How to save an LDAP SSL certificate from OpenSSL

Posted 2024-11-30 01:52:59 · 177 characters · 2 views · 0 comments

I wanted the SSL Certificate of my LDAP Server which is Novell eDirectory. I have used openssl to connect to ldap to view the certificate.

openssl s_client -connect 192.168.1.225:636

It is just printing the certificate. How can I save this to some certificate format file?

Comments (8)

时光是把杀猪刀 2024-12-07 01:53:00

Or you can easily export the public and private key via iManager if you need them in either DER or PEM format. (DER is a binary format, PEM is a base64 encoded format, so in iManager, your choices will be DER or B64 and B64 ~= PEM in this context)

邮友 2024-12-07 01:53:00

You can also use https://keystore-explorer.org/ to export the certificate. Use Examine -> Examine SSL.

私野 2024-12-07 01:52:59

Copy everything between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- (including these delimiters) and paste it in a new text file (usually with the extension .pem or .crt). You can use your favourite (plain) text editor for this, for example Notepad, Gedit, Vim, Emacs (depending on the system you're using).

Alternatively, you can pipe the output to sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p', as described here:

echo -n | openssl s_client -connect 192.168.1.225:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem

吖咩 2024-12-07 01:52:59

For those looking to grab the certs over an LDAP connection using StartTLS:

I have re-submitted a patch to OpenSSL to support LDAP when using -starttls for s_client. So eventually this should work (if it ever makes it in I guess -- not yet as of 10/18/16):

openssl s_client -connect servername:389 -starttls ldap -showcerts

Edit: Support was eventually merged under this PR. C is not my forte so luckily someone else ran with it ;)

I also wrote a PHP function to extract the SSL certificates after issuing a STARTTLS command over a TCP connection. It could easily be ported to other languages with a little work:

/**
 * @param string $server The server name to connect to
 * @param int $port The standard LDAP port
 * @return array In the form of ['peer_certificate' => '', 'peer_certificate_chain' => [] ]
 */
function getLdapSslCertificates($server, $port = 389)
{
    $certificates = [
        'peer_certificate' => null,
        'peer_certificate_chain' => [],
    ];
    // This is the hex encoded extendedRequest for the STARTTLS operation...
    $startTls = hex2bin("301d02010177188016312e332e362e312e342e312e313436362e3230303337");
    $opts = [
        'ssl' => [
            'capture_peer_cert' => true,
            'capture_peer_cert_chain' => true,
            'allow_self_signed' => true,
            'verify_peer' => false,
            'verify_peer_name' => false,
        ],
    ];

    $context = stream_context_create($opts);
    $client = @stream_socket_client(
        "tcp://$server:$port",
        $errorNumber,
        $errorMessage,
        5,
        STREAM_CLIENT_CONNECT,
        $context
    );
    // Bail out if the TCP connection could not be established at all
    if ($client === false) {
        return $certificates;
    }
    @stream_set_timeout($client, 2);
    @fwrite($client, $startTls);
    // Read (and discard) the extendedResponse to the STARTTLS request
    @fread($client, 10240);
    // Negotiate TLS on the existing connection; the handshake fills in peer_certificate(_chain)
    if (@stream_socket_enable_crypto($client, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) !== true) {
        @fclose($client);
        return $certificates;
    }
    $info = @stream_context_get_params($client);

    if (!$info) {
        return $certificates;
    }
    openssl_x509_export($info['options']['ssl']['peer_certificate'], $certificates['peer_certificate']);

    foreach ($info['options']['ssl']['peer_certificate_chain'] as $index => $cert) {
        $certChain = '';
        openssl_x509_export($cert, $certChain);
        $certificates['peer_certificate_chain'][$index] = $certChain;
    }
    @fclose($client);

    return $certificates;
}

The above function will return an array containing the peer certificate and the peer certificate chain. So it could be used like so:

// Just pass it the server name
$certificates = getLdapSslCertificates('dc1.example.local');

// The certificates are in the array as strings in PEM format
echo $certificates['peer_certificate'].PHP_EOL;
foreach ($certificates['peer_certificate_chain'] as $cert) {
    echo $cert.PHP_EOL;
}
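
As an added example (not code from the answer above or from the OpenSSL project), the same StartTLS capture in Python: it BER-encodes the extendedRequest by hand (the bytes match the hex string in the PHP function), checks the server's resultCode before upgrading, and returns the leaf certificate as PEM together with its SHA-256 fingerprint so the value can be compared out of band before anything trusts it. Certificate verification is switched off only because the whole point is to capture a not-yet-trusted certificate; the host name passed in is whatever you choose.

```python
import hashlib
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation (RFC 4511)

def build_starttls_request(message_id=1):
    """BER-encode LDAPMessage { messageID, extendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    # 0x80 = context-specific [0], primitive; every length here is < 128, so short-form lengths suffice
    ext_req = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID
    body = b"\x02\x01" + bytes([message_id]) + b"\x77" + bytes([len(ext_req)]) + ext_req
    return b"\x30" + bytes([len(body)]) + body

def read_tlv(buf, pos=0):
    """Read one BER tag/length/value starting at pos; long-form lengths (>= 128) are handled."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_result_code(response):
    """Return the extendedResponse resultCode (0 = success, RFC 4511 section 4.1.9)."""
    tag, msg, _ = read_tlv(response)             # LDAPMessage SEQUENCE
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg)                    # skip messageID INTEGER
    tag, ext, _ = read_tlv(msg, pos)             # extendedResponse [APPLICATION 24] = tag 0x78
    if tag != 0x78:
        raise ValueError("expected extendedResponse, got tag 0x%02x" % tag)
    _, code, _ = read_tlv(ext)                   # resultCode ENUMERATED
    return int.from_bytes(code, "big")

def fetch_ldap_starttls_cert(host, port=389, timeout=5):
    """Send StartTLS on the plain LDAP port, upgrade to TLS, return (PEM cert, SHA-256 fingerprint)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE              # capture only; compare the fingerprint out of band before trusting
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        code = parse_result_code(sock.recv(4096))
        if code != 0:
            raise RuntimeError("server refused StartTLS, resultCode %d" % code)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der), hashlib.sha256(der).hexdigest()
```

Against a live server, `pem, fp = fetch_ldap_starttls_cert('dc1.example.local')` gives the text to write to ldapserver.pem and the fingerprint to check against what the directory administrator reports.
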

美煞众生 2024-12-07 01:52:59

There is a pretty simple way using only openssl:

openssl s_client -connect 192.168.1.225:636 < /dev/null |
  openssl x509 -out cert.pem

The first line fetches the cert from the server and the second line parses the cert and allows transforming it into different formats, for example:

  • openssl x509 -noout -text: prints certificate in text format, e.g., for debugging.
  • openssl x509 -outform der -out cert.crt: saves cert in DER format

You can check out the docs for all possible variations.

鹿! 2024-12-07 01:52:59

The easiest way I found to save a certificate from any SSL-enabled protocol like ldap, imap, pop, ftps, https etc. is just using the Chrome browser. Assuming your server is running any such protocol (like those mentioned), create the URL like this:

http://<host>:<port> (for example, if your ldap server is running on SSL port 10636 it would be https://example.com:10636). Simply hit this URL and obtain the certificate from the Chrome browser itself. A simple demo is below. In this demo my ldap server is using a self-signed certificate.

Click On Certificate Information

Click on copy to file and save the certificate by clicking next.

This method works for any server running on SSL irrespective of protocol.

Cheers.

谈下烟灰 2024-12-07 01:52:59

There is a tool that lets you collect and save an SSL/TLS certificate from a server that speaks not only LDAPS, but LDAP/STARTTLS too. That's a revision of the well-known InstallCert program, written in Java.

Just run it like this:

java -jar installcert-usn-20131123.jar host_name:port

and it will save the certificate for you in the jssecacerts keystore file in your JRE file tree, and also in the extracerts keystore file in your current directory. You can then use Java keytool to export the certificate(s) to other formats.

You are welcome to visit my blog page, "Yet another InstallCert for Java, now with STARTTLS support", for download and instructions.

甜心 2024-12-07 01:52:59

We liked using ldapsearch for performing this. The whole process, a few lines, but this is the gist of it:

ldapsearch -x -T ~/ -t -h your-edirectory-host.yourdomain.com -b "cn=Security" objectclass=nDSPKICertificateAuthority cACertificate

-jim
