Contents:
Certificate Signing Request
Environment:
Any virtual machine (VirtualBox, LXC, etc.) running Ubuntu 16.04 server.
# Generate a fresh 2048-bit RSA key and a certificate signing request (CSR).
# -nodes leaves keyfile.pem unencrypted on disk (no passphrase), so restrict
# its permissions; -days is only honoured together with -x509 and has no
# effect on a plain CSR.
openssl req -nodes -days 10 -newkey rsa:2048 -keyout keyfile.pem -out certfile.pem
# Verify the CSR's self-signature (-verify); -key supplies the matching key.
openssl req -in certfile.pem -noout -verify -key keyfile.pem
# Print the CSR (subject, public key, requested extensions) in readable form.
openssl req -in certfile.pem -noout -text
Create a Private Certificate Authority
# Working directory for the private CA and the layout caconfig.cnf expects:
# signedcerts/ (new_certs_dir), private/ (CA key), serial and index.txt.
mkdir ~/my-ca
cd ~/my-ca
mkdir signedcerts private
ls
# First serial number to issue and an empty certificate database.
echo '01' > serial
touch index.txt
nano caconfig.cnf
# Point every openssl invocation at the CA config (contents listed below).
export OPENSSL_CONF=~/my-ca/caconfig.cnf
# Self-signed root certificate, valid 5 years. The subject comes from
# root_ca_distinguished_name (prompt = no) and the CA key is written to
# private/cakey.pem (default_keyfile); no -nodes, so the key is
# passphrase-protected -- keep that passphrase, it is needed for every signing.
openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 1825
ls
cd private
ls
# NOTE(review): later steps read ~/my-ca/server_crt.pem and ~/my-ca/basekey.pem,
# so the commands from here on appear to have been run in ~/my-ca, not in
# private/ -- a "cd .." seems to be missing from the transcript.
nano testserver.cnf
# Server key + CSR under the server request config (no -nodes: the key is
# passphrase-protected).
export OPENSSL_CONF=~/my-ca/testserver.cnf
openssl req -newkey rsa:2048 -keyout basekey.pem -keyform PEM -out basereq.pem -outform PEM
# Sign the CSR with the CA; openssl ca also files a copy as signedcerts/01.pem
# and records it in index.txt.
export OPENSSL_CONF=~/my-ca/caconfig.cnf
openssl ca -in basereq.pem -out server_crt.pem
cd signedcerts
ls
cat 01.pem
cd ..
ls
Contents of caconfig.cnf:
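# My sample caconfig.cnf file.
#
# Default configuration to use when one is not provided on the command line.
# Read by "openssl ca" (sections [ca] / [local_ca]) and by "openssl req"
# (section [req]) whenever OPENSSL_CONF points here.
#
[ ca ]
default_ca = local_ca
#
#
# Default location of directories and files needed to generate certificates.
# Everything is anchored on $dir; signedcerts/, private/, serial and
# index.txt must exist before "openssl ca" is run.
#
[ local_ca ]
dir = /home/ubuntu/my-ca
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/signedcerts
private_key = $dir/private/cakey.pem
serial = $dir/serial
#
#
# Default expiration and encryption policies for certificates.
#
default_crl_days = 365
default_days = 1825
# SHA-256 signatures: SHA-1-signed certificates are rejected by current
# browsers and by OpenSSL's default security level (was: sha1).
default_md = sha256
#
policy = local_ca_policy
x509_extensions = local_ca_extensions
#
#
# Copy extensions specified in the certificate request (this is how the
# subjectAltName from testserver.cnf reaches the issued certificate). With
# "copy", extensions already defined in local_ca_extensions take precedence,
# so a request cannot override basicConstraints.
#
copy_extensions = copy
#
#
# Default policy to use when generating server certificates. The following
# fields must be defined in the server certificate ("supplied" = the request
# must carry the field; any value is accepted).
#
[ local_ca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = supplied
#
#
# x509 extensions to use when generating server certificates.
# CA:false ensures an issued end-entity certificate can never sign others.
#
[ local_ca_extensions ]
basicConstraints = CA:false
#
#
# The default root certificate generation policy ("openssl req -x509").
#
[ req ]
default_bits = 2048
# Where the CA private key is written; keep this file passphrase-protected
# and readable by the CA operator only.
default_keyfile = /home/ubuntu/my-ca/private/cakey.pem
# Same reasoning as above: sign the root certificate with SHA-256 (was: sha1).
default_md = sha256
#
# prompt = no: the subject is taken verbatim from root_ca_distinguished_name.
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
#
#
# Root Certificate Authority distinguished name. Change these fields to match
# your local environment!
#
[ root_ca_distinguished_name ]
commonName = stuff.com
stateOrProvinceName = Ontario
countryName = CA
emailAddress = info@bootstrap-it.com
organizationName = Bootstrap IT
organizationalUnitName = Tech
#
# The root certificate is the only one allowed to act as a CA.
[ root_ca_extensions ]
basicConstraints = CA:true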
Contents of testserver.cnf:
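#
# testserver.cnf
#
# "openssl req" configuration for the server key + CSR, selected via
# OPENSSL_CONF. The signing CA (caconfig.cnf, copy_extensions = copy) carries
# the v3_req extensions over into the issued certificate.
#
[ req ]
# prompt = no: the subject is taken verbatim from server_distinguished_name.
prompt = no
distinguished_name = server_distinguished_name
req_extensions = v3_req
[ server_distinguished_name ]
commonName = stuff.com
stateOrProvinceName = Ontario
countryName = CA
emailAddress = info@bootstrap-it.com
organizationName = Bootstrap IT
organizationalUnitName = IT
[ v3_req ]
# End-entity certificate: must never be usable to sign other certificates.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.0 = www.stuff.com
# Browsers ignore the commonName once a SAN is present, so the bare name the
# Apache ServerName uses (stuff.com) has to be listed here as well.
DNS.1 = stuff.com
# An IP address must be an IP entry, not a DNS entry (was "DNS.1 = 10.0.3.63");
# clients connecting by address only match against iPAddress SANs.
IP.0 = 10.0.3.63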
Revoking Certificates
# Directory for the certificate revocation list.
mkdir revoked
# Generate the CRL from the CA database; its next-update interval comes from
# default_crl_days (365) in caconfig.cnf. A CRL has to be (re)published after
# every revocation or relying parties never learn about it.
openssl ca -gencrl -config ~/my-ca/caconfig.cnf -out revoked/crl.pem
# Inspect the CRL (issuer, dates, revoked serials -- none yet).
openssl crl -in revoked/crl.pem -noout -text
[create second cert to revoke]
# Revoke the second issued certificate (serial 02 in signedcerts/). This marks
# the entry in index.txt but does not update the CRL by itself.
openssl ca -config caconfig.cnf -revoke signedcerts/02.pem
# Regenerate and re-inspect the CRL so the revocation is actually published.
openssl ca -gencrl -config ~/my-ca/caconfig.cnf -out revoked/crl.pem
openssl crl -in revoked/crl.pem -noout -text
Note: to generate a new certificate (so you can turn around and revoke it), you'll need to create a new testserver2.cnf file whose contents point to a new host name (I used morestuff.com rather than stuff.com). Then run these commands to create and sign the certificate.
# Second server key + CSR, using the testserver2.cnf subject described above.
# No -nodes, so basekey2.pem is passphrase-protected.
export OPENSSL_CONF=~/my-ca/testserver2.cnf
openssl req -newkey rsa:2048 -keyout basekey2.pem -keyform PEM -out basereq2.pem -outform PEM
# Switch back to the CA config and sign it; the CA's copy lands in
# signedcerts/ as 02.pem (the file revoked above).
export OPENSSL_CONF=~/my-ca/caconfig.cnf
openssl ca -in basereq2.pem -out server2_crt.pem
Configure Apache for SSL
[lxc]
# Enable mod_ssl and the stock default-ssl virtual host shipped with Ubuntu.
sudo a2enmod ssl
sudo a2ensite default-ssl
cd /etc/apache2/sites-available
ls
# Point the virtual host at the certificate and key issued by the private CA
# (the next two lines are the directives edited inside default-ssl.conf).
sudo nano default-ssl.conf
SSLCertificateFile /home/ubuntu/my-ca/server_crt.pem
# NOTE(review): basekey.pem was generated without -nodes, so it is
# passphrase-protected and Apache will prompt at every start unless the
# passphrase is removed or SSLPassPhraseDialog is configured. The key also
# lives under a user's home directory; keep it readable by root only.
SSLCertificateKeyFile /home/ubuntu/my-ca/basekey.pem
cd ..
ls
# Global ServerName, matching the name in the certificate.
sudo nano /etc/apache2/apache2.conf
ServerName stuff.com [in Global section]
sudo systemctl restart apache2
sudo systemctl status apache2
Importing SSL Certificates to Browsers
Environment:
Use this command to prepare the package for your client browser:
cd ~/my-ca
# Bundle the server certificate and its private key into a PKCS#12 file
# (prompts for the basekey.pem passphrase and for an export password).
# NOTE(review): the output name looks truncated -- PKCS#12 files conventionally
# end in .p12/.pfx; confirm the intended file name.
# NOTE(review): this bundle contains the server's PRIVATE key. What a browser
# needs in order to trust the site is the CA certificate (cacert.pem) in its
# trust store; the server key should not be handed to clients.
openssl pkcs12 -export -in server_crt.pem -inkey basekey.pem -out browser.p1
Testing SSL Configurations
Environment:
Run the first command from "inside" the server and the second command from anywhere else on the Internet.
# From the server itself: perform a TLS handshake and validate the presented
# chain against the CA certificates under -CApath; the "Verify return code"
# line in the output shows the result.
openssl s_client -CApath /home/ubuntu/.getssl/certs -connect bootstrap-it.com:443
# From any other host: the same handshake against a public site. Whether the
# chain verifies depends on the default CA locations of the local OpenSSL.
openssl s_client -connect pluralsight.com:443
HSTS
Environment:
Add the first entry to the appropriate Apache configuration block to deploy HSTS. Substitute the second entry to add Preload.
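# Enable HSTS: a browser that has seen this header refuses plain-HTTP
# connections to the host (and, with includeSubDomains, to every subdomain)
# for max-age seconds (31536000 = one year). "always" also sets it on error
# responses. The value is a single argument and must be quoted, and the header
# name carries no trailing colon (was: Strict-Transport-Security: max-age=...).
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Preload variant, the form required for submission to the browser preload
# lists. Inclusion is hard to undo, so only use it once every subdomain is
# already served over HTTPS.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"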
Ecryptfs
Environment:
From a VirtualBox instance.
# Load the kernel module and the user-space tools.
sudo modprobe ecryptfs
sudo apt install ecryptfs-utils
sudo adduser mydata
# Encrypt the existing home directory in place. The user must not be logged
# in; a plaintext backup copy (/home/mydata.<random>) is left behind.
sudo ecryptfs-migrate-home -u mydata
su mydata
# Prints the randomly generated mount passphrase. Record it somewhere safe
# offline: it is the only way to recover the data if the login passphrase is
# ever lost or changed outside of PAM.
ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
ecryptfs-mount-private
cd /home/mydata
touch newfile
ls
cd /home
ls
# Compare the mounted (decrypted) home with the plaintext backup before
# removing the backup.
diff mydata mydata.h0q-gaF6
# NOTE(review): this directory name differs from the one in the diff above
# (h0q-gaF6 vs h9q0gaF6) -- one is a transcription error; check with ls first.
# A plain rm leaves the plaintext blocks recoverable on disk; for sensitive
# data prefer a secure wipe (e.g. shred) of the backup.
sudo rm -r mydata.h9q0gaF6
# Encrypt swap so decrypted pages can never be written to disk in clear.
ecryptfs-setup-swap
# Private.mnt records where the encrypted directory is mounted.
cd /home/mydata/.ecryptfs
ls
cat Private.mnt
# Second account: encrypt only a ~/Private directory rather than the whole home.
sudo adduser newacc
su newacc
cd ~
ecryptfs-setup-private
ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
touch newfile
ls
# Manual mount of the encrypted lower directory onto the home directory
# (prompts for the passphrase and mount options), then unmount again.
sudo mount -t ecryptfs /home/.ecryptfs/mydata/.Private /home/mydata
mount | grep ecrypt
sudo umount.ecryptfs /home/mydata
mount | grep ecrypt
su mydata
cd /home/.ecryptfs/mydata/.ecryptfs
ls
# PAM configuration: presumably the pam_ecryptfs entries that unwrap the
# passphrase and mount the home at login live in these two files -- verify.
cd /etc/pam.d
less common-auth
less common-session
Cryptsetup
Environment:
From VirtualBox instance.
# Identify the target block device before doing anything destructive.
lsblk
# Overwrite the whole of /dev/sdb with zeros -- irreversible; double-check the
# device name against the lsblk output first.
sudo dd if=/dev/zero of=/dev/sdb bs=4096
# Create the LUKS container (prompts for a passphrase): AES-XTS with a 512-bit
# key, SHA-512 for key derivation, about 2 s of PBKDF work per unlock attempt.
sudo cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 2000 /dev/sdb
# Unlock it as /dev/mapper/MyArchive, put a filesystem on the mapped device
# and mount it.
sudo cryptsetup luksOpen /dev/sdb MyArchive
sudo mkfs.ext4 /dev/mapper/MyArchive
sudo mkdir /home/archive
sudo mount /dev/mapper/MyArchive /home/archive
# Show the active mapping and the LUKS header metadata (cipher, key slots).
sudo cryptsetup -v status MyArchive
sudo cryptsetup luksDump /dev/sdb
cd /home/archive
sudo nano stuff
[Move drive to workstation and it should mount automatically, prompting for authentication.]
Setting up BIND
Environment:
Launch a web server running CentOS 7 in a VirtualBox VM on 192.168.0.127, mapped to stuff.com in /etc/hosts on my physical workstation. The BIND server is a separate VM, also running on VirtualBox.
# Install BIND and its client tools (dig, delv, dnssec-*).
yum install bind bind-utils
# Edit the server config; the file-location settings live in "options".
nano /etc/named.conf [show file location settings in "options"]
Comment out the "Listen on port 53" line.
Set dnssec-enable and dnssec-validation to "yes".
Set dnssec-lookaside to "auto".
Set recursion to "no".
Enter stuff.com as the zone name.
Confirm that this is a master server.
/var/named/stuff.com.zone
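# Restart BIND to pick up the named.conf edits above and confirm it came up.
systemctl restart named
systemctl status named
# Force IPv4-only operation: edit the unit file and append -4 to the $OPTIONS
# on its ExecStart line.
cd /lib/systemd/system
ls | grep named
nano named.service
$OPTIONS -4 [add to ExecStart line]
systemctl restart named
# systemd only re-reads unit files after daemon-reload (was misspelled
# "deamon-reload", which fails and leaves the old unit in effect); the restart
# that follows it is the one that applies -4.
systemctl daemon-reload
systemctl restart named
systemctl status named
# Start BIND automatically at boot.
systemctl enable named
# Zone files live in /var/named on CentOS (was "cd /var/bind", which matches
# none of the other paths in these notes).
cd /var/named
nano stuff.com.zone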
Contents of /var/named/stuff.com.zone:
$TTL 86400
; Start of authority: primary nameserver and zone contact (root.stuff.com.
; is root@stuff.com with the "@" written as ".").
@ IN SOA ns1.stuff.com. root.stuff.com. (
; Serial is YYYYMMDDnn; it must increase on every edit or secondaries will not
; pick up changes (dnssec-signzone -N INCREMENT bumps it automatically).
2013042201 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
; Specify nameserver address(es)
IN NS ns1.stuff.com.
; Resolve nameserver hostname(s) to IP
ns1 IN A 192.168.0.126
; Define hostname -> IP pairs which you wish to resolve
; NOTE(review): the environment note above puts the web server at
; 192.168.0.127; confirm which address is correct.
@ IN A 192.168.0.124
www IN A 192.168.0.124
Generating DNSSEC Keys
Environment:
Any VM (VirtualBox, LXC, etc.) running CentOS 7.
yum install epel-release
# haveged feeds the kernel entropy pool so key generation does not stall on
# /dev/random inside a VM.
yum install haveged
haveged -r 0
cd /var/named
# Zone-signing key (2048-bit) and key-signing key (4096-bit, -f KSK).
# NOTE(review): NSEC3RSASHA1 is deprecated for new signing; the administration
# section below uses RSASHA256 instead (the +007+ in the file names below
# encodes algorithm 7, so those names change with the algorithm).
dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE stuff.com
dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE stuff.com
ls
# Pull the public keys into the zone. NOTE(review): as written this appends
# only the bare file name (without "$INCLUDE") and the second echo has no
# redirection; the editor step two lines down is what adds the two $INCLUDE
# lines.
echo Kstuff.com.+007+36723.key >> stuff.com.zone
echo Kstuff.com.+007+58553.key
nano stuff.com.zone
add $INCLUDE (x2)
# Sign the zone with NSEC3 (-3) using a random 8-byte salt, bump the SOA
# serial (-N INCREMENT) and print statistics (-t); the output file is
# stuff.com.zone.signed.
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o stuff.com -t stuff.com.zone
ls
# Point the zone's "file" entry at the signed zone and restart.
nano /etc/named.conf
edit to: stuff.com.zone.signed
systemctl restart named
# Verify: the DNSKEY set, a signed A answer, a validated lookup via delv, and
# the DS records (dsset-stuff.com) that have to be handed to the parent zone.
dig DNSKEY stuff.com @localhost +multiline
dig A stuff.com. @localhost +noadditional +dnssec +multiline
delv +vtrace ANY google.com
cat dsset-stuff.com
DNSSEC Administration
Environment:
To avoid confusion, use a new directory that doesn't already contain certificates or keys.
# Zone-signing key with explicit lifecycle timing: publish in 1 day (-P),
# activate at 4 days (-A), stop signing at 34 (-I), delete at 44 (-D).
# RSASHA256 replaces the deprecated NSEC3RSASHA1 used in the earlier section.
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -P +1d -A +4d -I +34d -D +44d stuff.com
# Print all timing fields of a key.
# NOTE(review): no key file is named here -- presumably the K*.key file from
# the previous command, as on the third line below.
dnssec-settime -p all
# Push inactivation out to 2 months and deletion to 10 weeks from now.
dnssec-settime -I +2mo -D +10w keyname
dnssec-settime -p all keyname
systemctl restart named
# Generate a TSIG (shared-secret) key for authenticating dynamic updates and
# rndc. HMAC-MD5 is deprecated for TSIG; HMAC-SHA256 is the current choice.
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST tsigkey
# The .private file holds the secret to paste into named.conf. The value
# reproduced further down in these notes is exposed; generate a fresh key
# before using any of this for real.
cat Ktsigkey.+157+09285.private [copy value of key]
cd /etc
nano named.conf
// TSIG key shared between named and every client allowed to send updates.
// hmac-md5 is deprecated for TSIG; prefer hmac-sha256 for a new key.
key tsigkey {
algorithm hmac-md5;
// NOTE(review): this secret is reproduced in these notes and must be treated
// as compromised -- generate a fresh key before reuse.
secret "EZRYlo6bgDcwl0ZlYlfgJw==";
};
[zone:]
// Inside the zone statement: accept dynamic updates only when they are signed
// with tsigkey (a key-based ACL cannot be spoofed the way a source-IP ACL can).
allow-update { key tsigkey ; } ;
# Syntax-check named.conf before restarting so a typo cannot take DNS down.
named-checkconf
systemctl restart named
systemctl status named
# Next edit: add the controls statement shown below.
nano named.conf
// Control channel for rndc: reachable on loopback only, and every command
// must be authenticated with tsigkey.
controls {
inet 127.0.0.1 allow { localhost; }
keys { tsigkey; };
};
# rndc needs its own copy of the key plus default server/key settings (below).
nano rndc.conf [copy key section from named.conf]
// Same key as in named.conf; the two copies must match byte for byte.
key tsigkey {
algorithm hmac-md5;
secret "EZRYlo6bgDcwl0ZlYlfgJw==";
};
---
// rndc defaults: talk to the local control channel and sign with tsigkey.
options {
default-server localhost;
default-key "tsigkey";
};
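# rndc.conf holds the shared secret: make it readable by its owner only.
chmod 600 rndc.conf
# (was "systenctl", a typo that would have left the new controls unused)
systemctl restart named
systemctl status named
# Bare rndc prints its usage; status and reload exercise the control channel.
rndc
rndc status
rndc reload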