misc/firestuff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Convert final article

Browse Source
This commit is contained in:
Ian Gulliver
2019-04-14 23:12:51 +00:00
parent caba920808
commit 5796878203
4 changed files with 386 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

141
2016-03-27-ec-ca-redux-now-with-more-nitrokey.html
View File

@@ -15,17 +15,18 @@
<h3>Create directory structure</h3>
<code>mkdir ca
<pre><code>mkdir ca
cd ca
mkdir -p {root,intermediate}/{certs,crl,csr,newcerts}
mkdir -p {client,server}/{certs,csr,pfx,private}
touch {root,intermediate}/database
echo 1000 | tee {root,intermediate}/{serial,crlnumber}
chmod 700 {client,server}/private</code>
chmod 700 {client,server}/private
</code></pre>
<h3>Create openssl.cnf</h3>
<code>cat > openssl.cnf &lt;&lt;'END'
<pre><code>cat &gt; openssl.cnf &amp;lt;&amp;lt;'END'
openssl_conf = openssl_init
[ openssl_init ]
engines = engines
@@ -138,93 +139,105 @@ engine_id = pkcs11
dynamic_path = /usr/lib/arm-linux-gnueabihf/openssl-1.0.0/engines/libpkcs11.so
MODULE_PATH = /usr/local/lib/pkcs11/opensc-pkcs11.so
init = 0
END</code>
END
</code></pre>
<h3>Tell future commands to use your new conf file</h3>
<code>export OPENSSL_CONF=openssl.cnf</code>
<pre><code>export OPENSSL_CONF=openssl.cnf
</code></pre>
<h3>Create a root key</h3>
<p>Insert your root HSM.</p>
<code>/usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --keypairgen --key-type EC:prime256v1 --label root
# Enter PIN</code>
<pre><code>/usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --keypairgen --key-type EC:prime256v1 --label root
# Enter PIN
</code></pre>
<h3>Create a self-signed root cert</h3>
<code>openssl req -engine pkcs11 -keyform engine -key label_root -new -extensions ext_root -out root/certs/root.cert.pem -x509 -subj '/C=US/ST=California/O=XXXX/OU=XXXX Certificate Authority/CN=XXXX Root CA' -days 7300
<pre><code>openssl req -engine pkcs11 -keyform engine -key label_root -new -extensions ext_root -out root/certs/root.cert.pem -x509 -subj '/C=US/ST=California/O=XXXX/OU=XXXX Certificate Authority/CN=XXXX Root CA' -days 7300
# Enter PIN
chmod 444 root/certs/root.cert.pem</code>
chmod 444 root/certs/root.cert.pem
</code></pre>
<h3>Verify root cert</h3>
<code>openssl x509 -noout -text -in root/certs/root.cert.pem</code>
<pre><code>openssl x509 -noout -text -in root/certs/root.cert.pem
</code></pre>
<p>Check:</p>
<ul>
<li>Expiration date (20 years in future)</li>
<li>Signature algorithm (ecdsa-with-SHA256)</li>
<li>Public key size (256 bit)</li>
<li>CA:TRUE</li>
<li>Expiration date (20 years in future)</li>
<li>Signature algorithm (ecdsa-with-SHA256)</li>
<li>Public key size (256 bit)</li>
<li>CA:TRUE</li>
</ul>
<h3>Import root cert onto HSM</h3>
<code>openssl x509 -in root/certs/root.cert.pem -out root/certs/root.cert.der -outform der
<pre><code>openssl x509 -in root/certs/root.cert.pem -out root/certs/root.cert.der -outform der
/usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --write-object root/certs/root.cert.der --type cert --label root
# Enter PIN</code>
# Enter PIN
</code></pre>
<h3>Create an intermediate key</h3>
<p>Insert your intermediate HSM</p>
<code>/usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --keypairgen --key-type EC:prime256v1 --label intermediate
# Enter PIN</code>
<pre><code>/usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --keypairgen --key-type EC:prime256v1 --label intermediate
# Enter PIN
</code></pre>
<h3>Create an intermediate certificate signing request (CSR)</h3>
<code>openssl req -engine pkcs11 -keyform engine -new -key label_intermediate -out intermediate/csr/intermediate.csr.pem -subj '/C=US/ST=California/O=XXXX/OU=XXXX Certificate Authority/CN=XXXX Intermediate'
# Enter PIN</code>
<pre><code>openssl req -engine pkcs11 -keyform engine -new -key label_intermediate -out intermediate/csr/intermediate.csr.pem -subj '/C=US/ST=California/O=XXXX/OU=XXXX Certificate Authority/CN=XXXX Intermediate'
# Enter PIN
</code></pre>
<h3>Sign intermediate cert with root key</h3>
<p>Insert your root HSM</p>
<code>openssl ca -engine pkcs11 -keyform engine -name ca_root -extensions ext_intermediate -notext -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem
<pre><code>openssl ca -engine pkcs11 -keyform engine -name ca_root -extensions ext_intermediate -notext -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem
# Enter PIN
chmod 444 intermediate/certs/intermediate.cert.pem</code>
chmod 444 intermediate/certs/intermediate.cert.pem
</code></pre>
<h3>Verify intermediate cert</h3>
<code>openssl x509 -noout -text -in intermediate/certs/intermediate.cert.pem
openssl verify -CAfile root/certs/root.cert.pem intermediate/certs/intermediate.cert.pem</code>
<pre><code>openssl x509 -noout -text -in intermediate/certs/intermediate.cert.pem
openssl verify -CAfile root/certs/root.cert.pem intermediate/certs/intermediate.cert.pem
</code></pre>
<p>Check:</p>
<ul>
<li>Expiration date (10 years in future)</li>
<li>Signature algorithm (ecdsa-with-SHA256)</li>
<li>Public key size (256 bit)</li>
<li>CA:TRUE</li>
<li>OK</li>
<li>Expiration date (10 years in future)</li>
<li>Signature algorithm (ecdsa-with-SHA256)</li>
<li>Public key size (256 bit)</li>
<li>CA:TRUE</li>
<li>OK</li>
</ul>
<h3>Import root & intermediate certs onto HSM</h3>
<h3>Import root &amp; intermediate certs onto HSM</h3>
<p>Insert your intermediate HSM</p>
<code>openssl x509 -in intermediate/certs/intermediate.cert.pem -out intermediate/certs/intermediate.cert.der -outform der
<pre><code>openssl x509 -in intermediate/certs/intermediate.cert.pem -out intermediate/certs/intermediate.cert.der -outform der
/usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --write-object root/certs/root.cert.der --type cert --label root
# Enter PIN
/usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --write-object intermediate/certs/intermediate.cert.der --type cert --label intermediate
# Enter PIN</code>
# Enter PIN
</code></pre>
<h3>Create a chain certificate file</h3>
<code>cat intermediate/certs/intermediate.cert.pem root/certs/root.cert.pem > intermediate/certs/chain.cert.pem
chmod 444 intermediate/certs/chain.cert.pem</code>
<pre><code>cat intermediate/certs/intermediate.cert.pem root/certs/root.cert.pem &gt; intermediate/certs/chain.cert.pem
chmod 444 intermediate/certs/chain.cert.pem
</code></pre>
<h3>CA setup done!</h3>
@@ -236,75 +249,85 @@ chmod 444 intermediate/certs/chain.cert.pem</code>
<p>You can substitute “server” for “client” for a server cert.</p>
<code>openssl ecparam -name secp384r1 -genkey | openssl ec -aes-256-cbc -out client/private/test1.key.pem
<pre><code>openssl ecparam -name secp384r1 -genkey | openssl ec -aes-256-cbc -out client/private/test1.key.pem
# Create client key password
chmod 400 client/private/test1.key.pem</code>
chmod 400 client/private/test1.key.pem
</code></pre>
<h3>Create a client certificate signing request (CSR)</h3>
<code>openssl req -new -key client/private/test1.key.pem -out client/csr/test1.csr.pem -subj '/C=US/ST=California/O=XXXX/OU=XXXX Test/CN=XXXX Test 1'</code>
<pre><code>openssl req -new -key client/private/test1.key.pem -out client/csr/test1.csr.pem -subj '/C=US/ST=California/O=XXXX/OU=XXXX Test/CN=XXXX Test 1'
</code></pre>
<h3>Sign client cert with intermediate key</h3>
<code>openssl ca -engine pkcs11 -keyform engine -extensions ext_client -notext -in client/csr/test1.csr.pem -out client/certs/test1.cert.pem
<pre><code>openssl ca -engine pkcs11 -keyform engine -extensions ext_client -notext -in client/csr/test1.csr.pem -out client/certs/test1.cert.pem
# Enter PIN
chmod 444 client/certs/test1.cert.pem</code>
chmod 444 client/certs/test1.cert.pem
</code></pre>
<h3>Verify client cert</h3>
<code>openssl x509 -noout -text -in client/certs/test1.cert.pem
openssl verify -CAfile intermediate/certs/chain.cert.pem client/certs/test1.cert.pem</code>
<pre><code>openssl x509 -noout -text -in client/certs/test1.cert.pem
openssl verify -CAfile intermediate/certs/chain.cert.pem client/certs/test1.cert.pem
</code></pre>
<p>Check:</p>
<ul>
<li>Expiration date (1 year in future)</li>
<li>Signature algorithm (ecdsa-with-SHA256)</li>
<li>Public key size (384 bit)</li>
<li>CA:FALSE</li>
<li>OK</li>
<li>Expiration date (1 year in future)</li>
<li>Signature algorithm (ecdsa-with-SHA256)</li>
<li>Public key size (384 bit)</li>
<li>CA:FALSE</li>
<li>OK</li>
</ul>
<h3>Create a PKCS#12 bundle for the client</h3>
<p>This is an easy(er) way to get all the necessary keys & certs to the client in one package.</p>
<p>This is an easy(er) way to get all the necessary keys &amp; certs to the client in one package.</p>
<code>openssl pkcs12 -export -out client/pfx/test1.pfx -inkey client/private/test1.key.pem -in client/certs/test1.cert.pem -certfile intermediate/certs/chain.cert.pem
# Enter both the client key password, and a new password for the export; you'll need to give the latter to the client</code>
<pre><code>openssl pkcs12 -export -out client/pfx/test1.pfx -inkey client/private/test1.key.pem -in client/certs/test1.cert.pem -certfile intermediate/certs/chain.cert.pem
# Enter both the client key password, and a new password for the export; you'll need to give the latter to the client
</code></pre>
<h3>Generate a certificate revocation list (CRL)</h3>
<p>Initially empty. You can also do this for your root CA (with its HSM inserted).</p>
<code>openssl ca -engine pkcs11 -keyform engine -gencrl -out intermediate/crl/intermediate.crl.pem</code>
<pre><code>openssl ca -engine pkcs11 -keyform engine -gencrl -out intermediate/crl/intermediate.crl.pem
</code></pre>
<h3>Verify certificate revocation list</h3>
<code>openssl crl -in intermediate/crl/intermediate.crl.pem -noout -text</code>
<pre><code>openssl crl -in intermediate/crl/intermediate.crl.pem -noout -text
</code></pre>
<p>Check:</p>
<ul>
<li>Expiration date (30 days in future)<li>
<li>Signature algorithm (ecdsa-with-SHA256)<li>
<li>Expiration date (30 days in future)</li>
<li>Signature algorithm (ecdsa-with-SHA256)</li>
</ul>
<h3>Revoke a certificate</h3>
<p>Only do this if you need to. Find the certificate:</p>
<code>cat intermediate/database
<pre><code>cat intermediate/database
# You'll need the hex-formatted serial number, in the third field.
# Substitute serial number for YYYY below.</code>
# Substitute serial number for YYYY below.
</code></pre>
<p>Revoke it:</p>
<code>openssl ca -engine pkcs11 -keyform engine -revoke intermediate/newcerts/YYYY.pem
# Enter PIN</code>
<pre><code>openssl ca -engine pkcs11 -keyform engine -revoke intermediate/newcerts/YYYY.pem
# Enter PIN
</code></pre>
<p>Generate a new CRL file:</p>
<code>openssl ca -engine pkcs11 -keyform engine -gencrl -out intermediate/crl/intermediate.crl.pem
# Enter PIN</code>
<pre><code>openssl ca -engine pkcs11 -keyform engine -gencrl -out intermediate/crl/intermediate.crl.pem
# Enter PIN
</code></pre>
<!--# include file="include/bottom.html" -->

2
2016-05-17-wifi-bridging-redux.html
View File

@@ -85,7 +85,7 @@ iface br0 inet dhcp
pre-up /sbin/start-stop-daemon --start --pidfile=/var/run/wpa_supplicant.wlan0.pid --exec=/usr/local/sbin/wpa_supplicant --user=root -- -B -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf -C /var/run/wpa_supplicant -P /var/run/wpa_supplicant.wlan0.pid -b $IFACE
bridge_ports eth0 eth1 wlan0
post-down /sbin/start-stop-daemon --stop --pidfile=/var/run/wpa_supplicant.wlan0.pid --exec=/usr/local/sbin/wpa_supplicant --user=root
post-down /sbin/iw dev wlan0 set 4addr off&lt;/code&gt;&lt;/p&gt;
post-down /sbin/iw dev wlan0 set 4addr off
</code></pre>
<p>We use start-stop-daemon because it provides idempotence and safety from stale PID files.</p>

302
markdown/2016-03-27-ec-ca-redux-now-with-more-nitrokey.md Normal file
View File

@@ -0,0 +1,302 @@
<!--# set var="title" value="EC CA redux: now with more Nitrokey" -->
<!--# set var="date" value="May 27, 2016" -->
<!--# include file="include/top.html" -->
This is a revisit on my doc on [how to set up an EC CA](https://medium.com/where-the-flamingcow-roams/elliptic-curve-certificate-authority-bbdb9c3855f7#.4z3bzvz6e). In this version, were using the [Nitrokey HSM](https://shop.nitrokey.com/shop/product/nitrokey-hsm-7) for key generation, storage, and operations. Youll need two Nitrokey HSMs. You can get away with one, but theres not a lot of point to splitting root and intermediate certs if you then keep them on the same device. Youll also need a [system set up](https://medium.com/where-the-flamingcow-roams/nitrokey-hsm-ec-setup-6ed9b9e43c36#.pgal18rvh) to talk to the Nitrokey, which is a bit tricky.
If you do this right, you can set up a CA where the keys never touched computer that youre using to host the CA; they only ever reside protected in the Nitrokey.
You have a choice between making the keys unexportable, or supporting a [backup scheme](https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM#using-key-backup-and-restore). Choose wisely, because you cant change later. If youre choosing the former, make sure you can answer “what is my plan if the Nitrokey breaks?”.
Theres one material difference from the other instructions: the Nitrokey HSM only supports up to 320-bit EC keys, so we cant use P-384 (secp384r1) as we did in the other instructions. Well be using P-256 (prime256v1) instead.
XXXX is still our placeholder of choice.
### Create directory structure
mkdir ca
cd ca
mkdir -p {root,intermediate}/{certs,crl,csr,newcerts}
mkdir -p {client,server}/{certs,csr,pfx,private}
touch {root,intermediate}/database
echo 1000 | tee {root,intermediate}/{serial,crlnumber}
chmod 700 {client,server}/private
### Create openssl.cnf
cat > openssl.cnf &lt;&lt;'END'
openssl_conf = openssl_init
[ openssl_init ]
engines = engines
[ ca ]
default_ca = ca_intermediate
[ ca_root ]
dir = root
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/database
serial = $dir/serial
crlnumber = $dir/crlnumber
private_key = label_root
certificate = $dir/certs/root.cert.pem
crl = $dir/crl/root.crl.pem
crl_extensions = ext_crl
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_crl_days = 30
default_days = 3650
preserve = no
policy = policy_strict
[ ca_intermediate ]
dir = intermediate
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/database
serial = $dir/serial
crlnumber = $dir/crlnumber
private_key = label_intermediate
certificate = $dir/certs/intermediate.cert.pem
crl = $dir/crl/intermediate.crl.pem
crl_extensions = ext_crl
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_crl_days = 30
default_days = 375
preserve = no
policy = policy_loose
[ policy_strict ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
string_mask = utf8only
default_md = sha256
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
[ ext_root ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ ext_intermediate ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ ext_client ]
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ ext_server ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ ext_crl ]
authorityKeyIdentifier = keyid:always
[ ext_ocsp ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
[ engines ]
pkcs11 = engine_pkcs11
[ engine_pkcs11 ]
engine_id = pkcs11
dynamic_path = /usr/lib/arm-linux-gnueabihf/openssl-1.0.0/engines/libpkcs11.so
MODULE_PATH = /usr/local/lib/pkcs11/opensc-pkcs11.so
init = 0
END
### Tell future commands to use your new conf file
export OPENSSL_CONF=openssl.cnf
### Create a root key
Insert your root HSM.
/usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --keypairgen --key-type EC:prime256v1 --label root
# Enter PIN
### Create a self-signed root cert
openssl req -engine pkcs11 -keyform engine -key label_root -new -extensions ext_root -out root/certs/root.cert.pem -x509 -subj '/C=US/ST=California/O=XXXX/OU=XXXX Certificate Authority/CN=XXXX Root CA' -days 7300
# Enter PIN
chmod 444 root/certs/root.cert.pem
### Verify root cert
openssl x509 -noout -text -in root/certs/root.cert.pem
Check:
* Expiration date (20 years in future)
* Signature algorithm (ecdsa-with-SHA256)
* Public key size (256 bit)
* CA:TRUE
### Import root cert onto HSM
openssl x509 -in root/certs/root.cert.pem -out root/certs/root.cert.der -outform der
/usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --write-object root/certs/root.cert.der --type cert --label root
# Enter PIN
### Create an intermediate key
Insert your intermediate HSM
/usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --keypairgen --key-type EC:prime256v1 --label intermediate
# Enter PIN
### Create an intermediate certificate signing request (CSR)
openssl req -engine pkcs11 -keyform engine -new -key label_intermediate -out intermediate/csr/intermediate.csr.pem -subj '/C=US/ST=California/O=XXXX/OU=XXXX Certificate Authority/CN=XXXX Intermediate'
# Enter PIN
### Sign intermediate cert with root key
Insert your root HSM
openssl ca -engine pkcs11 -keyform engine -name ca_root -extensions ext_intermediate -notext -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem
# Enter PIN
chmod 444 intermediate/certs/intermediate.cert.pem
### Verify intermediate cert
openssl x509 -noout -text -in intermediate/certs/intermediate.cert.pem
openssl verify -CAfile root/certs/root.cert.pem intermediate/certs/intermediate.cert.pem
Check:
* Expiration date (10 years in future)
* Signature algorithm (ecdsa-with-SHA256)
* Public key size (256 bit)
* CA:TRUE
* OK
### Import root & intermediate certs onto HSM
Insert your intermediate HSM
openssl x509 -in intermediate/certs/intermediate.cert.pem -out intermediate/certs/intermediate.cert.der -outform der
/usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --write-object root/certs/root.cert.der --type cert --label root
# Enter PIN
/usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --write-object intermediate/certs/intermediate.cert.der --type cert --label intermediate
# Enter PIN
### Create a chain certificate file
cat intermediate/certs/intermediate.cert.pem root/certs/root.cert.pem > intermediate/certs/chain.cert.pem
chmod 444 intermediate/certs/chain.cert.pem
### CA setup done!
Take your root HSM, if you have a separate one, and lock it in a safe somewhere; you wont need it for regular use.
The following steps are examples of how to use your new CA.
### Create a client key
You can substitute “server” for “client” for a server cert.
openssl ecparam -name secp384r1 -genkey | openssl ec -aes-256-cbc -out client/private/test1.key.pem
# Create client key password
chmod 400 client/private/test1.key.pem
### Create a client certificate signing request (CSR)
openssl req -new -key client/private/test1.key.pem -out client/csr/test1.csr.pem -subj '/C=US/ST=California/O=XXXX/OU=XXXX Test/CN=XXXX Test 1'
### Sign client cert with intermediate key
openssl ca -engine pkcs11 -keyform engine -extensions ext_client -notext -in client/csr/test1.csr.pem -out client/certs/test1.cert.pem
# Enter PIN
chmod 444 client/certs/test1.cert.pem
### Verify client cert
openssl x509 -noout -text -in client/certs/test1.cert.pem
openssl verify -CAfile intermediate/certs/chain.cert.pem client/certs/test1.cert.pem
Check:
* Expiration date (1 year in future)
* Signature algorithm (ecdsa-with-SHA256)
* Public key size (384 bit)
* CA:FALSE
* OK
### Create a PKCS#12 bundle for the client
This is an easy(er) way to get all the necessary keys & certs to the client in one package.
openssl pkcs12 -export -out client/pfx/test1.pfx -inkey client/private/test1.key.pem -in client/certs/test1.cert.pem -certfile intermediate/certs/chain.cert.pem
# Enter both the client key password, and a new password for the export; you'll need to give the latter to the client
### Generate a certificate revocation list (CRL)
Initially empty. You can also do this for your root CA (with its HSM inserted).
openssl ca -engine pkcs11 -keyform engine -gencrl -out intermediate/crl/intermediate.crl.pem
### Verify certificate revocation list
openssl crl -in intermediate/crl/intermediate.crl.pem -noout -text
Check:
* Expiration date (30 days in future)
* Signature algorithm (ecdsa-with-SHA256)
### Revoke a certificate
Only do this if you need to. Find the certificate:
cat intermediate/database
# You'll need the hex-formatted serial number, in the third field.
# Substitute serial number for YYYY below.
Revoke it:
openssl ca -engine pkcs11 -keyform engine -revoke intermediate/newcerts/YYYY.pem
# Enter PIN
Generate a new CRL file:
openssl ca -engine pkcs11 -keyform engine -gencrl -out intermediate/crl/intermediate.crl.pem
# Enter PIN
<!--# include file="include/bottom.html" -->

2
markdown/2016-05-17-wifi-bridging-redux.md
View File

@@ -75,7 +75,7 @@ Because of the ordering issues, its easier to treat this all as one interface
pre-up /sbin/start-stop-daemon --start --pidfile=/var/run/wpa_supplicant.wlan0.pid --exec=/usr/local/sbin/wpa_supplicant --user=root -- -B -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf -C /var/run/wpa_supplicant -P /var/run/wpa_supplicant.wlan0.pid -b $IFACE
bridge_ports eth0 eth1 wlan0
post-down /sbin/start-stop-daemon --stop --pidfile=/var/run/wpa_supplicant.wlan0.pid --exec=/usr/local/sbin/wpa_supplicant --user=root
post-down /sbin/iw dev wlan0 set 4addr off</code></p>
post-down /sbin/iw dev wlan0 set 4addr off
We use start-stop-daemon because it provides idempotence and safety from stale PID files.