Showing posts with label openssl. Show all posts

Thursday 1 July 2021

Testing 2 way ssl with openssl s_client

The intent of this post is to show how to use the openssl s_client program to test 2 way SSL (mutual TLS, where the server also demands a client certificate) between a client and a server.

Here I am assuming you have already configured your server for 2 way SSL and have generated or gathered the required certificates.

List of files required:

a) client certificate
b) client private key -> if it is protected by a passphrase you must know it
c) root CA public certificate -> i.e. the CA that signed the server certificate you will receive during the handshake


Openssl s_client - 2 way ssl test

bash> openssl s_client -connect abc.com:443 -CAfile ca.cert.pem -key client_key.pem -cert client_cert.pem -tls1_2 -state -quiet
Enter pass phrase for client_key.pem:

SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 C = XX, L = Default City, O = Default Company Ltd, CN = abc.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XX, L = Default City, O = Default Company Ltd, CN = ca.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
SSL3 alert read:warning:close notify
SSL3 alert write:warning:close notify

Note: -connect takes host:port (e.g. abc.com:443; use whatever port your server listens on). ca.cert.pem is the root CA public certificate; the other two files are the client certificate and the passphrase-protected client private key. Read the verify lines carefully: verify error:num=18:self signed certificate means the server certificate did not chain to ca.cert.pem, and s_client still completes the handshake after a failed verification unless you add -verify_return_error. Dropping -quiet prints the full session summary, including the Verify return code line; 0 (ok) there is what a successful 2 way SSL test looks like.


Hope this helps :-)
Enjoy :-)

Creating user certificates with encrypted private key using openssl

The intent of this post is to list the steps to generate a user (client) certificate signed by your own root CA, with a private key that is encrypted under a passphrase.


Generate private key with passphrase

bash> openssl genrsa -des3 -passout pass:1234 -out client_key.pem 2048
(the passphrase has to be at least 4 characters long; note that pass:1234 on the command line is visible in your shell history and in the process list, so prefer -passout file:<path> or let openssl prompt for it, and -aes256 is a better choice than -des3 today)

To verify that the private key is encrypted, the easiest check is to open it in an editor: a legacy PEM key shows the Proc-Type/DEK-Info headers below (newer OpenSSL versions may instead write a PKCS#8 key that begins with -----BEGIN ENCRYPTED PRIVATE KEY-----):

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,974D80EBEF938726

hWANCxIG3lT1qaoTqza84pk10JeGD2vUXoVRj92WI2k+eYJvVhnW/tz5cZzNeozu
............................................
............................................
............................................
-----END RSA PRIVATE KEY-----

Generate CSR using the above generated private key

bash> openssl req -out client.csr -new -key client_key.pem -sha256
(to proceed, it will ask you for the private key passphrase; -nodes only matters when req generates a fresh key with -newkey, so it is dropped here)


Sign the user certificate with the Root CA

bash> openssl x509 -req -days 360 -in client.csr -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out client_cert.pem -sha256
(you will be asked for the CA key passphrase; x509 -req copies no extensions from the CSR, so if the server checks extendedKeyUsage=clientAuth, pass an -extfile containing that extension)
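Here is an added end-to-end example, not part of either of these two posts, that ties them together: it builds a throwaway root CA, a passphrase-protected client key and a CA-signed client certificate (the steps of this post, with the clientAuth extension supplied through -extfile), then runs the 2 way SSL test of the earlier post against a local openssl s_server over a Unix socket, so there is no server to configure. Everything it names (Demo Root CA, client1, localhost, the *.pem files, client.pw, tls.sock) is made up for the demo. It relies on the -unix, -no-CAfile and -no-CApath options of s_client/s_server, which exist in OpenSSL 1.1.0 and later; the 1.0.x build that produced the state trace above does not have them.

```shell
#!/bin/sh
# Added example (not from the original posts): build a throwaway root CA, a
# passphrase-protected client key and a CA-signed client certificate, then run
# a 2-way TLS handshake against a local `openssl s_server` and read the one
# line that matters, s_client's "Verify return code". All names here
# (Demo Root CA, client1, localhost, *.pem, client.pw) are made up.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
umask 077   # keys and the passphrase file are created owner-readable only

# Root CA. Its key is left unencrypted only so the demo runs unattended;
# a real CA key belongs in an HSM, or at least under a passphrase.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Demo Root CA" -keyout ca.key.pem -out ca.cert.pem 2>/dev/null

# Client key, AES-256 encrypted. The passphrase comes from a file:
# `-passout pass:1234` on the command line ends up in shell history and `ps`.
printf 'correct horse battery staple' > client.pw
openssl genrsa -aes256 -passout file:client.pw -out client_key.pem 2048 2>/dev/null

# CSR, then a CA-signed client cert. `x509 -req` copies no extensions from the
# CSR, so the clientAuth EKU that servers check has to come from -extfile.
openssl req -new -sha256 -key client_key.pem -passin file:client.pw \
  -subj "/CN=client1" -out client.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext
openssl x509 -req -in client.csr -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial \
  -days 365 -sha256 -extfile client.ext -out client_cert.pem 2>/dev/null

# A server certificate from the same CA, so s_server has something to present.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=localhost" \
  -keyout server_key.pem -out server.csr 2>/dev/null
printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:localhost\n' > server.ext
openssl x509 -req -in server.csr -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial \
  -days 365 -sha256 -extfile server.ext -out server_cert.pem 2>/dev/null

# ---- checks to run before blaming the server ------------------------------

# Encrypted key? Both the legacy "Proc-Type: 4,ENCRYPTED" header and the
# PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" form (OpenSSL 3 default) carry the word.
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# The passphrase must really be needed: a wrong one has to be rejected.
wrong_passphrase_rejected() {
  ! openssl pkey -in "$1" -passin pass:definitely-wrong -noout 2>/dev/null
}

# The client cert chains to our CA and carries the clientAuth EKU.
cert_chains_to_ca()   { openssl verify -CAfile ca.cert.pem "$1" >/dev/null 2>&1; }
cert_has_client_eku() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# 2-way TLS handshake against a local s_server that insists on a client cert
# (-Verify). Arguments are the client's trust settings, e.g. "-CAfile ca.cert.pem".
# Prints s_client's "Verify return code". s_client completes the handshake even
# when it cannot verify the server certificate, so this line, not the handshake
# state trace, tells you whether the server really chained to your CA file.
mtls_verify_code() {
  sock="$WORK/tls.sock"; rm -f "$sock"
  openssl s_server -unix "$sock" -naccept 1 -www -Verify 2 -CAfile ca.cert.pem \
    -cert server_cert.pem -key server_key.pem </dev/null >server.log 2>&1 &
  srv=$!
  i=0; while [ ! -S "$sock" ] && [ "$i" -lt 50 ]; do sleep 0.2; i=$((i + 1)); done
  out=$(openssl s_client -unix "$sock" "$@" \
          -cert client_cert.pem -key client_key.pem -pass file:client.pw \
          </dev/null 2>&1) || true
  kill "$srv" 2>/dev/null || true; wait "$srv" 2>/dev/null || true
  printf '%s\n' "$out" | sed -n 's/^ *Verify return code: //p' | head -n 1
}

echo "key encrypted:        $(key_is_encrypted client_key.pem && echo yes || echo no)"
echo "wrong pass rejected:  $(wrong_passphrase_rejected client_key.pem && echo yes || echo no)"
echo "chains to CA:         $(cert_chains_to_ca client_cert.pem && echo yes || echo no)"
echo "clientAuth EKU:       $(cert_has_client_eku client_cert.pem && echo yes || echo no)"
echo "mTLS, CA trusted:     $(mtls_verify_code -CAfile ca.cert.pem)"
echo "mTLS, no CA file:     $(mtls_verify_code -no-CAfile -no-CApath)"
```

The last two lines are the point of the exercise: with the right -CAfile the handshake ends in 0 (ok); with an empty trust store the handshake still completes, the server is still talking to an authenticated client, and only the Verify return code reveals that the server certificate was never verified. Against a real server, replace -unix with -connect host:port and keep reading that line rather than the state trace.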



Hope this helps :-)
Enjoy :-)

Wednesday 14 December 2016

Enabling OCSP Validation using X.509 Authentication Scheme

Assumptions:

  • You have already configured and tested the X.509 authentication use case; now we are adding certificate validation against an OCSP server.
  • The OCSP server will be run with 'openssl', so check that openssl is installed before proceeding. If not, go get it first.
  • You have imported the user certificate into your browser as part of X.509 authentication.

Brief about OCSP Server:

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.
An OCSP responder (a server typically run by the certificate issuer) may return a signed response signifying that the certificate specified in the request is 'good', 'revoked', or 'unknown'. If it cannot process the request, it may return an error code.

Steps to perform:


1) Set up the OCSP server (see the How to set up OCSP using OpenSSL link at the end of this post). Once it is running you will have the following items:
  • CA certificate (self signed) - ca.pem
  • CA private key - ca-key.pem
  • OCSP server URL -> i.e. host and port, e.g. http://abc.us.oracle.com:6060
  • index.txt -> the certificate database that the OCSP server consults for every request it receives; based on it OCSP answers 'good', 'revoked' or 'unknown', where 'unknown' means the certificate has no entry in the file at all.
    • This file name could be any name of your choice.

a) OCSP server files

b) Starting OCSP server


2) Go to Access Manager Configuration Settings: select Certificate Validation



3) Select OCSP/CDP Settings:


  •  Enter OCSP Url
  •  Provide the OCSP CA Authority Certificate Subject
  • Apply the changes
4) Now go to Authentication Scheme

5) Select X509Scheme

6) Provide the details as required for enabling OCSP Validation

7) Now go to Authn Module

8) Select X509 Module

9) Remember to enable Cert Validation & OCSP. Provide the required details.


10) Now we need to attach the X509Scheme to the Protected Resource Policy of our webgate profile.





11) Now when you fire a request from your browser, you will be asked for the user certificate to use for authentication. If that certificate is not present in the OCSP database (the index.txt file) or has been revoked, you should get an 'Authentication Failed' message.

12) To implement a use case to check certificate revocation, execute this command:
./openssl ca -revoke <user certificate file>
Eg: 
bash-3.2$ ./openssl ca -revoke user1\@oracle.com.crt
Using configuration from /scratch/ckukreja/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Revoking Certificate BE.
Data Base Updated

  • Here I have copied cakey.pem, ca.pem and index.txt into the 'demoCA' folder; openssl looks there because that is the directory configured in my openssl.cnf file.
  • After this your index.txt gets updated and you can see the difference in the file. Now when you try to access the protected resource with the revoked user certificate, OCSP answers 'revoked' to the OAM server and you get the authentication failed message.
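An added example, not part of this post, of the OCSP half of the procedure (steps 1, 11 and 12) done entirely offline with the openssl CLI, so it can be run before touching OAM: a throwaway CA issues a user certificate through openssl ca so that it is recorded in index.txt, the responder answers a request read from a file instead of listening on a port, and the status is checked before and after openssl ca -revoke. The configuration file, the CA and user names (Demo OCSP CA, user1@example.com) and the file names are all made up for the demo; the responder signs with the CA key itself, as in the setup the post describes.

```shell
#!/bin/sh
# Added example (not from the original post): the OCSP part of the procedure
# run completely offline. A throwaway CA issues a user certificate through
# `openssl ca` so it lands in index.txt, the responder answers a request read
# from a file instead of a port, and the status is checked before and after
# `openssl ca -revoke`. All names (Demo OCSP CA, user1@example.com, demo.cnf,
# *.pem) are made up for the demo.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
umask 077
mkdir newcerts; : > index.txt; echo 1000 > serial

# Minimal `openssl ca` configuration: the database is the index.txt the
# responder consults, so a cert missing from it is answered "unknown".
cat > demo.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
certificate      = $dir/ca.pem
private_key      = $dir/ca-key.pem
default_md       = sha256
default_days     = 365
policy           = any_policy
x509_extensions  = user_ext
[ any_policy ]
commonName       = supplied
[ user_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

# CA key/cert (key unencrypted only so the demo runs unattended) and a user
# cert issued by `openssl ca`, which records it as a "V" line in index.txt.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Demo OCSP CA" -keyout ca-key.pem -out ca.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=user1@example.com" \
  -keyout user1.key -out user1.csr 2>/dev/null
openssl ca -config demo.cnf -batch -notext -in user1.csr -out user1.crt >/dev/null 2>&1

# First column of the index.txt line for a subject: V (valid) or R (revoked).
index_flag() { awk -F'\t' -v subj="$1" '$NF == subj { print $1 }' index.txt; }

# Ask the responder about $1: build the request, answer it from index.txt
# (signed by the CA key, as in the post's setup), then verify the response
# against the CA and print just the status word. "verify-failure" means the
# response signature or chain did not check out, which must never be treated
# as "good". Nonces are off because nothing goes over a network here.
ocsp_status() {
  openssl ocsp -issuer ca.pem -cert "$1" -no_nonce -reqout req.der >/dev/null 2>&1
  openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca-key.pem \
    -no_nonce -noverify -reqin req.der -respout resp.der >/dev/null 2>&1
  out=$(openssl ocsp -respin resp.der -issuer ca.pem -cert "$1" -no_nonce -CAfile ca.pem 2>&1) || true
  case "$out" in
    *"Response verify OK"*) printf '%s\n' "$out" | sed -n "s/^$1: //p" | head -n 1 ;;
    *) echo verify-failure ;;
  esac
}

FLAG_BEFORE=$(index_flag /CN=user1@example.com)
STATUS_BEFORE=$(ocsp_status user1.crt)
# Revoke the way the post does; the database line flips from V to R.
openssl ca -config demo.cnf -revoke user1.crt >/dev/null 2>&1
FLAG_AFTER=$(index_flag /CN=user1@example.com)
STATUS_AFTER=$(ocsp_status user1.crt)

echo "before revoke: index=$FLAG_BEFORE ocsp=$STATUS_BEFORE"
echo "after revoke:  index=$FLAG_AFTER ocsp=$STATUS_AFTER"
```

The responder answers from index.txt alone, which is why copying the file into the directory your openssl.cnf points at matters: a revocation only becomes visible once the R line is in the copy the responder reads. The verify step is deliberately strict: a response that does not verify against the CA is reported as verify-failure rather than as whatever status it claims, which is the behaviour a relying party such as the OAM server must also have.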

Note: Important points to help you debug:

a) Always check whether the log.txt file you gave the OCSP server at startup is being populated with requests.
b) If the request reaches OCSP and the certificate is good but authentication still fails, check the OAM server diagnostic logs; you should find an exception there.


Important Informative Links:

Managing Common Services and Certificate Validation
X.509 Certificate Revocation Checking Using OCSP protocol with Oracle WebLogic Server 12c
How to set up OCSP using OpenSSL - I-Space Research Labs



That's All Guys......
Enjoy :-)