Re: https and self signed




> -----Original Message-----
> From: Warren Young
> Sent: Wednesday, June 15, 2016 10:26
> To: CentOS mailing list
> Subject: Re:  https and self signed
> 
> On Jun 15, 2016, at 7:47 AM, Jerry Geis <geisj@xxxxxxxxxxxxxxx> wrote:
> > 
> > Yes I can added the --insecure for curl - but - my other app doesn't

For the love of all that is holy, create your own CA and have your own PKI,
even for testing.

> > seem to work either - perhaps getting the same return message instead
> > of the actual file.
> 
...
> It's too bad, because self-signed certificates are only unusual on the
> public Internet.  I wish the designers of TLS
...
> self-signed cert that declares that it is for 172.16.69.42, and that any
> host on 172.16.69.0/24 should trust it implicitly.

It is very easy to create your own CA to sign your own certs. There is no
need to support self-signed "leaf nodes" of the PKI.

I have taken some liberties on this to save me time; you will need to change
config values to suit your needs.

$ mkdir -p CA/{private,certs}
$ cd CA
# copy the default openssl config
$ cp -v "$(openssl ca -verbose 2>&1 | head -n 1 | sed 's/Using configuration from //')" .
# point the CA database at this directory (run openssl ca from here)
$ sed -i 's/^\(\s*dir\s*=.*\)/#\1\ndir=./' openssl.cnf
$ sed -i 's|^\(\s*certificate\s*=.*\)|#\1\ncertificate=$dir/CA.crt|' openssl.cnf
$ sed -i 's|^\(\s*private_key\s*=.*\)|#\1\nprivate_key=$dir/private/CA.key|' openssl.cnf
# issued certs land in certs/ (created above), one file per serial number
$ sed -i 's|^\(\s*new_certs_dir\s*=.*\)|#\1\nnew_certs_dir=$dir/certs|' openssl.cnf
$ touch index.txt
# done setting up the file system
$ openssl req -config openssl.cnf -new -nodes -keyout private/CA.key -out CA.csr
# answer the questions
# -extensions v3_ca gives the root basicConstraints CA:TRUE; the default
# usr_cert extensions would mark it CA:FALSE and clients would reject the chain
$ openssl ca -config openssl.cnf -batch -in CA.csr -create_serial -selfsign -extensions v3_ca
# there should only be one cert, the CA's self signed cert
$ cp certs/*.pem CA.crt
# done creating the CA


# now you can sign your server certificate signing requests (CSR)

# make a csr (answer the questions; CN should be the server's name)
$ openssl req -new -nodes -keyout server.key -out server.csr

# sign server.csr
$ openssl ca -config openssl.cnf -batch -in server.csr

# files at end of email for understanding...


> 
> Such a cert could not be used to prove identity, prevent 
> spoofing, or prevent MITM attacks, but it would give a way to 
> set up encryption, which is often all you actually want.  
> MITM attacks could be largely prevented with certificate pinning.

And reducing the trusted CA set in your enterprise.



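As an added example (not code from the original email), the same idea end to end: a private CA issues a certificate for the 172.16.69.42 host from the thread with a proper subjectAltName, and the chain is then verified the way curl does with --cacert, so --insecure is never needed. It uses openssl req/x509 instead of the openssl ca database workflow above; it assumes openssl is on PATH, and the directory and file names are this script's own choices.

```shell
#!/bin/sh
# make_private_ca <workdir> <server-ip>
# Builds a root CA, issues one server cert for <server-ip>, verifies the chain.
make_private_ca() {
    dir="$1"; ip="$2"
    mkdir -p "$dir/private" || return 1
    chmod 700 "$dir/private"
    # Minimal config: the empty DN section is fine because -subj supplies the name.
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # 1. Root CA key and self-signed CA cert: the only thing clients must trust.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/openssl.cnf" -subj "/CN=Lab Root CA" \
        -keyout "$dir/private/CA.key" -out "$dir/CA.crt" 2>/dev/null || return 1
    # 2. Server key and CSR (normally generated on the server and sent to the CA).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/openssl.cnf" -subj "/CN=$ip" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # 3. The CA signs the CSR. The SAN is what curl matches the URL host against
    #    (a bare CN is not enough for modern clients); CA:FALSE stops the server
    #    cert from being used to sign further certificates.
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = IP:%s\n' "$ip" \
        > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/CA.crt" \
        -CAkey "$dir/private/CA.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null || return 1
    # 4. Chain check, i.e. what curl does given the CA cert instead of --insecure:
    #    curl --cacert "$dir/CA.crt" "https://$ip/"
    openssl verify -CAfile "$dir/CA.crt" "$dir/server.crt"
}
```

Distribute only CA.crt to clients; the private key stays in private/ on the CA host.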

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos


