Thursday, 13 October 2016

Certificate with DNS aliases and loading it into IIS

First, create the certificate following this how-to:

HOW TO: Create server certificate and include DNS alias


By default certificates are tied to the exact server name they are created for, which is normally the FQDN of the server. If you create a certificate for the server myserver.vstrong.info and then connect to it by the short name myserver / MyServer or by any other DNS alias, the certificate will not be seen as trusted. There is a way to get all aliases included in the certificate.
In order to create a certificate you need an application that can generate a certificate request and then send it to the Certification Authority (CA) for signing.
One of the easiest applications that can generate a certificate request is OpenSSL. Download and install OpenSSL from this link: http://slproweb.com/products/Win32OpenSSL.html
I will be installing OpenSSL on a 64-bit OS, so let's download Win64 OpenSSL v1.0.1e Light and its prerequisite, Microsoft Visual C++ 2008 Redistributable (x64).
Installation is straightforward: accept the defaults and select Copy OpenSSL DLLs to The OpenSSL binaries (/bin) directory. Please donate generously!
By default, OpenSSL looks for a configuration file in the user's local profile directory:
C:\OpenSSL-Win64\bin>openssl
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
OpenSSL> exit
Run the following SET command to specify the configuration file:
SET OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg
Before we create any certificates, let's make a backup of the default OpenSSL configuration file and pre-configure default information that will apply to all certificates we are going to create:
[ req_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default = UK
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Greater London
localityName         = Locality Name (eg, city)
localityName_default = London
0.organizationName         = Organization Name (eg, company)
0.organizationName_default = vStrong.info
organizationalUnitName         = Organizational Unit Name (eg, section)
organizationalUnitName_default = IT
By default, OpenSSL creates a 1024-bit certificate request. If you need a stronger key, you can do either of these:
  1. Edit openssl.cfg and amend the following line:
    [ req ]
    default_bits        = 1024
  2. Add this option when you run openssl:
    -newkey rsa:4096
What about the aliases?
Find the [ req ] section and add/un-comment the following line:
req_extensions = v3_req
Find the [ v3_req ] section and add a new subjectAltName line and list all DNS aliases as in this example:
subjectAltName = "DNS:server001.vstrong.info, DNS:server001, DNS:SERVER001.VSTRONG.INFO, DNS:SERVER001, DNS:CITRIX, DNS:citrix, DNS:10.10.100.150"
As you can see, I added lower- and uppercase, short and FQDN server name, two aliases, ‘CITRIX’ and ‘citrix’. You can also add an IP address of the server or device. I find it quite useful as sometimes IP address is easier to remember.
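As an added example (not part of the original how-to), this Python builds the subjectAltName value from the names listed above and checks which connection targets it covers. DNS name matching is case-insensitive, so the uppercase duplicates are dropped, and the address goes into an IP: entry, which is where OpenSSL and browsers look when you connect by IP; the helper names are my own.

```python
"""Added example (not from the post): build and check a subjectAltName list."""
import ipaddress

# Constructed input: the names the post wants the certificate to cover.
WANTED_NAMES = [
    "server001.vstrong.info", "server001", "SERVER001.VSTRONG.INFO",
    "SERVER001", "CITRIX", "citrix", "10.10.100.150",
]


def build_subject_alt_name(names):
    """Return the subjectAltName value to put into openssl.cfg.

    DNS names are case-insensitive, so entries that differ only in case
    are dropped. An IP address is not a DNS name: it becomes an IP: entry.
    """
    dns_entries, ip_entries, seen = [], [], set()
    for name in names:
        try:
            ip = ipaddress.ip_address(name)
        except ValueError:                      # not an address: a DNS name
            key = name.lower()
            if key not in seen:
                seen.add(key)
                dns_entries.append(f"DNS:{key}")
            continue
        key = str(ip)
        if key not in seen:
            seen.add(key)
            ip_entries.append(f"IP:{key}")
    return ", ".join(dns_entries + ip_entries)


def san_matches(san_value, target):
    """Check whether a hostname or address typed into a browser is covered.

    Hostnames match DNS: entries case-insensitively; an address only
    matches an IP: entry, so DNS:10.10.100.150 never covers a connection
    to 10.10.100.150.
    """
    entries = [e.strip() for e in san_value.split(",")]
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return any(e.lower() == f"dns:{target.lower()}" for e in entries)
    return f"IP:{ip}" in entries


if __name__ == "__main__":
    san = build_subject_alt_name(WANTED_NAMES)
    print(f'subjectAltName = "{san}"')
    for t in ("SERVER001", "citrix", "10.10.100.150", "server002"):
        print(t, san_matches(san, t))
```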

Let's generate the certificate request!

Open the Windows Command Prompt, navigate to the directory where you installed OpenSSL and run the following:
openssl req -new -nodes -keyout server001.key -out server001.csr
There will be a series of questions. Answer each question and make a note of the challenge password; it will be needed later in the process.
The certificate request process will create 2 files:
  1. *.csr – the CSR that will be signed by the Certificate Authority to create the final certificate
  2. *.key – the private key in PEM format
Create certificate request - 1
C:\OpenSSL-Win64\bin>openssl req -new -nodes -keyout server001.key -out server001.csr
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..................++++++
......++++++
writing new private key to 'server001.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [UK]:
State or Province Name (full name) [Greater London]:
Locality Name (eg, city) [London]:
Organization Name (eg, company) [vStrong.info]:
Organizational Unit Name (eg, section) [IT]:
Common Name (e.g. server FQDN or YOUR name) []:server001.vstrong.info
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:MySuperSecretPassw0rd
string is too long, it needs to be less than  20 bytes long
A challenge password []:MySuperPWD
An optional company name []:

Signing the request

You must sign the request with Microsoft Active Directory Certificate Services.
  1. Open server001.csr with Wordpad (to preserve the formatting) and copy the contents onto the clipboard (Edit > Select all; Edit > Copy).
    Create certificate request - 2
  2. In Internet Explorer, navigate to the Microsoft CA server.
    Enter the following URL:
    http://<CA_server_IP_address>/certsrv
    The Certificate Services applet starts.
  3. On the Welcome screen, below the Select a task heading, select Request a certificate.
    Create certificate request - 3
  4. The Request a certificate page displays. Select advanced certificate request
    Create certificate request - 35
  5. On the Advanced Certificate Request screen, select Submit a certificate request by using a base-64-encoded CMC.
    Create certificate request - 4
    The Submit a Certificate Request or Renewal Request screen displays.
  6. On the Submit a Certificate Request or Renewal Request screen, paste the content of the server001.csr file (previously placed on the clipboard), in the Certificate Template drop down window select Web Server or other appropriate to your needs template and click Submit.
    Create certificate request - 5
  7. The certificate is issued and the Certificate Issued screen displays.
    Create certificate request - 6
  8. Select the Base 64 encoded radio button and then select Download certificate. Save the certificate as server001.cer to your desktop.
  9. Let's confirm the certificate includes the server aliases:
    Create certificate request - 7

Next, generate a .PFX to load into IIS:


c:\OpenSSL-Win64\bin>openssl pkcs12 -export -out certificate.pfx -inkey server001.key -in server001.cer
Enter Export Password:
Verifying - Enter Export Password:


c:\OpenSSL-Win64\bin>

Next, in IIS Manager, under Server Certificates, import certificate.pfx.

Then, in Site Bindings, assign the imported certificate to https.

Restart IIS. Done!




http://vstrong.info/2013/03/19/how-to-create-server-certificate-and-include-dns-alias/

Friday, 1 July 2016

IPSEC ( GRE tunnel) Cisco + Debian 8 racoon

2.2.2.0/24 ####Cisco#### 10.66.66.1/30 <--------> 10.66.66.2/30####Debian8#####3.3.3.0/24
                                       10.0.0.1<---------GRE--------->10.0.0.2

#########################################################
### Cisco ###
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key test address 10.66.66.2
!
!
crypto ipsec transform-set tunnel esp-3des esp-sha-hmac
!
crypto ipsec profile VPN
 set transform-set tunnel
 set pfs group2
!
!
!
interface Loopback1
 ip address 2.2.2.1 255.255.255.0
!
interface Tunnel1
 ip address 10.0.0.1 255.255.255.0
 tunnel source 10.66.66.1
 tunnel destination 10.66.66.2
 tunnel protection ipsec profile VPN
!
interface FastEthernet0/0
 ip address 10.66.66.1 255.255.255.0
 ip access-group 100 in
 ip access-group 101 out
 duplex auto
 speed auto
!
ip route 3.3.3.0 255.255.255.0 10.0.0.2
!
!
!
access-list 100 permit gre host 10.66.66.2 host 10.66.66.1
access-list 100 permit esp host 10.66.66.2 host 10.66.66.1
access-list 100 permit ahp host 10.66.66.2 host 10.66.66.1
access-list 100 permit udp host 10.66.66.2 host 10.66.66.1 eq isakmp
access-list 100 deny   ip any any
access-list 101 permit gre host 10.66.66.1 host 10.66.66.2
access-list 101 permit esp host 10.66.66.1 host 10.66.66.2
access-list 101 permit ahp host 10.66.66.1 host 10.66.66.2
access-list 101 permit udp host 10.66.66.1 host 10.66.66.2 eq isakmp
access-list 101 deny   ip any any
!




##############################################
### Debian8 ###

modprobe gre
ip tunnel add tun1 mode gre remote 10.66.66.1 local 10.66.66.2
ifconfig tun1 10.0.0.2 pointopoint 10.0.0.1 up

or

auto tun1
iface tun1 inet tunnel
        address 10.0.0.2
        netmask 255.255.255.252
        dstaddr 10.0.0.1
        local 10.66.66.2
        endpoint 10.66.66.1
        mode gre


root@debian:/home/tuhvatov# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:a6:d5:e4 brd ff:ff:ff:ff:ff:ff
    inet 10.66.66.2/24 brd 10.66.66.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fea6:d5e4/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:6c:0e:82 brd ff:ff:ff:ff:ff:ff
    inet 192.168.205.230/23 brd 192.168.205.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet 3.3.3.1/24 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe6c:e82/64 scope link
       valid_lft forever preferred_lft forever
4: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default
    link/gre 0.0.0.0 brd 0.0.0.0
5: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
6: tun1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default
    link/gre 10.66.66.2 peer 10.66.66.1
    inet 10.0.0.2 peer 10.0.0.1/32 scope global tun1
       valid_lft forever preferred_lft forever
    inet6 fe80::5efe:a42:4202/64 scope link
       valid_lft forever preferred_lft forever


/etc/racoon/racoon.conf
remote 10.66.66.1 {
        exchange_mode main,aggressive;
        lifetime time 28800 sec;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo address 10.66.66.2/32 47 address 10.66.66.1/32 47 {
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}

/etc/ipsec-tools.conf

flush;
spdflush;
spdadd 10.66.66.2/32 10.66.66.1/32 47 -P out ipsec
           esp/tunnel/10.66.66.2-10.66.66.1/require;
spdadd 10.66.66.1/32 10.66.66.2/32 47 -P in ipsec
           esp/tunnel/10.66.66.1-10.66.66.2/require;

iptables -P INPUT     DROP
iptables -P FORWARD   DROP
iptables -P OUTPUT    ACCEPT
iptables -t filter -A INPUT -i tun1 -j ACCEPT
iptables -t filter -A INPUT -s 10.66.66.1/32 -d 10.66.66.2/32 -i eth0 -p gre -j ACCEPT
iptables -t filter -A INPUT -s 10.66.66.1/32 -d 10.66.66.2/32 -i eth0 -p esp -j ACCEPT
iptables -t filter -A INPUT -s 10.66.66.1/32 -d 10.66.66.2/32 -i eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT

https://www.altlinux.org/VPN_c_%D0%B4%D0%B8%D0%BD%D0%B0%D0%BC%D0%B8%D1%87%D0%B5%D1%81%D0%BA%D0%BE%D0%B9_%D0%BC%D0%B0%D1%80%D1%88%D1%80%D1%83%D1%82%D0%B8%D0%B7%D0%B0%D1%86%D0%B8%D0%B5%D0%B9_(GRE_Racoon_OSPF)

http://www.rhd.ru/docs/manuals/enterprise/RHEL-4-Manual/security-guide/s1-ipsec-host2host.html

DNAT on Cisco

12.12.12.0/24 ===| R1 |====23.23.23.0/24=====| R2 | ===== 5.5.5.0/24
                                                   | ===== 3.3.3.0/24

==== on R1 ====
interface FastEthernet0/0
 ip address 12.12.12.2 255.255.255.0
 ip nat inside
!
interface FastEthernet1/0
 ip address 23.23.23.2 255.255.255.0
 ip nat outside
!
ip nat outside source static tcp 5.5.5.5 23 3.3.3.3 23 extendable


Result: when we connect to 3.3.3.3, the address is translated to 5.5.5.5.

Thursday, 30 June 2016

IPSEC (mode tunnel) Cisco + Debian 8 racoon

2.2.2.0/24 ####Cisco#### 10.66.66.1/30 <--------> 10.66.66.2/30####Debian8#####3.3.3.0/24

##########################################################
### Cisco ###

crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key test address 10.66.66.2
!
!
crypto ipsec transform-set tunnel esp-3des esp-sha-hmac
!
crypto map TEST 1 ipsec-isakmp
 set peer 10.66.66.2
 set transform-set tunnel
 set pfs group2
 match address MY-ACL
!
!
!
!
!
interface Loopback1
 ip address 2.2.2.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.66.66.1 255.255.255.0
 duplex auto
 speed auto
 crypto map TEST
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip route 3.3.3.0 255.255.255.0 10.66.66.2
no ip http server
no ip http secure-server
!
!
!
ip access-list extended MY-ACL
 permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
 deny   ip any any
!

##############################################
### Debian8 ###

root@debian:/etc/init.d# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:a6:d5:e4 brd ff:ff:ff:ff:ff:ff
    inet 10.66.66.2/24 brd 10.66.66.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fea6:d5e4/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:6c:0e:82 brd ff:ff:ff:ff:ff:ff
    inet 192.168.205.230/23 brd 192.168.205.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet 3.3.3.1/24 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe6c:e82/64 scope link
       valid_lft forever preferred_lft forever


root@debian:/etc/racoon# cat /etc/racoon/psk.txt
# IPv4/v6 addresses
10.66.66.1      test


root@debian:/etc/racoon# cat /etc/racoon/racoon.conf
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";


remote 10.66.66.1 {
        exchange_mode main,aggressive;
        lifetime time 28800 sec;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address 3.3.3.0/24 any address 2.2.2.0/24 any {
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}
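As an added example (not from the post), the following Python checks that the Cisco ISAKMP policy and the racoon remote proposal above agree on every IKE phase 1 parameter, which is the first thing to verify when the tunnel does not come up. The same remote block is used in the GRE post above; the Cisco defaults table and helper names are my own.

```python
"""Added example (not from the post): check that the Cisco ISAKMP policy
and the racoon 'remote' proposal above agree on every IKE phase 1 value."""
import re

# Constructed input, copied from the two configs in the post.
CISCO_POLICY = """crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800"""
RACOON_REMOTE = """remote 10.66.66.1 {
    exchange_mode main,aggressive;
    lifetime time 28800 sec;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}"""
# Values IOS assumes when a line is omitted from 'crypto isakmp policy'.
CISCO_DEFAULTS = {"encr": "des", "hash": "sha1", "auth": "rsa-sig",
                  "group": "1", "lifetime": "86400"}


def parse_cisco_policy(text):
    """Map policy lines onto a shared vocabulary (sha -> sha1, pre-share -> psk)."""
    p = dict(CISCO_DEFAULTS)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        key, val = parts[0], " ".join(parts[1:])
        if key in ("encr", "encryption"):
            p["encr"] = val.replace(" ", "")  # "aes 256" -> "aes256"
        elif key == "hash":
            p["hash"] = "sha1" if val == "sha" else val
        elif key == "authentication":
            p["auth"] = "psk" if val == "pre-share" else val
        elif key in ("group", "lifetime"):
            p[key] = val
    return p


def parse_racoon_remote(text):
    """Pull the proposal of a racoon remote block into the same keys."""
    def grab(pattern, default="?"):
        m = re.search(pattern, text)
        return m.group(1) if m else default
    auth = grab(r"authentication_method\s+(\w+);")
    return {
        "encr": grab(r"encryption_algorithm\s+([\w ]+?);").replace(" ", ""),
        "hash": grab(r"hash_algorithm\s+(\w+);"),
        "auth": "psk" if auth == "pre_shared_key" else auth,
        "group": grab(r"dh_group\s+(\w+);"),
        "lifetime": grab(r"lifetime\s+time\s+(\d+)\s+sec;"),
    }


def phase1_mismatches(cisco_text, racoon_text):
    """Return {parameter: (cisco, racoon)} for every value that differs."""
    a, b = parse_cisco_policy(cisco_text), parse_racoon_remote(racoon_text)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}
```

An empty result means phase 1 can negotiate; a non-empty one names the side and value to fix before looking at the sainfo / crypto map (phase 2) settings.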

root@debian:/etc# cat /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 3.3.3.0/24 2.2.2.0/24 any -P out ipsec
           esp/tunnel/10.66.66.2-10.66.66.1/require;
spdadd 2.2.2.0/24 3.3.3.0/24 any -P in ipsec
           esp/tunnel/10.66.66.1-10.66.66.2/require;

######################################
######## Monitoring
root@debian:/etc# racoonctl -ll ss isakmp
Source                                        Destination                                   Cookies                           ST S  V E Created             Phase2
10.66.66.2.500                                10.66.66.1.500                                2f884599e608cee3:69f1cc4a2e88d065  9 I 10 M 2016-07-01 09:12:30      1

root@debian:/etc# tail -f /var/log/syslog | grep racoon
Jul  1 09:06:56 debian racoon: [10.66.66.1] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
Jul  1 09:12:29 debian racoon: WARNING: attribute has been modified.
Jul  1 09:12:29 debian racoon: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)
Jul  1 09:12:29 debian racoon: INFO: @(#)This product linked OpenSSL 1.0.1k 8 Jan 2015 (http://www.openssl.org/)
Jul  1 09:12:29 debian racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Jul  1 09:12:31 debian racoon: WARNING: attribute has been modified.


Wednesday, 15 June 2016

IPsec Cisco + Mikrotik

Cisco 2811

!
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp key SeCrEtKeY address 99.251.150.181
!
crypto ipsec transform-set PEER1 esp-aes 256 esp-md5-hmac
!
crypto map OUT 11 ipsec-isakmp
 set peer 99.251.150.181
 set security-association lifetime seconds 28800
 set transform-set PEER1
 set pfs group2
 match address 112
!
access-list 112 permit ip host 192.168.45.254 192.168.66.0 0.0.0.255

Cisco2811#sh crypto isakmp policy

Global IKE policy
Protection suite of priority 3
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               28800 seconds, no volume limit



Mikrotik RB450G v6.27

/ip address
add address=192.168.66.1/24 interface=ether2-master-local network=\
    192.168.66.0
add address=99.251.150.181/24 interface=ether1 network=\
    99.251.150.0

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=aes-256-cbc  lifetime=8h

/ip ipsec peer
add address=212.66.129.54/32 enc-algorithm=des exchange-mode=aggressive \
    hash-algorithm=md5 lifetime=8h nat-traversal=no secret=SeCrEtKeY
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.45.0/24 sa-dst-address=212.66.129.54 sa-src-address=\
    99.251.150.181 src-address=192.168.66.0/24 tunnel=yes

Sunday, 13 March 2016

Systemd custom script start/stop

You need two files: the script and the .service file (unit configuration file).
Make sure your script is executable and the first line (the shebang) is #!/bin/sh. Then create the .service file in /etc/systemd/system (a plain text file, let's call it vgaoff.service).
For example:
  1. the script: /usr/bin/vgaoff
  2. the unit file: /etc/systemd/system/vgaoff.service
Now, edit the unit file. Its content depends on how your script works:
If vgaoff just powers off the gpu, e.g.:
exec blah-blah pwrOFF etc 
then the content of vgaoff.service should be:
[Unit]
Description=Power-off gpu

[Service]
Type=oneshot
ExecStart=/usr/bin/vgaoff

[Install]
WantedBy=multi-user.target
If vgaoff is used to power off the GPU and also to power it back on, e.g.:
start() {
  exec blah-blah pwrOFF etc
}

stop() {
  exec blah-blah pwrON etc
}

case $1 in
  start|stop) "$1" ;;
esac
then the content of vgaoff.service should be:
[Unit]
Description=Power-off gpu

[Service]
Type=oneshot
ExecStart=/usr/bin/vgaoff start
ExecStop=/usr/bin/vgaoff stop
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Once you're done with the files, enable the service:
systemctl enable vgaoff.service
It should start automatically after rebooting the machine.

http://unix.stackexchange.com/questions/47695/how-to-write-startup-script-for-systemd
http://www.freedesktop.org/software/systemd/man/systemd.service.html