Table of contents
4 post(s) for January 2026
| AWX on K8S Kind - file sharing for blobs - Execution pods | 2026/01/26 10:15 | Jean-Baptiste |
| rsh rcp notes | 2026/01/21 18:08 | Jean-Baptiste |
| Git - Duplicating a repository | 2026/01/19 10:22 | Jean-Baptiste |
| Simple Nagios config example | 2026/01/14 10:07 | Jean-Baptiste |
RS-232 serial port notes (ttyUSB0)
Draft
See:
apt-get install screen minicom
screen /dev/ttyUSB0
minicom --device /dev/ttyUSB0
lsusb
Bus 001 Device 002: ID 058f:6364 Alcor Micro Corp. AU6477 Card Reader Controller
Radio
apt-get install chirp
Permissions on Debian
ls -l /dev/ttyUSB0
crw-rw---- 1 root dialout 188, 0 Jan 21 13:54 /dev/ttyUSB0
Add user jean to the dialout group (the device is only group-writable by dialout; the new membership is not visible to the current session, so log out and back in, or run newgrp dialout, before using it)
sudo gpasswd -a jean dialout
chirpw
PKI notes
Public key infrastructure (PKI, "ICP" in French)
See:
- CloudFlare's PKI/TLS toolkit (a command line tool and an HTTP API server)
See also:
- KeyStore Explorer
Enterprise solutions:
- OpenXPKI
- EJBCA
- Red Hat Certificate System
EJBCA:
Generating an intermediate CA https://forums.openvpn.net/topic10023.html
https://wiki.archlinux.org/index.php/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts
https://code.google.com/p/android-openvpn-settings/wiki/CertificateHowTo
OpenVPN revocation http://blog.remibergsma.com/2013/02/27/improving-openvpn-security-by-revoking-unneeded-certificates/
PKI Java pk12 pk12util certutil libnss3-tools NSS
See:
See also:
- PKICertImport
NSS
Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. For detailed information on standards supported, see
http://www.mozilla.org/projects/security/pki/nss/overview.html.
https://curl.haxx.se/docs/sslcerts.html
If libcurl was built with NSS support, then depending on the OS distribution, it is probably required to take some additional steps to use the system-wide CA cert db. RedHat ships with an additional module, libnsspem.so, which enables NSS to read the OpenSSL PEM CA bundle. On openSUSE you can install p11-kit-nss-trust which makes NSS use the system wide CA certificate store. NSS also has a new database format. Starting with version 7.19.7, libcurl automatically adds the 'sql:' prefix to the certdb directory (either the hardcoded default /etc/pki/nssdb or the directory configured with SSL_DIR environment variable). To check which certdb format your distribution provides, examine the default certdb location: /etc/pki/nssdb; the new certdb format can be identified by the filenames cert9.db, key4.db, pkcs11.txt; filenames of older versions are cert8.db, key3.db, secmod.db.
Test CA
openssl s_client -connect foo.whatever.com:443 -CApath /etc/ssl/certs
Install NSS
sudo apt-get update
# Obsolete
#sudo apt-get install -y p11-kit libnss3
#sudo apt-get install p11-kit-modules
# Install certutil
sudo apt-get install libnss3-tools
Converting certificates to PKCS#12 (.p12) format
The first form expects result.pem to contain the certificate (and, optionally, the chain after it); the second supplies the chain separately with -certfile. -name sets the friendly name (the nickname you will see in the NSS DB).
openssl pkcs12 -export -inkey your_private_key.key -in result.pem -name my_name -out final_result.p12
openssl pkcs12 -export -inkey your_private_key.key -in your_certificate.cer -certfile your_chain.pem -out final_result.p12
Creating the NSS DB
mkdir -p ~/.pki/nssdb
chmod 700 ~/.pki/nssdb
certutil -N -d $HOME/.pki/nssdb --empty-password
Importing the p12 certificate into the NSS DB
pk12util -i server.p12 -d $HOME/.pki/nssdb -n Test
Check: list the certificates
certutil -L -d sql:$HOME/.pki/nssdb
certutil -L -d sql:. -a -n "Amazon" | openssl x509 -text -noout
Import each one as a trusted proxy
# list of hosts to get certificates from
hosts="ip-of-squid-proxy1:443 ip-of-squid-proxy2:443"
for host in ${hosts}; do
    openssl s_client -connect ${host} -prexit </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > "${host}.crt"
    certutil -d sql:$HOME/.pki/nssdb -A -t P,P,P -n "${host}" -i ${host}.crt
    rm ${host}.crt
done
Caveat: the certificate is fetched over the very connection that is about to be trusted and stored with P,P,P (trusted peer for TLS, email and object signing) without any check. Compare its fingerprint with one obtained from the proxy administrator before importing, trust a leaf for TLS only (P,,), and if the proxy intercepts TLS with its own CA, import that CA certificate with C,, instead of pinning a leaf.
source : https://gist.github.com/seanorama/b453524b8f24dcb625a901bc4d503a86
Other: importing a .crt
",," stores the certificate with no trust at all (useful for a server cert you only want to inspect); "C,," marks it as a CA trusted for TLS servers.
certutil -A -n "Test" -t ",," -i plop.fr.crt -d .
# CA
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n GoAgent -i ~/programs/goagent/local/CA.crt
NSS DB path for curl (only honoured by a curl built against NSS)
export SSL_DIR=$HOME/.pki/nssdb
Building curl (OpenSSL backend; the NSS backend was removed in curl 8.3.0, so --without-nss is only meaningful on older releases)
./configure --with-ssl --without-nss
Help
certutil -H
pk12util -H
keytool
Test-only script: the store and key passwords are on the command line (shell history, ps) and the validity is 999999 days; -genkey is the old name of -genkeypair.
echo "### remove old keystore"
rm -f solrtest.keystore
echo "### create keystore and keys"
keytool -keystore solrtest.keystore -storepass "secret" -alias solrtest -keypass "secret" \
    -genkey -keyalg RSA -dname "cn=localhost, ou=SolrTest, o=lucene.apache.org, c=US" \
    -ext "san=ip:127.0.0.1" -validity 999999
See:
apt-get install libnss3-tools
By default, certutil / pk12util look for databases named cert8.db and key3.db, but some versions of Web Server use alternate names such as https-instance-hostname-cert8.db and https-instance-hostname-key3.db; in that case add the "-P https-instance-hostname-" parameter for the prefix.
certutil -L -d certdir
#pk12util -o exportedcertfilename -d . -n Server-Cert
#pk12util -i exportedcertfilename -d . -h "Sun Metaslot"
pk12util -o exportcert -n Server-Cert_xx -d .
pk12util
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_tools_:_pk12util
Import keys and certificates from a PKCS#12 file into a security database.
https://wts.uwo.ca/pki/resources/pk12util.html
pk12util -d . -i /tmp/dropz.its.uwo.ca.p12
#pk12util -d . -P slapd- -i /tmp/auth.uwotest.ca.p12
certutil example
Example (certutil -N does not create the directory, so create the nssdb directory itself first; "CT,C,C" trusts the CA for TLS servers and client-cert issuance, email and object signing, "C,," is enough when it only has to vouch for TLS servers)
mkdir -p $HOME/.pki/nssdb
certutil -N -d sql:$HOME/.pki/nssdb
certutil -d sql:$HOME/.pki/nssdb -L
certutil -d sql:$HOME/.pki/nssdb -A -t "CT,C,C" -n "CA Root" -i /etc/pki/ca-trust/source/anchors/RootCA.crt
env SSL_DIR=$HOME/.pki/nssdb curl https://nok.acme.fr
Other
mkdir -p $HOME/.pki/nssdb && chmod -R 0700 $HOME/.pki && certutil -d sql:$HOME/.pki/nssdb -N --empty-password
EasyRSA / OpenVPN PKI notes
See:
sudo apt-get install easy-rsa
make-cadir vpnpki
cd vpnpki
vars
export KEY_COUNTRY="FR"
export KEY_PROVINCE="FR"
export KEY_CITY="Paris"
export KEY_ORG="Acme"
export KEY_EMAIL="nospam@me.fr"
export KEY_OU="Acme"
vars on easy-rsa 3 (set_var syntax; the export KEY_* variables and the scripts below are easy-rsa 2)
set_var EASYRSA_ALGO "ec"
set_var EASYRSA_DIGEST "sha512"
source ./vars
./clean-all
unlink clean-all
ln -s openssl-1.0.0.cnf openssl.cnf
./build-dh
./build-ca
Common Names must be unique
"A challenge password" must be left empty (no password is needed to revoke the certificate)
./build-key-server nom_serveur_fqdn
For Nginx in particular (certificate followed by the CA, in that order)
cat keys/nom_serveur_fqdn.crt keys/ca.crt > /etc/nginx/ssl/nom_serveur_fqdn.crt+chain
./build-key --batch nom_client
Creating crl.pem (OpenVPN crashes if crl.pem is zero-sized). The two exports are needed because openssl-1.0.0.cnf references these variables through $ENV:: and OpenSSL refuses to load a config whose $ENV:: variables are unset; empty values are accepted at load time.
export KEY_CN=''
export KEY_ALTNAMES=''
openssl ca -gencrl -out keys/crl.pem -config openssl-1.0.0.cnf
unset KEY_CN KEY_ALTNAMES
#export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_CONFIG="$EASY_RSA/openssl.cnf"
source vars
./clean-all
# initialize root ca; give it a cert with cn=rootca
KEY_CN=rootca KEY_NAME=rootca ./pkitool --initca rootca
# build intermediate ca, with name interca
KEY_CN=interca KEY_NAME=interca ./pkitool --inter interca
# now copy vars for intermediate ca ...
cp vars inter_ca_vars
# ... and edit them for use for endpoints (clients/servers):
nano inter_ca_vars
# in inter_ca_vars: the intermediate ca has its own key directory
export KEY_DIR="$EASY_RSA/intercakeys"
# in inter_ca_vars: defaults for the end-entity certs
export KEY_CN=EndPoint
export KEY_NAME=EndPoint
export KEY_OU=host.domain_endpoint_division
source ./inter_ca_vars
./clean-all
./build-dh
# generates several files in /etc/openvpn/easy-rsa/intercakeys:
# export-ca.crt
./inherit-inter /home/jibe/tmp/pki/keys interca
./pkitool --server openvpnserver
Using Common Name: openvpnserver
Error Loading extension section server
139680895010448:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:x509v3/v3_utl.c:370:
139680895010448:error:22097069:X509 V3 routines:DO_EXT_NCONF:invalid extension string:x509v3/v3_conf.c:146:name=subjectAltName,section=
139680895010448:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:x509v3/v3_conf.c:97:name=subjectAltName, value=
The empty "value=" at the end is the cause: the server extension section of openssl-1.0.0.cnf takes subjectAltName from KEY_ALTNAMES (the variable exported empty for the CRL step above) and an empty SAN is rejected when the extension is built. Export it before signing, e.g. KEY_ALTNAMES="DNS:openvpnserver".
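The easy-rsa 2 flow above (build-ca, build-key-server, build-key, the CRL step) reproduced with plain openssl, as an added example that is not easy-rsa, OpenVPN or this page's own code. It also packs the client credential into a .p12 the way the "Converting certificates to p12" step does, and shows the empty-subjectAltName failure behind the error output above by refusing to sign a server certificate without a SAN. The openssl.cnf, the names (ACME Test Root CA, vpn.example.test, client1), the SAN variable and the p12 password changeit are all assumptions made for the demo; only openssl is required.

```shell
# Added example: easy-rsa's build-ca / build-key-server / build-key / gencrl steps
# as the openssl ca invocations pkitool wraps. Names and paths are made up.
set -eu
# The config below takes subjectAltName from $ENV::SAN, like KEY_ALTNAMES in
# easy-rsa's openssl-1.0.0.cnf. OpenSSL expands $ENV:: references while parsing
# the file, so SAN must exist (empty is fine) for every command that loads the
# config, -gencrl included; that is why the CRL step exports KEY_ALTNAMES=''.
export SAN="${SAN:-}"
pki_init() {  # pki_init DIR : config, empty database, root CA and an initial CRL
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = \$ENV::SAN
[ client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=ACME Test Root CA" \
        -config "$dir/openssl.cnf" -extensions ca_ext \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # OpenVPN rejects an empty crl.pem, so publish a (still empty) CRL right away
    openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}
pki_issue() {  # pki_issue DIR NAME SECTION : key + CSR for NAME, signed with extensions SECTION
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -config "$1/openssl.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl ca -config "$1/openssl.cnf" -batch -notext -extensions "$3" \
        -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}
pki_issue_server() {  # pki_issue_server DIR NAME "DNS:name[,IP:addr]"
    # an empty SAN is exactly the "invalid null name ... name=subjectAltName, value=" error above
    [ -n "$3" ] || { echo "refusing to issue $2 without a subjectAltName" >&2; return 1; }
    SAN=$3
    pki_issue "$1" "$2" server
}
pki_issue_client() {  # pki_issue_client DIR NAME : cert, plus key+cert+CA packed into NAME.p12
    pki_issue "$1" "$2" client
    openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" -certfile "$1/ca.crt" \
        -name "$2" -passout pass:changeit -out "$1/$2.p12"
}
pki_revoke() {  # pki_revoke DIR NAME : mark NAME revoked in index.txt and reissue crl.pem
    openssl ca -config "$1/openssl.cnf" -revoke "$1/$2.crt" 2>/dev/null
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}
pki_verify() {  # pki_verify DIR NAME : 0 if NAME.crt chains to the CA and is not on the CRL
    openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" "$1/$2.crt" >/dev/null 2>&1
}
pki_has_san() {  # pki_has_san DIR NAME DNSNAME : 0 if the cert carries DNS:DNSNAME
    openssl x509 -in "$1/$2.crt" -noout -text | grep -q "DNS:$3"
}
W=$(mktemp -d)   # demo run in a scratch directory
pki_init "$W"
pki_issue_server "$W" vpn.example.test "DNS:vpn.example.test"
pki_issue_client "$W" client1
pki_verify "$W" client1 && echo "client1: valid"
pki_revoke "$W" client1
pki_verify "$W" client1 || echo "client1: revoked, rejected by -crl_check"
pki_verify "$W" vpn.example.test && echo "vpn.example.test: still valid"
```

index.txt, serial and crlnumber are the same state easy-rsa keeps under keys/; pkitool is a wrapper around these openssl req and openssl ca calls, which is why its error messages come straight from OpenSSL's X509 V3 routines. The verification deliberately uses -crl_check: without it a revoked client certificate still validates, which is the situation the CRL step above exists to prevent.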
