Windows: Only register primary IP Address in DNS

Hi,

if you want to change the IP Address (new Address is in the same subnet) a of Windows Server by a minimal downtime for the users?

In pure Active Directory domains this is not a problem because the server itself updates its A Record at the DNS server and the Active Directory replicates the entry immediately.
In large environments with a heterogeneous DNS structure the TTL of the DNS entry respectively of the DNS zone becomes very important, because the entry is cached for this time by the requesting server, so the time when the new DNS A record reachesĀ  each DNS Server can take some time.
Continue reading Windows: Only register primary IP Address in DNS

Advertisment to support michlstechblog.info

OpenSSL: Command line examples

Hi,

here are some command line examples for openssl:

Generate a self signed certificate for a (apache) webserver with a 2048 Bit RSA encryption and valid for 365 days.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt

Get the certificate of a webserver

openssl s_client -connect michlstechblog.info:443

This establish a connection to a webserver and displays the details for the certificate on a webserver, i.e the expiration date

openssl s_client -connect michlstechblog.info:443| openssl x509 -text

Same for a UDP port where DTLS is running
openssl s_client -host michlstechblog.info -port 8888 -dtls1| openssl x509 -text

Show details of a certificate file
openssl x509 -text -in server.crt -noout

Create pfx (pkcs12) file from key and certificate

openssl pkcs12 -export -out file.pfx -inkey host.domain.key -in host.domain.crt

Extract a key from a pkcs12 or pfx file
openssl pkcs12 -in file.pfx -nocerts -out host.domain.key

And extract a cert(s) from a pkcs12 or pfx file
openssl pkcs12 -in file.pfx -nokeys -out host.domain.crt

Creating a self signed Certification Authority

To be continued….

See also this post. It describes how to setup a CA for OpenVPN from the scratch.

Generate a CA revokation list

openssl ca -gencrl -passin pass:${CA_PASSWORD} -out crl.pem

Show details of certificate revocation list (crl)

openssl crl -in crl.pem -text

Verify a certificate chain where yourCertificate is directly signed by the CA
openssl verify -CAfile CARootCertificate.cer yourCertificate.cer

Verify a certificate chain where yourCertificate is signed by a intermediate certificate
openssl verify -CAfile CARootCertificate.cer -untrusted Intermediate.cer yourCertificate.cer

or copy CARootCertificate.cer and Intermediate.cer to one file

# Windows
copy CARootCertificate.cer+Intermediate.cer fullChain.cer
# Linux/UNIX
cat CARootCertificate.cer Intermediate.cer > fullChain.cer
openssl verify -CAfile fullChain.cer yourCertificate.cer

Check a certificate against a crl
Copy the chain(root CA cert, intermediate cert) and the crl to a file

cat ca.pem intermediate.pem crl.pem > wholeChain.pem

and check

openssl verify -crl_check -CAfile wholeChain.pem myCert.pem

Create a signing request to renew an existing certificate

openssl x509 -x509toreq -in server.crt -signkey server.key -out server.csr

With some x509v3 extensions. File x509v3_extensions.ext

extensions = x509v3
[ x509v3 ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth,clientAuth
keyUsage = nonRepudiation,digitalSignature, keyEncipherment


openssl x509 -req -days 3650 -in CARootCertificate.cer -signkey CARoot.key \
-out ca_crt.pem -extfile x509v3_extensions.ext -extensions x509v3

List of valid ciphersuites from a given allowed SSL_CTX_set_cipher_list

openssl ciphers '!aNULL:ECDHE+AESGCM:ECDHE+AES' | tr ":" "\n"

Michael