
Cygwin with OpenSSL for CSR generation

September 18th, 2008 | 1 Comment

Many services published to the Internet are secured with SSL certificates. We often use SSL certificates to secure communications when implementing ISA reverse proxy servers, Citrix Secure Gateway servers and Cisco WebVPN portals.

When you want to secure a connection with an SSL certificate you have to create a Certificate Signing Request (CSR) and get the CSR signed by a Certificate Authority (CA). This can be done by a “real” CA, like GeoTrust or Verisign, or you can configure your own CA and sign your own CSR.

There are many ways to generate a CSR. At first I always used whatever the customer could offer me: a Cisco ASA firewall, a Windows server with IIS or a Juniper SA appliance. Sometimes it could take a couple of hours before I could finally generate a CSR. While generating a CSR, a private key is generated as well. When using customer equipment to generate the CSR, it can happen that the customer deletes the private key, which makes the CSR useless.

A colleague of mine often ran into the same problems and started using Cygwin with OpenSSL under Windows. I have to say: GREAT. I started using it myself. A great advantage is that I can use my own laptop and don’t have to depend on the customer’s equipment. Furthermore, and maybe most importantly, I know what I am doing during the generation and signing of certificates, so I will never delete the wrong files.

Normally I generate a new private key per certificate, and I use the following commands to generate the private key, the CSR and the actual certificate.

1. Generate a private key

openssl.exe genrsa -out private-www-booches-nl.key 2048

2. Generate the CSR and fill in the required information (the common name is the most important field)

openssl.exe req -new -key private-www-booches-nl.key -out csr-www-booches-nl.csr

3. Upload the CSR to the CA. The CA sends you back the signed SSL certificate, which I save as www-booches-nl.crt

4. Bundle the private key and the signed certificate into the actual PFX (PKCS#12) file

openssl.exe pkcs12 -export -out www-booches-nl.pfx -inkey private-www-booches-nl.key -in www-booches-nl.crt

When using an open source web server you have to use a certificate in DER format. The first three steps shown above stay the same; use the following steps to create a DER file.

4. Append the contents of the key file to the end of the crt file

cat private-www-booches-nl.key >> www-booches-nl.crt

5. Create the DER file

openssl.exe x509 -in www-booches-nl.crt -inform PEM -out www-booches-nl.der -outform DER

It is also possible that you need a PEM certificate instead of a PFX certificate. Below is the command to create a PEM file from a PFX file.

6. Create the PEM file

openssl.exe pkcs12 -in www-booches-nl.pfx -out www-booches-nl.pem -nodes
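The whole chain above, run end to end in a scratch directory, as an added example that is not part of the original post. It assumes openssl is on the PATH (openssl.exe under Cygwin), uses a constructed hostname, stands in for the CA step by self-signing the CSR (the post mentions running your own CA as an option) and uses the placeholder export password "changeit". Two checks the steps in the post leave implicit are included: the key and certificate moduli are compared before the PFX is built, since a bundle made from a key and a certificate that do not belong together is the usual failure after a key was regenerated on customer equipment, and the key file is kept readable only by its owner. Note that the DER output of `openssl x509` contains only the certificate, never the key, so appending the key to the .crt file as in the DER steps does not carry it into the .der file; keep the key out of any file that leaves your laptop.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes openssl on PATH; all names
# and the export password below are constructed placeholders.

# build_cert_bundle <workdir> <common-name>
#   Produces key, CSR, (self-signed) certificate, PFX, DER and PEM files.
#   Returns 0 only when every file exists and the key matches the certificate.
build_cert_bundle() {
    dir="$1"; cn="$2"
    key="$dir/private-$cn.key"
    csr="$dir/csr-$cn.csr"
    crt="$dir/$cn.crt"
    pfx="$dir/$cn.pfx"
    der="$dir/$cn.der"
    pem="$dir/$cn.pem"

    # 1. Private key (2048-bit RSA as in the post); 0600 so only the owner can read it
    openssl genrsa -out "$key" 2048 2>/dev/null || return 1
    chmod 600 "$key"

    # 2. CSR; -subj replaces the interactive prompts, CN is what the CA signs for
    openssl req -new -key "$key" -out "$csr" \
        -subj "/C=NL/O=Example/CN=$cn" 2>/dev/null || return 1

    # 3. Stand-in for the CA: self-sign the CSR (a real CA returns the .crt instead)
    openssl x509 -req -in "$csr" -signkey "$key" -days 30 -out "$crt" 2>/dev/null || return 1

    # Check that the certificate was issued for this private key before bundling
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    crt_mod=$(openssl x509 -noout -modulus -in "$crt")
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ] || return 1

    # 4a. PKCS#12 bundle (key + certificate); -passout replaces the password prompt
    openssl pkcs12 -export -out "$pfx" -inkey "$key" -in "$crt" \
        -passout pass:changeit || return 1

    # 4b. DER copy of the certificate only (the key never ends up in this file)
    openssl x509 -in "$crt" -inform PEM -out "$der" -outform DER || return 1

    # 5. Unencrypted PEM (key + certificate) recovered from the PFX, the post's -nodes step
    openssl pkcs12 -in "$pfx" -out "$pem" -nodes -passin pass:changeit 2>/dev/null || return 1
    chmod 600 "$pem"

    # Every artifact must be present and non-empty
    for f in "$key" "$csr" "$crt" "$pfx" "$der" "$pem"; do
        [ -s "$f" ] || return 1
    done
    return 0
}

# cn_of <certificate-file>: print the subject CN so the caller can confirm what was signed
cn_of() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# Usage (constructed hostname):
#   build_cert_bundle "$(mktemp -d)" www.example.test && echo "bundle ok"
```

Running the function once on a throwaway directory is a cheap way to confirm that the OpenSSL build in your Cygwin installation handles every format the post uses before you do it with a key that matters.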

Using Cygwin with OpenSSL really makes working with CSRs and certificates easier. A very useful website with “The Most Common OpenSSL Commands” can be found here.

Secure Copy Server Cisco ASA

September 16th, 2008 | No Comments

Lately there have been a lot of changes in the firmware and the ASDM for the Cisco ASA firewalls. This means a lot of copying of files to the flash memory of the specific appliances. Normally, when upgrading the software of an appliance, I use a computer on the customer network. This could be my own laptop, or I take over a computer remotely.

Using my own laptop is never a problem, but when I want to upgrade a firewall remotely I first have to build a VPN tunnel, take over a computer, download the specific software for the appliance, install some kind of FTP or TFTP service and then start the upload procedure.

A couple of weeks ago a friend of mine brought up the Secure Copy Server feature of the Cisco ASA appliance. This feature gives you the ability to securely upload files remotely to the flash memory of the appliance. Secure copy is an often used feature in the open source community and its usage is simple. It is a very powerful tool, but it never crossed my mind to use it in conjunction with the ASA appliances.

The Secure Copy Server is enabled with the following command:

ssh scopy enable

After enabling the Secure Copy Server you have the ability to securely copy files to the flash memory of the ASA appliance. Linux or Mac OS X users normally use some kind of terminal to establish a secure copy connection. Windows users can use PuTTY’s PSCP (pscp.exe) for uploading files to the flash memory. The PSCP syntax is in general the same as in a Linux shell. It looks like:

pscp.exe <source> <user>@<destination host>:<flash file name>

An example would be:

pscp.exe asa804-k8.bin rene@asa.booches.nl:asa804-k8.bin

I guess I will use this feature more often from now on.
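The upload from the post wrapped in a small script, as an added example that is not part of the original post. It picks pscp.exe when it is present (Windows/Cygwin) and scp otherwise, uses the image's basename as the flash file name so a local path never becomes part of the name on the appliance, and records the image's MD5 before the transfer so it can be compared with the copy on the ASA (the ASA's `verify /md5 disk0:/<file>` command prints the same digest). The host, user and file names are constructed sample values; the "dry" mode only prints the command it would run.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes a POSIX sh with md5sum and
# an scp client; "ssh scopy enable" is assumed to be configured on the ASA already.

# scp_client: the copy tool available on this system (pscp.exe under Windows/Cygwin)
scp_client() {
    if command -v pscp.exe >/dev/null 2>&1; then echo pscp.exe; else echo scp; fi
}

# upload_cmd <image> <user> <host>: the exact command line that will be run;
# the flash file name is the image's basename, as in the post's example
upload_cmd() {
    image="$1"; user="$2"; host="$3"
    echo "$(scp_client) $image $user@$host:$(basename "$image")"
}

# image_md5 <image>: digest to compare with "verify /md5 disk0:/<file>" on the ASA
image_md5() {
    md5sum "$1" | cut -d' ' -f1
}

# upload_image <image> <user> <host> [dry]
#   Refuses a missing or empty image, prints the local MD5 and the command,
#   then runs the copy (or stops after printing when the 4th argument is "dry").
upload_image() {
    image="$1"; user="$2"; host="$3"; mode="$4"
    [ -s "$image" ] || { echo "image missing or empty: $image" >&2; return 1; }
    echo "local md5 of $(basename "$image"): $(image_md5 "$image")"
    cmd=$(upload_cmd "$image" "$user" "$host")
    echo "$cmd"
    [ "$mode" = "dry" ] && return 0
    # Word splitting of $cmd is intended here; image paths without spaces are assumed
    $cmd
}

# Usage (sample values; dry run, so no host is contacted):
#   upload_image ./asa804-k8.bin admin asa.example.test dry
```

After the real copy finishes, compare the digest printed here with the output of `verify /md5` on the appliance before pointing the boot system at the new image; a truncated or corrupted transfer is far cheaper to catch at that point than after a reload.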
