Monday 31 October 2016

quick way to check if a port is open linux


$ nc -zv 159.134.168.117 80 443
Connection to 159.134.168.117 80 port [tcp/http] succeeded!
Connection to 159.134.168.117 443 port [tcp/https] succeeded!

Monday 24 October 2016

setup DHCP on cisco ASA

dhcpd dns 10.30.0.1 10.30.0.2
dhcpd wins 10.32.0.1
dhcpd domain mydomain.com
dhcpd auto_config outside
dhcpd address 10.30.14.20-10.32.14.199 inside
dhcpd enable inside
dhcpd address 10.30.114.10-10.32.114.199 VOICE
dhcpd enable VOICE

DHCP options
dhcpd option [x] [ascii|hex|ip]

Default GW
dhcpd option 3 ip 10.30.0.254

New reservation command as of 9.13.1
dhcpd reserve-address 10.20.14.50 xxx.yyyy.zzzz inside

Show commands
show dhcpd binding

Clear commands
clear dhcpd binding all
clear dhcpd binding 10.30.14.20

Thursday 6 October 2016

checkpoint interface spoofing

Use Tracker to see the interface where the traffic is being dropped.
Check which firewall and interface it was dropped on.
Open the correct firewall policy in SmartDashboard.
Go to Groups -> find the interface.
Add the network to that interface's group.

Wednesday 5 October 2016

sample switch config

Setup a local user
username local-user privilege 15 password 0 P@55w0rd
username MYUSER privilege 15 algorithm-type scrypt secret P@55w0rd

Set the enable secret
enable secret s3cr3t

Save 
write mem

Set hostname
hostname SITE-3650

Don't try to look up hostnames
no ip domain lookup 

Set up the line settings
line con 0
 logging synchronous
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh


Enable cdp
cdp run

set ntp server
ntp server 172.30.123.1

Set default gateway (L2)
ip default-gateway 172.30.1.1


Set banner
banner login ^
*** MY BANNER ***
^

Enable ip routing (L3 functions)
ip routing

Set L3 default route
ip route 0.0.0.0 0.0.0.0 vlan 10 172.172.10.249

Set domain name
ip domain-name mydomain.ie



Generate rsa key (for ssh)
conf t
crypto key generate rsa general-keys label MYLABEL modulus 2048

Setup spanning tree
spanning-tree mode rapid-pvst

Set up local logging buffer
Generally it's set very low. Use dir to check how much space you have.
If you have a syslog server it's not an issue.
logging buffered 5000000 debugging

Set up AAA
aaa new-model
!
!
aaa group server radius NPS
 server 172.16.50.1 auth-port 1645 acct-port 1646
 server 172.16.50.2 auth-port 1645 acct-port 1646
!
aaa authentication login default group NPS local
aaa authentication login CON local
aaa authentication dot1x default group NPS local
!
!
!
aaa session-id common

Setup SVI on the switch
interface Vlan10
 ip address 172.30.10.253 255.255.255.0
 ip helper-address 172.16.1.50

Set management interface
interface Loopback100
 description SWITCH MGMT
 ip address 172.30.100.10 255.255.255.255

Setup so radius can come from the management IP
ip radius source-interface Loopback100

Set up radius
radius-server host 172.16.50.1 auth-port 1645 acct-port 1646
radius-server host 172.16.50.2 auth-port 1645 acct-port 1646
radius-server retransmit 0
radius-server timeout 1
radius-server key MY-SECRET-RADIUS-KEY


****
Side note - Upgraded a 3750E to 15.2 and it broke Radius
Change to calling the Group


aaa group server radius NPS
 server name NPS-1
 server name NPS-2

radius server NPS-1
 address ipv4 172.16.35.63 auth-port 1645 acct-port 1646
 pac key **********
!
radius server NPS-2
 address ipv4 172.16.35.43 auth-port 1645 acct-port 1646
 pac key ********
!



Setup your access ports
interface FastEthernet0/1
 switchport mode access (set the port as an access port)
 switchport access vlan 10 (data vlan for PC)
 switchport voice vlan 200 (voice vlan for IP phone)

 switchport port-security (turn on port security)
 switchport port-security maximum 2 (max 2 MAC's phone and PC)
 switchport port-security violation restrict (log and ignore the extra traffic)
 spanning-tree portfast (don't wait 60 seconds to bring the port up)
 spanning-tree bpduguard enable (err-disable the port if we detect switch/BPDU)
 no shutdown (bring the port up)

Setup trunk ports
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk





You may have to set the tftp source interface (e.g. the management loopback from above)
ip tftp source-interface Loopback100

Setup VTP
You won't find settings in show run. Use "sh vtp status" and "sh vtp password" on another switch and configure the same settings on the new switch. Most likely you'll want to use the client mode.
SITE-3650#sh vtp status
VTP Version                     : running VTP2
Configuration Revision          : 15
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 30
VTP Operating Mode              : Client
VTP Domain Name                 : MYDOMAIN
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x7C 0x91 0x1E 0x52 0x99 0x80 0x60 0x5E




This one has ACL applied to SSH
line con 0
 session-timeout 15
 exec-timeout 0 0
 logging synchronous
 login authentication CON
 history size 256
line vty 0 4
 session-timeout 15
 access-class 2 in
 exec-timeout 15 0
 password 7 0034212757550A045E72
 logging synchronous
 length 0
 history size 256
 transport input ssh
 transport output ssh
line vty 5 15
 session-timeout 15
 access-class 2 in
 exec-timeout 15 0
 password 7 0034212757550A045E72
 logging synchronous
 history size 256
 transport input ssh
 transport output ssh

Setup port channel interface if needed
interface Port-channel40
 description "*** PortChan members gig1/1/1 and gig2/1/1 ***"
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 switchport nonegotiate
 storm-control broadcast level 10.00
 ip dhcp snooping trust

Setup port channel members (channel-group)
interface GigabitEthernet1/1/1
 description *** Link to core ***
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport mode trunk
 switchport nonegotiate
 srr-queue bandwidth share 10 10 60 20
 priority-queue out
 mls qos trust dscp
 storm-control broadcast level 10.00
 channel-group 40 mode on
 ip dhcp snooping trust
end

interface GigabitEthernet2/1/1
 description *** link to core ***
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport mode trunk
 switchport nonegotiate
 srr-queue bandwidth share 10 10 60 20
 priority-queue out
 mls qos trust dscp
 storm-control broadcast level 10.00
 channel-group 40 mode on
 ip dhcp snooping trust

Setup eigrp
router eigrp 100
network 172.30.1.0 0.0.0.255 (wildcard mask)

installing certificates on the cisco ASA

Wildcard cert

GoDaddy steps
What you need
  • Purchased wildcard cert
  • Login details for godaddy site
  • Access to public DNS provider to create URLs and TXT record
  • Access to ASA/ASDM
  • Access to domain controller/server where you can install openssl
Saving the private key
When setting up a new wildcard, GoDaddy gives you the option to save the CSR and the private key. You should save these. The client might have created it already. You can look on the domain controller or email server for it and see if you can export it from mmc -> certificates snap-in. If it can't be found or has been lost you can rekey the cert; contact GoDaddy for steps. I believe the rekey can cause issues if the cert is already installed somewhere, as now the private key won't match. Try to avoid this.
DNS provider
You need to verify a wildcard with a DNS TXT record, so you need to contact the DNS provider. GoDaddy provides instructions.
You can check the TXT records here https://dnslookup.online/txt.html
Once the cert is set up you can download the zip file. Choose the "other" option.
You may need to get "vpn.domain.ie" pointing to the public IP of the ASA.
Create combined PKCS12 / PFX file with Openssl
Now use openssl to bundle private key + wildcard cert into one file with a password.
You may need to install openssl (http://gnuwin32.sourceforge.net/summary.html)
Openssl command:
openssl pkcs12 -export -inkey MY_PRIV_KEY.key -in WILDCARD_CERT.crt -out STAR_DOMAIN_COMBINED.p12
You will be asked for password here, save this password.
Good idea to install the PFX on the customer domain controller for safe keeping. 
Install as exportable
Choose the computer account
Choose the personal cert store.
You can find the cert later in start -> run -> mmc -> add certs snap-in.
ASA install
Now install the STAR_DOMAIN_COMBINED.p12 on cisco ASDM.
ASDM -> Configuration -> Certificate Management -> CA Certificates -> Add -> CA cert (from zip file downloaded from godaddy)
Now click on Identity Certs -> Add  
Choose "Import the identity cert from a file (PKCS12)"
Enter the password you entered at the openssl step
Select the STAR_DOMAIN_COMBINED.p12
Click "Add certificate"
Apply to interface. 
Configuration -> Advanced -> SSL settings
Click on outside interface -> Edit button and select cert
Testing
Go to your anyconnect URL. 
Confirm the cert is set up with Chrome -> developer tools -> security, or this one:
https://www.sslshopper.com/ssl-checker.html



This is the process of installing a wildcard cert if you have one:
https://www.tunnelsup.com/adding-a-wildcard-ssl-certificate-to-a-cisco-asa/

Get the following
The password used to export the certs (if no password was set up, you can create the bundle and its password yourself with openssl)
The certificate private key (pfx) file (in pem format)
The wildcard certificate (in pem format)
The intermediary certificate (in pem format)

The customer should have access to their trusted root CA portal where you can download most files. The customer should have the private key (pfx) file and the password for it. The trusted root CA does not hold that. It's generated when the cert is used for the first time.

In the past we have found the customer imported the private key onto a webserver but didn't save the private key. We were able to export the private key from the web server. Had to open mmc, add the certificate snap-in and add it for the computer account.

Download and install win32/64 openssl to convert your cert into the correct format.
See https://support.citrix.com/article/CTX136444

Use openssl to create the pkcs12 file. This is done by bundling the private key + the wildcard cert.

Openssl command:
openssl pkcs12 -export -inkey MY_PRIV_KEY.key -in WILDCARD_CERT.crt -out STAR_DOMAIN_COMBINED.p12

openssl pkcs12 -export -in CERT.crt -inkey PKEY.key -certfile sf_bundle-g2-g1.crt -out BUNDLE.pfx 

Make sure to save the password you enter. Now this file can be imported into ASDM.

Can be done here https://www.sslshopper.com/ssl-converter.html
However, it's advised you don't upload your certs to a third party; use openssl on your own PC.

If you have an old/expired wildcard cert you can remove it now, otherwise you might get an error when trying to assign the new one to an interface.

Add the CA cert (pem - plain text BEGIN CERT etc)
Configuration > Device Management > Certificate Management > CA Certificates
Add the pkcs12 cert (pfx) with password
Configuration > Device Management > Certificate Management > Ident Certificates
Assign the cert to the interface (advanced -> SSL)
Configuration > Device Management > Advanced > SSL

This is the process of creating an ident cert and getting it signed by your CA, they send you a signed cert that you can install.
https://www.tunnelsup.com/adding-an-ssl-certificate-on-an-asa/

Ident certs
Create ident cert (config -> Firewall -> Advanced -> Certificate management -> Ident cert)
Add new (create a new key pair if you need to)
Click select button and fill in the details
In this example the URL I have bought the cert for is remote.domain.ie
subject-name CN=remote.domain.ie,OU=IT,O=Customer,C=IE,St=Leinster,L=Dublin
Export cert and send to CA
CA sends back signed cert
Install signed cert
Apply to interface.


After installing
Export the cert + key from ASDM and install the .pfx in their windows server so they don't lose it. Don't forget to record password.
 
More on certs

.csr
This is a Certificate Signing Request. Some applications can generate these for submission to certificate-authorities. The actual format is PKCS10 which is defined in RFC 2986. It includes some/all of the key details of the requested certificate such as subject, organization, state, whatnot, as well as the public key of the certificate to get signed. These get signed by the CA and a certificate is returned. The returned certificate is the public certificate (which includes the public key but not the private key), which itself can be in a couple of formats.

.pem
Defined in RFC's 1421 through 1424, this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. Confusingly, it may also encode a CSR (e.g. as used here) as the PKCS10 format can be translated into PEM. The name is from Privacy Enhanced Mail (PEM), a failed method for secure email but the container format it used lives on, and is a base64 translation of the x509 ASN.1 keys.
.key
This is a PEM formatted file containing just the private-key of a specific certificate and is merely a conventional name and not a standardized one. In Apache installs, this frequently resides in /etc/ssl/private. The rights on these files are very important, and some programs will refuse to load these certificates if they are set wrong.

.pkcs12 .pfx .p12
Originally defined by RSA in the Public-Key Cryptography Standards, the "12" variant was enhanced by Microsoft. This is a passworded container format that contains both public and private certificate pairs. Unlike .pem files, this container is fully encrypted. Openssl can turn this into a .pem file with both public and private keys: openssl pkcs12 -in file-to-convert.p12 -out converted-file.pem -nodes
A few other formats that show up from time to time:

.der
A way to encode ASN.1 syntax in binary, a .pem file is just a Base64 encoded .der file. OpenSSL can convert these to .pem (openssl x509 -inform der -in to-convert.der -out converted.pem). Windows sees these as Certificate files. By default, Windows will export certificates as .DER formatted files with a different extension. Like...

.cert .cer .crt
A .pem (or rarely .der) formatted file with a different extension, one that is recognized by Windows Explorer as a certificate, which .pem is not.

.p7b
Defined in RFC 2315, this is a format used by windows for certificate interchange. Java understands these natively. Unlike .pem style certificates, this format has a defined way to include certification-path certificates.

.p7s
Looks like this one is used for signing emails

.crl
A certificate revocation list. Certificate Authorities produce these as a way to de-authorize certificates before expiration. You can sometimes download them from CA websites.
In summary, there are four different ways to present certificates and their components:

PEM Governed by RFCs, it's used preferentially by open-source software. It can have a variety of extensions (.pem, .key, .cer, .cert, more)

PKCS7 An open standard used by Java and supported by Windows. Does not contain private key material.

PKCS12 A private standard that provides enhanced security versus the plain-text PEM format. This can contain private key material. It's used preferentially by Windows systems, and can be freely converted to PEM format through use of openssl.

DER The parent format of PEM. It's useful to think of it as a binary version of the base64-encoded PEM file. Not routinely used by much outside of Windows.
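An added example, not from the original text, that checks the "a .pem is just a Base64 encoded .der" relationship described above on a throwaway self-signed cert generated locally, and tells the two formats apart by content rather than by file extension (the CN `pem-der-demo` is made up).

```shell
# Added example: show that a .pem certificate is the Base64 text of the .der
# bytes, and tell the two apart by content. The cert is a constructed
# throwaway generated locally.
set -eu

WORK="${TMPDIR:-/tmp}/pem-der-demo.$$"
mkdir -p "$WORK"

make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -keyout "$WORK/k.key" \
    -out "$WORK/cert.pem" -subj "/CN=pem-der-demo" 2>/dev/null
}

# The two conversions from the .der entry above, as functions.
pem_to_der() { openssl x509 -in "$1" -outform der -out "$2"; }
der_to_pem() { openssl x509 -inform der -in "$1" -out "$2"; }

# sha256_of FILE: fingerprint for byte-for-byte comparison.
sha256_of() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# pem_body_is_der PEM DER: drop the BEGIN/END armor lines, Base64-decode what
# is left with the generic base64 codec, and compare with the DER bytes.
pem_body_is_der() {
  sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" \
    | sed '1d;$d' | openssl base64 -d > "$WORK/decoded.der"
  [ "$(sha256_of "$WORK/decoded.der")" = "$(sha256_of "$2")" ]
}

# detect_format FILE: PEM carries the text armor; DER starts with the ASN.1
# SEQUENCE tag byte 0x30, which is how a Windows-exported .cer often looks.
detect_format() {
  if grep -q -- '-----BEGIN ' "$1"; then echo pem
  elif [ "$(head -c1 "$1" | od -An -tx1 | tr -d ' ')" = "30" ]; then echo der
  else echo unknown; fi
}

# Stand-alone run: round-trip PEM -> DER -> PEM and report.
main() {
  make_demo_cert
  pem_to_der "$WORK/cert.pem" "$WORK/cert.der"
  der_to_pem "$WORK/cert.der" "$WORK/back.pem"
  pem_body_is_der "$WORK/cert.pem" "$WORK/cert.der" && echo "pem body == der bytes"
  echo "cert.pem is $(detect_format "$WORK/cert.pem"), cert.der is $(detect_format "$WORK/cert.der")"
}
main
```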

Most common openssl commands
https://www.sslshopper.com/article-most-common-openssl-commands.html



cryptography, encryption and certificates

Data at rest (sitting in memory or on hard disks)
Data in motion (moving through the network)

Management plane - ASDM/web interface / CLI
Control Plane - Routing protocols, STP etc
Data plane - the packets passing etc

We need to protect both

Encryption - used to keep data confidential at rest or in motion
Keys - Data is encrypted with a key. The key is also used to decrypt the data.
Cipher text - data that has been encrypted
Clear text - the unencrypted data
Symmetrical vs Asymmetrical
Symmetrical - 1 key is used to encrypt and decrypt the data (DES, 3DES, AES). Used for bulk encryption of data on disks etc.
Asymmetrical - 2 keys known as a key-pair, higher CPU overhead, used with authentication.
data encrypted by key1 can only be decrypted by key2
data encrypted by key2 can only be decrypted by key1
key1 = private key
key2 = public key (public keys can be exchanged, then we encrypt with private key)
RSA, DSA


Hash/HMAC - Integrity, making sure it hasn't been manipulated along the way (MD5, SHA). We hash the data (math algorithm) which gives us a result known as a digest.
If we check the hash and the data has been changed, we will know. HMAC secures the hash by mixing a secret key into it; someone in the path who doesn't know the key can't recompute a valid HMAC for altered data.

Digital signature - the hash encrypted with the private key is the digital signature
To digitally sign you need a public/private key pair set up
Data generate a hash
Encrypt the hash with the private key (digital signature)
Data+Encrypted hash is sent.
Data is hashed
Encrypted hash is decrypted with the public key from the sender
Compare the hash we calculated with the decrypted hash and make sure they match
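The hash, HMAC and digital signature steps above, worked through with openssl as an added example (not from the original notes); the message, the HMAC secret `s3cr3t` and the sender's key pair are all constructed here.

```shell
# Added example: the hash, HMAC and signature steps above, run with openssl.
# The message, the HMAC secret and the sender's key pair are all constructed
# here; nothing comes from a real system.
set -eu

WORK="${TMPDIR:-/tmp}/sig-demo.$$"
mkdir -p "$WORK"
printf 'pay 100 to account 42\n' > "$WORK/data.txt"      # constructed message
printf 'pay 900 to account 42\n' > "$WORK/tampered.txt"  # altered in transit

# Sender's key pair: the private key never leaves the sender, the public
# key is what the receiver uses to check the signature.
make_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/sender.key" 2>/dev/null
  openssl pkey -in "$WORK/sender.key" -pubout -out "$WORK/sender.pub"
}

# digest FILE: the plain SHA-256 digest. Anyone can recompute it, so by
# itself it only shows that the data changed, not who changed it.
digest() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# hmac SECRET FILE: the keyed digest. Someone in the path who lacks SECRET
# cannot produce a matching value for altered data.
hmac() { openssl dgst -sha256 -hmac "$1" -r "$2" | cut -d' ' -f1; }

# sign FILE SIG: hash the data and sign the digest with the private key
# (the "encrypt the hash with the private key" step in the notes).
sign() { openssl dgst -sha256 -sign "$WORK/sender.key" -out "$2" "$1"; }

# verify FILE SIG: the receiver recomputes the hash and checks it against the
# signature with the sender's public key; succeeds only when both agree.
verify() {
  openssl dgst -sha256 -verify "$WORK/sender.pub" -signature "$2" "$1" >/dev/null 2>&1
}

# Stand-alone run: sign the message, then verify the original and the altered copy.
main() {
  make_keypair
  sign "$WORK/data.txt" "$WORK/data.sig"
  verify "$WORK/data.txt" "$WORK/data.sig" && echo "original: signature OK"
  verify "$WORK/tampered.txt" "$WORK/data.sig" || echo "tampered: signature FAILS"
  echo "hmac with secret A: $(hmac s3cr3t "$WORK/data.txt")"
  echo "hmac with secret B: $(hmac other "$WORK/data.txt")"
}
main
```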

pem format - files that end in the suffix '.pem' or '.key' or '.crt' are usually in this format. If you open the file in notepad it will have BEGIN CERT and END CERT at the top and bottom.

pkcs12 format - files often end in .pfx or .p12. The file will be unreadable in notepad (encrypted). It is created by combining the private key and the cert with the CA (intermediate) cert using a tool like openssl. DigiCert provides a tool for Windows.