%%bash
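# Lay out the on-disk structure for a two-level PKI: a root CA, a
# subordinate ("Level 1") CA, one TLS server and two client identities.
# Abort the cell on the first failure instead of carrying on with a
# half-built tree that later openssl ca calls would trip over.
set -euo pipefail
# Per-CA working tree: db/ holds the openssl-ca database and counters,
# certs/ receives one file per issued certificate, named by serial.
mkdir -p {rootCA,subCA}/{db,certs} server klient{A,B}
# Private keys live in a directory only the owner can enter.
# NB: with -p, -m applies to the final path component only; the CA
# directories themselves were created above with the default mode.
mkdir -p -m 0700 {root,sub}CA/private
# openssl ca expects its database file to exist, even when empty.
touch {root,sub}CA/db/index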
%%bash
# Seed the counters that openssl ca increments on every issuance and
# every CRL generation.  The first serial is 16 random bytes (32 hex
# digits) rather than "01": unpredictable serials are what the
# CA/Browser Forum baseline requires (at least 64 bits of CSPRNG
# output) and are the established mitigation against chosen-prefix
# collision attacks on the signature hash.  CRL numbers just need to
# be monotonic, so a fixed starting value is fine.
for ca in rootCA subCA; do
  openssl rand -hex 16 >"${ca}/db/serial"
  printf '%s\n' 1001 >"${ca}/db/crlnumber"
done
%%bash
# Show the empty skeleton before any keys or certificates exist.
tree
. ├── CA.ipynb ├── klientA ├── klientB ├── rootCA │ ├── certs │ ├── db │ │ ├── crlnumber │ │ ├── index │ │ └── serial │ └── private ├── server └── subCA ├── certs ├── db │ ├── crlnumber │ ├── index │ └── serial └── private 11 directories, 7 files
%%bash
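# Fetch the openssl configuration templates the cells below rely on
# (rootCA.conf, subCA.conf, server.conf, client.conf).
set -euo pipefail
wget -O ca-conf.tgz https://ics.upjs.sk/~rkb/ops1/ca-conf.tgz
# The archive arrives over the network with no signature, and its
# contents become the CA policy (key sizes, extensions, name
# constraints).  Record its digest and list the members before
# unpacking, so what was extracted is on the record and an
# unexpected member (or an absolute/.. path) is visible up front.
# EXPECTED_SHA256=<fill in the digest published with the course
# material, if any, and compare against the line below>
sha256sum ca-conf.tgz
tar -tzf ca-conf.tgz
tar -xzf ca-conf.tgz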
--2020-05-01 05:40:07-- https://ics.upjs.sk/~rkb/ops1/ca-conf.tgz Resolving ics.upjs.sk (ics.upjs.sk)... 158.197.62.49 Connecting to ics.upjs.sk (ics.upjs.sk)|158.197.62.49|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 1313 (1.3K) [application/x-gzip] Saving to: ‘ca-conf.tgz’ 0K . 100% 37.7M=0s 2020-05-01 05:40:08 (37.7 MB/s) - ‘ca-conf.tgz’ saved [1313/1313]
%%bash
# Root CA: generate a fresh key pair and a self-addressed CSR.  Key
# size and DN come from rootCA.conf (the run above shows a 4096-bit
# RSA key and no DN prompts).  The key is written pass-phrase
# protected — openssl prompts for the phrase — into the 0700
# private/ directory created earlier.
openssl req -new \
  -config "rootCA.conf" \
  -keyout "rootCA/private/ca.key" \
  -out "rootCA/ca.csr"
Generating a RSA private key ......................................................................................++++ ............................................................................................................................................................................................++++ writing new private key to 'rootCA/private/ca.key' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: -----
%%bash
# Self-sign the root CSR: -selfsign makes openssl ca sign with the key
# the request itself was signed with.  ca_ext (in rootCA.conf)
# supplies the root profile; the run above shows CA:TRUE and
# Key Usage "Certificate Sign, CRL Sign", both critical, and no
# AIA/CRL pointers (a root needs none).  The certificate is also
# recorded in rootCA/db/index and dropped into rootCA/certs/.
openssl ca -selfsign \
  -config "rootCA.conf" \
  -extensions ca_ext \
  -in "rootCA/ca.csr" \
  -out "rootCA/ca.crt"
Using configuration from rootCA.conf Enter pass phrase for rootCA/private/ca.key: Check that the request matches the signature Signature ok Certificate Details: Certificate: Data: Version: 3 (0x2) Serial Number: 29:10:e7:1d:a3:9d:98:5f:e5:7c:a6:00:70:f5:46:45 Issuer: countryName = SK organizationName = UPJS commonName = SKB Root CA Validity Not Before: May 1 09:49:58 2020 GMT Not After : Apr 29 09:49:58 2030 GMT Subject: countryName = SK organizationName = UPJS commonName = SKB Root CA Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (4096 bit) Modulus: 00:be:cc:63:cf:c7:12:d0:20:89:eb:f2:25:59:34: 52:76:49:e8:2b:fd:2a:77:d4:df:7e:13:a5:f5:6b: aa:f2:a7:65:4a:23:4c:1b:b0:84:95:02:5e:6b:d0: 41:62:0b:02:55:23:af:3c:dd:dd:44:77:97:84:83: ea:e4:57:26:a9:c2:ea:a9:be:d2:32:d6:c9:f9:7e: 13:56:81:19:08:7d:79:cd:58:9f:f8:3a:af:2a:35: 93:67:78:5e:14:99:f7:fb:43:e0:80:2a:1c:64:8f: fe:d6:a2:da:6a:64:6b:95:20:f0:29:29:00:4e:98: 30:0a:e9:4c:3f:d3:67:35:44:be:43:6d:e1:38:57: ce:b1:63:b8:cc:ac:3a:85:b5:d2:72:7a:74:16:8b: 51:95:55:a1:37:d7:96:2f:7e:dd:c8:2b:66:2f:18: 3f:f2:b6:5b:a4:78:b6:97:60:42:df:31:a7:c1:6a: 2e:d5:50:6e:cd:09:44:7d:8c:7f:25:18:17:9d:df: 6c:76:fd:dc:f6:ed:47:9e:7a:ab:b3:7b:98:ec:e0: c6:2d:49:78:29:8b:1b:a6:74:30:2f:15:05:c5:d7: 59:ac:54:89:c6:d8:ba:cd:bf:29:ce:a9:1f:bd:9c: 8a:58:25:82:b0:7e:71:79:36:c6:2c:3a:e9:fa:7c: 5d:e0:bb:56:55:49:91:83:77:10:64:5a:30:57:e2: 91:e7:d1:96:64:70:c0:23:78:a4:56:c8:02:0f:53: d3:0c:a6:73:6d:f5:8e:a9:0b:cd:36:ff:9e:86:9d: 71:79:a7:e8:ec:da:77:6a:85:2f:8b:24:ec:2f:77: 90:d6:e4:73:a1:1e:15:66:04:62:86:7a:63:af:3e: f2:19:25:49:ff:90:bc:31:be:c3:cd:3b:7b:80:84: 8a:09:75:ae:0f:08:ea:dc:f3:cc:3e:19:7e:ca:cc: 4a:23:df:30:12:34:c0:44:60:96:33:7d:b6:6b:08: e2:4a:96:b4:be:57:88:e3:1a:19:a6:08:c8:7d:d0: cb:7e:3e:40:c2:e3:6a:0c:11:2f:57:65:ec:3f:c1: 45:35:3d:6b:0f:f3:1e:89:63:e7:08:34:cc:d0:8a: ef:2f:46:2b:6c:52:d5:57:66:af:1e:77:14:81:da: d5:a1:26:c3:28:c4:b6:7c:2a:76:ac:f8:3e:5d:be: 
17:f0:f1:eb:20:5f:dd:56:c5:ff:74:a9:43:49:89: 5b:94:65:1a:12:c3:4e:52:df:24:e7:97:21:bb:78: 44:f2:f8:66:e5:dc:02:4e:4f:91:8a:b7:fa:91:be: 15:7e:03:7d:a0:5a:25:7f:85:75:99:54:16:81:46: 0b:c8:e9 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Subject Key Identifier: AE:3B:DF:B2:6A:93:12:37:1F:E2:74:ED:00:43:37:E9:89:4A:91:61 Certificate is to be certified until Apr 29 09:49:58 2030 GMT (3650 days) Sign the certificate? [y/n]: 1 out of 1 certificate requests certified, commit? [y/n]Write out database with 1 new entries Data Base Updated
%%bash
# Subordinate ("Level 1") CA: new key pair plus CSR, to be signed by
# the root in the next cell.  The key is pass-phrase protected
# (prompted for above) and lands in subCA/private/ (mode 0700).
openssl req -new \
  -config "subCA.conf" \
  -keyout "subCA/private/ca.key" \
  -out "subCA/ca.csr"
Generating a RSA private key .............................................................++++ ......................................++++ writing new private key to 'subCA/private/ca.key' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: -----
%%bash
# Issue the subordinate CA certificate with the ROOT key and config
# (-config rootCA.conf), applying the sub_ca_ext profile.  The run
# above shows what that profile buys: CA:TRUE with pathlen:0 (it
# cannot create further CAs), Name Constraints permitting only DNS
# names under skb.upjs.sk and excluding every IPv4/IPv6 address, so a
# compromise of this key cannot mint certificates for other domains,
# and AIA/CRL URLs under root-ca.skb.upjs.sk.  No cell shown here
# generates or publishes a CRL or runs an OCSP responder at those
# URLs, so relying parties that check revocation will not get an
# answer until that is set up.
openssl ca \
  -config "rootCA.conf" \
  -extensions sub_ca_ext \
  -in "subCA/ca.csr" \
  -out "subCA/ca.crt"
Using configuration from rootCA.conf Enter pass phrase for rootCA/private/ca.key: Check that the request matches the signature Signature ok Certificate Details: Certificate: Data: Version: 3 (0x2) Serial Number: 29:10:e7:1d:a3:9d:98:5f:e5:7c:a6:00:70:f5:46:46 Issuer: countryName = SK organizationName = UPJS commonName = SKB Root CA Validity Not Before: May 1 09:53:28 2020 GMT Not After : Apr 29 09:53:28 2030 GMT Subject: countryName = SK organizationName = UPJS commonName = SKB Level 1 CA Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (4096 bit) Modulus: 00:d2:a1:6b:d0:bd:0e:66:0d:74:cd:7a:47:a5:a9: ae:38:19:2f:a4:34:af:01:e4:c6:87:0a:9c:24:60: 59:39:de:fe:70:a2:d7:05:01:3a:60:af:6e:69:c2: b5:67:a1:b0:f2:63:06:34:bf:38:85:76:e8:40:af: 84:30:f4:30:1d:87:1f:23:bb:6e:92:f1:61:63:ed: 79:70:c6:4f:bc:57:f7:f6:70:34:b5:d8:08:d9:20: fc:1e:65:a5:72:74:36:3f:43:56:4d:90:01:25:43: d8:ae:82:5c:90:07:05:ab:15:65:19:63:25:be:06: e0:c3:e9:79:bd:e3:ce:c1:be:4a:33:4e:d2:b5:0a: 18:89:3e:15:26:f5:75:21:b3:1d:f9:2c:00:c5:20: 87:c2:f7:42:f2:9e:c6:b5:71:41:19:4d:9b:46:ba: 78:38:be:db:4f:67:06:72:40:95:75:7a:00:1e:95: b1:4f:7f:7d:ad:02:7b:dd:d1:3f:6b:73:02:be:36: 4b:ba:d6:7c:2d:8e:95:91:57:b6:53:37:d9:00:99: c0:9d:19:6e:c2:9c:d9:a6:03:c6:87:e6:99:df:a8: 3d:00:6a:be:29:3d:c2:e1:55:c7:3f:9c:ab:4c:4a: 54:78:35:37:fa:b1:90:6e:10:64:2b:f6:bd:51:37: 4b:bf:3d:6f:49:06:5f:81:fe:ad:8e:60:ed:90:39: 99:b7:f0:d6:32:0e:15:d6:d4:e8:85:ac:67:00:5d: 16:ea:db:ad:32:fa:9f:43:90:fb:78:c7:b2:31:92: f8:48:bf:1b:a3:2d:64:05:85:7e:bb:53:69:13:3f: 80:59:64:a4:22:5d:a2:3d:14:84:13:f8:46:55:85: 9b:9d:e1:f0:04:15:9b:7c:04:b1:c5:a3:91:24:4a: 3a:b8:8e:82:a3:57:cd:99:13:f4:56:ba:4b:f7:88: cb:d1:73:d3:37:59:58:f6:5e:e5:7f:b7:56:a0:28: 62:07:33:e3:e3:0d:9d:be:dd:d9:5d:38:e5:f5:d2: e5:80:52:12:e4:7f:67:52:b0:63:1b:1c:2a:71:61: 8b:ed:dd:d4:3c:ee:8c:70:6f:94:8d:70:8a:07:56: 58:5d:4b:7a:6a:da:98:db:2a:f8:97:e3:3c:ce:65: 57:ab:84:54:25:0c:0a:97:95:56:62:2a:48:45:ab: 
f5:d3:0c:af:da:d3:60:c6:e6:62:5d:cd:99:18:81: 70:90:5c:d3:e2:58:c5:cd:0f:ec:fc:52:54:87:9a: 7f:32:2c:d8:99:fc:ca:2d:b6:af:ca:d3:a1:70:74: 40:1c:8e:21:a7:da:49:a0:48:00:ed:44:7a:ef:5e: e8:9f:bb Exponent: 65537 (0x10001) X509v3 extensions: Authority Information Access: CA Issuers - URI:http://root-ca.skb.upjs.sk/root-ca.crt OCSP - URI:http://ocsp.root-ca.skb.upjs.sk:9080 X509v3 Authority Key Identifier: keyid:AE:3B:DF:B2:6A:93:12:37:1F:E2:74:ED:00:43:37:E9:89:4A:91:61 X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 X509v3 CRL Distribution Points: Full Name: URI:http://root-ca.skb.upjs.sk/root-ca.crl X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Name Constraints: Permitted: DNS:skb.upjs.sk Excluded: IP:0.0.0.0/0.0.0.0 IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0 X509v3 Subject Key Identifier: 2B:44:9B:54:A6:81:A3:4B:DA:08:EE:62:20:F6:E3:17:30:93:90:73 Certificate is to be certified until Apr 29 09:53:28 2030 GMT (3650 days) Sign the certificate? [y/n]: 1 out of 1 certificate requests certified, commit? [y/n]Write out database with 1 new entries Data Base Updated
%%bash
# TLS server identity: key pair and CSR for the web server.  The key
# is again pass-phrase protected (see the prompt above); Apache will
# need that pass phrase, or an unencrypted copy, when it starts.
openssl req -new \
  -config "server.conf" \
  -keyout "server/server.key" \
  -out "server/server.csr"
Generating a RSA private key ......................................++++ ......................................++++ writing new private key to 'server/server.key' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: -----
%%bash
# Sign the server CSR with the SUBORDINATE CA (-config subCA.conf)
# using the server_ext profile: CA:FALSE, Key Usage Digital Signature
# + Key Encipherment, EKU serverAuth/clientAuth, per the run above.
# NOTE(review): the extension list printed above contains no Subject
# Alternative Name — the host appears only as CN=www.skb.upjs.sk.
# Current browsers and most TLS libraries match the host name against
# SAN only, so as issued this certificate will be rejected for that
# host.  Add a subjectAltName to server_ext in subCA.conf (or enable
# copy_extensions there and carry it in the CSR) and re-issue.
openssl ca \
  -config "subCA.conf" \
  -extensions server_ext \
  -in "server/server.csr" \
  -out "server/server.crt"
Using configuration from subCA.conf Enter pass phrase for subCA/private/ca.key: Check that the request matches the signature Signature ok Certificate Details: Certificate: Data: Version: 3 (0x2) Serial Number: ee:b8:5b:87:f8:d0:05:c5:1c:6e:98:81:4a:b3:e3:3c Issuer: countryName = SK organizationName = UPJS commonName = SKB Level 1 CA Validity Not Before: May 1 09:58:23 2020 GMT Not After : Apr 29 09:58:23 2030 GMT Subject: countryName = SK organizationName = UPJS commonName = www.skb.upjs.sk Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (4096 bit) Modulus: 00:c0:19:94:51:68:4d:10:e3:81:c3:8f:80:cf:d3: 07:27:ef:9f:11:c5:d6:f8:ab:d0:06:a4:6d:a5:45: ca:a7:2c:22:24:ce:37:d6:96:6c:08:db:62:9f:bc: 09:fc:4b:0e:f0:6c:86:ee:b4:23:5c:b1:41:e4:24: 49:52:15:c9:a2:5c:58:ba:1d:80:70:ea:90:82:cb: 5a:d7:a2:36:66:d2:54:7e:c3:e9:4a:13:83:86:4e: 4b:9a:96:09:c2:58:60:f4:ed:dd:43:73:9e:f4:01: 06:2a:f4:35:67:73:5f:6e:e5:0c:8b:4a:67:73:3d: b8:07:80:a9:77:31:86:eb:f7:c6:39:3d:45:1a:75: ac:62:f7:3a:0a:45:dd:d8:85:50:05:5a:29:27:f9: c5:aa:27:94:e7:60:46:cf:0f:d0:c3:6c:0f:83:f5: f2:51:6f:ef:9e:13:ff:bc:0d:4e:9c:80:fd:b1:11: d0:02:65:11:ea:93:2e:e5:9f:18:43:b3:0b:46:20: 57:29:8f:26:80:c6:41:a0:d3:ec:00:63:2a:fd:44: 9d:90:15:c8:1c:cb:20:d6:0a:43:60:46:f7:09:ef: bb:eb:f7:d3:98:7c:f1:71:d3:86:8d:5b:59:00:ed: f5:0d:37:75:c7:66:4e:bd:9c:2d:78:58:90:43:69: 88:96:85:89:4c:13:b4:1e:18:5b:a9:bd:a1:92:bd: 0e:3b:f0:8c:01:2d:40:f0:6b:d1:23:d4:39:7e:23: 02:03:40:d6:32:7b:20:e7:56:82:e6:b8:43:e0:63: 4c:c6:80:90:d4:7a:74:97:88:88:ac:45:af:b5:14: 08:b2:e5:b8:a4:89:50:9d:fd:59:21:3e:f9:1c:d7: 5e:4e:34:f0:f8:a7:f1:a2:b1:77:2b:c5:f0:dc:76: ba:02:c8:4d:37:4d:ed:4b:6c:f0:6f:68:1d:40:bb: d5:65:9c:76:c1:46:a0:07:a3:cd:e8:31:7a:f3:6a: 98:62:81:a8:d2:61:85:81:52:7a:9f:22:2e:2c:c3: f5:15:2f:31:8e:32:99:8f:c3:22:16:8c:38:ca:4f: 5f:f2:2d:2b:a1:f5:2f:a7:23:27:2b:a3:5e:d1:dc: 78:32:67:f7:91:7e:56:76:cf:58:5a:b2:97:3e:50: 43:02:42:42:cf:88:ef:d5:71:df:0a:49:61:36:ca: 
bb:99:b2:ea:3c:9f:1a:65:f7:d9:8e:8b:ac:20:e9: f3:22:26:ef:de:41:8d:48:89:70:9d:7e:20:96:90: d8:49:f1:05:aa:f6:da:b6:2f:fa:e5:fe:8e:cf:d8: d2:7c:9e:37:06:7b:89:47:79:1e:0b:c2:7c:6f:55: 34:ee:57 Exponent: 65537 (0x10001) X509v3 extensions: Authority Information Access: CA Issuers - URI:http://root-ca.skb.upjs.sk/root-ca.crt OCSP - URI:http://ocsp.root-ca.skb.upjs.sk:9080 X509v3 Authority Key Identifier: keyid:2B:44:9B:54:A6:81:A3:4B:DA:08:EE:62:20:F6:E3:17:30:93:90:73 X509v3 Basic Constraints: critical CA:FALSE X509v3 CRL Distribution Points: Full Name: URI:http://root-ca.skb.upjs.sk/root-ca.crl X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Subject Key Identifier: B3:08:C4:CC:65:07:29:C4:58:EF:8C:B5:B8:F7:78:1D:45:3C:05:7E Certificate is to be certified until Apr 29 09:58:23 2030 GMT (3650 days) Sign the certificate? [y/n]: 1 out of 1 certificate requests certified, commit? [y/n]Write out database with 1 new entries Data Base Updated
%%bash
# Build the chain file Apache will serve: leaf first, then the
# subordinate CA, then the root.  openssl ca writes a human-readable
# dump ahead of the PEM block in each .crt, so only the BEGIN..END
# blocks are kept.  Order matters for the first two; including the
# root is redundant (a client that does not already trust it gains
# nothing from receiving it) but harmless.  tee echoes the result so
# the notebook shows what was written.
{
  sed -n '/-----BEGIN/,/-----END/p' "server/server.crt"
  sed -n '/-----BEGIN/,/-----END/p' "subCA/ca.crt"
  sed -n '/-----BEGIN/,/-----END/p' "rootCA/ca.crt"
} | tee "server/chain.crt"
-----BEGIN CERTIFICATE----- MIIGKDCCBBCgAwIBAgIRAO64W4f40AXFHG6YgUqz4zwwDQYJKoZIhvcNAQELBQAw NTELMAkGA1UEBhMCU0sxDTALBgNVBAoMBFVQSlMxFzAVBgNVBAMMDlNLQiBMZXZl bCAxIENBMB4XDTIwMDUwMTA5NTgyM1oXDTMwMDQyOTA5NTgyM1owNjELMAkGA1UE BhMCU0sxDTALBgNVBAoMBFVQSlMxGDAWBgNVBAMMD3d3dy5za2IudXBqcy5zazCC AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMAZlFFoTRDjgcOPgM/TByfv nxHF1vir0AakbaVFyqcsIiTON9aWbAjbYp+8CfxLDvBshu60I1yxQeQkSVIVyaJc WLodgHDqkILLWteiNmbSVH7D6UoTg4ZOS5qWCcJYYPTt3UNznvQBBir0NWdzX27l DItKZ3M9uAeAqXcxhuv3xjk9RRp1rGL3OgpF3diFUAVaKSf5xaonlOdgRs8P0MNs D4P18lFv754T/7wNTpyA/bER0AJlEeqTLuWfGEOzC0YgVymPJoDGQaDT7ABjKv1E nZAVyBzLINYKQ2BG9wnvu+v305h88XHTho1bWQDt9Q03dcdmTr2cLXhYkENpiJaF iUwTtB4YW6m9oZK9DjvwjAEtQPBr0SPUOX4jAgNA1jJ7IOdWgua4Q+BjTMaAkNR6 dJeIiKxFr7UUCLLluKSJUJ39WSE++RzXXk408Pin8aKxdyvF8Nx2ugLITTdN7Uts 8G9oHUC71WWcdsFGoAejzegxevNqmGKBqNJhhYFSep8iLizD9RUvMY4ymY/DIhaM OMpPX/ItK6H1L6cjJyujXtHceDJn95F+VnbPWFqylz5QQwJCQs+I79Vx3wpJYTbK u5my6jyfGmX32Y6LrCDp8yIm795BjUiJcJ1+IJaQ2EnxBar22rYv+uX+js/Y0nye NwZ7iUd5HgvCfG9VNO5XAgMBAAGjggEwMIIBLDB0BggrBgEFBQcBAQRoMGYwMgYI KwYBBQUHMAKGJmh0dHA6Ly9yb290LWNhLnNrYi51cGpzLnNrL3Jvb3QtY2EuY3J0 MDAGCCsGAQUFBzABhiRodHRwOi8vb2NzcC5yb290LWNhLnNrYi51cGpzLnNrOjkw ODAwHwYDVR0jBBgwFoAUK0SbVKaBo0vaCO5iIPbjFzCTkHMwDAYDVR0TAQH/BAIw ADA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vcm9vdC1jYS5za2IudXBqcy5zay9y b290LWNhLmNybDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0P AQH/BAQDAgWgMB0GA1UdDgQWBBSzCMTMZQcpxFjvjLW493gdRTwFfjANBgkqhkiG 9w0BAQsFAAOCAgEADQ79bj84UWlD0CzhjPOEGDqlLtzsi/JJQYNb4KC4+65kZ48T U/s0qX2zZotZatF2FNc5PvjEz8C14TolPeKki7IaDzoaX34q/P5z/5vrUsNdIkAQ ZwzRCMs7yGflrY9UmqmCpZW9UcxVpKM233uHDNGs0AkzA24R/dN/fY5y1GraorHe 7Mo6Tm3I88RcJtwEhgT4TQQMl6WOvZbumC3RiXJ7QEZDhb5rT2fZz5vLAq/WVIJx 2t2SAm7CcUyl/Rxr+v+Mo0znYuRLME0MxEk6GJ3GIz0uNHhjyuiqHPBZtO5BeAjE 9+2TxaHpWUgYi8XvzePKJejQgjjWm8i4k+ApRME2FL914Ye4wdVhZcPMOusrJDAv MXvHAoTfVPeYcjVDgEr8PnIM0zNXFm4TpfjxANEQF9OKew5HHDBspkCgtBXYRQ2o TUIkkEO/fiQixO45DF7Gk+2DyKiBAmLg6DHtmja2WmT6voREGMILaD9JyXlrhIi6 
uG40zQfIKd9i+MIRhqE4vA73pwG8VwRc6FM+0LrFrXey0GlAjWEK5opR0KBvGjGO bZB//WtmNG6HjZkhPX8h+PqWJ8FDj77YiYZqguxt2Lhoy2J9CjpszvleM59OAp0L 83eDQEVTQqG/1+iRZqzGjbcxv03/Epcg1mlv6FWB//is6v7oEEYVkFymyuY= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIGdzCCBF+gAwIBAgIQKRDnHaOdmF/lfKYAcPVGRjANBgkqhkiG9w0BAQsFADAy MQswCQYDVQQGEwJTSzENMAsGA1UECgwEVVBKUzEUMBIGA1UEAwwLU0tCIFJvb3Qg Q0EwHhcNMjAwNTAxMDk1MzI4WhcNMzAwNDI5MDk1MzI4WjA1MQswCQYDVQQGEwJT SzENMAsGA1UECgwEVVBKUzEXMBUGA1UEAwwOU0tCIExldmVsIDEgQ0EwggIiMA0G CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDSoWvQvQ5mDXTNekelqa44GS+kNK8B 5MaHCpwkYFk53v5wotcFATpgr25pwrVnobDyYwY0vziFduhAr4Qw9DAdhx8ju26S 8WFj7Xlwxk+8V/f2cDS12AjZIPweZaVydDY/Q1ZNkAElQ9iuglyQBwWrFWUZYyW+ BuDD6Xm9487BvkozTtK1ChiJPhUm9XUhsx35LADFIIfC90Lynsa1cUEZTZtGung4 vttPZwZyQJV1egAelbFPf32tAnvd0T9rcwK+Nku61nwtjpWRV7ZTN9kAmcCdGW7C nNmmA8aH5pnfqD0Aar4pPcLhVcc/nKtMSlR4NTf6sZBuEGQr9r1RN0u/PW9JBl+B /q2OYO2QOZm38NYyDhXW1OiFrGcAXRbq260y+p9DkPt4x7IxkvhIvxujLWQFhX67 U2kTP4BZZKQiXaI9FIQT+EZVhZud4fAEFZt8BLHFo5EkSjq4joKjV82ZE/RWukv3 iMvRc9M3WVj2XuV/t1agKGIHM+PjDZ2+3dldOOX10uWAUhLkf2dSsGMbHCpxYYvt 3dQ87oxwb5SNcIoHVlhdS3pq2pjbKviX4zzOZVerhFQlDAqXlVZiKkhFq/XTDK/a 02DG5mJdzZkYgXCQXNPiWMXND+z8UlSHmn8yLNiZ/Mottq/K06FwdEAcjiGn2kmg SADtRHrvXuifuwIDAQABo4IBhDCCAYAwdAYIKwYBBQUHAQEEaDBmMDIGCCsGAQUF BzAChiZodHRwOi8vcm9vdC1jYS5za2IudXBqcy5zay9yb290LWNhLmNydDAwBggr BgEFBQcwAYYkaHR0cDovL29jc3Aucm9vdC1jYS5za2IudXBqcy5zazo5MDgwMB8G A1UdIwQYMBaAFK4737JqkxI3H+J07QBDN+mJSpFhMBIGA1UdEwEB/wQIMAYBAf8C AQAwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDovL3Jvb3QtY2Euc2tiLnVwanMuc2sv cm9vdC1jYS5jcmwwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA4GA1Ud DwEB/wQEAwIBBjBMBgNVHR4ERTBDoA8wDYILc2tiLnVwanMuc2uhMDAKhwgAAAAA AAAAADAihyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAdBgNVHQ4E FgQUK0SbVKaBo0vaCO5iIPbjFzCTkHMwDQYJKoZIhvcNAQELBQADggIBAAhWvJfi xBmSIyis/IZAXw9DjNvfutuXHPeFYQCFSby/u4TVwxlRAJ238UBjSr+uz/AUCznh i/g/8em9mU+ZZ4yx0bFUN/4+VJ2zOV0cv+RyLGKPboW87TzSgco95JsQROy85BVi vP81FcgN7bJuatgkvshlGCmn8kofmIH/Ckvf6BPamZrx1STbziahc7EdatTiofIP 
G4tPja1xpsmp7A5oceMpX83mz494yQ9hjG+dNl8daljpIbjjFRJ52ZTLQfq1AHOj Y3CLB2wL5RUjp9bqrUNtR+9N4O26QNCLUFZ5GpadmU5g7qhO74nCPLoOIMXivdmn naMOXJ7ll8ZZpWTa68Qd/yLwNB/nbriBXi2WO0WLludq/UYS/2iqT/S7dzE73VoC zOz0CrhZPzpNfGBGqi5vKGqrsQaSnAflcmBf+nLUSt0io9DvYq8eL4IUI4hYLLwH UxG9cdzJhXR8WV+/dBLTN8Z1GV+PNH8WzBlS2mbiJ1nXB6Q4TZDhLpg2InCSvaUP z1e6CcsxkXS9srLi6veL/CQf8BBVtfnMwbEQE0QOE+I7iunf/mjUzTZYMekGqK/i aXQqzE36Wk5BpPsA/scl0cCkqoCsBan7Nvrmtm/7KlJ7OetcHufbbOqOvS9g3edw VT/LoEYWq6RCZ8n1QBKfc5r/xaCxH/268HH7 -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIFMDCCAxigAwIBAgIQKRDnHaOdmF/lfKYAcPVGRTANBgkqhkiG9w0BAQsFADAy MQswCQYDVQQGEwJTSzENMAsGA1UECgwEVVBKUzEUMBIGA1UEAwwLU0tCIFJvb3Qg Q0EwHhcNMjAwNTAxMDk0OTU4WhcNMzAwNDI5MDk0OTU4WjAyMQswCQYDVQQGEwJT SzENMAsGA1UECgwEVVBKUzEUMBIGA1UEAwwLU0tCIFJvb3QgQ0EwggIiMA0GCSqG SIb3DQEBAQUAA4ICDwAwggIKAoICAQC+zGPPxxLQIInr8iVZNFJ2Segr/Sp31N9+ E6X1a6ryp2VKI0wbsISVAl5r0EFiCwJVI6883d1Ed5eEg+rkVyapwuqpvtIy1sn5 fhNWgRkIfXnNWJ/4Oq8qNZNneF4Umff7Q+CAKhxkj/7WotpqZGuVIPApKQBOmDAK 6Uw/02c1RL5DbeE4V86xY7jMrDqFtdJyenQWi1GVVaE315Yvft3IK2YvGD/ytluk eLaXYELfMafBai7VUG7NCUR9jH8lGBed32x2/dz27Ueeequze5js4MYtSXgpixum dDAvFQXF11msVInG2LrNvynOqR+9nIpYJYKwfnF5NsYsOun6fF3gu1ZVSZGDdxBk WjBX4pHn0ZZkcMAjeKRWyAIPU9MMpnNt9Y6pC802/56GnXF5p+js2ndqhS+LJOwv d5DW5HOhHhVmBGKGemOvPvIZJUn/kLwxvsPNO3uAhIoJda4PCOrc88w+GX7KzEoj 3zASNMBEYJYzfbZrCOJKlrS+V4jjGhmmCMh90Mt+PkDC42oMES9XZew/wUU1PWsP 8x6JY+cINMzQiu8vRitsUtVXZq8edxSB2tWhJsMoxLZ8Knas+D5dvhfw8esgX91W xf90qUNJiVuUZRoSw05S3yTnlyG7eETy+Gbl3AJOT5GKt/qRvhV+A32gWiV/hXWZ VBaBRgvI6QIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB BjAdBgNVHQ4EFgQUrjvfsmqTEjcf4nTtAEM36YlKkWEwDQYJKoZIhvcNAQELBQAD ggIBAGsxB85hgPq8uZ+j+BhlnsR+iLKIpMfHx6XjuCiJNQf4Syn3f1CLxF6PD3Dn Y6T2rkMg28icG9Xg9n1LUXHbDZwP+KI/DAT4LUrQAadsCc6EBmwik7D8iFPJvtG9 FSxg95Vi7x/F1/32Gh1vjYzIWlMgy+fwgcp49dJ5E7KGasc6jjjAeT250PthTk3N 9ov7rSMdLa9xYaZehJnikGhTB4dh1PvOHBzW3gZgSznp9HKoSiVfuG48KNn2SuZ/ Er5OPsWgVwwmcA2WZNqUUty/u5Fj8y+O1BpvlJJ+4u7Mn+lb9bpTAgpwezm7Ek1c 
q5kHXvkRhmJe5M57nLvFtPqEpD/0VTD/FqQyPX7QxVqqKPeSKU/F7A14LAwHueCS O6l+L/huSjvc86aVzg0/F+Wg2s1ZzxUg+/CGsEQ6o+dhUxUMyNtTzia8ZV5qtv+X 1SGSEejCf1qxr2vrlTxK/aBqYtRkkFeUcSfQpD/GuMwc30UkhmYWCpULBjBZAkvQ TMe7WNo37NRr26PTUeIk6g5Ikc6cDUdAX72BGmiJbbUR/5h0Fbze3j/qf0ee4UgA cuFkx+DAaSozQXvxGne+1v81yuhS2ZD8Dubu34Aaj+erEcC1tPRUe+rVbxJR8Vcg LUsNLvsq8k4KG9KTOjZyxA5NPKikdqcAjSkIlAqPuUlE5SOm -----END CERTIFICATE-----
%%bash
# Client A: key pair and CSR.  Unlike the CA and server requests, the
# DN was filled in interactively here (the Krajina / Organizacia /
# Pouzivatel prompts above — presumably labels defined in
# client.conf), so this cell needs a terminal to answer them.
openssl req -new \
  -config "client.conf" \
  -keyout "klientA/client.key" \
  -out "klientA/client.csr"
Generating a RSA private key .........................................................................................................................................++++ ...................................................................++++ writing new private key to 'klientA/client.key' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Krajina [SK]:Organizacia [UPJS]:Pouzivatel [Rastislav Krivos-Bellus]:
%%bash
# Issue client A's certificate from the subordinate CA with the
# client_ext profile: CA:FALSE, Key Usage Digital Signature only and
# EKU clientAuth (see the run above) — it cannot double as a server
# certificate.
openssl ca \
  -config "subCA.conf" \
  -extensions client_ext \
  -in "klientA/client.csr" \
  -out "klientA/client.crt"
Using configuration from subCA.conf Enter pass phrase for subCA/private/ca.key: Check that the request matches the signature Signature ok Certificate Details: Certificate: Data: Version: 3 (0x2) Serial Number: ee:b8:5b:87:f8:d0:05:c5:1c:6e:98:81:4a:b3:e3:3d Issuer: countryName = SK organizationName = UPJS commonName = SKB Level 1 CA Validity Not Before: May 1 10:02:44 2020 GMT Not After : Apr 29 10:02:44 2030 GMT Subject: countryName = SK organizationName = UPJS commonName = Rastislav Krivos-Bellus Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (4096 bit) Modulus: 00:b2:67:a1:fc:e4:8f:d0:e5:ca:52:f6:b0:96:3c: 6f:85:33:57:86:61:c1:14:30:48:f4:da:1f:fd:90: 7a:ae:32:51:f0:00:bb:f2:71:46:68:13:b1:4a:98: 40:a6:95:20:5d:f0:05:9f:c0:d0:de:a0:56:45:c2: 5b:c4:06:c6:1b:df:c5:98:66:f9:38:2a:92:93:bf: b2:2a:61:68:6b:4e:ba:da:66:2f:0a:ec:20:4e:91: 77:a7:45:c2:9a:ee:31:11:0d:d4:49:07:10:83:ba: eb:26:50:11:71:83:a8:cf:8c:07:bc:5f:b5:75:d4: 3c:15:08:c2:bc:ad:22:9c:d8:d0:68:2f:02:63:7e: 49:1a:5b:73:a7:de:88:4b:0b:aa:c3:20:70:9f:64: 3c:66:c2:82:d5:69:1b:2d:63:59:d2:f8:b1:fe:20: c0:1a:e0:9e:56:b4:c3:03:19:bc:09:1b:43:a9:81: c9:36:e2:84:dd:d5:a2:ae:00:8a:20:91:e0:6b:4b: 9b:57:68:e8:3b:95:1e:28:98:ae:48:26:73:5a:d5: 9e:d0:65:ea:b8:33:09:51:68:5f:a0:7c:ff:e3:87: 6d:8e:c3:7f:84:24:c1:37:4c:20:13:00:c1:f8:78: a9:cf:19:e5:d5:fe:4a:22:6b:bc:c8:b8:52:fd:c5: ea:9d:50:71:9f:fc:2e:e4:6f:1e:d4:cc:0e:70:d8: 59:81:69:e7:12:b6:2a:87:ad:ab:45:7d:64:05:0f: 22:47:9b:2c:11:84:bf:16:68:67:c9:66:fa:8b:81: 0a:91:5d:db:c8:a0:48:83:80:3a:ba:86:c8:6b:3d: e4:6e:db:e5:ca:57:29:41:80:16:ca:c1:ed:d9:a9: 09:22:95:7a:17:41:f2:7c:d3:f3:80:3d:06:34:a9: a2:cf:c6:5e:6c:5c:22:c3:a0:d1:d7:8e:96:ed:f9: 30:99:de:96:45:e9:f6:5c:48:ec:42:2a:db:4e:37: 36:32:69:68:8a:f8:eb:8c:f8:4f:fc:19:72:c9:67: bb:fc:48:c3:f5:6f:15:6e:f4:bd:08:c4:94:12:61: d5:55:8f:e9:53:93:c7:36:b3:20:d0:1d:d5:be:74: 78:62:4b:44:25:7e:97:4a:e9:30:21:f2:a1:d9:81: e9:48:cb:ed:27:d3:cd:3b:eb:e2:f9:0a:a2:72:41: 
c0:ba:91:99:f5:51:bd:73:e6:a6:06:76:5d:ff:f9: 43:30:66:dc:6d:17:f1:b7:b0:bf:ac:6c:5d:d2:88: 74:38:d7:b8:42:d3:52:26:d2:b9:60:1e:bc:6d:ac: f7:64:4a:54:13:35:77:d6:6f:b5:87:15:72:83:d6: cb:dd:9b Exponent: 65537 (0x10001) X509v3 extensions: Authority Information Access: CA Issuers - URI:http://root-ca.skb.upjs.sk/root-ca.crt OCSP - URI:http://ocsp.root-ca.skb.upjs.sk:9080 X509v3 Authority Key Identifier: keyid:2B:44:9B:54:A6:81:A3:4B:DA:08:EE:62:20:F6:E3:17:30:93:90:73 X509v3 Basic Constraints: critical CA:FALSE X509v3 CRL Distribution Points: Full Name: URI:http://root-ca.skb.upjs.sk/root-ca.crl X509v3 Extended Key Usage: TLS Web Client Authentication X509v3 Key Usage: critical Digital Signature X509v3 Subject Key Identifier: 84:B4:C2:34:E8:58:F1:5F:A0:9C:D1:2E:8B:66:3F:B6:EE:B9:83:79 Certificate is to be certified until Apr 29 10:02:44 2030 GMT (3650 days) Sign the certificate? [y/n]: 1 out of 1 certificate requests certified, commit? [y/n]Write out database with 1 new entries Data Base Updated
%%bash
# Issue client B's certificate the same way.  NOTE(review): no cell
# shown here runs openssl req for klientB, so klientB/client.csr (and
# the key listed in the tree below) must have been produced out of
# band — check the request's subject before signing it.
openssl ca \
  -config "subCA.conf" \
  -extensions client_ext \
  -in "klientB/client.csr" \
  -out "klientB/client.crt"
Using configuration from subCA.conf Enter pass phrase for subCA/private/ca.key: Check that the request matches the signature Signature ok Certificate Details: Certificate: Data: Version: 3 (0x2) Serial Number: ee:b8:5b:87:f8:d0:05:c5:1c:6e:98:81:4a:b3:e3:3e Issuer: countryName = SK organizationName = UPJS commonName = SKB Level 1 CA Validity Not Before: May 1 10:04:07 2020 GMT Not After : Apr 29 10:04:07 2030 GMT Subject: countryName = SK organizationName = UPJS commonName = Pavol Jozef Safarik Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (4096 bit) Modulus: 00:b0:95:47:c4:75:7e:fd:15:97:9b:93:16:d8:88: 8b:36:1a:0b:cc:fc:13:40:d3:71:c2:9e:2f:02:c6: 44:31:52:bf:91:83:c5:c3:64:c1:20:08:a2:f2:a2: e8:1f:3c:7d:c1:08:05:c3:c6:61:16:33:e0:f9:f0: 3b:28:f7:f8:ab:40:24:cb:fa:b4:b0:6d:9a:0d:0f: ec:a8:19:b8:e4:15:f1:99:6a:8f:8e:b7:bb:23:11: 69:74:bf:8c:6e:fe:cf:9a:51:53:69:5e:7c:93:a5: cd:36:88:7b:5c:cb:2c:5f:77:e3:62:ee:5b:71:6b: 95:ae:2d:98:5b:33:ea:79:77:16:e5:8d:90:65:e9: 04:0f:a4:a5:34:70:8c:db:6b:77:6f:0c:be:2a:82: af:1b:e4:fa:2a:b6:ae:73:fa:56:a3:6c:d7:44:63: 7b:33:6e:54:e3:6a:02:f4:60:db:d2:bf:ba:8c:38: b7:58:f3:c6:86:87:c9:f6:5f:b9:69:ce:4d:9f:6d: ec:1c:15:61:49:e9:1a:6e:5c:78:49:bc:e6:12:ed: eb:39:5d:25:27:c1:f1:9b:bc:97:c9:3b:79:90:4e: 62:38:8b:96:42:36:4f:f6:fb:4d:56:a1:fa:a8:6e: ae:70:63:84:2e:4b:3d:d4:99:97:02:9a:52:91:95: 06:13:2c:55:d9:60:f0:82:cc:24:8f:b5:79:14:86: d3:bb:04:c8:c7:c0:5c:31:37:39:6b:a1:3c:c9:91: cf:7e:8c:40:89:9d:7a:ca:69:6c:39:c3:f4:9d:9d: bd:2e:7d:91:13:b9:75:fa:07:ab:f0:ec:d9:85:f3: 45:8e:6d:2d:e6:d7:0b:e2:ce:9e:79:8e:4a:2d:8b: 41:90:15:01:2c:74:cf:68:7c:fe:cd:6c:8d:47:4d: 36:fc:de:43:5f:9e:08:4b:01:06:e6:d7:91:d3:8b: 0b:b6:7e:2e:77:69:d5:dd:2c:e5:63:63:4f:b5:c1: ab:aa:4a:2f:67:35:9d:52:04:81:df:a6:e5:b5:db: 40:a3:fc:9e:80:28:9d:8f:82:12:fc:dc:3b:c1:0e: 6b:5d:a1:02:f5:9c:50:76:03:59:89:ce:b9:25:c6: 5b:61:e8:de:bf:7f:d4:e8:78:1f:f8:4e:1f:c0:05: 82:cf:d1:9d:d0:a9:9e:2e:fc:76:7b:97:63:34:3c: 
d1:a5:b5:41:17:b6:66:02:ca:68:e3:98:0d:14:d8: 6b:6b:37:c0:ac:c2:8e:9b:01:2a:c0:be:b5:76:84: ca:9a:b0:c3:06:b3:ee:bb:b1:ba:20:1d:c5:60:d3: 35:57:17:d8:b6:1a:17:a4:93:6f:04:ba:64:c4:ac: d2:b2:a9 Exponent: 65537 (0x10001) X509v3 extensions: Authority Information Access: CA Issuers - URI:http://root-ca.skb.upjs.sk/root-ca.crt OCSP - URI:http://ocsp.root-ca.skb.upjs.sk:9080 X509v3 Authority Key Identifier: keyid:2B:44:9B:54:A6:81:A3:4B:DA:08:EE:62:20:F6:E3:17:30:93:90:73 X509v3 Basic Constraints: critical CA:FALSE X509v3 CRL Distribution Points: Full Name: URI:http://root-ca.skb.upjs.sk/root-ca.crl X509v3 Extended Key Usage: TLS Web Client Authentication X509v3 Key Usage: critical Digital Signature X509v3 Subject Key Identifier: 97:A4:5F:E9:1D:1F:36:79:85:D6:4B:D7:25:56:50:F7:FC:D6:5C:DF Certificate is to be certified until Apr 29 10:04:07 2030 GMT (3650 days) Sign the certificate? [y/n]: 1 out of 1 certificate requests certified, commit? [y/n]Write out database with 1 new entries Data Base Updated
%%bash
# Final layout: issued certificates under each CA's certs/ (named by
# serial), the database files openssl ca rotates (*.old, index.attr),
# and the keys, CSRs and certificates of the server and both clients.
tree
. ├── ca-conf.tgz ├── ca-conf.zip ├── CA.ipynb ├── client.conf ├── klientA │ ├── client.crt │ ├── client.csr │ └── client.key ├── klientB │ ├── client.crt │ ├── client.csr │ └── client.key ├── rootCA │ ├── ca.crt │ ├── ca.csr │ ├── certs │ │ ├── 2910E71DA39D985FE57CA60070F54645.pem │ │ └── 2910E71DA39D985FE57CA60070F54646.pem │ ├── db │ │ ├── crlnumber │ │ ├── index │ │ ├── index.attr │ │ ├── index.attr.old │ │ ├── index.old │ │ ├── serial │ │ └── serial.old │ └── private │ └── ca.key ├── rootCA.conf ├── server │ ├── chain.crt │ ├── server.crt │ ├── server.csr │ └── server.key ├── server.conf ├── subCA │ ├── ca.crt │ ├── ca.csr │ ├── certs │ │ ├── EEB85B87F8D005C51C6E98814AB3E33C.pem │ │ ├── EEB85B87F8D005C51C6E98814AB3E33D.pem │ │ └── EEB85B87F8D005C51C6E98814AB3E33E.pem │ ├── db │ │ ├── crlnumber │ │ ├── index │ │ ├── index.attr │ │ ├── index.attr.old │ │ ├── index.old │ │ ├── serial │ │ └── serial.old │ └── private │ └── ca.key └── subCA.conf 11 directories, 42 files
# The root CA's openssl ca database: one tab-separated row per issued
# certificate — status (V valid, R revoked, E expired), expiry as
# YYMMDDHHMMSSZ, revocation date (empty while valid), serial number,
# certificate file name ("unknown" here) and subject DN.
!cat rootCA/db/index
V 300429094958Z 2910E71DA39D985FE57CA60070F54645 unknown /C=SK/O=UPJS/CN=SKB Root CA V 300429095328Z 2910E71DA39D985FE57CA60070F54646 unknown /C=SK/O=UPJS/CN=SKB Level 1 CA
# Same format for the subordinate CA: the server certificate and the
# two client certificates, all still valid (status V).
!cat subCA/db/index
V 300429095823Z EEB85B87F8D005C51C6E98814AB3E33C unknown /C=SK/O=UPJS/CN=www.skb.upjs.sk V 300429100244Z EEB85B87F8D005C51C6E98814AB3E33D unknown /C=SK/O=UPJS/CN=Rastislav Krivos-Bellus V 300429100407Z EEB85B87F8D005C51C6E98814AB3E33E unknown /C=SK/O=UPJS/CN=Pavol Jozef Safarik
/etc/apache2/sites-available/default-ssl
:
# Since Apache 2.4.8 the file named by SSLCertificateFile may hold the
# whole chain (leaf first), so chain.crt built above is used directly
# and SSLCertificateChainFile is not needed.
SSLCertificateFile /home/kali/CA/server/chain.crt
# server.key was written pass-phrase protected (the openssl req cell
# above prompted for one); Apache must obtain that pass phrase at every
# start — see SSLPassPhraseDialog — or be given an unencrypted copy
# readable by root only.  NOTE(review): the key is served from a user's
# home directory; confirm its mode and owner before relying on it.
SSLCertificateKeyFile /home/kali/CA/server/server.key
%%bash
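# Enable mod_ssl and the default-ssl vhost that references
# server/chain.crt and server/server.key, then restart Apache.
# Stop at the first failure and validate the configuration before the
# restart, so a failed a2ensite or a typo in the vhost does not end
# with the running server being bounced into a broken state.
set -euo pipefail
sudo a2enmod ssl
sudo a2ensite default-ssl
sudo apache2ctl configtest
sudo service apache2 restart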
sudo a2enmod ssl sudo a2ensite default-ssl sudo service apache2 restart
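# Exercise the deployed server end to end.  -showcerts prints every
# certificate the server sends, which makes a wrong chain order or a
# missing intermediate obvious.  -CAfile supplies the root built above
# as the trust anchor: without it openssl uses the system trust store,
# which does not contain this root, and reports "verify error:num=19:
# self signed certificate in certificate chain" — so the run as
# originally written said nothing about whether the chain validates.
# stdin comes from /dev/null so s_client closes the connection after
# the handshake instead of waiting for input.
!openssl s_client -showcerts -CAfile rootCA/ca.crt -connect www.skb.upjs.sk:443 </dev/null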
CONNECTED(00000003) depth=2 C = SK, O = UPJS, CN = SKB Root CA verify error:num=19:self signed certificate in certificate chain verify return:1 depth=2 C = SK, O = UPJS, CN = SKB Root CA verify return:1 depth=1 C = SK, O = UPJS, CN = SKB Level 1 CA verify return:1 depth=0 C = SK, O = UPJS, CN = www.skb.upjs.sk verify return:1 --- Certificate chain 0 s:C = SK, O = UPJS, CN = www.skb.upjs.sk i:C = SK, O = UPJS, CN = SKB Level 1 CA -----BEGIN CERTIFICATE----- MIIGKDCCBBCgAwIBAgIRAO64W4f40AXFHG6YgUqz4zwwDQYJKoZIhvcNAQELBQAw NTELMAkGA1UEBhMCU0sxDTALBgNVBAoMBFVQSlMxFzAVBgNVBAMMDlNLQiBMZXZl bCAxIENBMB4XDTIwMDUwMTA5NTgyM1oXDTMwMDQyOTA5NTgyM1owNjELMAkGA1UE BhMCU0sxDTALBgNVBAoMBFVQSlMxGDAWBgNVBAMMD3d3dy5za2IudXBqcy5zazCC AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMAZlFFoTRDjgcOPgM/TByfv nxHF1vir0AakbaVFyqcsIiTON9aWbAjbYp+8CfxLDvBshu60I1yxQeQkSVIVyaJc WLodgHDqkILLWteiNmbSVH7D6UoTg4ZOS5qWCcJYYPTt3UNznvQBBir0NWdzX27l DItKZ3M9uAeAqXcxhuv3xjk9RRp1rGL3OgpF3diFUAVaKSf5xaonlOdgRs8P0MNs D4P18lFv754T/7wNTpyA/bER0AJlEeqTLuWfGEOzC0YgVymPJoDGQaDT7ABjKv1E nZAVyBzLINYKQ2BG9wnvu+v305h88XHTho1bWQDt9Q03dcdmTr2cLXhYkENpiJaF iUwTtB4YW6m9oZK9DjvwjAEtQPBr0SPUOX4jAgNA1jJ7IOdWgua4Q+BjTMaAkNR6 dJeIiKxFr7UUCLLluKSJUJ39WSE++RzXXk408Pin8aKxdyvF8Nx2ugLITTdN7Uts 8G9oHUC71WWcdsFGoAejzegxevNqmGKBqNJhhYFSep8iLizD9RUvMY4ymY/DIhaM OMpPX/ItK6H1L6cjJyujXtHceDJn95F+VnbPWFqylz5QQwJCQs+I79Vx3wpJYTbK u5my6jyfGmX32Y6LrCDp8yIm795BjUiJcJ1+IJaQ2EnxBar22rYv+uX+js/Y0nye NwZ7iUd5HgvCfG9VNO5XAgMBAAGjggEwMIIBLDB0BggrBgEFBQcBAQRoMGYwMgYI KwYBBQUHMAKGJmh0dHA6Ly9yb290LWNhLnNrYi51cGpzLnNrL3Jvb3QtY2EuY3J0 MDAGCCsGAQUFBzABhiRodHRwOi8vb2NzcC5yb290LWNhLnNrYi51cGpzLnNrOjkw ODAwHwYDVR0jBBgwFoAUK0SbVKaBo0vaCO5iIPbjFzCTkHMwDAYDVR0TAQH/BAIw ADA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vcm9vdC1jYS5za2IudXBqcy5zay9y b290LWNhLmNybDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0P AQH/BAQDAgWgMB0GA1UdDgQWBBSzCMTMZQcpxFjvjLW493gdRTwFfjANBgkqhkiG 9w0BAQsFAAOCAgEADQ79bj84UWlD0CzhjPOEGDqlLtzsi/JJQYNb4KC4+65kZ48T 
U/s0qX2zZotZatF2FNc5PvjEz8C14TolPeKki7IaDzoaX34q/P5z/5vrUsNdIkAQ ZwzRCMs7yGflrY9UmqmCpZW9UcxVpKM233uHDNGs0AkzA24R/dN/fY5y1GraorHe 7Mo6Tm3I88RcJtwEhgT4TQQMl6WOvZbumC3RiXJ7QEZDhb5rT2fZz5vLAq/WVIJx 2t2SAm7CcUyl/Rxr+v+Mo0znYuRLME0MxEk6GJ3GIz0uNHhjyuiqHPBZtO5BeAjE 9+2TxaHpWUgYi8XvzePKJejQgjjWm8i4k+ApRME2FL914Ye4wdVhZcPMOusrJDAv MXvHAoTfVPeYcjVDgEr8PnIM0zNXFm4TpfjxANEQF9OKew5HHDBspkCgtBXYRQ2o TUIkkEO/fiQixO45DF7Gk+2DyKiBAmLg6DHtmja2WmT6voREGMILaD9JyXlrhIi6 uG40zQfIKd9i+MIRhqE4vA73pwG8VwRc6FM+0LrFrXey0GlAjWEK5opR0KBvGjGO bZB//WtmNG6HjZkhPX8h+PqWJ8FDj77YiYZqguxt2Lhoy2J9CjpszvleM59OAp0L 83eDQEVTQqG/1+iRZqzGjbcxv03/Epcg1mlv6FWB//is6v7oEEYVkFymyuY= -----END CERTIFICATE----- 1 s:C = SK, O = UPJS, CN = SKB Level 1 CA i:C = SK, O = UPJS, CN = SKB Root CA -----BEGIN CERTIFICATE----- MIIGdzCCBF+gAwIBAgIQKRDnHaOdmF/lfKYAcPVGRjANBgkqhkiG9w0BAQsFADAy MQswCQYDVQQGEwJTSzENMAsGA1UECgwEVVBKUzEUMBIGA1UEAwwLU0tCIFJvb3Qg Q0EwHhcNMjAwNTAxMDk1MzI4WhcNMzAwNDI5MDk1MzI4WjA1MQswCQYDVQQGEwJT SzENMAsGA1UECgwEVVBKUzEXMBUGA1UEAwwOU0tCIExldmVsIDEgQ0EwggIiMA0G CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDSoWvQvQ5mDXTNekelqa44GS+kNK8B 5MaHCpwkYFk53v5wotcFATpgr25pwrVnobDyYwY0vziFduhAr4Qw9DAdhx8ju26S 8WFj7Xlwxk+8V/f2cDS12AjZIPweZaVydDY/Q1ZNkAElQ9iuglyQBwWrFWUZYyW+ BuDD6Xm9487BvkozTtK1ChiJPhUm9XUhsx35LADFIIfC90Lynsa1cUEZTZtGung4 vttPZwZyQJV1egAelbFPf32tAnvd0T9rcwK+Nku61nwtjpWRV7ZTN9kAmcCdGW7C nNmmA8aH5pnfqD0Aar4pPcLhVcc/nKtMSlR4NTf6sZBuEGQr9r1RN0u/PW9JBl+B /q2OYO2QOZm38NYyDhXW1OiFrGcAXRbq260y+p9DkPt4x7IxkvhIvxujLWQFhX67 U2kTP4BZZKQiXaI9FIQT+EZVhZud4fAEFZt8BLHFo5EkSjq4joKjV82ZE/RWukv3 iMvRc9M3WVj2XuV/t1agKGIHM+PjDZ2+3dldOOX10uWAUhLkf2dSsGMbHCpxYYvt 3dQ87oxwb5SNcIoHVlhdS3pq2pjbKviX4zzOZVerhFQlDAqXlVZiKkhFq/XTDK/a 02DG5mJdzZkYgXCQXNPiWMXND+z8UlSHmn8yLNiZ/Mottq/K06FwdEAcjiGn2kmg SADtRHrvXuifuwIDAQABo4IBhDCCAYAwdAYIKwYBBQUHAQEEaDBmMDIGCCsGAQUF BzAChiZodHRwOi8vcm9vdC1jYS5za2IudXBqcy5zay9yb290LWNhLmNydDAwBggr BgEFBQcwAYYkaHR0cDovL29jc3Aucm9vdC1jYS5za2IudXBqcy5zazo5MDgwMB8G 
A1UdIwQYMBaAFK4737JqkxI3H+J07QBDN+mJSpFhMBIGA1UdEwEB/wQIMAYBAf8C AQAwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDovL3Jvb3QtY2Euc2tiLnVwanMuc2sv cm9vdC1jYS5jcmwwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA4GA1Ud DwEB/wQEAwIBBjBMBgNVHR4ERTBDoA8wDYILc2tiLnVwanMuc2uhMDAKhwgAAAAA AAAAADAihyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAdBgNVHQ4E FgQUK0SbVKaBo0vaCO5iIPbjFzCTkHMwDQYJKoZIhvcNAQELBQADggIBAAhWvJfi xBmSIyis/IZAXw9DjNvfutuXHPeFYQCFSby/u4TVwxlRAJ238UBjSr+uz/AUCznh i/g/8em9mU+ZZ4yx0bFUN/4+VJ2zOV0cv+RyLGKPboW87TzSgco95JsQROy85BVi vP81FcgN7bJuatgkvshlGCmn8kofmIH/Ckvf6BPamZrx1STbziahc7EdatTiofIP G4tPja1xpsmp7A5oceMpX83mz494yQ9hjG+dNl8daljpIbjjFRJ52ZTLQfq1AHOj Y3CLB2wL5RUjp9bqrUNtR+9N4O26QNCLUFZ5GpadmU5g7qhO74nCPLoOIMXivdmn naMOXJ7ll8ZZpWTa68Qd/yLwNB/nbriBXi2WO0WLludq/UYS/2iqT/S7dzE73VoC zOz0CrhZPzpNfGBGqi5vKGqrsQaSnAflcmBf+nLUSt0io9DvYq8eL4IUI4hYLLwH UxG9cdzJhXR8WV+/dBLTN8Z1GV+PNH8WzBlS2mbiJ1nXB6Q4TZDhLpg2InCSvaUP z1e6CcsxkXS9srLi6veL/CQf8BBVtfnMwbEQE0QOE+I7iunf/mjUzTZYMekGqK/i aXQqzE36Wk5BpPsA/scl0cCkqoCsBan7Nvrmtm/7KlJ7OetcHufbbOqOvS9g3edw VT/LoEYWq6RCZ8n1QBKfc5r/xaCxH/268HH7 -----END CERTIFICATE----- 2 s:C = SK, O = UPJS, CN = SKB Root CA i:C = SK, O = UPJS, CN = SKB Root CA -----BEGIN CERTIFICATE----- MIIFMDCCAxigAwIBAgIQKRDnHaOdmF/lfKYAcPVGRTANBgkqhkiG9w0BAQsFADAy MQswCQYDVQQGEwJTSzENMAsGA1UECgwEVVBKUzEUMBIGA1UEAwwLU0tCIFJvb3Qg Q0EwHhcNMjAwNTAxMDk0OTU4WhcNMzAwNDI5MDk0OTU4WjAyMQswCQYDVQQGEwJT SzENMAsGA1UECgwEVVBKUzEUMBIGA1UEAwwLU0tCIFJvb3QgQ0EwggIiMA0GCSqG SIb3DQEBAQUAA4ICDwAwggIKAoICAQC+zGPPxxLQIInr8iVZNFJ2Segr/Sp31N9+ E6X1a6ryp2VKI0wbsISVAl5r0EFiCwJVI6883d1Ed5eEg+rkVyapwuqpvtIy1sn5 fhNWgRkIfXnNWJ/4Oq8qNZNneF4Umff7Q+CAKhxkj/7WotpqZGuVIPApKQBOmDAK 6Uw/02c1RL5DbeE4V86xY7jMrDqFtdJyenQWi1GVVaE315Yvft3IK2YvGD/ytluk eLaXYELfMafBai7VUG7NCUR9jH8lGBed32x2/dz27Ueeequze5js4MYtSXgpixum dDAvFQXF11msVInG2LrNvynOqR+9nIpYJYKwfnF5NsYsOun6fF3gu1ZVSZGDdxBk WjBX4pHn0ZZkcMAjeKRWyAIPU9MMpnNt9Y6pC802/56GnXF5p+js2ndqhS+LJOwv d5DW5HOhHhVmBGKGemOvPvIZJUn/kLwxvsPNO3uAhIoJda4PCOrc88w+GX7KzEoj 
3zASNMBEYJYzfbZrCOJKlrS+V4jjGhmmCMh90Mt+PkDC42oMES9XZew/wUU1PWsP 8x6JY+cINMzQiu8vRitsUtVXZq8edxSB2tWhJsMoxLZ8Knas+D5dvhfw8esgX91W xf90qUNJiVuUZRoSw05S3yTnlyG7eETy+Gbl3AJOT5GKt/qRvhV+A32gWiV/hXWZ VBaBRgvI6QIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB BjAdBgNVHQ4EFgQUrjvfsmqTEjcf4nTtAEM36YlKkWEwDQYJKoZIhvcNAQELBQAD ggIBAGsxB85hgPq8uZ+j+BhlnsR+iLKIpMfHx6XjuCiJNQf4Syn3f1CLxF6PD3Dn Y6T2rkMg28icG9Xg9n1LUXHbDZwP+KI/DAT4LUrQAadsCc6EBmwik7D8iFPJvtG9 FSxg95Vi7x/F1/32Gh1vjYzIWlMgy+fwgcp49dJ5E7KGasc6jjjAeT250PthTk3N 9ov7rSMdLa9xYaZehJnikGhTB4dh1PvOHBzW3gZgSznp9HKoSiVfuG48KNn2SuZ/ Er5OPsWgVwwmcA2WZNqUUty/u5Fj8y+O1BpvlJJ+4u7Mn+lb9bpTAgpwezm7Ek1c q5kHXvkRhmJe5M57nLvFtPqEpD/0VTD/FqQyPX7QxVqqKPeSKU/F7A14LAwHueCS O6l+L/huSjvc86aVzg0/F+Wg2s1ZzxUg+/CGsEQ6o+dhUxUMyNtTzia8ZV5qtv+X 1SGSEejCf1qxr2vrlTxK/aBqYtRkkFeUcSfQpD/GuMwc30UkhmYWCpULBjBZAkvQ TMe7WNo37NRr26PTUeIk6g5Ikc6cDUdAX72BGmiJbbUR/5h0Fbze3j/qf0ee4UgA cuFkx+DAaSozQXvxGne+1v81yuhS2ZD8Dubu34Aaj+erEcC1tPRUe+rVbxJR8Vcg LUsNLvsq8k4KG9KTOjZyxA5NPKikdqcAjSkIlAqPuUlE5SOm -----END CERTIFICATE----- --- Server certificate subject=C = SK, O = UPJS, CN = www.skb.upjs.sk issuer=C = SK, O = UPJS, CN = SKB Level 1 CA --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 5393 bytes and written 387 bytes Verification error: self signed certificate in certificate chain --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 4096 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 19 (self signed certificate in certificate chain) --- --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: A5D1F413F1283AD0678C5A00B7E86B75D87D97DD63B6FCE59459E2600DB65343 Session-ID-ctx: Resumption PSK: 
4D34DABAABCFF22EEA465C6F12FB6FE509DC836D27807F9235121212318DAF41FFD8E2D399CEDA272B1F2D68ED5053CA PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 77 dd ee 74 52 44 23 a0-9b 56 75 31 16 d6 6d 07 w..tRD#..Vu1..m. 0010 - af 50 51 50 62 3f 63 a7-89 4f c0 c9 0a 35 eb a9 .PQPb?c..O...5.. 0020 - a9 9d 6e 88 50 c5 af f9-cc 03 8e f7 c2 87 02 65 ..n.P..........e 0030 - cc 41 90 c7 3b b5 d6 44-d7 c7 4f 5e 93 4a c1 52 .A..;..D..O^.J.R 0040 - 21 4b a7 f9 45 ed 16 96-7e da 07 da 86 c9 41 61 !K..E...~.....Aa 0050 - ea fe a7 e5 f5 e2 1a 01-2f 9d 80 ff 5b 57 6a 03 ......../...[Wj. 0060 - db 1e 51 b6 4f 4a 95 f7-dd 6e 6f eb 61 c5 3f d9 ..Q.OJ...no.a.?. 0070 - a5 b3 46 c6 b9 29 b3 e2-a7 a3 87 84 03 f2 0b 63 ..F..).........c 0080 - 6e c6 53 72 3c 40 10 cf-58 1b d9 ea 93 e2 d6 aa n.Sr<@..X....... 0090 - 5c 0c 7f ac dd 9d 3f c7-ac 2e a1 8f ed 15 9a 9e \.....?......... 00a0 - 71 47 f8 e3 20 0d 72 8e-fc 26 7d 85 3a 70 ae aa qG.. .r..&}.:p.. 00b0 - f1 0d f9 a4 ae 3d 1b 89-b5 c0 37 11 9e 85 a5 2e .....=....7..... 00c0 - c8 95 e6 8d 89 d0 3c aa-ce 7b 57 a9 f9 2a 22 c7 ......<..{W..*". 00d0 - b6 9c 1a 2b 55 d4 c8 d4-fa 58 73 23 86 11 89 f6 ...+U....Xs#.... Start Time: 1588330068 Timeout : 7200 (sec) Verify return code: 19 (self signed certificate in certificate chain) Extended master secret: no Max Early Data: 0 --- read R BLOCK --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: D80EAF2CBB63C0F25917CD23EA1F36D4339AABF4E3450A37827EAD9D57715F76 Session-ID-ctx: Resumption PSK: 896D4179CC30969C2E8B351B251C76BCC01A35C78ACC15E5C164ED80548AFCA02ADCC9DCFF8682DDB4A5E6D48C65FF9A PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 77 dd ee 74 52 44 23 a0-9b 56 75 31 16 d6 6d 07 w..tRD#..Vu1..m. 
0010 - 37 31 9f b9 ac ee a9 52-9a 9e de 1f f6 61 a3 4d 71.....R.....a.M 0020 - a4 18 97 04 0f fc 55 93-77 4c 7a 87 b2 33 a5 39 ......U.wLz..3.9 0030 - ba e6 64 05 66 cf 0f 7b-c8 b3 9b 18 8e 8a ca 0f ..d.f..{........ 0040 - 09 50 a8 c1 ef cb ef 70-3a 25 dd 2a 54 16 bd 57 .P.....p:%.*T..W 0050 - d4 6e b4 ba 7e d0 94 c0-d1 7c 83 c3 3a 91 ff 1b .n..~....|..:... 0060 - 1f dc 2c 12 2e cf dc b2-da 19 4c c1 08 d8 e7 cd ..,.......L..... 0070 - 35 36 f1 6e 81 db 35 61-00 7b 42 37 97 ae d3 c6 56.n..5a.{B7.... 0080 - f7 33 01 c8 d3 7c d4 71-20 d5 05 6e f8 a8 9a a6 .3...|.q ..n.... 0090 - 3d 44 30 a6 10 21 f1 90-b7 b6 94 26 5b 56 1c 9d =D0..!.....&[V.. 00a0 - 13 07 69 bd 0d 5c a0 21-15 bf 59 d0 d6 e6 92 f3 ..i..\.!..Y..... 00b0 - 07 6e 1c 05 e9 9d a6 c6-93 fa 87 dd bf 58 c5 89 .n...........X.. 00c0 - 54 9b 13 24 36 49 13 66-22 51 a1 65 90 cd bd 87 T..$6I.f"Q.e.... 00d0 - 88 d0 c9 f3 7b a3 09 ac-1a bb ba 21 73 11 2a 36 ....{......!s.*6 Start Time: 1588330068 Timeout : 7200 (sec) Verify return code: 19 (self signed certificate in certificate chain) Extended master secret: no Max Early Data: 0 --- read R BLOCK closed
/etc/apache2/hosts-available/default-ssl.conf
:
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile /home/kali/CA/subCA/chain.crt
%%bash
# Build the CA bundle that Apache will trust for client certificates
# (the file named by SSLCACertificateFile): the issuing sub CA first, then
# the root CA, keeping only the PEM certificate blocks from each file.
# sed treats its input files as one stream, so no cat is needed.
sed -n '/-----BEGIN/,/-----END/p' subCA/ca.crt rootCA/ca.crt | tee "subCA/chain.crt"
-----BEGIN CERTIFICATE----- MIIGdzCCBF+gAwIBAgIQKRDnHaOdmF/lfKYAcPVGRjANBgkqhkiG9w0BAQsFADAy MQswCQYDVQQGEwJTSzENMAsGA1UECgwEVVBKUzEUMBIGA1UEAwwLU0tCIFJvb3Qg Q0EwHhcNMjAwNTAxMDk1MzI4WhcNMzAwNDI5MDk1MzI4WjA1MQswCQYDVQQGEwJT SzENMAsGA1UECgwEVVBKUzEXMBUGA1UEAwwOU0tCIExldmVsIDEgQ0EwggIiMA0G CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDSoWvQvQ5mDXTNekelqa44GS+kNK8B 5MaHCpwkYFk53v5wotcFATpgr25pwrVnobDyYwY0vziFduhAr4Qw9DAdhx8ju26S 8WFj7Xlwxk+8V/f2cDS12AjZIPweZaVydDY/Q1ZNkAElQ9iuglyQBwWrFWUZYyW+ BuDD6Xm9487BvkozTtK1ChiJPhUm9XUhsx35LADFIIfC90Lynsa1cUEZTZtGung4 vttPZwZyQJV1egAelbFPf32tAnvd0T9rcwK+Nku61nwtjpWRV7ZTN9kAmcCdGW7C nNmmA8aH5pnfqD0Aar4pPcLhVcc/nKtMSlR4NTf6sZBuEGQr9r1RN0u/PW9JBl+B /q2OYO2QOZm38NYyDhXW1OiFrGcAXRbq260y+p9DkPt4x7IxkvhIvxujLWQFhX67 U2kTP4BZZKQiXaI9FIQT+EZVhZud4fAEFZt8BLHFo5EkSjq4joKjV82ZE/RWukv3 iMvRc9M3WVj2XuV/t1agKGIHM+PjDZ2+3dldOOX10uWAUhLkf2dSsGMbHCpxYYvt 3dQ87oxwb5SNcIoHVlhdS3pq2pjbKviX4zzOZVerhFQlDAqXlVZiKkhFq/XTDK/a 02DG5mJdzZkYgXCQXNPiWMXND+z8UlSHmn8yLNiZ/Mottq/K06FwdEAcjiGn2kmg SADtRHrvXuifuwIDAQABo4IBhDCCAYAwdAYIKwYBBQUHAQEEaDBmMDIGCCsGAQUF BzAChiZodHRwOi8vcm9vdC1jYS5za2IudXBqcy5zay9yb290LWNhLmNydDAwBggr BgEFBQcwAYYkaHR0cDovL29jc3Aucm9vdC1jYS5za2IudXBqcy5zazo5MDgwMB8G A1UdIwQYMBaAFK4737JqkxI3H+J07QBDN+mJSpFhMBIGA1UdEwEB/wQIMAYBAf8C AQAwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDovL3Jvb3QtY2Euc2tiLnVwanMuc2sv cm9vdC1jYS5jcmwwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA4GA1Ud DwEB/wQEAwIBBjBMBgNVHR4ERTBDoA8wDYILc2tiLnVwanMuc2uhMDAKhwgAAAAA AAAAADAihyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAdBgNVHQ4E FgQUK0SbVKaBo0vaCO5iIPbjFzCTkHMwDQYJKoZIhvcNAQELBQADggIBAAhWvJfi xBmSIyis/IZAXw9DjNvfutuXHPeFYQCFSby/u4TVwxlRAJ238UBjSr+uz/AUCznh i/g/8em9mU+ZZ4yx0bFUN/4+VJ2zOV0cv+RyLGKPboW87TzSgco95JsQROy85BVi vP81FcgN7bJuatgkvshlGCmn8kofmIH/Ckvf6BPamZrx1STbziahc7EdatTiofIP G4tPja1xpsmp7A5oceMpX83mz494yQ9hjG+dNl8daljpIbjjFRJ52ZTLQfq1AHOj Y3CLB2wL5RUjp9bqrUNtR+9N4O26QNCLUFZ5GpadmU5g7qhO74nCPLoOIMXivdmn naMOXJ7ll8ZZpWTa68Qd/yLwNB/nbriBXi2WO0WLludq/UYS/2iqT/S7dzE73VoC 
zOz0CrhZPzpNfGBGqi5vKGqrsQaSnAflcmBf+nLUSt0io9DvYq8eL4IUI4hYLLwH UxG9cdzJhXR8WV+/dBLTN8Z1GV+PNH8WzBlS2mbiJ1nXB6Q4TZDhLpg2InCSvaUP z1e6CcsxkXS9srLi6veL/CQf8BBVtfnMwbEQE0QOE+I7iunf/mjUzTZYMekGqK/i aXQqzE36Wk5BpPsA/scl0cCkqoCsBan7Nvrmtm/7KlJ7OetcHufbbOqOvS9g3edw VT/LoEYWq6RCZ8n1QBKfc5r/xaCxH/268HH7 -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIFMDCCAxigAwIBAgIQKRDnHaOdmF/lfKYAcPVGRTANBgkqhkiG9w0BAQsFADAy MQswCQYDVQQGEwJTSzENMAsGA1UECgwEVVBKUzEUMBIGA1UEAwwLU0tCIFJvb3Qg Q0EwHhcNMjAwNTAxMDk0OTU4WhcNMzAwNDI5MDk0OTU4WjAyMQswCQYDVQQGEwJT SzENMAsGA1UECgwEVVBKUzEUMBIGA1UEAwwLU0tCIFJvb3QgQ0EwggIiMA0GCSqG SIb3DQEBAQUAA4ICDwAwggIKAoICAQC+zGPPxxLQIInr8iVZNFJ2Segr/Sp31N9+ E6X1a6ryp2VKI0wbsISVAl5r0EFiCwJVI6883d1Ed5eEg+rkVyapwuqpvtIy1sn5 fhNWgRkIfXnNWJ/4Oq8qNZNneF4Umff7Q+CAKhxkj/7WotpqZGuVIPApKQBOmDAK 6Uw/02c1RL5DbeE4V86xY7jMrDqFtdJyenQWi1GVVaE315Yvft3IK2YvGD/ytluk eLaXYELfMafBai7VUG7NCUR9jH8lGBed32x2/dz27Ueeequze5js4MYtSXgpixum dDAvFQXF11msVInG2LrNvynOqR+9nIpYJYKwfnF5NsYsOun6fF3gu1ZVSZGDdxBk WjBX4pHn0ZZkcMAjeKRWyAIPU9MMpnNt9Y6pC802/56GnXF5p+js2ndqhS+LJOwv d5DW5HOhHhVmBGKGemOvPvIZJUn/kLwxvsPNO3uAhIoJda4PCOrc88w+GX7KzEoj 3zASNMBEYJYzfbZrCOJKlrS+V4jjGhmmCMh90Mt+PkDC42oMES9XZew/wUU1PWsP 8x6JY+cINMzQiu8vRitsUtVXZq8edxSB2tWhJsMoxLZ8Knas+D5dvhfw8esgX91W xf90qUNJiVuUZRoSw05S3yTnlyG7eETy+Gbl3AJOT5GKt/qRvhV+A32gWiV/hXWZ VBaBRgvI6QIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB BjAdBgNVHQ4EFgQUrjvfsmqTEjcf4nTtAEM36YlKkWEwDQYJKoZIhvcNAQELBQAD ggIBAGsxB85hgPq8uZ+j+BhlnsR+iLKIpMfHx6XjuCiJNQf4Syn3f1CLxF6PD3Dn Y6T2rkMg28icG9Xg9n1LUXHbDZwP+KI/DAT4LUrQAadsCc6EBmwik7D8iFPJvtG9 FSxg95Vi7x/F1/32Gh1vjYzIWlMgy+fwgcp49dJ5E7KGasc6jjjAeT250PthTk3N 9ov7rSMdLa9xYaZehJnikGhTB4dh1PvOHBzW3gZgSznp9HKoSiVfuG48KNn2SuZ/ Er5OPsWgVwwmcA2WZNqUUty/u5Fj8y+O1BpvlJJ+4u7Mn+lb9bpTAgpwezm7Ek1c q5kHXvkRhmJe5M57nLvFtPqEpD/0VTD/FqQyPX7QxVqqKPeSKU/F7A14LAwHueCS O6l+L/huSjvc86aVzg0/F+Wg2s1ZzxUg+/CGsEQ6o+dhUxUMyNtTzia8ZV5qtv+X 1SGSEejCf1qxr2vrlTxK/aBqYtRkkFeUcSfQpD/GuMwc30UkhmYWCpULBjBZAkvQ 
TMe7WNo37NRr26PTUeIk6g5Ikc6cDUdAX72BGmiJbbUR/5h0Fbze3j/qf0ee4UgA cuFkx+DAaSozQXvxGne+1v81yuhS2ZD8Dubu34Aaj+erEcC1tPRUe+rVbxJR8Vcg LUsNLvsq8k4KG9KTOjZyxA5NPKikdqcAjSkIlAqPuUlE5SOm -----END CERTIFICATE-----
%%bash
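# Test mutual TLS as client A, trusting only our own root CA as anchor
# (the server sends the Level 1 intermediate in its chain).
# -verify_return_error makes s_client abort the handshake with a non-zero
# exit status when chain verification fails, instead of connecting anyway
# and merely printing "Verify return code: 19" as the earlier runs in this
# notebook did; that matters whenever the exit status is checked by a script.
openssl s_client -connect www.skb.upjs.sk:443 \
  -verify_return_error \
  -cert "klientA/client.crt" -key "klientA/client.key" \
  -CAfile "rootCA/ca.crt"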
CONNECTED(00000003) --- Certificate chain 0 s:C = SK, O = UPJS, CN = www.skb.upjs.sk i:C = SK, O = UPJS, CN = SKB Level 1 CA 1 s:C = SK, O = UPJS, CN = SKB Level 1 CA i:C = SK, O = UPJS, CN = SKB Root CA 2 s:C = SK, O = UPJS, CN = SKB Root CA i:C = SK, O = UPJS, CN = SKB Root CA --- Server certificate -----BEGIN CERTIFICATE----- MIIGKDCCBBCgAwIBAgIRAO64W4f40AXFHG6YgUqz4zwwDQYJKoZIhvcNAQELBQAw NTELMAkGA1UEBhMCU0sxDTALBgNVBAoMBFVQSlMxFzAVBgNVBAMMDlNLQiBMZXZl bCAxIENBMB4XDTIwMDUwMTA5NTgyM1oXDTMwMDQyOTA5NTgyM1owNjELMAkGA1UE BhMCU0sxDTALBgNVBAoMBFVQSlMxGDAWBgNVBAMMD3d3dy5za2IudXBqcy5zazCC AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMAZlFFoTRDjgcOPgM/TByfv nxHF1vir0AakbaVFyqcsIiTON9aWbAjbYp+8CfxLDvBshu60I1yxQeQkSVIVyaJc WLodgHDqkILLWteiNmbSVH7D6UoTg4ZOS5qWCcJYYPTt3UNznvQBBir0NWdzX27l DItKZ3M9uAeAqXcxhuv3xjk9RRp1rGL3OgpF3diFUAVaKSf5xaonlOdgRs8P0MNs D4P18lFv754T/7wNTpyA/bER0AJlEeqTLuWfGEOzC0YgVymPJoDGQaDT7ABjKv1E nZAVyBzLINYKQ2BG9wnvu+v305h88XHTho1bWQDt9Q03dcdmTr2cLXhYkENpiJaF iUwTtB4YW6m9oZK9DjvwjAEtQPBr0SPUOX4jAgNA1jJ7IOdWgua4Q+BjTMaAkNR6 dJeIiKxFr7UUCLLluKSJUJ39WSE++RzXXk408Pin8aKxdyvF8Nx2ugLITTdN7Uts 8G9oHUC71WWcdsFGoAejzegxevNqmGKBqNJhhYFSep8iLizD9RUvMY4ymY/DIhaM OMpPX/ItK6H1L6cjJyujXtHceDJn95F+VnbPWFqylz5QQwJCQs+I79Vx3wpJYTbK u5my6jyfGmX32Y6LrCDp8yIm795BjUiJcJ1+IJaQ2EnxBar22rYv+uX+js/Y0nye NwZ7iUd5HgvCfG9VNO5XAgMBAAGjggEwMIIBLDB0BggrBgEFBQcBAQRoMGYwMgYI KwYBBQUHMAKGJmh0dHA6Ly9yb290LWNhLnNrYi51cGpzLnNrL3Jvb3QtY2EuY3J0 MDAGCCsGAQUFBzABhiRodHRwOi8vb2NzcC5yb290LWNhLnNrYi51cGpzLnNrOjkw ODAwHwYDVR0jBBgwFoAUK0SbVKaBo0vaCO5iIPbjFzCTkHMwDAYDVR0TAQH/BAIw ADA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vcm9vdC1jYS5za2IudXBqcy5zay9y b290LWNhLmNybDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0P AQH/BAQDAgWgMB0GA1UdDgQWBBSzCMTMZQcpxFjvjLW493gdRTwFfjANBgkqhkiG 9w0BAQsFAAOCAgEADQ79bj84UWlD0CzhjPOEGDqlLtzsi/JJQYNb4KC4+65kZ48T U/s0qX2zZotZatF2FNc5PvjEz8C14TolPeKki7IaDzoaX34q/P5z/5vrUsNdIkAQ ZwzRCMs7yGflrY9UmqmCpZW9UcxVpKM233uHDNGs0AkzA24R/dN/fY5y1GraorHe 
7Mo6Tm3I88RcJtwEhgT4TQQMl6WOvZbumC3RiXJ7QEZDhb5rT2fZz5vLAq/WVIJx 2t2SAm7CcUyl/Rxr+v+Mo0znYuRLME0MxEk6GJ3GIz0uNHhjyuiqHPBZtO5BeAjE 9+2TxaHpWUgYi8XvzePKJejQgjjWm8i4k+ApRME2FL914Ye4wdVhZcPMOusrJDAv MXvHAoTfVPeYcjVDgEr8PnIM0zNXFm4TpfjxANEQF9OKew5HHDBspkCgtBXYRQ2o TUIkkEO/fiQixO45DF7Gk+2DyKiBAmLg6DHtmja2WmT6voREGMILaD9JyXlrhIi6 uG40zQfIKd9i+MIRhqE4vA73pwG8VwRc6FM+0LrFrXey0GlAjWEK5opR0KBvGjGO bZB//WtmNG6HjZkhPX8h+PqWJ8FDj77YiYZqguxt2Lhoy2J9CjpszvleM59OAp0L 83eDQEVTQqG/1+iRZqzGjbcxv03/Epcg1mlv6FWB//is6v7oEEYVkFymyuY= -----END CERTIFICATE----- subject=C = SK, O = UPJS, CN = www.skb.upjs.sk issuer=C = SK, O = UPJS, CN = SKB Level 1 CA --- Acceptable client certificate CA names C = SK, O = UPJS, CN = SKB Level 1 CA C = SK, O = UPJS, CN = SKB Root CA Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512 Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 5577 bytes and written 2542 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 4096 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) ---
Enter pass phrase for klientA/client.key: depth=2 C = SK, O = UPJS, CN = SKB Root CA verify return:1 depth=1 C = SK, O = UPJS, CN = SKB Level 1 CA verify return:1 depth=0 C = SK, O = UPJS, CN = www.skb.upjs.sk verify return:1 DONE
!cat /var/www/html/skb.php
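<?php
// Debug endpoint: dump the request environment (including the SSL_CLIENT_*
// variables mod_ssl sets) so the client-certificate handshake can be inspected.
// $_SERVER contains request-controlled data (REQUEST_URI, QUERY_STRING, any
// HTTP_* header such as User-Agent), so it is HTML-escaped before being placed
// in the page; print_r(..., true) returns the dump as a string instead of
// echoing it. The page also discloses server configuration details, so it is
// meant for this lab setup only.
printf("<pre>%s</pre>", htmlspecialchars(print_r($_SERVER, true), ENT_QUOTES, 'UTF-8'));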
%%bash
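# Bundle client A's private key and certificate, plus the issuing sub CA, into
# a PKCS#12 file for import into a browser or OS key store.
# The .pfx holds the private key, so it is created unreadable to other users;
# the umask is set in a subshell so it does not leak into the rest of the session.
# -keypbe/-certpbe/-macalg request PBES2 with AES-256 and an SHA-256 MAC
# instead of the legacy RC2-40 / 3DES / SHA-1 defaults of OpenSSL 1.1.x
# (OpenSSL 3 already defaults to AES). Very old importers may not accept
# AES-encrypted PKCS#12; drop those three options if the target store rejects
# the file. The export password is still prompted for interactively.
(umask 077 && openssl pkcs12 -export -out "klientA/clientA.pfx" \
  -inkey "klientA/client.key" -in "klientA/client.crt" -certfile "subCA/ca.crt" \
  -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256)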
Enter pass phrase for klientA/client.key: Enter Export Password: Verifying - Enter Export Password:
!tree
. ├── ca-conf.tgz ├── CA.ipynb ├── client.conf ├── klientA │ ├── clientA.pfx │ ├── client.crt │ ├── client.csr │ └── client.key ├── klientB │ ├── client.crt │ ├── client.csr │ └── client.key ├── rootCA │ ├── ca.crt │ ├── ca.csr │ ├── certs │ │ ├── 2910E71DA39D985FE57CA60070F54645.pem │ │ └── 2910E71DA39D985FE57CA60070F54646.pem │ ├── db │ │ ├── crlnumber │ │ ├── index │ │ ├── index.attr │ │ ├── index.attr.old │ │ ├── index.old │ │ ├── serial │ │ └── serial.old │ └── private │ └── ca.key ├── rootCA.conf ├── server │ ├── chain.crt │ ├── server.crt │ ├── server.csr │ └── server.key ├── server.conf ├── subCA │ ├── ca.crt │ ├── ca.csr │ ├── certs │ │ ├── EEB85B87F8D005C51C6E98814AB3E33C.pem │ │ ├── EEB85B87F8D005C51C6E98814AB3E33D.pem │ │ └── EEB85B87F8D005C51C6E98814AB3E33E.pem │ ├── chain.crt │ ├── db │ │ ├── crlnumber │ │ ├── index │ │ ├── index.attr │ │ ├── index.attr.old │ │ ├── index.old │ │ ├── serial │ │ └── serial.old │ └── private │ └── ca.key └── subCA.conf 11 directories, 43 files