150 lines
4.5 KiB
Plaintext
150 lines
4.5 KiB
Plaintext
[[[ Certificates ]]]
|
|
|
|
|
|
[[ VPN Two-Factor Authentication (2FA) ]]
|
|
# example for 2FA
|
|
http://ocserv.gitlab.io/www/recipes-ocserv-2fa.html
|
|
|
|
|
|
|
|
[[ OpenSSL ]]
|
|
# openssl ca (command that uses a text database to create CRLs and certificates with serials)
|
|
@ https://www.openssl.org/docs/manmaster/man1/ca.html
|
|
|
|
# opensll x509
|
|
@ https://www.openssl.org/docs/manmaster/man1/x509.html
|
|
|
|
|
|
|
|
[[ Android ]]
|
|
# Android 7.x changes cert installation behavior changes
|
|
@ https://stackoverflow.com/questions/39215229/how-to-get-charles-proxy-work-with-android-7-nougat
|
|
|
|
"What complicates matters is that the Settings -> Security -> Install from storage
|
|
does not provide an explicit way for the user to specify whether they are installing
|
|
a client authentication credential (private key + cert chain) or a server authentication
|
|
trust anchor (just a CA cert -- no private key needed).
|
|
As a result, the Settings -> Security -> Install from storage flow guesses whether it''s
|
|
dealing with client/user authentication credential or server authentication trust anchor
|
|
by assuming that, if a private key is specified, it must be a client/user authentication credential."
|
|
|
|
|
|
[[ StrongSwan Maintenance Cert ]]
|
|
|
|
|
|
|
|
[[ StrongSwan CA Intermediates ]]
|
|
|
|
|
|
|
|
[[ Certificate Attributes ]]
|
|
@ https://superuser.com/questions/738612/openssl-ca-keyusage-extension#738644
|
|
# example of configuration options
|
|
@ https://github.com/JW0914/Wikis/blob/master/Scripts%2BConfigs/OpenSSL/openssl.cnf
|
|
|
|
pathLenConstraintof == 0
|
|
"I.e. a pathLenConstraintof 0 does still allow the CA to issue certificates,
|
|
but these certificates must be end-entity-certificates (the CA flag in BasicConstraints
|
|
is false - these are the "normal" certificates that are issued to people or organizations)"
|
|
|
|
|
|
pathLenConstraintof > 0
|
|
"If the pathLenConstraintof a given CA certificate is > 0, then it expresses the number
|
|
of possible intermediate CA certificates in a path built from an end-entity certificate
|
|
up to the CA certificate. Let''s say CA X has a pathLenConstraint of 2, the end-entity
|
|
certificate is issued to EE. Then the following scenarios are valid (I denoting an
|
|
intermediate CA certificate)"
|
|
|
|
VALID
|
|
X - EE
|
|
X - I1 - EE
|
|
X - I1 - I2 - EE
|
|
|
|
INVALID
|
|
X - I1 - I2 - I3 - EE
|
|
|
|
|
|
|
|
|
|
[[ VPN Clients ]]
|
|
|
|
[ misc notes ]
|
|
TUN/TAP
|
|
"Mac OS X users with OS X 10.6 or older, or using OpenConnect 6.00 or older,
|
|
will also need to install the Mac OS X tun/tap driver. Newer versions of OpenConnect
|
|
will use the utun device on OS X which does not require additional kernel modules to
|
|
be installed."
|
|
|
|
|
|
[ openconnect ]
|
|
# Support --key-password for GnuTLS PKCS#11 PIN.
|
|
|
|
# site
|
|
@ http://www.infradead.org/openconnect/
|
|
|
|
# comments that this works
|
|
@ https://gist.github.com/moklett/3170636
|
|
|
|
# compiling
|
|
@ http://www.infradead.org/openconnect/building.html
|
|
|
|
|
|
[ tunnelbrick ]
|
|
@ https://github.com/Tunnelblick/Tunnelblick
|
|
@ https://www.tunnelblick.net/cInstall.html
|
|
|
|
|
|
|
|
|
|
[[ IKEv2 vs OpenVPN ]]
|
|
@ https://security.stackexchange.com/questions/105967/ikev2-vs-openvpn
|
|
@ https://security.stackexchange.com/questions/63330/are-there-any-reasons-for-using-ssl-over-ipsec
|
|
|
|
|
|
|
|
|
|
[[ CA Intermediate ]]
|
|
|
|
[ Links ]
|
|
# nice tutorial site
|
|
@ https://roll.urown.net/ca/ca_intermed_setup.html
|
|
#
|
|
@ https://jamielinux.com/docs/openssl-certificate-authority/create-the-intermediate-pair.html
|
|
#
|
|
@ https://smartnets.wordpress.com/2017/04/27/create-certificate-chain-and-sign-certificates-using-openssl/
|
|
# simple, direct, examples
|
|
@ https://wiki.cementhorizon.com/display/CH/Example+CA%2C+Intermediate%2C+and+Server+Certificate
|
|
# Wiki
|
|
@ https://en.wikipedia.org/wiki/Certificate_signing_request
|
|
|
|
|
|
[ Example Code ]
|
|
# Generate CSR & CA_I keys
|
|
$ openssl req -new -newkey rsa:2048 -nodes -out ca_i.csr -keyout ca_i_key_222.key -subj "/C=US/ST=Railroad/L=Train/O=ACME INC./OU=ACME Flyaway/CN=www.acme.xyz"
|
|
|
|
|
|
# Create CA
|
|
openssl genrsa -out ca.key 4096
|
|
openssl req -new -x509 -nodes -sha1 -days 1825 -key ca.key -out ca.crt
|
|
|
|
# Create Intermediate
|
|
openssl genrsa -out intermediate.key 4096
|
|
openssl req -new -sha1 -key intermediate.key -out intermediate.csr
|
|
|
|
# CA signs Intermediate
|
|
openssl x509 -req -days 1825 -in intermediate.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out intermediate.crt
|
|
|
|
# Create Server
|
|
openssl genrsa -out test.example.com.key 4096
|
|
openssl req -new -key test.example.com.key -out test.example.com.csr
|
|
|
|
# Intermediate signs Server
|
|
openssl x509 -req -days 1825 -in test.example.com.csr -CA intermediate.crt -CAkey intermediate.key -set_serial 01 -out test.example.com.crt
|
|
|
|
|
|
[ Certificate Signing Request ]
|
|
# "US", "RailRoad", "City", "ACME", "ACME FLyaway", "flyaway.acme.xyz", "admin@acme.xyz"
|
|
|
|
|
|
|