SSL

Allwyn
,
0

OpenSSL – WIndows Installation and Certificate Operation Commands

For some reason OpenSSL packages are hard to find, most of them have some missing binaries etc. and things don’t work correctly.

In the end I found a proper working installer here.

Using it from Windows Command Line CMD

Once installed, you should add it to your environmental variables so you can invoke it from CMD straight away.

Open Start -> System and environmental variables.

 

Windows openssl environmental variabled
Windows openssl environmental variables

OpenSSL Files Directory

If you create a new file with openssl it goes to your users directory on windows: C:\Users\<username> 

To output them to a specific folder you can add path with “path” like:

OpenSSL> genrsa -des -out "C:\anypath\testopenssl.key"

Certificate format change operations

One of the most common uses of having openssl installed is to convert and combine all those different(lord knows why there are no standards!) SSL certificates.

PFX to CRT and KEY

PFX/PKCS12 is a format which combines the certificate and the public key into one file with a .pfx extension. Microsoft AD CA gives you this file. You can divide into the cert and key with:

Then to extra the cert:

openssl pkcs12 -in yourfile.pfx -nokeys -out keyfile-encrypted.pem

To extract the key:

openssl pkcs12 -in yourfile.pfx -nocerts -out keyfile-encrypted.key

Once entered you need to type in the import password of the .pfx file.

This is the password that you used to protect your keypair when you created your .pfx file. If you cannot remember it anymore you can just throw your .pfx file away, cause you won’t be able to import it again, anywhere!.

Once you entered the import password OpenSSL requests you to type in another password, twice!. This new password will protect your .key file.

PEM (.pem, .crt, .cer) to PFX/PKCS12

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more-int-certs.crt 

  • -certfile more-int-certs.crt  > optional, only required if you need to import intermediate certificates too. 

This will ask you for a password. To use no pass use:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -nopass

PKCS#7/P7B (.p7b, .p7c) to PFX

P7B files cannot be used to directly create a PFX file. P7B files must be converted to PEM. Once converted to PEM, follow the above steps to create a PFX file from a PEM file.

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt

PKCS7 and PKCS12

These 

Testing Client based SSL auth with s_client

If you are using certificates to do client auth then you need to use:

openssl s_client -connect website:443 -cert user-cert.cert -key user-key.key 

If it fails then the you will see an error with the SSL Handshake failure. 

OpenSSL> s_client -connect auc.akmlab.local:443
CONNECTED(00000274)
depth=0 C = US, ST = Dubai, L = dubai, O = orgname, OU = IT, CN = *.akmlab.local, emailAddress = allwyn.mascarenhas@domain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Dubai, L = dubai, O = orgname, OU = IT, CN = *.akmlab.local, emailAddress = allwyn.mascarenhas@domain.com
verify error:num=21:unable to verify the first certificate
verify return:1
8732:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl\record\rec_layer_s3.c:1528:SSL alert number 40

Verifying Certificate Trust

Recently got a case where there seems to be confusion with user certificates and the signing CA certificate, so in these situations you can just quickly verify the trust instead of importing the certs to production only to find out they do not work. 

This also helps a lot with intermediate certificates in case you using those. 

To verify the trust between an intermediate and CA signing root cert:

OpenSSL> verify -CAfile "C:<path>\akmdc-root.pem" "C:<path>\akmdc-root-intermediate-21feb19.pem"
C:<path>\akmdc-root-intermediate-21feb19.pem: OK

If you using a user cert for SSL client auth along with an intermediate cert and root then use this to check the chain trust all the way to the root:

OpenSSL> verify -CAfile "C:<path>\akmdc-root.pem" "C:<path>\akmdc-root-intermediate-21feb19.pem" "C:<path>\user-cert.pem"
C:<path>\akmdc-root-intermediate-21feb19.pem: OK
C:<path>\user-cert.pem: OK

Notes:

  1. UPDATED: 23 Feb 2019
Allwyn
,
0

Blocking HTTPs websites without SSL inspection on Fortigate

One of my clients wanted to block facebook but without using SSL inspection as he didn’t want to install the cert to 100s of his staff computers.
I explained that with that there would be no other way to get it done. This coming from all of Fortinet’s own documentation obviously. 
Then to convince the client I opened a fortinet ticket and got the same response that this can’t be done without the ssl inspection and certificate installation.
Now this guy hired some other service provider and those guys simply blocked social media signatures in app control and applied it to the policy and IT HAS WORKED.
It doesn’t say “fortiguard blocked” but just keeps the loading icon spinning and facebook doesn’t load at all.
The whole situation turned pretty embarrassing for us.

 

The Confusion

 

Fortinet must spend some time on cleaning up its archives of posts and videos with outdated info i guess.

 

Here in this and this video its displayed how https is blocked seamlessly by just using the SSL inspection inspect all ports method without any importing any certificate. And nothing about SSL certificate warnings is touched upon which almost always pops up when using HTTPs inspection. The Fortinet TAC’s response was also appeared what I can call very non-committal, TAC simply told “you must install the certificate if you get any errors”, really now I doubt there’s ever a situation when you don’t get cert errors which ssl inspection on.