Hi,
the starting point is a simple PowerShell script, testarray.ps1:
Continue reading Powershell: Passing an array to a script at command line
Hi,
check whether a storage LUN attached to an ESXi host supports VAAI
Continue reading VMware ESXi: A (incomplete) list of host commands Part 4
Hi,
when Windows runs in UEFI mode (or in BIOS mode) and you want to boot from an alternate boot device or boot into safe mode, you have to start Windows into the Advanced Startup Options menu.
The graphical way is to open the Charms Menu and Settings
Continue reading Windows: Boot from USB or external device in UEFI or BIOS mode
Hi,
It's easy to get the serial number of your Windows device at the command line. The precondition is that the vendor has done its homework and filled in the DMI tables correctly 🙂 .
Continue reading Windows: Get a device serial number from command line
Hi,
here are some command line examples for openssl:
Generate a self-signed certificate for an (Apache) web server with a 2048-bit RSA key, valid for 365 days.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
Add X.509v3 extensions from the command line (OpenSSL >= 1.1.1)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt -addext 'subjectAltName = DNS:myHost.myDOmain.org, DNS:myHost2.myDOmain.org' -addext 'certificatePolicies = 1.2.3.4.5'
Get the certificate of a web server
openssl s_client -connect michlstechblog.info:443
This establishes a connection to a web server and displays the details of its certificate, for example the expiration date
openssl s_client -connect michlstechblog.info:443| openssl x509 -text
Same for a UDP port where DTLS is running
openssl s_client -host michlstechblog.info -port 8888 -dtls1| openssl x509 -text
Show details of a certificate file
openssl x509 -text -in server.crt -noout
Create pfx (pkcs12) file from key and certificate
openssl pkcs12 -export -out file.pfx -inkey host.domain.key -in host.domain.crt
Create a pfx (pkcs12) file from the key, the certificate and the root CA(s). If necessary, copy the root and the intermediate certificates into one CACert.crt file.
openssl pkcs12 -export -out file.pfx -inkey host.domain.key -in host.domain.crt -certfile CACert.crt
Extract a key from a pkcs12 or pfx file
openssl pkcs12 -in file.pfx -nocerts -out host.domain.key
And extract the certificate(s) from a pkcs12 or pfx file
openssl pkcs12 -in file.pfx -nokeys -out host.domain.crt
Creating a self-signed Certification Authority
To be continued….
See also this post. It describes how to set up a CA for OpenVPN from scratch.
Generate a CA revocation list
openssl ca -gencrl -passin pass:${CA_PASSWORD} -out crl.pem
Show details of certificate revocation list (crl)
openssl crl -in crl.pem -text
Verify a certificate chain where yourCertificate is directly signed by the CA
openssl verify -CAfile CARootCertificate.cer yourCertificate.cer
Verify a certificate chain where yourCertificate is signed by an intermediate certificate
openssl verify -CAfile CARootCertificate.cer -untrusted Intermediate.cer yourCertificate.cer
or copy CARootCertificate.cer and Intermediate.cer to one file
# Windows
copy CARootCertificate.cer+Intermediate.cer fullChain.cer
# Linux/UNIX
cat CARootCertificate.cer Intermediate.cer > fullChain.cer
openssl verify -CAfile fullChain.cer yourCertificate.cer
Check a certificate against a CRL
Copy the chain (root CA cert, intermediate cert) and the CRL to one file
cat ca.pem intermediate.pem crl.pem > wholeChain.pem
and check
openssl verify -crl_check -CAfile wholeChain.pem myCert.pem
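The CRL check above, worked end to end as an added example (not from the original post): it builds a throwaway CA in a temporary directory, issues one certificate, and runs the same openssl verify -crl_check before and after revoking it. The file ca.cnf, the subject names and the function name crl_demo are constructed for this demo; openssl must be on the PATH.

```shell
# Added example: throwaway CA in a temp directory; every name below is constructed.
crl_demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
crlnumber = ./crlnumber
certificate = ./ca.pem
private_key = ./ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
  mkdir newcerts && : > index.txt && echo 01 > serial && echo 01 > crlnumber
  { # self-signed root CA, then a CSR and a certificate issued for it by that CA
    openssl req -x509 -nodes -newkey rsa:2048 -days 30 -config ca.cnf \
      -subj "/CN=Demo Root CA" -keyout ca.key -out ca.pem
    openssl req -nodes -newkey rsa:2048 -config ca.cnf \
      -subj "/CN=host.example.test" -keyout myCert.key -out myCert.csr
    openssl ca -batch -config ca.cnf -notext -in myCert.csr -out myCert.pem
  } >/dev/null 2>&1 || exit 1
  for step in issued revoked; do
    if [ "$step" = revoked ]; then openssl ca -config ca.cnf -revoke myCert.pem >/dev/null 2>&1; fi
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1 || exit 1
    cat ca.pem crl.pem > wholeChain.pem   # CA certificate and current CRL in one file
    if res=$(openssl verify -crl_check -CAfile wholeChain.pem myCert.pem 2>&1); then
      echo "$step: OK"
    elif printf '%s' "$res" | grep -q 'certificate revoked'; then
      echo "$step: certificate revoked"
    else
      echo "$step: other failure"
    fi
  done
  cd / && rm -rf "$d"
)
crl_demo
```

The CRL has to be regenerated after every revocation; verifying against the older crl.pem would still report the certificate as OK.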
Create a signing request to renew an existing certificate
openssl x509 -x509toreq -in server.crt -signkey server.key -out server.csr
With some X.509v3 extensions, using the file x509v3_extensions.ext:
extensions = x509v3
[ x509v3 ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth,clientAuth
keyUsage = nonRepudiation,digitalSignature, keyEncipherment
openssl x509 -req -days 3650 -in CARootCertificate.cer -signkey CARoot.key \
-out ca_crt.pem -extfile x509v3_extensions.ext -extensions x509v3
List the cipher suites that a given cipher string (as passed to SSL_CTX_set_cipher_list) allows
openssl ciphers '!aNULL:ECDHE+AESGCM:ECDHE+AES' | tr ":" "\n"
Michael