Thursday, November 13, 2014

2014-11-13 Replacing the CSS11506 certificate

### Suspend Service ###
config term

service backend-server 171
suspend
service backend-server 172
suspend
service backend-server 175
suspend

service backend-server 176
suspend

service SSL_Front_1
suspend
service SSL_Front_2
suspend

exit

### Suspend ssl-proxy-list ###
config term

ssl-proxy-list TCBank_PDC_Branch_ssl-accel
suspend

exit

### Use FTP Upload cert_fcrbrn_2014.cer, cert_fcrbrn_2014.pem ###
       ###Check and Create ftp-record leslie-ftp
       ftp-record leslie-ftp 172.17.1.27 anonymous des-password tcbank

copy ssl ftp leslie-ftp import cert_fcrbrn_2014.cer PEM "password"
copy ssl ftp leslie-ftp import cert_fcrbrn_2014.pem PEM "password"
See the procedure for producing cert.cer and cert.pem.


### The following rsakey and rsacert removal steps must be performed first ###
###config term
###
###ssl-proxy-list TCBank_PDC_Branch_ssl-accel

no ssl-server 21 rsakey cert_fcrbrn_withrsa
no ssl-server 21 rsacert cert_fcrbrn_cert

CSS11506(config)# no ssl associate cert cert_fcrbrn_cert
CSS11506(config)# no ssl associate rsakey cert_fcrbrn_withrsa


### Then import the RSA certificate and key pair ###
ssl associate cert cert_fcrbrn_cert cert_fcrbrn_2014.cer
ssl associate rsakey cert_fcrbrn_withrsa cert_fcrbrn_2014.pem

### Then configure the following under ssl-proxy-list TCBank_PDC_Branch_ssl-accel ###
ssl-server 21 rsakey cert_fcrbrn_withrsa
ssl-server 21 rsacert cert_fcrbrn_cert

### Activate ssl-proxy-list ###
config term
ssl-proxy-list TCBank_PDC_Branch_ssl-accel
active
exit

### Activate service & SSL_Front_1 & 2 ###
service backend-server 171
active
service backend-server 172
active
service backend-server 175
active

service backend-server 176
active

service SSL_Front_1
active
service SSL_Front_2
active

Converting a certificate to .pem & .cer files

Converting a certificate .pfx file to .pem & .cer files

1. Download the OpenSSL software

2. Install the OpenSSL software
Win64OpenSSL-1_0_1j.exe

3. Run the commands
Generate the PEM, CER and key files from a single .pfx file
openssl pkcs12 -in Brn.pfx -nodes -out server.pem
openssl rsa -in server.pem -out server.key
openssl x509 -in server.pem -out server.cer
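
A pre-upload check for the split above, as an added example that is not part of the original post: it runs the same three commands on a throwaway PFX generated on the spot, then confirms that the extracted key and certificate share a public key. The PFX_PASS variable, the file names and the sample material are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the original post). All file names and PFX_PASS are
# assumptions; the key, certificate and PFX are generated here as test material.

# Build a throwaway RSA key, self-signed certificate and PFX.
# $1 = directory, $2 = file name prefix.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample.invalid" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" \
        -passout env:PFX_PASS -out "$1/$2.pfx" 2>/dev/null
}

# The three commands from step 3. -nodes writes the private key unencrypted,
# so run them under umask 077. $1 = PFX file, $2 = output directory.
split_pfx() {
    (
        umask 077
        openssl pkcs12 -in "$1" -nodes -passin env:PFX_PASS -out "$2/server.pem" &&
        openssl rsa  -in "$2/server.pem" -out "$2/server.key" &&
        openssl x509 -in "$2/server.pem" -out "$2/server.cer"
    ) 2>/dev/null
}

# Return 0 only if key $1 and certificate $2 carry the same public key;
# 2 if either file cannot be parsed.
pair_matches() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Split one sample PFX, then check it against its own key and a foreign key.
demo() {
    work=$(mktemp -d) || return 1
    PFX_PASS=constructed-demo-pass; export PFX_PASS
    make_sample "$work" a && make_sample "$work" b &&
        split_pfx "$work/a.pfx" "$work" &&
        pair_matches "$work/server.key" "$work/server.cer" &&
        ! pair_matches "$work/b.key" "$work/server.cer"
    rc=$?
    rm -rf "$work"
    return $rc
}

demo && echo "key and certificate match; foreign key rejected"
```

Passing the import password through an environment variable keeps it out of the process list; the intermediate server.pem still holds the unencrypted key and should be deleted once the pair is verified.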


======================================================

PEM Format
It is the most common format that Certificate Authorities issue certificates in. It contains the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements.
Several PEM certificates and even the private key can be included in one file, one below the other. But most platforms (e.g. Apache) expect the certificates and private key to be in separate files.
> They are Base64 encoded ASCII files
> They have extensions such as .pem, .crt, .cer, .key
> Apache and similar servers use PEM format certificates

DER Format
It is a binary form of the ASCII PEM format certificate. All types of certificates and private keys can be encoded in DER format.
> They are binary format files
> They have extensions .cer & .der
> DER is typically used on the Java platform

P7B/PKCS#7
They contain "-----BEGIN PKCS7-----" & "-----END PKCS7-----" statements. It can contain only certificates and chain certificates, but not the private key.
> They are Base64 encoded ASCII files
> They have extensions .p7b, .p7c
> Several platforms support it, e.g. Windows OS, Java Tomcat

PFX/PKCS#12
They are used for storing the server certificate, any intermediate certificates and the private key in one encryptable file.
> They are binary format files
> They have extensions .pfx, .p12
> Typically used on Windows OS to import and export certificates and private keys

Converting Certificates between different Formats
PEM
Convert PEM to DER
—————————————————————————————————–
$ openssl x509 -outform der -in certificate.pem -out certificate.der
—————————————————————————————————–
Convert PEM to P7B
———————————————————————————————————————————
$ openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CAcert.cer
———————————————————————————————————————————-
Convert PEM to PFX
——————————————————————————————————————————————————
$ openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CAcert.crt
——————————————————————————————————————————————————

DER
Convert DER to PEM
————————————————————————————————–
$ openssl x509 -inform der -in certificate.cer -out certificate.pem
————————————————————————————————–

P7B
Convert P7B to PEM
————————————————————————————————-
$ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
————————————————————————————————-
Convert P7B to PFX
——————————————————————————————————————————————————-
$ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
$ openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CAcert.cer
——————————————————————————————————————————————————-

PFX
Convert PFX to PEM
——————————————————————————————–
$ openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
——————————————————————————————–
NOTE: While converting PFX to PEM format, openssl will put all the certificates and the private key into a single file. You will need to open the file in a text editor and copy each certificate and the private key (including the BEGIN/END statements) to its own individual text file, and save them as certificate.cer, CAcert.cer and privateKey.key respectively.
Extraction Private Key From PEM
Method 1 -- use openssl
——————————————————————————————–
$ openssl x509 -in server.pem -out server.cer
——————————————————————————————–

Method 2 --
      2.1 Install .pfx file
      2.2 Open Certificate -> Detail -> copy to file