The latest articles on DEV Community by Fakhrulhilal M (@fakhrulhilal). https://dev.to/fakhrulhilal https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F129924%2F56fcd649-5f4b-4f93-994d-3d33f0c26e26.png https://dev.to/fakhrulhilal en Fakhrulhilal M Thu, 29 Jul 2021 09:00:29 +0000 https://dev.to/fakhrulhilal/applying-ci-cd-for-classic-asp-project-1c0h https://dev.to/fakhrulhilal/applying-ci-cd-for-classic-asp-project-1c0h <p>A new challenge to add CI/CD support for classic ASP. You might be wondering why I take care of classic ASP project for nowadays😂. But I believe one of you know the reason already😁. Classic ASP project doesn't have configuration system by default. It used to store in ordinary ASP file and place anything in VBscript variables, f.e. config.asp. Fortunately, they used to store in centralized place, so we don't have to scan all configurations in many files.<br> So the basic idea is simple, introduce placeholder format and replace it before deploying. Let's use <code>#PLACEHOLDER#</code> as an example. I prefer to use all caps so I can pay attention easily what needed to be changed. See example below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight vb"><code><span class="o">&lt;</span><span class="err">%</span> <span class="k">Dim</span> <span class="nv">cfgSocials</span> <span class="k">Set</span> <span class="n">cfgSocials</span> <span class="o">=</span> <span class="n">Server</span><span class="p">.</span><span class="n">CreateObject</span><span class="p">(</span><span class="s">"Scripting.Dictionary"</span><span class="p">)</span> <span class="n">cfgSocials</span><span class="p">.</span><span class="n">Add</span> <span class="s">"github"</span><span class="p">,</span> <span class="s">"#SOCIAL_GITHUB#"</span> <span class="n">cfgSocials</span><span class="p">.</span><span class="n">Add</span> <span class="s">"twitter"</span><span class="p">,</span> <span class="s">"#SOCIAL_TWITTER#"</span> <span class="n">cfgSocials</span><span class="p">.</span><span class="n">Add</span> <span class="s">"linkedin"</span><span class="p">,</span> <span class="s">"#SOCIAL_LINKEDIN#"</span> <span class="n">cfgSocials</span><span class="p">.</span><span class="n">Add</span> <span class="s">"email"</span><span class="p">,</span> <span class="s">"#SOCIAL_EMAIL#"</span> <span class="k">Dim</span> <span class="nv">cfgSite</span> <span class="k">Set</span> <span class="n">cfgSite</span> <span class="o">=</span> <span class="n">Server</span><span class="p">.</span><span class="n">CreateObject</span><span class="p">(</span><span class="s">"Scripting.Dictionary"</span><span class="p">)</span> <span class="n">cfgSite</span><span class="p">.</span><span class="n">Add</span> <span class="s">"name"</span><span class="p">,</span> <span class="s">"Portofolio"</span> <span class="n">cfgSite</span><span class="p">.</span><span class="n">Add</span> <span class="s">"fullname"</span><span class="p">,</span> <span class="s">"#FULL_NAME#"</span> <span class="n">cfgSite</span><span class="p">.</span><span class="n">Add</span> <span class="s">"address"</span><span class="p">,</span> <span class="s">"#ADDRESS#"</span> <span class="err">%</span><span class="o">&gt;</span> </code></pre> </div> <p>After that, all we need to do read file content, and do find-replace based on placeholder. I'm a fan of powershell, because it's easy to write the script and its dotnet support is deadly insane👍. Here's the quick snippet<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="kr">function</span><span class="w"> </span><span class="nf">Get-Value</span><span class="p">([</span><span class="n">string</span><span class="p">]</span><span class="nv">$Key</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nv">$Value</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$Configs</span><span class="p">[</span><span class="nv">$Key</span><span class="p">]</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="o">-not</span><span class="p">([</span><span class="n">string</span><span class="p">]::</span><span class="n">IsNullOrEmpty</span><span class="p">(</span><span class="nv">$Value</span><span class="p">)))</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nv">$Value</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">else</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="p">[</span><span class="n">System.Environment</span><span class="p">]::</span><span class="n">GetEnvironmentVariable</span><span class="p">(</span><span class="nv">$Key</span><span class="p">)</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="nv">$PlaceholderPattern</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="n">regex</span><span class="p">]::</span><span class="n">new</span><span class="p">(</span><span class="s1">'#(?&lt;placeholder&gt;\w+)#'</span><span class="p">)</span><span class="w"> </span><span class="nv">$ParsedContent</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-Content</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$Path</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="o">%</span><span class="p">{</span><span class="w"> </span><span class="nv">$PlaceholderPattern</span><span class="o">.</span><span class="nf">Replace</span><span class="p">(</span><span class="bp">$_</span><span class="p">,</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="kr">param</span><span class="p">(</span><span class="nv">$Match</span><span class="p">)</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="nv">$Match</span><span class="o">.</span><span class="nf">Success</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nv">$Value</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-Value</span><span class="w"> </span><span class="nt">-Key</span><span class="w"> </span><span class="nv">$Match</span><span class="o">.</span><span class="n">Groups</span><span class="p">[</span><span class="s1">'placeholder'</span><span class="p">]</span><span class="o">.</span><span class="nf">Value</span><span class="w"> </span><span class="nx">if</span><span class="w"> </span><span class="p">(</span><span class="o">-not</span><span class="p">([</span><span class="n">string</span><span class="p">]::</span><span class="n">IsNullOrEmpty</span><span class="p">(</span><span class="nv">$Value</span><span class="p">)))</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nv">$Value</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">else</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nv">$Match</span><span class="o">.</span><span class="nf">Value</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">else</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nv">$Match</span><span class="o">.</span><span class="nf">Value</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">})</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="n">Set-Content</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$Path</span><span class="w"> </span><span class="nt">-Value</span><span class="w"> </span><span class="nv">$ParsedContent</span><span class="w"> </span></code></pre> </div> <p>In azure pipeline, it exposes all variables to environment variables. So it's easy to populate from pipeline definition to file. </p> <p>Take a look at <a href="https://dev.azure.com/fakhrulhilal/OpenSource/_git/asp-classic-demo">demo repo</a> and give me feedback😊. I put all the details there.</p> aspclassic ci transformation pipeline Fakhrulhilal M Sun, 04 Jul 2021 05:27:49 +0000 https://dev.to/fakhrulhilal/getting-started-with-gpg-key-5eea https://dev.to/fakhrulhilal/getting-started-with-gpg-key-5eea <h2> Configuring Git and GPG </h2> <p>After installing <a href="https://git-scm.com/downloads">git</a>, you need to add git's binary path to the PATH environment, located in <code>%ProgramFiles%\Git\usr\bin</code>. </p> <h2> GPG Key </h2> <h3> Create new key </h3> <p>Generate a key: <code>gpg --default-new-key-algo rsa4096 --gen-key</code>. After that, check again with this command: <code>gpg --list-secret-keys --keyid-format LONG</code>, result example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>gpg <span class="nt">--list-secret-keys</span> <span class="nt">--keyid-format</span> LONG /c/Users/fmaktum/.gnupg/pubring.gpg <span class="nt">-----------------------------------</span> sec rsa4096/E170165D27E434C2 2018-07-22 <span class="o">[</span>SC] <span class="o">[</span>expires: 2022-07-23] FE428E022494CC3ED85ACDD3E170165D27E434C2 uid <span class="o">[</span>ultimate] Fakhrulhilal Maktum &lt;fakhrulhilal@gmail.com&gt; uid <span class="o">[</span>ultimate] Fakhrulhilal Maktum &lt;fakhrulhilal@outlook.com&gt; uid <span class="o">[</span>ultimate] <span class="o">[</span>jpeg image of size 13093] ssb rsa4096/C0D8267ED759FC4B 2018-07-22 <span class="o">[</span>E] <span class="o">[</span>expires: 2022-07-23] </code></pre> </div> <p>in that case, key ID is <code>3AA5C34371567BD2</code>.</p> <p>Next, we need to associate with the email address. To do that, we need to edit first by this command: <code>gpg --edit-key 3AA5C34371567BD2</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg&gt; adduid Real name: Fakhrulhilal Maktum Email address: fakhrulhilal@outlook.com Comment: You selected this USER-ID: <span class="s2">"Fakhrulhilal Maktum &lt;fakhrulhilal@outlook.com&gt;"</span> Change <span class="o">(</span>N<span class="o">)</span>ame, <span class="o">(</span>C<span class="o">)</span>omment, <span class="o">(</span>E<span class="o">)</span>mail or <span class="o">(</span>O<span class="o">)</span>kay/<span class="o">(</span>Q<span class="o">)</span>uit? o </code></pre> </div> <p>Optionally, we can add the picture (suggested to use 240x288)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gpg&gt; addphoto </code></pre> </div> <p>After all changes, we can know save it<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg&gt; save </code></pre> </div> <h3> Extending Expired Public Key </h3> <p>You need to edit the key by using this command: <code>gpg --edit-key</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg&gt; expire Changing expiration <span class="nb">time </span><span class="k">for </span>a subkey. Please specify how long the key should be valid. 0 <span class="o">=</span> key does not expire &lt;n&gt; <span class="o">=</span> key expires <span class="k">in </span>n days &lt;n&gt;w <span class="o">=</span> key expires <span class="k">in </span>n weeks &lt;n&gt;m <span class="o">=</span> key expires <span class="k">in </span>n months &lt;n&gt;y <span class="o">=</span> key expires <span class="k">in </span>n years Key is valid <span class="k">for</span>? <span class="o">(</span>0<span class="o">)</span> 2y Key expires at Sun Jul 24 06:36:28 2022 SEAST Is this correct? <span class="o">(</span>y/N<span class="o">)</span> y sec rsa4096/E170165D27E434C2 created: 2018-07-22 expires: 2023-07-23 usage: SC trust: ultimate validity: ultimate ssb<span class="k">*</span> rsa4096/C0D8267ED759FC4B created: 2018-07-22 expires: 2022-07-23 usage: E <span class="o">[</span>ultimate] <span class="o">(</span>1<span class="o">)</span><span class="nb">.</span> Fakhrulhilal Maktum &lt;fakhrulhilal@gmail.com&gt; <span class="o">[</span>ultimate] <span class="o">(</span>2<span class="o">)</span> Fakhrulhilal Maktum &lt;fakhrulhilal@outlook.com&gt; <span class="o">[</span>ultimate] <span class="o">(</span>3<span class="o">)</span> <span class="o">[</span>jpeg image of size 13093] gpg&gt; key 1 sec rsa4096/E170165D27E434C2 created: 2018-07-22 expires: 2023-07-23 usage: SC trust: ultimate validity: ultimate ssb rsa4096/C0D8267ED759FC4B created: 2018-07-22 expires: 2022-07-23 usage: E <span class="o">[</span>ultimate] <span class="o">(</span>1<span class="o">)</span><span class="nb">.</span> Fakhrulhilal Maktum &lt;fakhrulhilal@gmail.com&gt; <span class="o">[</span>ultimate] <span class="o">(</span>2<span class="o">)</span> Fakhrulhilal Maktum &lt;fakhrulhilal@outlook.com&gt; <span class="o">[</span>ultimate] <span class="o">(</span>3<span class="o">)</span> <span class="o">[</span>jpeg image of size 13093] gpg&gt; expire Changing expiration <span class="nb">time </span><span class="k">for </span>the primary key. Please specify how long the key should be valid. 0 <span class="o">=</span> key does not expire &lt;n&gt; <span class="o">=</span> key expires <span class="k">in </span>n days &lt;n&gt;w <span class="o">=</span> key expires <span class="k">in </span>n weeks &lt;n&gt;m <span class="o">=</span> key expires <span class="k">in </span>n months &lt;n&gt;y <span class="o">=</span> key expires <span class="k">in </span>n years Key is valid <span class="k">for</span>? <span class="o">(</span>0<span class="o">)</span> 2y Key expires at Sun Jul 24 06:36:36 2022 SEAST Is this correct? <span class="o">(</span>y/N<span class="o">)</span> y sec rsa4096/E170165D27E434C2 created: 2018-07-22 expires: 2022-07-23 usage: SC trust: ultimate validity: ultimate ssb rsa4096/C0D8267ED759FC4B created: 2018-07-22 expires: 2022-07-23 usage: E <span class="o">[</span>ultimate] <span class="o">(</span>1<span class="o">)</span><span class="nb">.</span> Fakhrulhilal Maktum &lt;fakhrulhilal@gmail.com&gt; <span class="o">[</span>ultimate] <span class="o">(</span>2<span class="o">)</span> Fakhrulhilal Maktum &lt;fakhrulhilal@outlook.com&gt; <span class="o">[</span>ultimate] <span class="o">(</span>3<span class="o">)</span> <span class="o">[</span>jpeg image of size 13093] </code></pre> </div> <p>The first key is for extending primary key, the second command is for extending sub encryption key.</p> <h3> Backup GPG Key </h3> <p>The easy way to backup all keys is by copy-paste the database</p> <ul> <li>public keys: <code>%UserProfile%\.gnupg\pubring.gpg</code> </li> <li>secret keys: <code>%UserProfile%\.gnupg\secring.gpg</code> </li> <li>trust db: <code>%UserProfile%\.gnupg\trustdb.gpg</code> </li> </ul> <p><a href="http://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration.html">GPG manual</a> suggests this command to backup trust db: <code>gpg --export-ownertrust &gt; gpg-owner-trust.txt</code>.</p> <p>To backup individual key:</p> <ul> <li>public key: <code>gpg --armor --export E170165D27E434C2 &gt; public.gpg</code> </li> <li>secret key: <code>gpg --armor --export-secret-key E170165D27E434C2&gt; secret.asc</code> </li> </ul> <p>Or you can use the email address instead of the key ID, f.e. <code>git --armor --export fakhrulhilal@gmail.com &gt; public.gpg</code>. Note that, secret key always contains public key.</p> <p>We can also publish the GPG key to public server with this command: <code>gpg --keyserver [server address] --send-keys fakhrulhilal@gmail.com</code>. Some notable PGP public key servers:</p> <ul> <li>pgp.mit.edu</li> <li>pgp.key-server.io</li> <li>keyserver.pgp.com</li> </ul> <h3> Import/Restore GPG Key </h3> <p>Importing secret key (along with public key): <code>gpg --import fakhrulhilal@gmail.com.asc</code>. After that, import all owner trust: <code>gpg --import-ownertrust gpg-owner-trust.txt</code>. Alternatively, we can trust by each key:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>gpg <span class="nt">--edit-key</span> fakhrulhilal@gmail.com gpg&gt; trust Your decision? 5 <span class="o">(</span>Ultimate trust<span class="o">)</span> </code></pre> </div> <h3> Sharing GPG key to public key server </h3> <p>Below is currently active keyservers:</p> <ul> <li>pgp.mit.edu</li> <li>keyserver.ubuntu.com</li> <li>keys.openpgp.org</li> <li>keyserver1.pgp.com</li> </ul> <p>To upload the key using gpg command, use <code>gpg --keyserver the_server --send-keys E170165D27E434C2</code>. Another way is by uploading manually to them. So we need to go their website and upload the key, commonly, they accept ASCII version of public key (<code>gpg --export --armor E170165D27E434C2</code>)</p> <h2> Associating Git with GPG </h2> <h3> Setting GPG key for git commit </h3> <p>Set the key by using this command: <code>git config user.signingkey E170165D27E434C2</code>. And then we can sign the commit by <a href="https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work"><code>-S</code></a> option. Alternatively, we can force all commit to be signed using this command <code>git config commit.gpgsign true</code>, so we don't have to specify <code>-S</code> parameter each time committing the change.</p> <h3> Uploading public key to github </h3> <p>First, we need to backup the public key as follows: <code>gpg --armor --export E170165D27E434C2 &gt; fakhrulhilal.gpg</code></p> <ol> <li>Login to your github account</li> <li>Go to menu Settings &gt; SSH and GPG keys</li> <li>Add new gpg key</li> <li>Copy-paste from <code>fakhrulhilal.gpg</code> content then save it</li> </ol> <h2> References </h2> <ul> <li><a href="https://docs.github.com/en/github/authenticating-to-github/generating-a-new-gpg-key">Github: Generating a new GPG key</a></li> <li><a href="https://docs.github.com/en/github/authenticating-to-github/telling-git-about-your-signing-key">Github: Telling Git about your signing key</a></li> <li><a href="https://gist.github.com/chrisroos/1205934">Backup/restore GPG key</a></li> </ul> gpg openpgp git signing Fakhrulhilal M Sun, 04 Jul 2021 05:15:51 +0000 https://dev.to/fakhrulhilal/creating-ssl-certificate-with-custom-ca-402e https://dev.to/fakhrulhilal/creating-ssl-certificate-with-custom-ca-402e <h2> Creating Default OpenSSL Config File </h2> <div class="ltag_gist-liquid-tag"> </div> <h2> Creating Custom Root CA </h2> <p>Creating the CA key:<br> <code>openssl genrsa -des3 -out root-CA.key 4096</code><br> Note: remove <code>-des</code> option to create key without password</p> <p>Creating self sign CA certificate<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">openssl</span><span class="w"> </span><span class="nx">req</span><span class="w"> </span><span class="nt">-x509</span><span class="w"> </span><span class="nt">-new</span><span class="w"> </span><span class="nt">-nodes</span><span class="w"> </span><span class="nt">-key</span><span class="w"> </span><span class="nx">root-CA.key</span><span class="w"> </span><span class="nt">-sha256</span><span class="w"> </span><span class="nt">-days</span><span class="w"> </span><span class="nx">3650</span><span class="w"> </span><span class="nt">-out</span><span class="w"> </span><span class="nx">root-CA.crt</span><span class="w"> </span><span class="se">` </span><span class="w"> </span><span class="nt">-subj</span><span class="w"> </span><span class="s2">"/C=ID/O=Dev lab/CN=Dev lab Root CA"</span><span class="w"> </span><span class="se">` </span><span class="w"> </span><span class="nt">-addext</span><span class="w"> </span><span class="s1">'keyUsage = cRLSign, keyCertSign, digitalSignature'</span><span class="w"> </span><span class="se">` </span><span class="w"> </span><span class="nt">-addext</span><span class="w"> </span><span class="s1">'extendedKeyUsage = critical, serverAuth, clientAuth, codeSigning, emailProtection, timeStamping'</span><span class="w"> </span><span class="se">` </span><span class="w"> </span><span class="nt">-addext</span><span class="w"> </span><span class="s1">'subjectKeyIdentifier=hash'</span><span class="w"> </span><span class="se">` </span><span class="w"> </span><span class="nt">-addext</span><span class="w"> </span><span class="s1">'authorityKeyIdentifier=keyid:always,issuer:always'</span><span class="w"> </span><span class="se">` </span><span class="w"> </span><span class="nt">-addext</span><span class="w"> </span><span class="s2">"basicConstraints = critical, CA:TRUE"</span><span class="w"> </span></code></pre> </div> <p>Explanations:</p> <ul> <li><p><code>subj</code><br> create unattended answer subject</p></li> <li><p><code>basicConstraints</code><br> <em>CA:TRUE</em> means it's issuer</p></li> <li><p><code>keyUsage</code><br> determine what's this cert for: certificate signing (<em>keyCertSign</em>), CRL signing (<em>cRLSign</em>), digital signature</p></li> <li><p><code>extendedKeyUsage</code><br> an extended version of <code>keyUsage</code>: server authentication (<em>serverAuth</em>), client authentication (<em>clientAuth</em>), file/code signing (<em>codeSigning</em>), S/MIME signing (<em>emailProtection</em>), time stamping</p></li> <li><p><code>subjectKeyIdentifier</code><br> identifier of this cert</p></li> <li><p><code>authoritykKeyIdentifier</code></p></li> </ul> <p>the identifier which signs the cert, if it's root cert, then it should be itself</p> <p>Shorter version</p> <p><code>openssl req -config openssl.cnf -x509 -new -nodes -key root-CA.key -out root-CA.crt -days 3650 -extensions ca_cert -subj "/C=ID/O=Dev Lab/CN=Dev Lab Root CA"</code></p> <p>Reference: <a href="https://www.openssl.org/docs/manmaster/man5/x509v3_config.html">OpenSSL man page</a></p> <p>Inspect root CA certificate<br> <code>openssl x509 -noout -text -in root-CA.crt</code></p> <p>Convert into PKCS12 (.pfx) format<br> <code>openssl pkcs12 -export -name "Root CA" -out root-CA.pfx -inkey root-CA.key -in root-CA.crt</code><br> Then import the pfx file into local machine placed under <em>Trusted Root Certification Authorities</em></p> <h2> Creating Intermediate CA </h2> <p>Creating the intermedia CA key<br> <code>openssl genrsa -out server-CA.key 4096</code></p> <p>Creating intermediate certificate request</p> <p><code>openssl req -new -key server-CA.key -out server-CA.csr -subj "/C=ID/O=Dev Lab/OU=Development/CN=Dev Lab Server CA"</code></p> <p>Sign the intermedia CA certificate's request with CA's key and cert:<br> <code>openssl x509 -extfile openssl.cnf -req -in server-CA.csr -CA root-CA.crt -CAkey root-CA.key -CAcreateserial -out server-CA.crt -extensions ica_cert -days 3650</code></p> <p>Inspect root CA certificate<br> <code>openssl x509 -noout -text -in server-CA.crt</code></p> <p>Convert into PKCS12 format<br> <code>openssl pkcs12 -export -name "Dev lab Server CA" -inkey server-CA.key -in server-CA.crt -out server-CA.pfx</code><br> Then import the pfx file into local machine placed under <em>Intermediate Certification Authorities</em></p> <h2> Creating User Certificate </h2> <p>Creating the certificate key<br> <code>openssl genrsa -out dev.lab.key 2048</code></p> <p>Before moving on, the openssl config is configured to accept subject alternate name from environment variable named <code>SAN</code> (see line 176), so you need to configure first, otherwise, it will fail: <code>$Env:SAN = 'DNS:*.dev.lab, DNS:dev.lab'</code>. You can set it to the same as CN if you don't want to assign it to wilcard domain. We can also assign it to IP address as follows: <code>$Env:SAN = 'DNS:*.dev.lab,DNS:dev.lab,DNS:localhost,IP:127.0.0.1'</code>. After that, we can continue to create certificate request<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">openssl</span><span class="w"> </span><span class="nx">req</span><span class="w"> </span><span class="nt">-new</span><span class="w"> </span><span class="nt">-key</span><span class="w"> </span><span class="nx">dev.lab.key</span><span class="w"> </span><span class="nt">-out</span><span class="w"> </span><span class="nx">dev.lab.csr</span><span class="w"> </span><span class="nt">-subj</span><span class="w"> </span><span class="s2">"/C=ID/ST=Jakarta/O=Dev Home/OU=Development/CN=*.dev.lab"</span><span class="w"> </span></code></pre> </div> <p>Sign the certificate request using server CA's key and certificate<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">openssl</span><span class="w"> </span><span class="nx">x509</span><span class="w"> </span><span class="nt">-extfile</span><span class="w"> </span><span class="nx">openssl.cnf</span><span class="w"> </span><span class="nt">-extensions</span><span class="w"> </span><span class="nx">web_cert</span><span class="w"> </span><span class="nt">-req</span><span class="w"> </span><span class="nt">-CA</span><span class="w"> </span><span class="nx">server-CA.crt</span><span class="w"> </span><span class="se">` </span><span class="w"> </span><span class="nt">-CAkey</span><span class="w"> </span><span class="nx">server-CA.key</span><span class="w"> </span><span class="nt">-CAcreateserial</span><span class="w"> </span><span class="nt">-days</span><span class="w"> </span><span class="nx">365</span><span class="w"> </span><span class="se">` </span><span class="w"> </span><span class="nt">-in</span><span class="w"> </span><span class="nx">dev.lab.csr</span><span class="w"> </span><span class="nt">-out</span><span class="w"> </span><span class="nx">dev.lab.crt</span><span class="w"> </span></code></pre> </div> <p>Convert into PKCS12 format<br> <code>openssl pkcs12 -export -name "dev.lab Certificate" -inkey dev.lab.key -in dev.lab.crt -out dev.lab.pfx</code></p> <p>Import the .pfx file into local machine using default location.</p> <h2> Creating S/MIME Certificate </h2> <p>Creating the certificate key</p> <p><code>openssl genrsa -out iroel-email.key 2048</code></p> <p>Creating certificate request<br> <code>openssl req -new -key iroel-email.key -out iroel-email.csr -subj "/C=ID/ST=Jakarta/CN=Fakhrulhilal Maktum/emailAddress=iroel@dev.lab" -addext "subjectAltName = email:iroel@dev.lab, email:iroel@other.lab"</code></p> <p>Sign the certificate request using server CA's key and certificate<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$</span><span class="nn">Env</span><span class="p">:</span><span class="nv">SAN</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">'email:iroel@dev.lab, email:iroel@dev.test'</span><span class="w"> </span><span class="n">openssl</span><span class="w"> </span><span class="nx">x509</span><span class="w"> </span><span class="nt">-extfile</span><span class="w"> </span><span class="nx">openssl.cnf</span><span class="w"> </span><span class="nt">-extensions</span><span class="w"> </span><span class="nx">smime_cert</span><span class="w"> </span><span class="nt">-req</span><span class="w"> </span><span class="nt">-CA</span><span class="w"> </span><span class="nx">server-CA.crt</span><span class="w"> </span><span class="se">` </span><span class="w"> </span><span class="nt">-CAkey</span><span class="w"> </span><span class="nx">server-CA.key</span><span class="w"> </span><span class="nt">-CAcreateserial</span><span class="w"> </span><span class="nt">-setalias</span><span class="w"> </span><span class="s2">"Dev email certificate"</span><span class="w"> </span><span class="se">` </span><span class="w"> </span><span class="nt">-in</span><span class="w"> </span><span class="nx">iroel-email.csr</span><span class="w"> </span><span class="nt">-out</span><span class="w"> </span><span class="nx">iroel-email.crt</span><span class="w"> </span><span class="nt">-trustout</span><span class="w"> </span><span class="nt">-days</span><span class="w"> </span><span class="nx">365</span><span class="w"> </span></code></pre> </div> <p>Convert into PKCS12 format<br> <code>openssl pkcs12 -export -name "wilcard.dev.lab Certificate" -inkey dev.lab.key -in dev.lab.crt -out dev.lab.pfx</code></p> <p>Import the .pfx file into local machine using default location.</p> <h2> Installing Certificates </h2> <h3> Installing CAs' Certificate </h3> <ol> <li>Install root certificate (root-CA.crt) to <em>Trusted Root Certification Authorities</em> in machine level</li> <li>Install intermediate certificate (server-CA.crt) to <em>Intermediate Certification Authorities</em> </li> </ol> <h3> Install IIS Express Certificate </h3> <p>Install the certificate in Local Machine wide and in default location (Personal). Run this powershell with administrator privilege. Friendly name is <code>-name</code> parameter value when converting into PKCS12 format.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$PfxPassword</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">'pfx_password'</span><span class="w"> </span><span class="c">#$Certificate = Get-ChildItem Cert:\LocalMachine\My | ?{ $_.FriendlyName -eq 'localhost' }</span><span class="w"> </span><span class="nv">$Certificate</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-PfxCertificate</span><span class="w"> </span><span class="nt">-FilePath</span><span class="w"> </span><span class="o">.</span><span class="nx">\dev.lab.pfx</span><span class="w"> </span><span class="nt">-Password</span><span class="w"> </span><span class="p">(</span><span class="n">ConvertTo-SecureString</span><span class="w"> </span><span class="nt">-String</span><span class="w"> </span><span class="nv">$PfxPassword</span><span class="w"> </span><span class="nt">-AsPlainText</span><span class="p">)</span><span class="w"> </span><span class="nv">$IisExpress</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-CimInstance</span><span class="w"> </span><span class="nx">Win32_Product</span><span class="w"> </span><span class="nt">-Filter</span><span class="w"> </span><span class="s1">'Name like "IIS%Express%"'</span><span class="w"> </span><span class="kr">for</span><span class="w"> </span><span class="p">(</span><span class="nv">$Port</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">44300</span><span class="p">;</span><span class="w"> </span><span class="nv">$Port</span><span class="w"> </span><span class="o">-lt</span><span class="w"> </span><span class="mi">44400</span><span class="p">;</span><span class="w"> </span><span class="nv">$Port</span><span class="o">++</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">netsh</span><span class="w"> </span><span class="nx">http</span><span class="w"> </span><span class="nx">delete</span><span class="w"> </span><span class="nx">sslcert</span><span class="w"> </span><span class="nx">ipport</span><span class="o">=</span><span class="mf">0.0</span><span class="o">.</span><span class="nf">0</span><span class="o">.</span><span class="nf">0</span><span class="p">:</span><span class="nv">$Port</span><span class="w"> </span><span class="n">netsh</span><span class="w"> </span><span class="nx">http</span><span class="w"> </span><span class="nx">add</span><span class="w"> </span><span class="nx">sslcert</span><span class="w"> </span><span class="nx">ipport</span><span class="o">=</span><span class="mf">0.0</span><span class="o">.</span><span class="nf">0</span><span class="o">.</span><span class="nf">0</span><span class="p">:</span><span class="nv">$Port</span><span class="w"> </span><span class="n">certhash</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nv">$Certificate</span><span class="o">.</span><span class="nf">Thumbprint</span><span class="si">)</span><span class="s2">"</span><span class="w"> </span><span class="n">appid</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nv">$IisExpress</span><span class="o">.</span><span class="nf">IdentifyingNumber</span><span class="si">)</span><span class="s2">"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Installing Kestrel Certificate </h3> <ol> <li><p>Using environment variable<br> <code>ASPNETCORE_Kestrel__Certificates__Default__Path</code> = path to pfx file<br> <code>ASPNETCORE_Kestrel__Certificates__Default__Password</code> = pfx's password</p></li> <li><p>Using appsettings.json<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Kestrel"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Certificates"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Default"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"path/to/pfx/file"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Password"</span><span class="p">:</span><span class="w"> </span><span class="s2">"pfx's password"</span><span class="p">,</span><span class="w"> </span><span class="err">/*</span><span class="w"> </span><span class="err">or</span><span class="w"> </span><span class="err">using</span><span class="w"> </span><span class="err">.crt</span><span class="w"> </span><span class="err">and</span><span class="w"> </span><span class="err">key</span><span class="w"> </span><span class="err">file</span><span class="w"> </span><span class="err">*/</span><span class="w"> </span><span class="err">/*</span><span class="w"> </span><span class="nl">"Path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"path/to/crt/file"</span><span class="p">,</span><span class="w"> </span><span class="nl">"KeyPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"path/to/key/file"</span><span class="w"> </span><span class="err">*/</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Reference: <a href="https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel/endpoints">Configure endpoints for the ASP.NET Core Kestrel web server</a></p> <ol> <li>Using dotnet tool: <code>dotnet dev-certs https --clean -i .\dev.lab.pfx -p the_password</code> </li> </ol> <h3> Installing remote desktop certificate </h3> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$PfxPassword</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">'pfx_password'</span><span class="w"> </span><span class="c">#$Certificate = Get-ChildItem Cert:\LocalMachine\My | ?{ $_.FriendlyName -eq 'localhost' }</span><span class="w"> </span><span class="nv">$Certificate</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-PfxCertificate</span><span class="w"> </span><span class="nt">-FilePath</span><span class="w"> </span><span class="o">.</span><span class="nx">\dev.lab.pfx</span><span class="w"> </span><span class="nt">-Password</span><span class="w"> </span><span class="p">(</span><span class="n">ConvertTo-SecureString</span><span class="w"> </span><span class="nt">-String</span><span class="w"> </span><span class="nv">$PfxPassword</span><span class="w"> </span><span class="nt">-AsPlainText</span><span class="p">)</span><span class="w"> </span><span class="n">wmic</span><span class="w"> </span><span class="nx">/namespace:\\root\cimv2\TerminalServices</span><span class="w"> </span><span class="nx">PATH</span><span class="w"> </span><span class="nx">Win32_TSGeneralSetting</span><span class="w"> </span><span class="nx">Set</span><span class="w"> </span><span class="nx">SSLCertificateSHA1Hash</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nv">$Certificate</span><span class="o">.</span><span class="nf">Thumbprint</span><span class="si">)</span><span class="s2">"</span><span class="w"> </span></code></pre> </div> <p><br> `</p> openssl certificate x509 selfsign