ssl - how to generate a pem certificate with Openssl using 'TLS1_ECDHE_RSA' ciphers for fips platform -


i want generate '.pem' certificate openssl using 'tls1_ecdhe_rsa_' ciphers fips platform. also, using elliptic curve 'sec384r1'.

the certs using on non-fips platform not working on fips platform though size of key 2048 bits.

i using load balancer between client , server. here configuration:

using curl on client:

curl -v -o ssl_ecdhe.txt -tls1.2 http://30.1.1.101/ssl_ecdhe.txt

using openssl on server:

/usr/local/ssl/bin/openssl s_server -accept 443 -cert /root/2k.pem -key /root/2k.key -tls1_2 -named_curve secp384r1 -www -msg

configuration on load balancer:

slb template server-ssl srvssl    cipher tls1_ecdhe_rsa_aes_128_sha    ec-name secp384r1    version 33 33  ! slb server main-server 20.1.1.1    port 443 tcp      health-check-disable  ! slb service-group main-service-gp-ssl tcp    member main-server 443  ! slb virtual-server main-vip 30.1.1.101    port 80 http      service-group main-service-gp-ssl      template server-ssl srvssl

please me this. 

srv31(~)#openssl x509 -in 2k.pem -text -noout certificate:     data:         version: 1 (0x0)         serial number:             d8:43:e6:a9:22:23:ea:49         signature algorithm: md5withrsaencryption         issuer: c=us, st=california, l=sanjose, o=a1, ou=regression, cn=regression/emailaddress=regression@networks.com         validity             not before: sep 29 21:56:06 2008 gmt             not after : sep 27 21:56:06 2018 gmt         subject: c=us, st=california, l=sanjose, o=a1, ou=regression, cn=regression/emailaddress=regression@networks.com         subject public key info:             public key algorithm: rsaencryption                 public-key: (2048 bit)                 modulus:                     00:b9:b7:bd:68:39:16:7d:77:29:51:db:51:73:2f:                     6b:83:36:df:0b:8c:d2:03:75:4c:02:2b:66:ea:8d:                     95:70:eb:5d:c6:45:f8:58:e4:ae:8b:b4:05:29:11:                     bd:93:f9:ef:97:33:ec:1a:c7:d2:d5:03:4a:a1:08:                     3b:0b:a9:9c:f5:ad:14:e6:02:60:1a:67:e3:c4:c0:                     ff:00:18:c4:78:5c:a1:16:d0:84:c7:ab:86:7c:42:                     05:d8:2d:43:d3:f4:2b:d7:29:0f:7e:da:7f:88:1f:                     92:81:65:0b:01:67:ac:5c:35:06:6d:77:9c:b2:b7:                     a1:84:69:54:ca:df:5b:02:62:41:f1:7d:73:fe:c0:                     52:ce:9f:58:c7:0b:18:87:78:eb:b1:9a:c6:af:c0:                     86:ab:ab:e5:02:28:5a:44:aa:66:d2:e2:7b:60:a2:                     93:63:6f:6a:15:7b:97:7a:57:8a:c3:41:ec:d2:38:                     cd:ba:62:20:03:0c:ea:16:f1:45:3a:66:5e:1d:a1:                     16:23:8e:09:72:76:d6:d6:2d:d5:2c:26:de:b3:56:                     16:22:a7:15:49:7c:0a:07:74:4c:5a:e3:6e:fd:e4:                     51:c9:58:f3:92:88:e2:89:af:a9:3c:36:39:d2:23:                     cc:c0:32:f4:8d:63:bb:de:a4:cc:91:c3:75:77:8d:                     aa:9b                 exponent: 65537 (0x10001)     signature algorithm: md5withrsaencryption         44:05:cb:91:d5:1d:f8:c7:21:7b:de:8e:be:bf:ed:c6:a8:f7:         86:be:a8:a8:96:42:d6:b6:a3:d6:79:42:e4:37:0d:88:d8:e2:         91:05:d1:45:14:0b:93:45:c2:97:f6:dc:0d:82:ae:97:9e:67:         e1:70:44:0d:fa:ed:a1:e0:d6:7a:8f:27:97:4b:de:81:75:7b:         5f:8d:86:28:e3:4d:19:24:a2:27:5f:76:cb:f2:ca:8b:3f:ff:         d5:eb:b9:73:5c:a4:21:e9:30:15:50:bc:68:a2:55:50:67:b4:         bb:2b:5e:a1:b1:9d:6d:1a:ca:29:ba:b1:74:62:a2:80:85:9e:         85:48:96:66:d6:40:9b:fe:da:ee:fd:4a:32:ab:e0:b6:34:88:         93:dd:92:60:0b:12:09:ae:b7:57:8a:c8:2b:0c:03:4c:75:fc:         ed:0b:6c:a6:d3:9b:b7:d4:88:9e:35:f6:66:23:3b:2a:64:e6:         a4:fa:d2:5a:68:81:02:4d:a8:0b:fd:a4:f2:a3:14:5e:26:fe:         f5:cc:54:01:2e:bc:1e:ee:37:5d:3b:d7:0e:2e:5c:a5:e0:ce:         79:ac:95:56:39:3b:b7:91:46:2f:30:c6:37:60:d0:07:11:58:         d8:8d:40:a6:a1:00:51:7f:90:aa:67:23:12:e5:d6:25:11:8c:         c4:45:32:7f

x509 certificate generation using open ssl tool straight forward. not sure how fips platform loads certificates , terminates ssl connections, please provide bit more information application server , versions able help.

you run these commands generate key/csr , certificate.

  1. openssl genrsa -des3 -out yournameforkey.key 2048

  2. openssl req -new -key yournameforkey.key -out yourdomain.csr

  3. openssl req -x509 ..........


Comments

Post a Comment

Popular posts from this blog

Is there a better way to structure post methods in Class Based Views -

i'm using class based views in django , never specify url in ajax calls , omit action parameter in form because know these requests go through post method of class based view. notice view - profile page make many requests depending on user updating on page - post method become convoluted , if/else mess example: def post(self, request, *args, **kwargs): # handle user changing available date if request.post.get('availabledate') != none: self.updateavailabledate(request) return jsonresponse({'result':'success'}) if request.post.get('newprojectname') != none: creative_user = creativeuserprofile.objects.get(id = request.user.id) project = project.create_project(creative_user, request.post['newprojectname']) project.save() return jsonresponse({'projectid': project.id }) if request.post.get('projectimage') != none , request.files['file']: proj...
Read more

performance - Why is XCHG reg, reg a 3 micro-op instruction on modern Intel architectures? -

i'm doing micro-optimization on performance critical part of code , came across sequence of instructions (in at&t syntax): add %rax, %rbx mov %rdx, %rax mov %rbx, %rdx i thought had use case xchg allow me shave instruction , write: add %rbx, %rax xchg %rax, %rdx however, dimay found agner fog's instruction tables , xchg 3 micro-op instruction 2 cycle latency on sandy bridge, ivy bridge, broadwell, haswell , skylake. 3 whole micro-ops , 2 cycles of latency! 3 micro-ops throws off 4-1-1-1 cadence , 2 cycle latency makes worse original in best case since last 2 instructions in original might execute in parallel. now... cpu might breaking instruction micro-ops equivalent to: mov %rax, %tmp mov %rdx, %rax mov %tmp, %rdx where tmp anonymous internal register , suppose last 2 micro-ops run in parallel latency 2 cycles. given register renaming occurs on these micro-architectures, though, doesn't make sense me done way. why wouldn't register renamer ...
Read more

c# - Asp.net web api : redirect unauthorized requst to forbidden page -

im trying redirect unauthorized request forbidden page instead i'm getting forbidden page in response body , how can fix ? here's startup class : app.createperowincontext(storecontext.create); app.createperowincontext<applicationusermanager>(applicationusermanager.create); app.createperowincontext<applicationsigninmanager>(applicationsigninmanager.create); app.usecookieauthentication(new cookieauthenticationoptions { authenticationtype = defaultauthenticationtypes.applicationcookie, expiretimespan = timespan.fromdays(30), }); app.useexternalsignincookie(defaultauthenticationtypes.externalcookie); app.usetwofactorsignincookie(defaultauthenticationtypes.twofactorcookie, timespan.fromminutes(5)); app.usetwofactorrememberbrowsercookie(defaultauthenticationtypes.twofactorrememberbrowsercookie); the method im trying reach : [httpget] [authorize(roles = "admin")] public string getcurrentusername() { return userman...
Read more