Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

alt

Daniel Nashed

Why does certificate management need that complicated?

Daniel Nashed – 28 December 2021 17:00:01
Certificate management is not rocket science and it looks like we just have too complicated tooling.
Why does certificate information need to be displayed that cryptic?


And why does certificate conversion need to be that complicated with cryptic parameters?


OpenSSL command line is the standard Swiss army knife. But why is it that complex to use?

Probably because it has been written over the years and it is built by geeks for geeks ..


Domino 12 comes with CertMgr and cerstore.nsf and is very easy to use.

With 12.0.1 the export/import functionality can be used to convert certificates.

And we are using it for customers already to convert certificates for external applications.


But because I work a lot with certificates, I have some special requirements and have also fun working with the OpenSSL API.

So here is a new command-line tool I wrote over the year. I am adding new functionality as needed -- like reading all kinds of information from certificates, the connection, checking OCSP etc..


It can merge certificates from many formats. PEM, DER, PKCS#12, PKCS#7, encrypted with AES256, but also has a switch for legacy encryption.

And it can also query certificates directly from websites with SNI support.


It doesn't care for file extensions and does some magical filtering similar to what Domino 12 CertMgr provides.
The conversion was the first functionality I implemented. But it can do a lot more than what is documented today. It's also its own CA with its own TCP/IP listener.


I just giving it to friends and family for now. Would you find a tool like this helpful?  


-- Daniel


Nash!Com CerTool 0.9.0

OpenSSL 1.1.1a  20 Nov 2018

(Build on: OpenSSL 1.1.1k  25 Mar 2021)

[Valid for 90 days]


Usage: \lotus\notes\nshcertool.exe


Manage Keys & Certificates

--------------------------

    Up to 4 input files in pkcs12/pfx, pkcs7 chain, PEM, DER (. = clipboard)

                   Automagical conversion: Files can have any extension and order. Duplicated information is filtered.


-web address & port to read certificates

-sni      SNI name used when connecting via -web

-RSA                 Request RSA   signing algorithms

-EC                  Request ECDSA signing algorithms

-sigalgs  Hash algorithms for connect. example: ECDSA+SHA256:RSA+SHA256

-noverify            Ignore certificate issues


-cacerts  Alternate root cacerts file for checking trusted roots

-pem        Output PEM file (. = clipboard)

-p12        Output PKCS12 file

-pub        Write separate public key output PEM file

-pkey  Write separate key output PEM file

-p          Input password

-P         Output password


-InsecureExport      Use legacy encryption (insecure)

-n                   Write name tags for output PEM file

-a                   Export all certificates & keys without sorting & filtering

-v                   Verbose logging

-V                   More verbose logging


Key & CSR Creation

------------------

-key       Output/Input key file PEM

-ec  256|384|521     ECDSA key NIST-P curve (default: 256)

-rsa 2048|4096       RSA key size (default: 2048)


-rsa-pss 2048|4096   RSA-PSS key size (default: 2048)


-csr        CSR output file

-host     Hostname also used as CN for CSR

-tag       Tag name stored in keyfile field


CSR options

------------------

-CN     Common name

-O             Organization

-OU        Organization unit

-ST        Province

-L            City

-san           Subject alternate name (SAN)

-crl           CRL distribution point

-email      e-mail address


Example

-------


nshcertool.exe win.pfx dom.key . -p pwdin -P pwdout -pem all.pem -p12 all.p12 -n


Imports a PFX file +  key in PEM + PEM from clipboard, sorts + consolidates them and exports into PEM and P12 with input/output passwords




-- Certificate information example --


nshcertool.exe -web blog.nashcom.de -sni blog.nashcom.de -v -pem nsh-wildcard.pem


[WEB: blog.nashcom.de:443] Certs: 3

Certificate Validation OK

SSL-Version: TLSv1.2

SSL-Cipher : ECDHE-ECDSA-AES256-GCM-SHA384

SSL-Bits   : 256

Key        : X25519 253 bit


OCSP Status: good

OCSP This  : 2021.12.26 10:00:00

OCSP Next  : 2022.01.02 09:59:58

PrivateKeys: 0


#0

Subject    : *.nashcom.de

SAN        : *.nashcom.de, nashcom.de

Issuer     : US/Let's Encrypt/R3

Not Before : 2021.11.16 09:30:07

Not After  : 2022.02.14 09:30:06 (expires in 47.0 days)


Serial     : 0442CF9A33F239CA380A6CBE87E529DE104F

Sign Alg   : sha256WithRSAEncryption

KeyUsage   : DigitalSignature

Extensions : BasicConstraints, KeyUsage, ExtKeyUsage

ExtKeyUsage: TLS Web Server Authentication, TLS Web Client Authentication

Key        : ECDSA NIST P-256

ASN1 OID   : prime256v1


OCSP       :
http://r3.o.lencr.org
AuthInfoURL:
http://r3.i.lencr.org/

AuthKeyId  : 14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

SubjKeyId  : 07:BB:3F:58:13:D7:43:22:CF:29:39:45:14:43:7A:9A:EC:B9:FD:20

MD5        : 29:12:95:F9:26:08:9A:62:02:99:8F:4A:3B:6F:CB:70

SHA1       : 14:33:B0:09:FD:B8:C0:39:F3:CD:96:04:06:63:5B:71:83:31:BC:56

SHA256     : CA:C7:8D:58:F2:22:8E:BA:26:98:44:4B:0A:9B:2A:7B:08:76:87:20:3C:86:2E:12:B6:59:82:03:9A:1F:11:5D



#1

Subject    : US/Let's Encrypt/R3

Issuer     : US/Internet Security Research Group/ISRG Root X1

Not Before : 2020.09.04 00:00:00

Not After  : 2025.09.15 16:00:00 (expires in 3.7 years)


Serial     : 912B084ACF0C18A753F6D62E25A75F5A

Sign Alg   : sha256WithRSAEncryption

KeyUsage   : DigitalSignature, CrlSign

Extensions : BasicConstraints, CA, KeyUsage, ExtKeyUsage

PathLen    : 0

ExtKeyUsage: TLS Web Client Authentication, TLS Web Server Authentication

Key        : RSA 2048 bit


AuthInfoURL:
http://x1.i.lencr.org/
CRL        :
http://x1.c.lencr.org/

AuthKeyId  : 79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E

SubjKeyId  : 14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

MD5        : E8:29:E6:5D:7C:43:07:D6:FB:C1:3C:17:9E:03:7A:36

SHA1       : A0:53:37:5B:FE:84:E8:B7:48:78:2C:7C:EE:15:82:7A:6A:F5:A4:05

SHA256     : 67:AD:D1:16:6B:02:0A:E6:1B:8F:5F:C9:68:13:C0:4C:2A:A5:89:96:07:96:86:55:72:A3:C7:E7:37:61:3D:FD



#2

Root       : US/Internet Security Research Group/ISRG Root X1

Not Before : 2015.06.04 11:04:38

Not After  : 2035.06.04 11:04:38 (expires in 13.4 years)


Serial     : 8210CFB0D240E3594463E0BB63828B00

Sign Alg   : sha256WithRSAEncryption

KeyUsage   : CrlSign

Extensions : BasicConstraints, CA, SelfSigned, KeyUsage

Key        : RSA 4096 bit



SubjKeyId  : 79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E

MD5        : 0C:D2:F9:E0:DA:17:73:E9:ED:86:4D:A5:E3:70:E7:4E

SHA1       : CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8

SHA256     : 96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6


Info: Certificate chain validated!


Certificates: 3/3 - Keys: 0/0

Comments

1Don  30.12.2021 9:49:42  Why does certificate management need that complicated?

Probably is usefull. We still need to upgrade to Domino 12.0.1 so untill then we're using OpenSSL and I have made some internal documentation so everyone can do this.

Links

    Archives


    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]