Tech C**P
Python and Linux instructor and programmer @alirezastack
To enable push notifications on a pushd server, you need a file with the .p12 extension and a .cer certificate file. For pushd to work, you need to generate .pem files from them and give their paths in the push configuration (`/etc/pushd/pushd.conf`).

We need to generate two .pem files: one called apns-cert.pem (generated from the .cer file) and the other called apns-key.pem (generated from the .p12 file).

To generate the key .pem file from the .p12 file, use the openssl command in the format below:
openssl pkcs12 -in YOUR_KEY.p12 -out apns-key.pem -nodes
NOTE: it may ask for a password; enter the password given to you by whoever provided the .p12 file.

-in sets the input file name and -out sets the name of the output file that will be generated. -nodes leaves the private key in the output file unencrypted.

And now generate the certificate .pem file from the .cer file:
openssl x509 -in cert.cer -inform DER -outform PEM -out apns-cert.pem

Restart pushd and check /var/log/pushd for any errors.

#pushd #openssl #p12 #cer #pem #push
Check whether you can connect to the APNS server using openssl:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert /etc/pushd/apns-cert.pem -key /etc/pushd/apns-key.pem

If you can connect to the APNS server, you will see Verify return code: 0 (ok) at the end of the output. Finally, press CTRL+C to leave the session.

#pushd #openssl #apns #push
A couple of days ago we talked about how MongoDB uses TLS/SSL to encrypt communication with the clients connecting to it (like PyMongo). If you want to test MongoDB with a self-signed certificate, you can generate one with the commands below:

cd /etc/ssl/
openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key


This operation generates a new, self-signed certificate with no passphrase that is valid for 365 days. Once you have the certificate, concatenate the certificate and private key to a .pem file, as in the following example:

cat mongodb-cert.key mongodb-cert.crt > mongodb.pem


If using the YAML configuration file format, include the following configuration in the file:

net:
   ssl:
      mode: requireSSL
      PEMKeyFile: /etc/ssl/mongodb.pem

NOTE: instead of requireSSL you can use preferSSL, which does not force TLS/SSL and still accepts unencrypted client connections. Which one to use depends on your requirements and network topology.


#mongodb #ssl #tls #pem #openssl
If you have followed our MongoDB SSL configuration, you should know by now that we can generate an SSL certificate using Let's Encrypt. I have used dehydrated, which is fully compatible with Cloudflare.

To make the procedure automatic, I have created a sample shell script that, after automatic renewal, also regenerates the PEM files for MongoDB:

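#!/bin/bash
# Rebuild the MongoDB PEM files after dehydrated has renewed the certificate.
# Stop at the first failing step instead of reporting success on a partial result.
set -e

echo 'Binding new mongo private key PEM file and Cert PEM file...'
# mongo.pem contains the private key: keep it readable only by the account that runs mongod.
cat /etc/dehydrated/certs/mongo.example.com/privkey.pem /etc/dehydrated/certs/mongo.example.com/cert.pem > /etc/ssl/mongo.pem
echo 'Saved the new file in /etc/ssl/mongo.pem'

sudo touch /etc/ssl/ca.pem
# The CA bundle may be world-readable but must not be world-writable (the original used 777).
sudo chmod 644 /etc/ssl/ca.pem
echo 'truncate ca.pem file and generate a new in /etc/ssl/ca.pem...'
sudo truncate -s 0 /etc/ssl/ca.pem
echo 'generate a ca.pem file using openssl by input -> /etc/ssl/ca.crt'
sudo openssl x509 -in /etc/ssl/ca.crt -out /etc/ssl/ca.pem -outform PEM
echo 'ca.pem is generated successfully in /etc/ssl'

echo 'append the chain.pem content to newly created ca.pem in /etc/ssl/ca.pem'
# With "sudo cat ... >> file" the redirect runs as the calling user, so append through sudo tee.
sudo cat /etc/dehydrated/certs/mongo.example.com/chain.pem | sudo tee -a /etc/ssl/ca.pem > /dev/null
echo 'done!'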

#mongodb #mongo #ssl #pem #openssl #lets_encrypt
To verify with openssl that your certificate was generated correctly:

openssl verify -verbose -CAfile /etc/ssl/ca.pem /etc/ssl/mongo.pem

#openssl #verify #pem #ca #mongodb #ssl
An easy way to encrypt and decrypt large files using OpenSSL and Linux:

Generate a private key and a self-signed certificate (which carries the public key) in PEM format using openssl:

openssl req -x509 -nodes -newkey rsa:2048 -keyout private-key.pem -out public-key.pem

Encrypt the file using the public key PEM file:

openssl smime -encrypt -binary -aes-256-cbc -in large_file.img -out large_file.img.dat -outform DER public-key.pem


We can generate a hash of both files with md5sum so that we can compare them once we decrypt our file:

md5sum large_file.img*
#cd573cfaace07e7949bc0c46028904ff large_file.img
#c4d8f1e868d1176d8aa5363b0bdf8e7c large_file.img.dat


Decrypt the large file using OpenSSL (the input format must be DER, matching the -outform DER used for encryption):

openssl smime -decrypt -in large_file.img.dat -binary -inform DER -inkey private-key.pem -out decrypted_large_file.img


Check md5sum output:

md5sum *large_file.img*
#cd573cfaace07e7949bc0c46028904ff decrypted_large_file.img
#cd573cfaace07e7949bc0c46028904ff large_file.img
#c4d8f1e868d1176d8aa5363b0bdf8e7c large_file.img.dat

#linux #openssl #pem #encryption #decryption #x509 #public_key #private_key
How to check expiration time of a PEM certificate using openssl?

$ openssl x509 -enddate -noout -in file.pem
notAfter=Sep 3 02:23:50 2018 GMT

#openssl #expiration_date
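
The checks from the MongoDB PEM posts and the expiry post above can be combined into one pre-flight test to run on the combined key+certificate file after a renewal. This is an added example, not a script from the channel; the function name check_pem, its return codes and the 14-day default are assumptions.

```shell
#!/bin/bash
# Added example: sanity-check a combined key+cert PEM (e.g. /etc/ssl/mongo.pem).
# Usage: check_pem COMBINED_PEM [MIN_DAYS] [CA_FILE]
# Return codes (assumed convention): 0 ok, 1 unreadable, 2 key/cert mismatch,
# 3 expiring soon, 4 does not verify against CA_FILE.

check_pem() {
    local pem="$1" min_days="${2:-14}" ca="${3:-}" key_pub cert_pub

    # 1. The file must contain a parseable certificate and a private key.
    openssl x509 -in "$pem" -noout 2>/dev/null \
        || { echo "no certificate in $pem" >&2; return 1; }
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) \
        || { echo "no private key in $pem" >&2; return 1; }

    # 2. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey)
    [ "$key_pub" = "$cert_pub" ] \
        || { echo "private key does not match certificate" >&2; return 2; }

    # 3. The certificate must remain valid for at least min_days more days.
    openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "certificate expires within $min_days days" >&2; return 3; }

    # 4. Optionally verify the certificate against the CA file.
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" "$pem" >/dev/null 2>&1 \
            || { echo "certificate does not verify against $ca" >&2; return 4; }
    fi
    return 0
}

# Run directly: ./check_pem.sh /etc/ssl/mongo.pem 14 /etc/ssl/ca.pem
if [ "$#" -gt 0 ]; then
    check_pem "$@"
fi
```

A renewal hook can call this before restarting mongod and keep the previous PEM file in place on any non-zero return code.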