= SSL =

== openssl certificate + key generation ==
{{{#!highlight sh
openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/http2.pem -keyout /etc/ssl/private/http2.pem
#Country Name: PT
#Country Name (2 letter code) [XX]:PT
#State or Province Name (full name) []:State
#Locality Name (eg, city) [Default City]:City
#Organization Name (eg, company) [Default Company Ltd]:example
#Organizational Unit Name (eg, section) []:
#Common Name (eg, your name or your server's hostname) []:*.example.org
#Email Address []:user@example.org
}}}

== Check https connection ==
{{{#!highlight sh
openssl s_client -connect wiki.bitarus.allowed.org:443
}}}

== Multiple SSL nginx ==
http://nginx.org/en/docs/http/configuring_https_servers.html

== Multiple SSL Apache ==
https://wiki.apache.org/httpd/NameBasedSSLVHosts

As a rule, it is impossible to host more than one SSL virtual host on the same IP address and port.

It is acceptable to use a single SSL configuration for several virtual hosts. In particular, this will work if the SSL certificate applies to all the virtual hosts. For example, this will work if:

All the VirtualHosts are within the same domain, eg: one.example.com and two.example.com.
You have a wildcard SSL certificate for that domain (one where the Common Name begins with an asterix: i.e *.example.com)

== Encrypt and decrypt with openssl + RSA keypair + base64 ==
{{{#!highlight sh
# generate RSA key pair
openssl genrsa -out private.pem 2048
# export public key 
openssl rsa -in private.pem -outform PEM -pubout -out public.pem

rm test.txt test.txt.bin.enc test.txt.bin.enc.b64 decoded.enc test.txt.bin
echo -n "test" > test.txt
hexdump -C test.txt
# encrypt with public key
openssl rsautl -encrypt -inkey public.pem -pubin -in test.txt -out test.txt.bin.enc
# encode 
base64 test.txt.bin.enc > test.txt.bin.enc.b64
# decode
base64 -d test.txt.bin.enc.b64 > decoded.enc
# decrypt with public key 
openssl rsautl -decrypt -inkey private.pem -in decoded.enc -out test.txt.bin
hexdump -C test.txt.bin
}}}


=== encrypt.sh ===
{{{#!highlight sh
# ssh-keygen
# openssl rsa -in id_rsa -outform PEM -pubout -out id_rsa.pub.pem
MESSAGE=message.txt
MESSAGE_ENC=message.txt.enc
MESSAGE_ENC_B64=message.txt.enc.b64
PUB_KEY=~/.ssh/id_rsa.pub.pem

echo -n $1 > $MESSAGE
openssl rsautl -encrypt -inkey "$PUB_KEY" -pubin -in "$MESSAGE" -out "$MESSAGE_ENC" 
base64 $MESSAGE_ENC > $MESSAGE_ENC_B64
cat $MESSAGE_ENC_B64
}}}

=== decrypt.sh ===
{{{#!highlight sh
OUT_MESSAGE=message.txt.dec
MESSAGE_ENC_B64=message.txt.enc.b64
DECODED_ENC=message.dec.enc
PRV_KEY=~/.ssh/id_rsa
 
base64 -d $MESSAGE_ENC_B64 > $DECODED_ENC
openssl rsautl -decrypt -inkey $PRV_KEY -in $DECODED_ENC -out $OUT_MESSAGE
cat $OUT_MESSAGE
}}}

== https://gethttpsforfree.com/ ==
{{{#!highlight sh
cd ~
openssl genrsa 4096 > httpsforfreeaccount.key
openssl rsa -in httpsforfreeaccount.key -pubout > httpsforfreeaccount.pub
openssl genrsa 4096 > domain.key
openssl req -new -sha256 -key domain.key -subj "/" \
  -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
  <(printf "\n[SAN]\nsubjectAltName=DNS:foo.com,DNS:www.foo.com"))
}}}

== https://www.sslforfree.com/ ==


== Get expiration date ==
 * echo | openssl s_client -servername www.bitarus.allowed.org -connect www.bitarus.allowed.org:443 2>/dev/null | openssl x509 -noout -enddate
{{{#!highlight python
import sys
import os
import time

hostname = "www.bitarus.allowed.org"
output_file = "/tmp/cert_info_%s.txt"%(hostname)
command = "echo | openssl s_client -servername %s -connect %s:443 2>/dev/null | openssl x509 -noout -enddate > %s"

threshold = 86400 * 5 # 5 days

os.system(command%(hostname, hostname, output_file))

with open(output_file) as f:
  for line in f:
    datex = line.split("=")[1].strip()
    print datex
    t = time.strptime(datex,'%b %d %H:%M:%S %Y %Z')
    delta = time.mktime(t) - time.time()
    if delta < 0: print "Expired %s"%(hostname)
    if delta >=0 and delta <= threshold: print "Will expire soon %s"%(hostname)
    if delta > threshold : print "Is okay %s"%(hostname)
}}}

== Create root CA (certification authority) and signed certificate for darkstar host ==
{{{#!highlight sh
mkdir ~/certs
cd ~/certs
# create root CA private key
openssl genrsa -des3 -out localCA.key 2048
# create root CA certificate
openssl req -x509 -new -nodes -key localCA.key -sha256 -days 1825 -out localCA.pem 
# update certificates in the OS
sudo cp ~/certs/localCA.pem /usr/local/share/ca-certificates/localCA.crt
sudo update-ca-certificates
# create darkstar host private key 
openssl genrsa -out darkstar.key 2048
# Create darkstar host CSR (certificate signing request)
openssl req -new -key darkstar.key -out darkstar.csr
}}}

=== Create darkstar host configuration file called darkstar.ext ===
{{{
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = darkstar
}}}

{{{#!highlight sh
# Create darkstar host signed certificate 
openssl x509 -req -in darkstar.csr -CA ~/certs/localCA.pem -CAkey ~/certs/localCA.key -CAcreateserial -days 825 -sha256 -extfile darkstar.ext -out darkstar.crt 

cd /etc/nginx/sites-available
nano darkstar
ssl_certificate /etc/ssl/certs/darkstar.crt;
ssl_certificate_key /etc/ssl/private/darkstar.key;

sudo mv darkstar.crt /etc/ssl/certs
sudo mv darkstar.key /etc/ssl/private/
service nginx restart 
}}}

Import the root CA in the certificates authorities part in the browsers.
 * Firefox 
  * settings, privacy and security
  * view certificates 
  * Authorities, import 
  * import localCA.pem 
  * trust to identify websites and email users 
  * Access https://darkstar/
 * Android Chrome
  * Install root CA certificate from https://darkstar/localCA.crt
   * VPN and apps
   * cert name "localCA root cert"