-saXXXit2.abc.com-wsszw2057- -L -n Server-Cert

# listing the details of Server-Cert
$ certutil -L -n Server-Cert -d /instance-name/ -P instance-name

# Generating a CSR & output it to the file serverCert.req
$ certutil -R -s "CN=abc.com,OU=IT, O=CTS, l=Bangalore, st=karnataka, c=IN" -o serverCert.req -a -d /instance_path/P instance -g 2048

# Deleting the existing cert with name Server-Cert
$ certutil -D -n Server-Cert -d /Instance-Name/ -P instance-name-

# Import the cert
$ certutil -A -n Server-Cert -t "u,u,u" -i /instance-path/instance.pem -d /instance-name -P https-instance

OPENSSL

# Decode a CSR
$ openssl req -in mycsr.csr -noout -text

# Decode a certificate
$ openssl x509 -in certificate.crt -text -noout

# Generate a key pair: (.key)
$ openssl genrsa -des3 -out |.key file name| 2048

# Generate self-signed certificate
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt

# Generate CSR to request CA-signed certificate 
$ openssl req -new -newkey rsa:4096 -nodes -keyout server.key -out server.csr


# Create certificates: (.pem)
$ openssl x509 -in name.crt -noout -text 

$ openssl x509 -subject -dates -issuer -noout -in name.crt

# To open key file and check modules
$ openssl rsa -noout -text -in application.key -modulus


CERTIFICATE CHECK/DETAILS 

openssl x509 -in certName.crt  -noout -text
$ openssl x509 -subject -dates -issuer -noout -in file

$ keytool -list -v -keystore keystoreName.jks

$ certutil -L -d certDbName-cert8.db

# Print available ciphers in any Linux host
openssl ciphers -v | awk '{print $2}' | sort | uniq


CURL WITH JAVA KEYSTORE

 Curl doesn't support Java Keystore file, so the file should be converted to a PEM format(PKCS12).

 It consists of the following 3/4 steps:

 STEP1 - Convert keystore to p12 file
 STEP2 - Convert p12 file to pem file
 STEP3 - Export Private key (valid for 2 way mTLS)
 STEP4 - Run curl command with pem files

 1way TLS/Authentication

 STEP1 - Convert keystore to p12 file
 keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.pk12 -srcstoretype JKS -deststoretype PKCS12

 STEP2 - Convert P12 to pem file
 openssl pkcs12 -in truststore.pk12 -out trusted-certs.pem

 STEP3 - Run curl command with pem files ****************
 curl secret --cacert trusted-certs.pem https://localhost:8443/api/hello

 2way TLS/Authentication also known as Mutual Authentication

 STEP1 - Convert keystore to p12 file
 keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype JKS -deststoretype PKCS12

 STEP2 - Convert p12 file to pem file
 openssl pkcs12 -in identity.p12 -nokeys -out client-cert.pem
 openssl pkcs12 -in identity.p12 -nocerts -out client-key.pem

 STEP3 - Export Private key
 openssl pkcs12 -in truststore.pk12  -nodes -nocerts -out client-key.pem

 STEP4 - Run curl command with pem files
 curl --key client-key.pem --cert client-cert.pem --cacert trusted-certs.pem https://localhost:8443/api/hello


No comments:
Labels: ,