Submitted on July 11, 2016 at 02:15 PM

Section 1 (Bash)

# Creating the root pair
# Create necessary folders

mkdir /etc/ssl/ca

cd /etc/ssl/ca

mkdir certs crl newcerts private

chmod 700 private

touch index.txt

echo 1000 > serial

# Configuration file

Edit https://paste.ee/p/HNaSG to your needs and copy it to /etc/ssl/ca as openssl.cnf

# Create root key

openssl genrsa -aes256 -out private/TrustedRoot.key 4096

chmod 400 private/TrustedRoot.key

# Create root certificate

openssl req -config openssl.cnf -key private/TrustedRoot.key -new -x509 -days 9000 -sha256 -extensions v3_ca -out certs/TrustedRoot.crt

chmod 444 certs/TrustedRoot.crt

# Verify the root certificate

openssl x509 -noout -text -in certs/TrustedRoot.crt

# Creating the intermediate pair

mkdir /etc/ssl/ca/intermediate

cd /etc/ssl/ca/intermediate

mkdir certs crl csr newcerts private

chmod 700 private

touch index.txt

echo 1000 > serial

echo 1000 > /etc/ssl/ca/intermediate/crlnumber

# Configuration file

Edit https://paste.ee/p/uoVQW to your needs and copy it to /etc/ssl/ca/intermediate as openssl.cnf

# Creating the intermediate key

cd /etc/ssl/ca

openssl genrsa -aes256 -out intermediate/private/HAProxy_Intermediate_CA.key 4096

chmod 400 intermediate/private/HAProxy_Intermediate_CA.key

# Creating the intermediate certificate

openssl req -config intermediate/openssl.cnf -new -sha256 -key intermediate/private/HAProxy_Intermediate_CA.key -out intermediate/csr/HAProxy_Intermediate_CA.csr

openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate/csr/HAProxy_Intermediate_CA.csr -out intermediate/certs/HAProxy_Intermediate_CA.crt

chmod 444 intermediate/certs/HAProxy_Intermediate_CA.crt

# Verify the intermediate certificate

openssl x509 -noout -text -in intermediate/certs/HAProxy_Intermediate_CA.crt

openssl verify -CAfile certs/TrustedRoot.crt intermediate/certs/HAProxy_Intermediate_CA.crt

You should get:

intermediate/certs/HAProxy_Intermediate_CA.crt: OK

# Create chain of trust file

cat intermediate/certs/HAProxy_Intermediate_CA.crt certs/TrustedRoot.crt > intermediate/certs/ca-chain.pem

chmod 444 intermediate/certs/ca-chain.pem

# Sign server and client certificates
# Create a key

Omit the -aes256 option to create a key without a passphrase.

openssl genrsa -aes256 -out intermediate/private/mail.example.com.key 2048

chmod 400 intermediate/private/mail.example.com.key

# Create a certificate

openssl req -config intermediate/openssl.cnf -key intermediate/private/mail.example.com.key -new -sha256 -out intermediate/csr/mail.example.com.csr

When prompted for Common Name while creating a server certificate, use a FQDN. For client certificates you can use whatever you want.

Use the option server_cert when creating server certificates and usr_cert when creating user certificates.

openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 3650 -notext -md sha256 -in intermediate/csr/mail.example.com.csr -out intermediate/certs/mail.example.com.crt

chmod 444 intermediate/certs/mail.example.com.crt

# Verify the certificate

openssl x509 -noout -text -in intermediate/certs/mail.example.com.crt

In the output the Issuer should be the intermediate certificate and the Subject should be the certificate itself.

openssl verify -CAfile intermediate/certs/ca-chain.pem intermediate/certs/mail.example.com.crt

You should get:

intermediate/certs/mail.example.com.crt: OK

# Create PEM file

# Remove passphrase from private key

openssl rsa -in intermediate/private/mail.example.com.key -out intermediate/private/mail.example.com-nopass.key

cat intermediate/private/mail.example.com-nopass.key intermediate/certs/mail.example.com.crt intermediate/certs/HAProxy_Intermediate_CA.crt certs/TrustedRoot.crt | sudo tee intermediate/certs/mail.example.com.pem

This PEM file contains the unencrypted private key, so restrict its permissions as strictly as the key itself.

# Create PKCS#12/PFX file after creating a user certificate

openssl pkcs12 -export -clcerts -in intermediate/certs/client.crt -inkey intermediate/private/client.key -out intermediate/certs/client.p12
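Added here as an illustration and not part of the paste: a script that runs the root -> intermediate -> server chain steps above unattended in a scratch directory and then applies the same verification checks (intermediate against root, leaf against ca-chain.pem, leaf Issuer equal to intermediate Subject). It assumes the openssl CLI is installed, substitutes a small inline extension config for the linked openssl.cnf files, leaves keys unencrypted so nothing prompts, and uses constructed names (Test Root, Test Intermediate, mail.example.com).

```shell
# Unattended root -> intermediate -> server chain in a scratch directory, then the
# checks the walkthrough relies on. Constructed example; needs the openssl CLI.
set -eu

build_pki() {  # $1 = scratch directory
  d=$1; mkdir -p "$d"
  # Stand-in for the openssl.cnf sections referenced above (assumption, not the paste).
  cat > "$d/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  for n in root int srv; do openssl genrsa -out "$d/$n.key" 2048 2>/dev/null; done
  openssl req -new -x509 -key "$d/root.key" -subj '/CN=Test Root' -sha256 -days 30 \
    -config "$d/ext.cnf" -extensions v3_ca -out "$d/root.crt"
  # Intermediate: pathlen:0, so it can sign leaves but not further CAs.
  openssl req -new -key "$d/int.key" -subj '/CN=Test Intermediate' -config "$d/ext.cnf" |
    openssl x509 -req -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial -sha256 \
    -days 30 -extfile "$d/ext.cnf" -extensions v3_intermediate_ca -out "$d/int.crt" 2>/dev/null
  # Server leaf: signed by the intermediate, never by the root directly.
  openssl req -new -key "$d/srv.key" -subj '/CN=mail.example.com' -config "$d/ext.cnf" |
    openssl x509 -req -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial -sha256 \
    -days 30 -extfile "$d/ext.cnf" -extensions server_cert -out "$d/srv.crt" 2>/dev/null
  cat "$d/int.crt" "$d/root.crt" > "$d/ca-chain.pem"  # same layout as the walkthrough
}

check_pki() {  # $1 = scratch directory; returns 0 only if every check passes
  d=$1
  openssl verify -CAfile "$d/root.crt" "$d/int.crt" >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$d/ca-chain.pem" "$d/srv.crt" >/dev/null 2>&1 || return 1
  # With only the root trusted the leaf must NOT verify: that is what ca-chain.pem is for.
  ! openssl verify -CAfile "$d/root.crt" "$d/srv.crt" >/dev/null 2>&1 || return 1
  # Leaf Issuer must match the intermediate Subject, and the leaf must not be a CA.
  [ "$(openssl x509 -noout -issuer -in "$d/srv.crt" | sed 's/^issuer=//')" = \
    "$(openssl x509 -noout -subject -in "$d/int.crt" | sed 's/^subject=//')" ] || return 1
  openssl x509 -noout -text -in "$d/srv.crt" | grep -q 'CA:FALSE'
}
```

Run it as `d=$(mktemp -d); build_pki "$d"; check_pki "$d" && echo OK`; the negative verify step shows why the intermediate must ship alongside the server certificate.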