Why does certificate management need that complicated?
Daniel Nashed – 28 December 2021 17:00:01
Certificate management is not rocket science and it looks like we just have too complicated tooling. Why does certificate information need to be displayed that cryptic?
And why does certificate conversion need to be that complicated with cryptic parameters?
OpenSSL command line is the standard Swiss army knife. But why is it that complex to use?
Probably because it has been written over the years and it is built by geeks for geeks ..
Domino 12 comes with CertMgr and cerstore.nsf and is very easy to use.
With 12.0.1 the export/import functionality can be used to convert certificates.
And we are using it for customers already to convert certificates for external applications.
But because I work a lot with certificates, I have some special requirements and have also fun working with the OpenSSL API.
So here is a new command-line tool I wrote over the year. I am adding new functionality as needed -- like reading all kinds of information from certificates, the connection, checking OCSP etc..
It can merge certificates from many formats. PEM, DER, PKCS#12, PKCS#7, encrypted with AES256, but also has a switch for legacy encryption.
And it can also query certificates directly from websites with SNI support.
It doesn't care for file extensions and does some magical filtering similar to what Domino 12 CertMgr provides.
The conversion was the first functionality I implemented. But it can do a lot more than what is documented today. It's also its own CA with its own TCP/IP listener.
I just giving it to friends and family for now. Would you find a tool like this helpful?
-- Daniel
Nash!Com CerTool 0.9.0
OpenSSL 1.1.1a 20 Nov 2018
(Build on: OpenSSL 1.1.1k 25 Mar 2021)
[Valid for 90 days]
Usage: \lotus\notes\nshcertool.exe
Manage Keys & Certificates
--------------------------
Automagical conversion: Files can have any extension and order. Duplicated information is filtered.
-web
-sni
-RSA Request RSA signing algorithms
-EC Request ECDSA signing algorithms
-sigalgs
-noverify Ignore certificate issues
-cacerts
-pem
-p12
-pub
-pkey
-p
-P
-InsecureExport Use legacy encryption (insecure)
-n Write name tags for output PEM file
-a Export all certificates & keys without sorting & filtering
-v Verbose logging
-V More verbose logging
Key & CSR Creation
------------------
-key
-ec 256|384|521 ECDSA key NIST-P curve (default: 256)
-rsa 2048|4096 RSA key size (default: 2048)
-rsa-pss 2048|4096 RSA-PSS key size (default: 2048)
-csr
-host
-tag
CSR options
------------------
-CN
-O
-OU
-ST
-L
-san
-crl
Example
-------
nshcertool.exe win.pfx dom.key . -p pwdin -P pwdout -pem all.pem -p12 all.p12 -n
Imports a PFX file + key in PEM + PEM from clipboard, sorts + consolidates them and exports into PEM and P12 with input/output passwords
-- Certificate information example --
nshcertool.exe -web blog.nashcom.de -sni blog.nashcom.de -v -pem nsh-wildcard.pem
[WEB: blog.nashcom.de:443] Certs: 3
Certificate Validation OK
SSL-Version: TLSv1.2
SSL-Cipher : ECDHE-ECDSA-AES256-GCM-SHA384
SSL-Bits : 256
Key : X25519 253 bit
OCSP Status: good
OCSP This : 2021.12.26 10:00:00
OCSP Next : 2022.01.02 09:59:58
PrivateKeys: 0
#0
Subject : *.nashcom.de
SAN : *.nashcom.de, nashcom.de
Issuer : US/Let's Encrypt/R3
Not Before : 2021.11.16 09:30:07
Not After : 2022.02.14 09:30:06 (expires in 47.0 days)
Serial : 0442CF9A33F239CA380A6CBE87E529DE104F
Sign Alg : sha256WithRSAEncryption
KeyUsage : DigitalSignature
Extensions : BasicConstraints, KeyUsage, ExtKeyUsage
ExtKeyUsage: TLS Web Server Authentication, TLS Web Client Authentication
Key : ECDSA NIST P-256
ASN1 OID : prime256v1
OCSP : http://r3.o.lencr.org
AuthInfoURL: http://r3.i.lencr.org/
AuthKeyId : 14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
SubjKeyId : 07:BB:3F:58:13:D7:43:22:CF:29:39:45:14:43:7A:9A:EC:B9:FD:20
MD5 : 29:12:95:F9:26:08:9A:62:02:99:8F:4A:3B:6F:CB:70
SHA1 : 14:33:B0:09:FD:B8:C0:39:F3:CD:96:04:06:63:5B:71:83:31:BC:56
SHA256 : CA:C7:8D:58:F2:22:8E:BA:26:98:44:4B:0A:9B:2A:7B:08:76:87:20:3C:86:2E:12:B6:59:82:03:9A:1F:11:5D
#1
Subject : US/Let's Encrypt/R3
Issuer : US/Internet Security Research Group/ISRG Root X1
Not Before : 2020.09.04 00:00:00
Not After : 2025.09.15 16:00:00 (expires in 3.7 years)
Serial : 912B084ACF0C18A753F6D62E25A75F5A
Sign Alg : sha256WithRSAEncryption
KeyUsage : DigitalSignature, CrlSign
Extensions : BasicConstraints, CA, KeyUsage, ExtKeyUsage
PathLen : 0
ExtKeyUsage: TLS Web Client Authentication, TLS Web Server Authentication
Key : RSA 2048 bit
AuthInfoURL: http://x1.i.lencr.org/
CRL : http://x1.c.lencr.org/
AuthKeyId : 79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
SubjKeyId : 14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
MD5 : E8:29:E6:5D:7C:43:07:D6:FB:C1:3C:17:9E:03:7A:36
SHA1 : A0:53:37:5B:FE:84:E8:B7:48:78:2C:7C:EE:15:82:7A:6A:F5:A4:05
SHA256 : 67:AD:D1:16:6B:02:0A:E6:1B:8F:5F:C9:68:13:C0:4C:2A:A5:89:96:07:96:86:55:72:A3:C7:E7:37:61:3D:FD
#2
Root : US/Internet Security Research Group/ISRG Root X1
Not Before : 2015.06.04 11:04:38
Not After : 2035.06.04 11:04:38 (expires in 13.4 years)
Serial : 8210CFB0D240E3594463E0BB63828B00
Sign Alg : sha256WithRSAEncryption
KeyUsage : CrlSign
Extensions : BasicConstraints, CA, SelfSigned, KeyUsage
Key : RSA 4096 bit
SubjKeyId : 79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
MD5 : 0C:D2:F9:E0:DA:17:73:E9:ED:86:4D:A5:E3:70:E7:4E
SHA1 : CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8
SHA256 : 96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6
Info: Certificate chain validated!
Certificates: 3/3 - Keys: 0/0
- Comments [1]
1Don 30.12.2021 9:49:42 Why does certificate management need that complicated?
Probably is usefull. We still need to upgrade to Domino 12.0.1 so untill then we're using OpenSSL and I have made some internal documentation so everyone can do this.