
How to start any program from the Command Prompt (cmd) or the Run dialog – “Sometimes My Genius… It’s Almost Frightening”

We’ve all been here before. You installed an application, e.g. OpenSSL, and you want to start it from a directory other than the one where the OpenSSL executable is actually located. Bam! Error. You can resolve this by adding the folder where the executable is located to the PATH environment variable.

Error: ‘applicationName’ is not recognized as an internal or external command, operable program or batch file.

PATH

PATH is an environment variable on Unix-like operating systems, DOS, OS/2, and Microsoft Windows, specifying a set of directories where executable programs are located. In general, each executing process or user session has its own PATH setting.

Wikipedia – PATH (variable)

Well, that still doesn’t make it very clear what it does. Basically, PATH is a variable that holds a list of directories in which executable programs are located, so that those programs can be started without specifying the entire path to the file. This works in the Command Prompt (cmd) and in the Run dialog in the Start Menu.

To do this you will have to go to the Environment Variables dialog to add new directories to the PATH variable. You can open Control Panel > System > Advanced > Environment Variables, or, as I prefer, use the simpler method of running the following command in the Run dialog:

%windir%\System32\rundll32.exe sysdm.cpl,EditEnvironmentVariables

Select the PATH variable in the User variables list and click on Edit…

Click on New and add the directory path of where the executable is located. We will use OpenSSL as an example.

Click on OK to finish.

And we’re done! You’ve successfully added the OpenSSL bin directory, where the OpenSSL executable is located, to the Path variable. Now we can start OpenSSL from the Command Prompt or the Run dialog without specifying the directory path.

OpenSSL is able to start because the directory of where the executable is located is added to the PATH variable

Creating a Certificate Signing Request (CSR) with multiple Subject Alternative Names (SAN) using OpenSSL – Wait, it’s all secure? Always has been.

Introduction

When you want to use digital certificates (also known as public key certificates) to establish a secure connection between computers, you will need to create a certificate signing request. A certificate is most commonly used for SSL/TLS, which provides confidentiality and integrity between two communicating applications.

The Subject Alternative Name (SAN or subjectAltName) is a field which allows you to define additional host names to be secured by a single certificate (also known as a Multi-Domain Certificate). For example, this can be useful when you have many domains/subdomains that need to be secured. In terms of finances and pragmatism, you may not want to purchase different certificates, as this might get expensive, and having multiple certificates can be bothersome to implement.

You might be thinking, this sounds like a wildcard certificate! You’re not wrong, as both types of certificates are quite similar. Both SAN and wildcard certificates allow you to secure multiple (sub)domains. However, a wildcard certificate cannot protect both identandy.com and identandy.org, as the top-level domain (TLD) is different. A wildcard certificate only protects the primary domain (as defined in the Common Name) and any subdomains. Plus, wildcard certificates shouldn’t be used anymore since they’re deprecated, as shown in section 7.2 of RFC 6125.

7.2. Wildcard Certificates This document states that the wildcard character ‘*’ SHOULD NOT be included in presented identifiers but MAY be checked by application clients (mainly for the sake of backward compatibility with deployed infrastructure).

Instructions

  1. Ensure that you have the latest version of OpenSSL installed.
  2. Create a new text file using your favorite simple text editor and name it request.config.
  3. Copy the following text to the request.config file and change the C\ST\L\O\OU\CN\DNS.* attributes accordingly. See the Definitions and Examples section for more information regarding these attributes.

Syntax of a request.config file:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = <countryName>
ST = <stateOrProvinceName>
L = <localityName>
O = <organizationName>
OU = <organizationalUnit>
CN = <commonName>
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = <hostName>
DNS.2 = <hostName>

Example of a request.config file:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = NL
ST = Noord-Holland
L = Amsterdam
O = Identandy
OU = Public Relations
CN = identandy.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = identandy.com
DNS.2 = subdomain.identandy.com
DNS.3 = identandy.net
  4. Ensure that there isn’t any whitespace at the beginning or the end of the lines.
  5. Run the following command to create the certificate signing request.

Syntax of an OpenSSL command to create a CSR:

openssl req -new -out <csr_file> -newkey rsa:2048 -nodes -sha256 -keyout <private_key> -config <request.config>

Example of an OpenSSL command to create a CSR:

openssl req -new -out identandy_com.csr -newkey rsa:2048 -nodes -sha256 -keyout identandy_com_private.key -config request.config
  6. After executing the OpenSSL command you will be greeted with the following message, and your CSR (identandy_com.csr) and private key (identandy_com_private.key) will have been created.
Generating a RSA private key
....+++++
......+++++
writing new private key to 'identandy_com_private.key'
-----
  7. Run the following command to verify the certificate signing request:
openssl req -text -noout -verify -in identandy_com.csr

verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = NL, ST = Noord-Holland, L = Amsterdam, O = Identandy, OU = Public Relations, CN = identandy.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Key Usage:
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:identandy.com, DNS:subdomain.identandy.com, DNS:identandy.net
    Signature Algorithm: sha256WithRSAEncryption

And there you have it! That’s all you need to do to generate a CSR using OpenSSL. I hope that you have found it useful, and if you have any questions, leave a comment below.
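The manual comparison in step 7 can be scripted before the CSR goes to a CA. The following Python sketch is an added example, not part of the original post: it compares the `[alt_names]` entries of request.config with the SAN line of the `openssl req -text` output and also reports edge whitespace (step 4), wildcard names, and a CN that is not repeated as a SAN. The function names `parse_config`, `csr_sans` and `check` are hypothetical, and the sample inputs are abridged from the page's example.

```python
import re

# Constructed sample input: the page's example request.config (abridged) and
# the SAN lines of its `openssl req -text` output, so the check runs offline.
CONFIG = """[req_distinguished_name]
CN = identandy.com
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = identandy.com
DNS.2 = subdomain.identandy.com
DNS.3 = identandy.net
"""
CSR_TEXT = """            X509v3 Subject Alternative Name:
                DNS:identandy.com, DNS:subdomain.identandy.com, DNS:identandy.net
"""

def parse_config(text):
    """Return ({section: {key: value}}, [numbers of lines with edge whitespace])."""
    lines = text.splitlines()
    padded = [n for n, raw in enumerate(lines, 1) if raw != raw.strip()]
    sections, current = {}, None
    for line in map(str.strip, lines):
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections, padded

def csr_sans(text):
    """DNS names on the line after 'X509v3 Subject Alternative Name:'."""
    m = re.search(r"Subject Alternative Name:.*\n\s*(.+)", text)
    return re.findall(r"DNS:([^,\s]+)", m.group(1)) if m else []

def check(config, csr_text):
    """Return a list of findings; an empty list means config and CSR agree."""
    sections, padded = parse_config(config)
    wanted = [v for k, v in sections.get("alt_names", {}).items() if k.startswith("DNS.")]
    got, cn = csr_sans(csr_text), sections.get("req_distinguished_name", {}).get("CN")
    findings = [f"line {n}: leading or trailing whitespace" for n in padded]
    if cn and cn not in wanted:  # added check: clients match SAN entries, not the CN
        findings.append(f"CN {cn} is not listed in [alt_names]")
    findings += [f"wildcard name {h}" for h in wanted if "*" in h]
    findings += [f"{h} missing from CSR" for h in wanted if h not in got]
    findings += [f"{h} in CSR but not in config" for h in got if h not in wanted]
    return findings
```

To use it on real files, pass the contents of request.config and the captured output of the verify command to `check()`; an empty list means the CSR requests exactly the host names the config lists.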

Definitions and Examples

Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources. The goal of confidentiality protection is to prevent or minimize unauthorized access to data. Confidentiality focuses security measures on ensuring that no one other than the intended recipient of a message receives it or is able to read it. Confidentiality protection provides a means for authorized users to access and interact with resources, but it actively prevents unauthorized users from doing so. A wide range of security controls can provide protection for confidentiality, including, but not limited to, encryption, access controls, and steganography.

Integrity is the concept of protecting the reliability and correctness of data. Integrity protection prevents unauthorized alterations of data. It ensures that data remains correct, unaltered, and preserved. Properly implemented integrity protection provides a means for authorized changes while protecting against intended and malicious unauthorized activities (such as viruses and intrusions) as well as mistakes made by authorized users (such as mistakes and oversights).

Country Name (C) Use the two-letter country code based on ISO 3166-1 alpha-2. Example: NL

State or Province (ST) Spell out the state completely; do not abbreviate the state or province name. Example: Noord-Holland

Locality or City (L) Spell out the city or town name completely; do not abbreviate the locality or city name. Example: Amsterdam

Organization (O) If the company or department has an &, @, or any other symbol, the symbol must be spelled out or omitted. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation. 

Organizational Unit (OU) The Organizational Unit (OU) field is the name of the department or organization unit making the request.

Common Name (CN) The Common Name (CN), also known as the Fully Qualified Domain Name (FQDN), is the characteristic value within a Distinguished Name. Example: identandy.com