Archive for February, 2018

Import a Trusted Root Certificate Authority in Windows 2012 R2 GPO

Export the certificate when you go to the site. I did this in Chrome through the “Developers Tools”. The result was a pem file.

I brought up the group policy management console and edited the GPO where I wanted the certificate. Then, I imported it.

Import the certificate to:
Computer Configuration/Policies/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities

CentOS 7 – Certificate For Apache Notes.

Generate a key and CSR:

# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Valencia
Organization Name (eg, company) [Default Company Ltd]:GreatTechHelp
Organizational Unit Name (eg, section) []:Information Systems
Common Name (eg, your name or your server’s hostname) []:myhostname
Email Address []:some@email.address

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Files created:

# ls
ca.csr ca.key

Sign the key:

# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=US/ST=California/L=Valencia/O=GreatTechHelp/OU=Information Systems/CN=myhostname/emailAddress=some@email.address
Getting Private key

Copy the certificate, key and csr files and set the permisions:

# cp ca.crt /etc/pki/tls/certs/
# cp ca.key /etc/pki/tls/private/ca.key
# cp ca.csr /etc/pki/tls/private/ca.csr
# chmod 600 /etc/pki/tls/certs/
# chmod 600 /etc/pki/tls/private/ca.key
# chmod 600 /etc/pki/tls/private/ca.csr

Edit the apache configuration for the VirtualHost or site (Virtual host in this example.):

# cd /etc/httpd/conf.d/
# ls
autoindex.conf myhostname.conf php.conf README ssl.conf userdir.conf welcome.conf
# vi myhostname.conf

ServerName server.domain.tld
ServerAlias someothername
DocumentRoot /var/www/html

NameVirtualHost *:443

ServerAlias myhostname
DocumentRoot /var/www/html/myhostname
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

AllowOverride All

DocumentRoot /var/www/html/myhostname
ServerAlias myhostname

Restart apache:

# systemctl restart httpd

To renew the cert:

# cp -p /etc/pki/tls/certs/ca.crt /etc/pki/tls/certs/ca.crt.bak
# cp -p /etc/pki/tls/private/ca.key /etc/pki/tls/private/ca.key.bak
# openssl req -new -days 365 -x509 -nodes -newkey rsa:2048 -out /etc/pki/tls/certs/ca.crt -keyout /etc/pki/tls/private/ca.key
# systemctl restart httpd

MySQL DB access via shell.

Here is a decent secure way to get yourself access to your MySQL/MariaDB databases from a shell script in linux:

# umask 277
# vi /somedirectory/.supersecretfile
# ls -l /somedirectory/.supersecretfile
-r——–. 1 root root 36 Feb 2 11:58 /somedirectory/.supersecretfile
# umask 022

# mysql –defaults-file=/somedirectory/.supersecretfile -e “SOME SQL COMMAND”

Return top