Generating private keys with openssl

Keys are the basis of public key algorithms and PKI. Keys usually come in pairs, with one half being the public key and the other half being the private key. With OpenSSL, the private key contains the public key information as well, so a public key doesn’t need to be generated separately.

Public keys come in several flavours, each using a different cryptographic algorithm. The two historically most common in certificates are RSA and DSA, and this article will show how to generate each of them.

Generating an RSA key

An RSA key can be used both for encryption and for signing. Generating one is quite easy; all you have to do is the following:

  openssl genrsa -des3 -out privkey.pem 2048

That will generate a private key which is password protected (it will prompt you for the password during generation). The -des3 option encrypts the key with Triple DES; newer OpenSSL releases also accept -aes256, which is the better choice if you have it. If you don't want the key password protected at all (usually for server-side use, where it has to be loaded without a prompt) then leave the -des3 parameter out, i.e.:

  openssl genrsa -out privkey.pem 2048

The number 2048 is the size of the key in bits. Today 2048 or higher is recommended for RSA keys; smaller keys are considered insecure. Whichever form you use, the file that comes out is the private key, so check that it isn't readable by other users.

Generating a DSA key

A DSA key can be used for signing only. This is important to keep in mind to know what kind of purposes a certificate request with a DSA key can really be used for.

Generating a key for the DSA algorithm is a two-step process: first generate the parameters from which the key will be derived, then generate the key itself.

  openssl dsaparam -out dsaparam.pem 2048
  openssl gendsa -des3 -out privkey.pem dsaparam.pem

As with RSA, 2048 is the size of the key in bits; anything smaller than 2048 is insecure by today's standards.

Again, the -des3 parameter (or -aes256, where supported) will prompt you for a pass phrase; for server use leave it out:

  openssl dsaparam -out dsaparam.pem 2048
  openssl gendsa -out privkey.pem dsaparam.pem
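As an added example (not part of the original article), here are the RSA and DSA commands from both sections above wrapped in small shell functions that create the key file with owner-only permissions, take the passphrase from the environment rather than the command line, and check the result afterwards. It assumes openssl 1.0.2 or newer on the PATH; the file names and the KEYPASS variable are this example's own choices.

```shell
#!/bin/sh
# Added example: the genrsa/gendsa commands wrapped so the key file is never
# world-readable, the passphrase is not visible in ps or shell history, and
# the result is verified. Assumes openssl 1.0.2+ on PATH.
set -u

# $1 = output file, $2 = size in bits, $3 = passphrase ("" = unencrypted,
# the usual choice for a server key that must load without a prompt).
gen_rsa_key() {
    out=$1; bits=$2; pass=${3:-}
    if [ -n "$pass" ]; then
        # -aes256 instead of the older -des3; -passout env: reads the
        # passphrase from the KEYPASS environment variable (our name).
        ( umask 077 && KEYPASS="$pass" openssl genrsa -aes256 \
            -passout env:KEYPASS -out "$out" "$bits" 2>/dev/null )
    else
        ( umask 077 && openssl genrsa -out "$out" "$bits" 2>/dev/null )
    fi
}

# DSA is a two-step process: parameters first, then the key.
# $1 = output file, $2 = size in bits, $3 = passphrase ("" = unencrypted).
gen_dsa_key() {
    out=$1; bits=$2; pass=${3:-}
    params="$out.params"
    openssl dsaparam -out "$params" "$bits" 2>/dev/null || return 1
    if [ -n "$pass" ]; then
        ( umask 077 && KEYPASS="$pass" openssl gendsa -aes256 \
            -passout env:KEYPASS -out "$out" "$params" 2>/dev/null )
    else
        ( umask 077 && openssl gendsa -out "$out" "$params" 2>/dev/null )
    fi
}

# The private key file already holds the public half; this writes it out
# separately for distribution. $1 = key file, $2 = public key file,
# $3 = passphrase if the key is encrypted.
extract_pubkey() {
    KEYPASS=${3:-} openssl pkey -in "$1" -passin env:KEYPASS \
        -pubout -out "$2" 2>/dev/null
}

# Print the key size in bits so a too-small key is noticed before it is
# used. $1 = key file, $2 = passphrase if encrypted.
key_bits() {
    KEYPASS=${2:-} openssl pkey -in "$1" -passin env:KEYPASS -noout -text 2>/dev/null |
        sed -n '1s/.*(\([0-9][0-9]*\) bit.*/\1/p'
}

# Permission string of a file, e.g. -rw------- for an owner-only key.
file_mode() { ls -ld "$1" | cut -c1-10; }
```

Typical use is gen_rsa_key server.key 2048 "" followed by key_bits server.key and file_mode server.key; an encrypted key is made with a non-empty third argument and read back by passing the same passphrase to key_bits or extract_pubkey. Note that 2048-bit DSA parameter generation is slow, often a minute or more, which is one more reason the page's two-step sequence keeps the parameters in their own file.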

Installing the latest Firefox on Linux Mint

This probably applies to Ubuntu as well, but on my Linux Mint 10 install it was stuck on Firefox 3.5 with the occasional updates so how do you get the latest Firefox to install with updates?

Well, it's pretty simple. First make sure Firefox isn't running, then:

 sudo add-apt-repository ppa:mozillateam/firefox-stable
 sudo apt-get update
 sudo apt-get install firefox ubufox

That's all that's needed. Bear in mind that adding a PPA trusts its signing key for every package it publishes, and those packages are installed as root, so only add repositories you have reason to trust.

How to flush the DNS Cache on OSX

I keep forgetting this one, hence writing it up. Every so often you need to flush the local DNS cache, usually because you've made a change to some DNS record and want to test it immediately.

dscacheutil -flushcache

It’s that simple – so simple it’s an easy one to forget 😦

How to add a static route on OSX

I've just had this one with a PPTP VPN: one network was accessible over it but another behind it wasn't, so I had to add a static route.

First you need to know the addresses of the VPN connection's point-to-point link:

sabrina:table peter$ ifconfig ppp0
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1444
 inet 192.168.1.3 --> 192.168.1.1 netmask 0xffffff00

Here the address we want is the first one, 192.168.1.3, the local end of the link (the second, 192.168.1.1, is the remote end). Using the local address as the gateway tells the kernel to send the traffic out of ppp0; "route add -net 192.168.2.0/24 -interface ppp0" does the same thing without having to look the address up.

Now to create the route

sabrina:table peter$ sudo route add -net 192.168.2.0/24 192.168.1.3
Password:
add net 192.168.2.0: gateway 192.168.1.3

That's it; the route will work as long as the VPN connection stays up. When you disconnect it will be removed and you'll have to add it again later.
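The same steps as a small script, added here as an example and not taken from the original post: it reads the local and remote ends of the link out of the ifconfig output instead of copying them by hand, and it validates the network string before anything reaches route(8), so a slip such as the "192l168.2.0/24" typo is rejected rather than producing a confusing error. It assumes BSD/macOS ifconfig output in the "inet LOCAL --> PEER" form shown above; the function names are this example's own.

```shell
#!/bin/sh
# Added example: derive a VPN static route from the ppp interface and
# validate the destination network first. Assumes macOS/BSD ifconfig output.
set -u

# Read ifconfig output on stdin and print "LOCAL PEER" for the first
# point-to-point inet line, e.g. "192.168.1.3 192.168.1.1".
ppp_endpoints() {
    sed -n 's/^[[:space:]]*inet \([0-9.][0-9.]*\) --> \([0-9.][0-9.]*\) .*/\1 \2/p' | head -n 1
}

# Accept only dotted-quad/prefix with each octet 0-255 and prefix 0-32.
valid_cidr() {
    cidr=$1
    ip=${cidr%/*}; prefix=${cidr#*/}
    [ "$ip" != "$cidr" ] || return 1                      # no "/" at all
    case "$prefix" in ''|*[!0-9]*) return 1;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs          # split octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the route command for network $1 via gateway $2 (the local end of
# the link, as the post does). Refuses a malformed network.
route_cmd() {
    valid_cidr "$1" || { echo "bad network: $1" >&2; return 1; }
    echo "route add -net $1 $2"
}

# Interactive wrapper: $1 = network/prefix, $2 = ppp interface (e.g. ppp0).
add_vpn_route() {
    endpoints=$(ifconfig "$2" | ppp_endpoints)
    [ -n "$endpoints" ] || { echo "$2 has no point-to-point address" >&2; return 1; }
    cmd=$(route_cmd "$1" "${endpoints%% *}") || return 1
    echo "+ $cmd"
    sudo $cmd
}
```

Run it as add_vpn_route 192.168.2.0/24 ppp0; the remote end (the second field from ppp_endpoints) is printed for reference but is not what the route needs.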

Installing latest mercurial when Ubuntu or Linux Mint repos don’t have it

Ah, I just hit an interesting problem with Mercurial. I had a repository which had been created with a recent version, but I had to restore it from a backup onto another machine, and then I couldn't commit to it because its format wasn't supported:

$ hg st
abort: requirement ‘dotencode’ not supported!

The reason is that the dotencode format was only introduced in Mercurial 1.7, so if you're running an earlier version you'll get this error. OK, so upgrade. The problem is that according to apt I had the latest version, 1.6.3. Erm, nope, that's not the latest.

Thankfully the fix is simple: all you need is to add the correct repository (whose signing key apt will then trust for everything it publishes) before installing the latest version:

sudo add-apt-repository ppa:mercurial-ppa/releases
sudo apt-get update
sudo apt-get install mercurial

Once you’ve done that then you’ll find mercurial will work again as expected.

Compiling Java 7.0 on OS X

Since the announcement by Apple last week about deprecating Java on OS X, there have been a few people wanting to know how to compile OpenJDK on the Mac.

Although I've not done this for JDK 6, this article covers how to compile and use the current development version of JDK 7.0 on OS X.

First a few notes:

  1. This only enables Java 7 within an X environment; native UIs, one of the main parts of the Apple JVM, are not supported
  2. When I tested this by running NetBeans 7.0 M2 within X the menus were a bit screwy – try it and you'll see what I mean
  3. These instructions are for 10.5.8 but should work for 10.6.x
  4. This is for Intel processors only

So, a word of warning: don't expect this to work, or to work well, and don't use it in production; JDK 7 isn't due out for another 12 months or so.

OK, first we need a bootstrap JDK 6 environment. This is needed for some of the initial Java compilation during the build. The Apple JVM can't be used for this, so we need to download and install the i386 SoyLatte JDK binaries. Don't get the amd64 version, get the i386 one.

Once you have it downloaded, copy it to /usr/local/soylatte16-i386-1.0.3 and test it:

sabrina:~ peter$ /usr/local/soylatte16-i386-1.0.3/bin/java -version
java version "1.6.0_03-p3"
Java(TM) SE Runtime Environment (build 1.6.0_03-p3-landonf_19_aug_2008_14_55-b00)
Java HotSpot(TM) Server VM (build 1.6.0_03-p3-landonf_19_aug_2008_14_55-b00, mixed mode)

Next create a blank directory under which we will build everything. I’m using ~/dev/ojdk but you could use any directory. Under this we need to create a couple of directories and some symlinks:

sabrina:~ peter$ mkdir -p dev/ojdk
sabrina:~ peter$ cd dev/ojdk
sabrina:~ peter$ mkdir -p bin ALT_COMPILER_PATH
sabrina:~ peter$ cd ALT_COMPILER_PATH
sabrina:~ peter$ ln -s /usr/bin .SOURCE
sabrina:~ peter$ ln -s .SOURCE/g++-4.0 g++
sabrina:~ peter$ ln -s .SOURCE/gcc-4.0 gcc
sabrina:~ peter$ cd ../bin

Now in the bin directory you need to create two scripts. Fortunately these are readily available from http://gist.github.com/617451, specifically update.sh and update-usr-local.sh. Copy these two files into the bin directory and ensure they are executable. Both are sourced into your own shell later on, and the second one writes under /usr/local, so read through them before running them.

Now open update.sh in your favourite editor and find the line with ALT_COMPILER_PATH in it. Change it to hold the full path to the ALT_COMPILER_PATH directory defined above. In my case this looks like:

ALT_COMPILER_PATH=/Users/peter/dev/ojdk/ALT_COMPILER_PATH/ \

Next we need to check out a copy of the source (fclone comes from Mercurial's forest extension, which has to be enabled):

sabrina:~ peter$ cd ~/dev/ojdk
sabrina:~ peter$ hg fclone http://hg.openjdk.java.net/bsd-port/bsd-port bsd

We should now be set up. The last step is to run a build. This can be done at any time; it will check for any updates, clear down and then run a full build:

sabrina:~ peter$ cd ~/dev/ojdk/bsd
sabrina:~ peter$ source ../bin/update.sh

If all goes well, after about 20 minutes you should see something like the following at the end of the build:

testing build: ./build/bsd-amd64/j2sdk-image/bin/java -version

openjdk version "1.7.0-internal"
OpenJDK Runtime Environment (build 1.7.0-internal-peter_2010_10_25_11_19-b00)
OpenJDK 64-Bit Server VM (build 19.0-b05, mixed mode)

If the build succeeds, the last step is to install it under /usr/local/java-1.7.0:

sabrina:~ peter$ cd ~/dev/ojdk/bsd
sabrina:~ peter$ source ../bin/update-usr-local.sh

To use Java 7 you simply point the application at the installed JDK, usually by setting JAVA_HOME=/usr/local/java-1.7.0 and running $JAVA_HOME/bin/java:

sabrina:bin peter$ /usr/local/java-1.7.0/bin/java -version
openjdk version "1.7.0-internal"
OpenJDK Runtime Environment (build 1.7.0-internal-peter_2010_10_25_11_19-b00)
OpenJDK 64-Bit Server VM (build 19.0-b05, mixed mode)
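A pre-flight check for the procedure above, added as an example and not part of the original post or the gist it refers to: it verifies the bootstrap JDK really reports a 1.6 runtime, and it creates the ALT_COMPILER_PATH tree idempotently while refusing to continue if gcc-4.0 and g++-4.0 are not where they should be, so a wrong prerequisite shows up before the 20-minute build rather than partway through it. The function names and the check itself are this example's own; the paths are the ones used above.

```shell
#!/bin/sh
# Added example: check the build's prerequisites before starting it.
# Assumes the layout from the post (~/dev/ojdk, SoyLatte under /usr/local).
set -u

# Extract "major.minor" from a `java -version` banner read on stdin,
# e.g.  java version "1.6.0_03-p3"  ->  1.6
java_major_minor() {
    sed -n 's/^[a-z]* version "\([0-9]*\.[0-9]*\).*/\1/p' | head -n 1
}

# Succeed only if the JDK rooted at $1 reports a 1.6 runtime, which is what
# the bootstrap step needs.
check_bootstrap_jdk() {
    ver=$("$1/bin/java" -version 2>&1 | java_major_minor)
    [ "$ver" = "1.6" ]
}

# Create the ALT_COMPILER_PATH tree under $1 pointing at the compilers in
# $2 (normally /usr/bin). Re-running is safe; missing tools are an error.
setup_alt_compiler_path() {
    dir=$1; src=$2
    mkdir -p "$dir"
    for tool in gcc-4.0 g++-4.0; do
        [ -x "$src/$tool" ] || { echo "missing $src/$tool" >&2; return 1; }
    done
    ln -sfn "$src" "$dir/.SOURCE"
    ln -sfn .SOURCE/gcc-4.0 "$dir/gcc"
    ln -sfn .SOURCE/g++-4.0 "$dir/g++"
}

# Tie it together with the paths from the post when run directly.
preflight() {
    base=${1:-$HOME/dev/ojdk}
    check_bootstrap_jdk /usr/local/soylatte16-i386-1.0.3 ||
        { echo "bootstrap JDK is not a 1.6 runtime" >&2; return 1; }
    setup_alt_compiler_path "$base/ALT_COMPILER_PATH" /usr/bin || return 1
    for s in update.sh update-usr-local.sh; do
        [ -x "$base/bin/$s" ] || { echo "$base/bin/$s missing or not executable" >&2; return 1; }
    done
    echo "ready: ALT_COMPILER_PATH=$base/ALT_COMPILER_PATH/"
}
```

Run preflight before the source ../bin/update.sh step; the last line it prints is the value to paste into update.sh.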

Configure a VPN under Linux

Although NetworkManager on Ubuntu supports VPNs, it doesn't always work, so this article describes how to set up a PPTP VPN client under Linux. Although it's Ubuntu specific (this works with 9.10 and 10.04), it should work for most distributions. One caveat before starting: PPTP is a legacy protocol whose MS-CHAPv2 authentication and MPPE encryption are known to be breakable, so treat a PPTP link as little better than an unencrypted one and prefer a modern VPN where you have the choice.

What you need

You need to know:

  • The remote IP address of the vpn server
  • The remote network address range
  • A remote name to give to this connection
  • remote username and password

What we’ll use for this article:

  • remote Server Ip – 192.168.2.100
  • remote network address range – 192.168.3.0/24
  • remote Name – myvpn
  • name – peter
  • password – password

Installation

First you need to install the PPTP client and pppd (pptpd is the PPTP server; a client doesn't need it, and installing it would start a listening PPTP service on your machine):

peter@kira:~$ sudo apt-get install pptp-linux ppp

Configuration

Now as root create /etc/ppp/peers/myvpn with the following content, replacing the example values listed above with your own:

peter@kira:~$ sudo vi /etc/ppp/peers/myvpn
pty "pptp 192.168.2.100 --nolaunchpppd"
#debug
#nodetach
#logfd 2
noproxyarp
ipparam myvpn
remotename myvpn
name peter
require-mppe-128
nobsdcomp
nodeflate
lock
noauth
refuse-eap

Next edit /etc/ppp/chap-secrets and add the following line (the file holds the password in clear text, so it must stay owned by root with mode 0600):

peter@kira:~$ sudo vi /etc/ppp/chap-secrets
peter  myvpn  password *

Now edit (create if missing) /etc/ppp/ip-up.d/add-subnet with the following:

peter@kira:~$ sudo vi /etc/ppp/ip-up.d/add-subnet
#!/bin/bash
# pppd runs every script in ip-up.d once a link is up; only act for our peer
if [ "$PPP_IPPARAM" = "myvpn" ]
then
    route add -net 192.168.3.0/24 dev "$PPP_IFACE"
fi

If you created the add-subnet script then make it executable (the directory is owned by root, hence sudo):

peter@kira:~$ sudo chmod +x /etc/ppp/ip-up.d/add-subnet

Running the VPN Connection

Now if you have configured everything correctly you’ll be able to start the vpn with

peter@kira:~$ sudo pon myvpn

To stop the vpn:

peter@kira:~$ sudo poff myvpn

If it does not work first time, uncomment the three debug lines (debug, nodetach and logfd 2) in /etc/ppp/peers/myvpn. When you do, the pon command will not return, but it will log what it's doing.

You may also have to tweak the other parameters in that file so it's specific to your VPN.

Name resolution

The above will get you up and running with the actual connection but does nothing about configuring DNS.

What you can do is either:

  • Manually edit /etc/resolv.conf each time with the remote DNS servers
  • Extend /etc/ppp/ip-up.d/add-subnet to rewrite resolv.conf when the link comes up
  • Add hosts directly into your local /etc/hosts file
  • Run a local BIND nameserver that forwards the remote zones to the remote DNS server

I actually use the latter with a local bind nameserver.
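As an added example (not part of the original article), here is a fuller version of the ip-up.d hook that covers both the add-subnet script above and the second of the name-resolution options: it keeps a small table of peer name to subnets instead of a single hard-coded route, and, when pppd has been told usepeerdns, it backs up resolv.conf and rewrites it with the nameservers the server handed out. It assumes the Debian/Ubuntu ip-up wrapper, which exports PPP_IFACE and PPP_IPPARAM to the scripts, and pppd's DNS1/DNS2 variables; the subnet table is constructed sample data and the function names are this example's own.

```shell
#!/bin/sh
# Added example: /etc/ppp/ip-up.d hook driven by a peer->subnet table.
# Assumes PPP_IFACE / PPP_IPPARAM (Debian ip-up wrapper) and DNS1 / DNS2
# (pppd with "usepeerdns" in the peer file) are in the environment.
set -u

# peer-name  subnet  (one pair per line; constructed sample data)
VPN_SUBNETS='
myvpn     192.168.3.0/24
myvpn     10.20.0.0/16
othervpn  172.16.5.0/24
'

# Print the subnets that belong to peer $1, one per line.
subnets_for() {
    printf '%s\n' "$VPN_SUBNETS" | awk -v peer="$1" '$1 == peer { print $2 }'
}

# Render a resolv.conf body: $1 = search domain ("" for none), remaining
# arguments = nameserver addresses; empty addresses are skipped.
render_resolv() {
    domain=$1; shift
    if [ -n "$domain" ]; then printf 'search %s\n' "$domain"; fi
    for ns in "$@"; do
        if [ -n "$ns" ]; then printf 'nameserver %s\n' "$ns"; fi
    done
}

# Privileged part: only runs when pppd invokes us for a peer we know about.
if [ -n "${PPP_IPPARAM:-}" ] && [ -n "${PPP_IFACE:-}" ]; then
    subnets_for "$PPP_IPPARAM" | while read -r net; do
        # "replace" rather than "add" so a stale route from a previous
        # connection does not make the whole hook fail.
        ip route replace "$net" dev "$PPP_IFACE"
    done
    if [ -n "${DNS1:-}" ]; then
        # keep the original so an ip-down.d script can restore it
        cp /etc/resolv.conf "/etc/resolv.conf.pre-$PPP_IPPARAM"
        render_resolv "" "${DNS1:-}" "${DNS2:-}" > /etc/resolv.conf
    fi
fi
```

Install it as a root-owned, executable file in /etc/ppp/ip-up.d, and pair it with an ip-down.d script that moves /etc/resolv.conf.pre-myvpn back into place; the routes themselves disappear with the interface when the link drops, as the post notes.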