If you need a way to simply encrypt and decrypt files or strings with a symmetric key (same password for encryption and decryption), openssl provides this functionality. Be sure to avoid weak ciphers such as 3DES, and employ salt as well as PBKDF2 iterations to reduce vulnerability to brute force attacks. Here is a simple … Linux: using openssl to encrypt and decrypt files and strings
In environments where certificates are manually deployed, reloading TLS certs is often only done annually when the certificate is near expiration. This long lapse in time often means that someone else has inherited the task of renewal, and the original key in use may even be in question. Luckily, openssl provides a way to validate … Linux: openssl to validate whether private key and TLS certificate match
YAML is a popular syntax for configuration, and it is common to have certificate definitions embedded in these files. But since the cert is typically Base64 PEM encoded, it means you can’t easily view its attributes (subject, expiration date, etc) and so you are left with the manual task of copy-pasting it out, saving as … Bash: Examining each certificate in a yaml file using sed and openssl
Especially with private git repositories that may be self-signed or have private CA, you may get the following error from the git client after a certificate has been updated: fatal: unable to access ‘https://git.mycompany.com/myuser/myrepo.git/’: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none This means that the git client cannot verify the integrity of the certificate … Git: client error, server certificate verification failed
There are numerous articles I’ve written where a certificate is a prerequisite for deploying a piece of infrastructure. This article will guide you through generating a self-signed certificate with SAN (Subject Alternative Name) and SAN wildcard entries, replacing the deprecated usage of CN=<FQDN>. In addition to the operational benefits of managing SAN, it is also … Ubuntu: Creating a self-signed SAN certificate using OpenSSL
There are numerous articles I’ve written where a certificate is a prerequisite for deploying a piece of infrastructure. This article will guide you through creating a trusted CA (Certificate Authority), and then using that to sign a server certificate that supports SAN (Subject Alternative Name). Operationally, having your own trusted CA is advantageous over a … Ubuntu: Creating a trusted CA and SAN certificate using OpenSSL
SMTP mail relays exposed to the internet typically use a combination of SSL and authenticated SMTP to avoid abuse by malicious actors. This is an excellent choice from a security perspective, but makes smoke testing a bit more complex than just opening telnet.
There are numerous articles I’ve written where a certificate is a prerequisite for deploying a piece of infrastructure. Here are the quick steps for installing a simple self-signed certificate on an Ubuntu server. If you instead need to create a certificate with SAN (Subject Alternative Name) support, read my article here. Some of you will … Ubuntu: Creating a self-signed certificate using OpenSSL on Ubuntu
The PingFederate server provides best-in-class Identity Management and SSO. However, due to US laws governing export of cryptography, the default SSL protocols and cipher suites need to be configured to harden the solution. Below are the steps involved with making these post-installation changes.
Update Feb 2023: enumerating the secure protocols and ciphers of a remote site can be done more efficiently by nmap, as described in my other article here. While enabling HTTPS is a important step in securing your web application, it is critical that you take steps to disable legacy protocols and low strength ciphers that … OpenSSL: Using OpenSSL to enumerate protocols and ciphers in use by web applications