-----Original Message-----
From: Warren Young
Sent: Wednesday, June 15, 2016 10:26
To: CentOS mailing list
Subject: Re: [CentOS] https and self signed
> On Jun 15, 2016, at 7:47 AM, Jerry Geis geisj@pagestation.com wrote:
>
>> Yes I can add the --insecure for curl - but - my other app doesn't
>> seem to work either - perhaps getting the same return message instead
>> of the actual file.

For the love of all that is holy, create your own CA and have your own PKI, even for testing.

> ...
> It's too bad, because self-signed certificates are only unusual on the public Internet. I wish the designers of TLS
> ...
> self-signed cert that declares that it is for 172.16.69.42, and that any host on 172.16.69.0/24 should trust it implicitly.
It is very easy to create your own CA, to sign your own certs. There is no need to support self-signed "leaf nodes" of the PKI.
I have taken some liberties on this to save me time, you will need to change config values to suit your needs.
$ mkdir -p CA/{private,certs}
$ cd CA
# copy the default openssl config
$ cp -v "$(openssl ca -verbose 2>&1 | head -n 1 | sed 's/Using configuration from //')" .
# point the config at this directory; -r enables the (...) group and the \1 back-reference,
# and $dir stays literal because openssl.cnf expands it itself
$ sed -r -i 's/^(\s*dir\s*=.*)/#\1\ndir=./' openssl.cnf
$ sed -r -i 's|^(\s*certificate\s*=.*)|#\1\ncertificate=$dir/CA.crt|' openssl.cnf
$ sed -r -i 's|^(\s*private_key\s*=.*)|#\1\nprivate_key=$dir/private/CA.key|' openssl.cnf
# new_certs_dir must be the certs/ directory created above (the default newcerts/ does not exist)
$ sed -r -i 's|^(\s*new_certs_dir\s*=.*)|#\1\nnew_certs_dir=$dir/certs|' openssl.cnf
$ touch index.txt
# done setting up the file system
$ openssl req -config openssl.cnf -new -nodes -keyout private/CA.key -out CA.csr
# answer the questions
# -extensions v3_ca marks the root as a CA (basicConstraints CA:TRUE); without it the
# default usr_cert extensions are applied and the root is issued with CA:FALSE
$ openssl ca -config openssl.cnf -batch -in CA.csr -create_serial -selfsign -extensions v3_ca
# there should only be one cert, the CA's self signed cert
$ cp certs/*.pem CA.crt
# done creating the CA
# now you can sign your server certificate signing requests (CSR)
# make a csr (the request command itself was not in the post; this is the standard form)
$ openssl req -config openssl.cnf -new -nodes -keyout server.key -out server.csr
# sign server.csr
$ openssl ca -config openssl.cnn -batch -in server.csr
# files at end of email for understanding...
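An added example, not the list post's own commands, that carries the same procedure through end to end: it writes a self-contained openssl.cnf instead of patching the system copy, marks the root as a real CA, signs one server CSR, and checks that the leaf chains to the root. Every file and section name (CA.crt, local_ca, v3_ca, v3_server, the 127.0.0.1/localhost subject) is this example's own choice; $1 is the working directory.

```shell
# Added example, not the list post's own commands: a throwaway private CA built
# with "openssl ca", one server cert signed by it, and a chain check. All file and
# section names (CA.crt, local_ca, v3_*) are this example's own; $1 = work dir.
set -eu
write_ca_config() {   # self-contained openssl.cnf, so nothing depends on the system copy
  cat > "$1/openssl.cnf" <<'EOF'
[ ca ]
default_ca     = local_ca
[ local_ca ]
dir            = .
database       = $dir/index.txt
new_certs_dir  = $dir/certs
serial         = $dir/serial
certificate    = $dir/CA.crt
private_key    = $dir/private/CA.key
policy         = policy_any
[ policy_any ]
commonName     = supplied
[ req ]
distinguished_name = req_dn
prompt         = no
[ req_dn ]
CN             = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage       = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = IP:127.0.0.1, DNS:localhost
EOF
}
new_csr() {   # $1 = dir, $2 = basename, $3 = subject; writes $2.key and $2.csr
  ( cd "$1" && openssl req -config openssl.cnf -new -newkey rsa:2048 -nodes \
      -subj "$3" -keyout "$2.key" -out "$2.csr" )
}
build_pki() {   # $1 = work dir; the root gets v3_ca, the leaf v3_server
  mkdir -p "$1/private" "$1/certs" && touch "$1/index.txt" && write_ca_config "$1"
  new_csr "$1" private/CA '/CN=Private Root CA'
  ( cd "$1" && openssl ca -config openssl.cnf -batch -selfsign -create_serial -notext \
      -days 365 -md sha256 -extensions v3_ca -in private/CA.csr -out CA.crt )
  new_csr "$1" server '/CN=127.0.0.1'
  ( cd "$1" && openssl ca -config openssl.cnf -batch -notext -days 365 -md sha256 \
      -extensions v3_server -in server.csr -out server.crt )
}
check_pki() {   # 0 only if server.crt chains to CA.crt and CA.crt is marked CA:TRUE
  openssl verify -CAfile "$1/CA.crt" "$1/server.crt" >/dev/null &&
    openssl x509 -in "$1/CA.crt" -noout -text | grep -q 'CA:TRUE'
}
[ -n "${1-}" ] && build_pki "$1" && check_pki "$1" && echo "PKI in $1 verifies"
```

With CA.crt in hand, the curl call from the thread can use --cacert CA.crt instead of --insecure, and the same file is what goes into the other app's trust store.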
> Such a cert could not be used to prove identity, prevent spoofing, or prevent MITM attacks, but it would give a way to set up encryption, which is often all you actually want. MITM attacks could be largely prevented with certificate pinning.
And reducing the trusted CA set in your enterprise.
$ cat ./private/CA.key
$ cat ./certs/FC4B076EEDAC665F.pem
$ cat ./certs/FC4B076EEDAC6660.pem