diff --git a/content/about.md b/content/about.md index f5b7ac2..ce3bc87 100644 --- a/content/about.md +++ b/content/about.md @@ -15,6 +15,4 @@ about technology and other passions of mine. - - Content on this site is [CC-BY-SA](https://creativecommons.org/licenses/by/3.0/) diff --git a/content/posts/create-your-own-ca-cert.md b/content/posts/create-your-own-ca-cert.md new file mode 100644 index 0000000..01c8d7c --- /dev/null +++ b/content/posts/create-your-own-ca-cert.md 
@@ -0,0 +1,94 @@ +--- +title: "Creating and Using a CA Certificate" +description: "" +date: "2023-01-27" +tags: +- SSL +draft: true +--- + + +## Creating the Certificate Authority's Certificate and Keys + +1. Generate a private key for the CA: +``` +$ openssl genrsa 4096 > ca-key.pem +``` + +2. Generate the X509 certificate for the CA: +``` + $ openssl req -new -x509 -nodes -days 3650 -sha256 \ + -subj "/C=US/ST=CO/O=Automox, Inc./OU=Engineering/CN=ca.example.internal" \ + -key ca-key.pem \ + -out ca-cert.pem + +``` + +## Creating the Server's Certificate and Keys + +1. Generate the private key and certificate request: +``` +$ openssl req -newkey rsa:4096 -nodes -days 3650 -sha256 \ + -subj "/CN=mydomain.com" \ # exclude this and you will get interactive prompts + -keyout server-key.pem \ + -out server-req.pem + +# if you already have a private key +$ openssl req -new -nodes -days 3650 -sha256 \ + -subj "/CN=mydomain.com" \ + -key server-key.pem \ + -out server-req.pem + +# if you want to add SANs +$ openssl req -new -nodes -days 3650 -sha256 \ + -subj "/CN=mydomain.com" \ + -reqexts SAN \ + -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:mydomain.com,DNS:www.mydomain.com")) \ # to add SANs + -key server-key.pem \ + -out server-req.pem +``` + + +2. Generate the X509 certificate for the server: +> `-days` expiration can be no longer than 398 days (13 months) (thanks Apple) +> https://support.apple.com/en-us/HT211025 +> https://www.globalsign.com/en/blog/maximum-ssltls-certificate-validity-now-one-year +> `-set_serial` must be a positive integer and unique to each cert signed by the CA. `date +%s` prints the current number of seconds since the Epoch (00:00:00 UTC, January 1, 1970). 
See [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2 "https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2") for details +``` +$ openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \ + -in server-req.pem \ + -out server-cert.pem \ + -CA ca-cert.pem \ + -CAkey ca-key.pem + +# if you want to add SANs +$ openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \ + -extfile <(printf "subjectAltName=DNS:my.domain.com") \ + -in server-req.pem \ + -out server-cert.pem \ + -CA ca-cert.pem \ + -CAkey ca-key.pem +``` + +## Verifying the Certificates + +1. Verify the server certificate: + +``` + $ openssl verify -CAfile ca-cert.pem \ + ca-cert.pem \ + server-cert.pem +``` +2. Verify the client certificate: + +``` + $ openssl verify -CAfile ca-cert.pem \ + ca-cert.pem \ + client-cert.pem +``` + +## Verify the certificate's content + +``` +openssl x509 -in mydomain.com.crt -text -noout +``` diff --git a/content/posts/golang-makefiles.md b/content/posts/golang-makefiles.md index ac5aedd..ddfbf13 100755 --- a/content/posts/golang-makefiles.md +++ b/content/posts/golang-makefiles.md 
@@ -5,16 +5,16 @@ tags: [make, golang] draft: false --- -[Make is a build automation tool from the late 70's][make-wiki] that's pretty popular in C and C++ world. Thanks to its age and -popularity you can find tons of tutorials and Make is supported on basically every platform out there. I'm going to +[Make is a build automation tool from the late 70's][make-wiki] that's pretty popular in C and C++ world. Thanks to its age and +popularity you can find tons of tutorials and Make is supported on basically every platform out there. I'm going to demonstrate how to set up a basic Makefile for Golang projects that will build, lint and test your code. Make has a few simple rules that make it powerful, it expects that each task you create will be the name of an output file -on disk. This is nice because if a file already exists with the same name as a task then Make will skip doing the work +on disk. This is nice because if a file already exists with the same name as a task then Make will skip doing the work for that task. -## Building +## Building For example if you create the following `Makefile` below and place it in the root of your project and run `make`, you will see a new `hello_world` binary built: @@ -32,7 +32,7 @@ make: 'hello_world' is up to date. So lets add a clean command to clean up the build output: -```makefile {linenos=table,hl_lines=["4-5"]} +```makefile {hl_lines=["4-5"]} hello_world: go build -o hello_world main.go @@ -40,10 +40,10 @@ clean: rm -rf ./hello_world ``` -One issue here is that the `clean` task will only work as long as there isn't a file in the project also named `clean`. +One issue here is that the `clean` task will only work as long as there isn't a file in the project also named `clean`. If you want Make to ignore the file system for this task then you can add an entry to the `.PHONY` list: -```makefile {linenos=table,hl_lines=[7]} +```makefile {hl_lines=[7]} hello_world: go build -o hello_world main.go 
@@ -56,7 +56,7 @@ clean: ## Testing Next we can run tests. You can define variables in your makefile that run shell commands for their value. I'm running -`go list` and filtering out the `vendor` folder so we can run tests for every package in our project. Remember to add +`go list` and filtering out the `vendor` folder so we can run tests for every package in our project. Remember to add that `test` task to the `.PHONY` list: ```makefile @@ -68,11 +68,11 @@ test: .PHONY: test ``` -## Linting +## Linting -Now that we can build and test our code, lets try to lint it. My lint tool of choice is [golangci-lint][golangcilint] -so I like to add an install task that runs `go get` to install it. To do this I take advantage of a Make feature called -prerequisite tasks, where you can list tasks that are required to execute before another task runs. This makes it easy +Now that we can build and test our code, lets try to lint it. My lint tool of choice is [golangci-lint][golangcilint] +so I like to add an install task that runs `go get` to install it. To do this I take advantage of a Make feature called +prerequisite tasks, where you can list tasks that are required to execute before another task runs. This makes it easy to set up the install task as a dependency of our `lint` command, ensuring its installed every time we run it: ```makefile @@ -94,7 +94,7 @@ your commands in. The `-euo pipefail` runs your commands in a type of [strict mo errors as they happen and make your life debugging shells scripts generally much easier. ```makefile -.SHELLFLAGS := -euo pipefail +.SHELLFLAGS := -euo pipefail PKGS := $(shell go list ./... | grep -v vendor) LINT_BIN := $(GOPATH)/bin/golangci-lint
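Review bot: Removing the `Content on this site is [CC-BY-SA](...)` line from `content/about.md` leaves the site with no licence statement at all, and the commit gives no reason for it. If the intent is to change or drop the licence, say so in the commit message; if it is only being moved, keep the line until the replacement lands. If the line does stay, note that it links to CC-BY-SA 3.0 rather than the current 4.0 text.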
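Review bot: In "Creating the Server's Certificate and Keys", the inline comments after a line continuation (`-subj "/CN=mydomain.com" \ # exclude this and you will get interactive prompts` and `-config <(...) \ # to add SANs`) break the commands when pasted: a backslash followed by a space is an escaped space, not a continuation, so the command ends on that line with stray `# exclude ...` arguments and the following `-keyout` / `-out` lines run as separate commands. Move those comments onto their own `#` lines above the command. In the same block, `-days 3650` has no effect on `openssl req` without `-x509` (a CSR carries no validity) and can be dropped, and the `-reqexts SAN` variant puts the SAN only into the CSR, which `openssl x509 -req` does not copy into the issued certificate, so the `-extfile` in step 2 is what actually matters. That `-extfile` names `DNS:my.domain.com`, which matches neither the CSR's `mydomain.com` / `www.mydomain.com` nor the CN; browsers ignore CN and require a matching SAN, so make the SAN variant the primary path and use the same host names in both steps. In the blockquote before step 2, the 398-day limit from HT211025 applies only to certificates chaining to Apple's preinstalled roots; certificates from a user- or administrator-added CA like this one are explicitly exempt, so present the short validity as good practice rather than a hard limit. `-set_serial $(date +%s)` collides as soon as two certificates are signed within the same second; `-CAcreateserial` (OpenSSL keeps a counter in `ca-cert.srl`) or `-set_serial 0x$(openssl rand -hex 16)` gives serials that are unique, and in the latter case unpredictable. In "Verifying the Certificates", `client-cert.pem` is never created anywhere in the post, and the final `openssl x509 -in mydomain.com.crt` should read `server-cert.pem`. Finally, step 1 writes the CA key unencrypted with default permissions; `openssl genrsa -aes256 -out ca-key.pem 4096`, or at least `chmod 600 ca-key.pem` right after, is worth showing, since that key is the trust anchor for everything signed below.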
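Review bot: The changes in this and the following hunks of `content/posts/golang-makefiles.md` are trailing-whitespace and code-fence-attribute fixes unrelated to the new CA post; splitting them into their own commit keeps `git blame` and review readable. While these lines are being touched, the comma splice in `Make has a few simple rules that make it powerful, it expects that each task you create will be the name of an output file` reads better as two sentences, and `in C and C++ world` wants `the`.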
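Review bot: In the `clean` recipe shown as context (`rm -rf ./hello_world`), `-r` is unnecessary for a single build artifact; `rm -f ./hello_world` does the same job and will not recursively delete a directory if the target name is ever changed to one. Dropping `linenos=table` while keeping `hl_lines=[7]` is fine, since highlighting is by line index, and the highlight should stay because the prose above points readers at the `.PHONY` entry.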
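Review bot: `go list ./... | grep -v vendor`, the `PKGS` definition this paragraph describes, is both unnecessary and slightly unsafe: since Go 1.9 the `./...` pattern no longer matches `vendor` directories, and `grep -v vendor` also drops any legitimate package whose import path merely contains that substring (for example a `vendorsync` package). `go list ./...` on its own is enough.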
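Review bot: `runs go get to install it` is out of date: since Go 1.17 installing binaries with `go get` is deprecated, and since Go 1.18 `go get` no longer builds or installs packages in module mode, so the install task should run `go install github.com/golangci/golangci-lint/cmd/golangci-lint@<version>` with a pinned version, which also keeps lint results reproducible across machines. Typo in the last line of the hunk: `ensuring its installed` should be `it's`.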
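Review bot: `.SHELLFLAGS := -euo pipefail` (only trailing whitespace changes here, but the line is worth fixing) is missing `-c`: the default `.SHELLFLAGS` is `-c`, and overriding it without `-c` makes make invoke `sh -euo pipefail 'go build ...'`, which treats the recipe text as a script file name. It also needs bash, because `-o pipefail` is rejected by a POSIX `sh` such as dash. Unless `SHELL` is set to bash in the lines above this hunk, this should be `SHELL := bash` and `.SHELLFLAGS := -euo pipefail -c`.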