From Mediawiki-1
Jump to navigation Jump to search

SSL Certificates


  http://support.citrix.com/article/CTX106028 Citrix

Formats, Encodings and Conversions

Ref: https://www.sslshopper.com/ssl-converter.html

Using OpenSSL for converting Certificate Encodings
PEM to DER openssl x509 -outform der -in certificate.pem -out certificate.der
PEM to P7B openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer
PEM to PFX openssl pkcs12 -export -out certificate.pfx -in certificate.crt -inkey privateKey.key -certfile CACert.crt
PEM to PFX openssl pkcs12 -export -out mycert.pfx -in mycert.pem -inkey mycert.key -name "www.mycert.com"
DER to PEM openssl x509 -inform der -in certificate.cer -out certificate.pem
P7B to PEM openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
P7B to PFX openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
PFX to PEM openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

Minting Certificates

The following commands create a Certificate Signing Request (CSR), sign it, and convert it to pkcs12 format:

openssl req -new -newkey rsa:4048 -nodes -out mycert.csr -keyout mycert.key
openssl x509 -CA ca/ca.pem -CAkey ca/ca.key -CAserial ca/ca.srl -req -in mycert.req  -out mycert.pem -days 3650
openssl pkcs12 -export -clcerts -in mycert.pem -inkey mycert.key -out mycert.p12 -name "My first Certificate"

Create a new CSR given an expired Cert and it's private Key

Ref: Renewing CA keeping original key-pair

 openssl x509 -x509toreq -signkey private.key -out newcsr.csr -in oldcert.pem

Obtain Certificate Information

 openssl x509 -noout -text -in mycert.pem

Using Configuration file with Openssl

Reference: http://usefulfor.com/nothing/2008/03/20/howto-create-an-intermediate-certifica-authority-ca-using-openssl/

MODIFY default file /etc/sfw/openssl/openssl.cnf or create/modify local copy


 openssl req -new -config openssl.cnf -newkey rsa:2048 -out server/SPFW10.req -keyout server/SPFW10.key


 openssl ca -config openssl.cnf -days 3650 -out server/SPFW10.crt -in server/SPFW10.req
 openssl ca -config openssl.cnf -days 3650 -out server/SPFW10.crt -in server/SPFW10.req -batch -notext

CREATE intermediary CA

 openssl ca -extensions v3_ca -days 3650 -out test.crt -in test.req  -config openssl.cnf


 openssl ca -config openssl.cnf -revoke certs/ce1aruba0001.ing-americas.com.pem

Misc other commands

 openssl req -config openssl.cnf -new -newkey rsa:2048 -out certs/test.csr -keyout certs/test.key
 openssl ca  -config openssl.cnf -days 3650 -out  certs/test.pem -in  certs/test.csr
 openssl pkcs12 -export -out certs/test.pfx -in certs/test.pem -inkey certs/test.key -name "viaclienttest"

Let's Encrypt

HowTo articles:


CA Creation



Cipher Suites used in Browsers =

Disabling RC4 ciphers in Firefox

Go to about:config and search for “security.ssl3…..” and select true/false

Disabling RC4 ciphers in Chrome

As for Chrome, current 31.0.1650.57:stable, you will need to launch with:


in order to disable the following four ciphers:

Spec Cipher Suite Name Key Size Description
(00,04) RSA-RC4128-MD5 128 Bit Key exchange: RSA, encryption: RC4, MAC: MD5.
(00,05) RSA-RC4128-SHA 128 Bit Key exchange: RSA, encryption: RC4, MAC: SHA1.
(c0,07) ECDHE-ECDSA-RC4 128-SHA 128 Bit Key exchange: ECDH, encryption: RC4, MAC: SHA1.
(c0,11) ECDHE-RSA-RC4128-SHA 128 Bit Key exchange: ECDH, encryption: RC4, MAC: SHA1.

Hash Algorithms

C:> certutil -hashfile VMware-vSphere-CLI-5.5.0-1549297.exe [MD5|SHA1|SHA256]

Web Server Implications


List ciphers supported by a web server

 $ nmap --script ssl-enum-ciphers -p 443 www.example.com

Check security of a web server


Disable weak Ciphers

Seee the "Cipher Suite Names" section in https://www.openssl.org/docs/man1.0.2/apps/ciphers.html for naming convention of cipher suites

Bluecoat SGOS =

Open ssh session and enter enable mode

 ceproxy01#conf t
 Enter configuration commands, one per line.  End with CTRL-Z.
 ceproxy01#(config management-services)edit HTTPS-Console
 ceproxy01#(config HTTPS-Console)view
 Service Name:   HTTPS-Console
 Service:        HTTPS-Console
 Attributes:     <None>
 Keyring: ceproxy01.ing-americas.com
 SSL Protocol version: tlsv1.1 tlsv1.2
 CA Certificate List: <All CA Certificates>
 Cipher Suite: aes128-sha256 aes256-sha256 aes128-sha aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha
 Destination IP    Port Range
 <All>             8082              Enabled
 ceproxy01#(config HTTPS-Console)attribute cipher-suite  aes128-sha256 aes256-sha256
 ceproxy01#(config HTTPS-Console)
 snproxy03#conf t
 Enter configuration commands, one per line.  End with CTRL-Z.
 snproxy03#(config ssh-console)ciphers
 snproxy03#(config ssh-console)ciphers  view
   current:  chacha20-poly1305@openssh.com,aes256-ctr,blowfish-cbc,aes256-gcm@openssh.com,rijndael-cbc@lysator.liu.se,aes256-cbc                                                                                                                                                                                                              
   default:  chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,blowfish-cbc,cast128-                                                                                                              cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour,rijndael-cbc@lysator.liu.se,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc                                                      
   choices:  chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,blowfish-cbc,cast128-                                                                                                     cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour,rijndael-cbc@lysator.liu.se,aes128-cbc,aes192-cbc,aes256-cbc,3                                                                                                   des-cbc
 ceproxy01# conf t
 ceproxy01#(config ssh-console)hmacs set hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160

Netscaler Load Balancers

General advice https://www.antonvanpelt.com/make-your-netscaler-ssl-vips-more-secure-updated/

Depending on version, different approaches are needed

  • Create/modify SSL cipher suite group and use with vservers
  • Create/modify SSL profile and use with vserver
  • bind/unbind cipher groups to management service
 unbind ssl service nshttps- -cipherName  SSL3-RC4-MD5
 unbind ssl service nshttps- -cipherName  SSL3-RC4-SHA
 unbind ssl service nshttps- -cipherName  SSL3-DES-CBC3-SHA
 bind ssl service nshttps- -cipherName TLS1.2-AES-256-SHA256
 bind ssl service nshttps- -cipherName TLS1.2-AES-128-SHA256
 bind ssl service nshttps- -cipherName TLS1.2-DHE-RSA-AES-128-SHA256
 bind ssl service nshttps- -cipherName TLS1.2-DHE-RSA-AES-256-SHA256

It appears that once cipher customization is performed, a bunch of them show up in ns.conf. At that point one can disable classes of ciphers by issueing e.g.

 unbind ssl service nshttps- -cipherName SHA
 unbind ssl service nshttps- -cipherName RC4

To verify, go into a shell and run

 grep nshttp /nsconfig/ns.conf

For ssh hardening, to disable weak ciphers and macs edit sshd_config file and modify or append the lines

 Ciphers aes128-ctr,aes192-ctr,aes256-ctr
 MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
 KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

Radware DDoS


Disable ciphers

  • open ssh shell as root and modify /etc/httpd/ssl/ssl.conf

Install new cert

  • open ssh shell as radware and run "system ssl import"
  • Notes: needed to create separate .pem files for key and cert


Disable ciphers

  • There's only a generic way to disable weak ciphers:
  • open ssh shell as admin and run
 manage ssl weak-ciphers

Update certificates

  • open ssh shell as admin and run commands like
 security certificate import name_cert.pem -t key -p mypasskey123
 security certificate import name_key.pem  -t certificate


  • open ssh shell as admin
  • use menu /cfg/sys/access/https to upload new key&cert, then save the cert, and apply the running config
  • In version 29.0.1 ciphers can not be disabled for management interface - pending case update


Setup tutorial:



StrongSwan on Ubuntu