Tag Archives: Encryption

Generating SSH key pair

SSH key pair is a set of private/public keys used in securing network communication. These keys are normally required for passwordless SSH login to a remote host running SSH daemon (sshd). Here is how you would generate a pair of RSA keys:

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/nirbhay/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/nirbhay/.ssh/id_rsa.
Your public key has been saved in /home/nirbhay/.ssh/id_rsa.pub.
The key fingerprint is:
5f:1a:b5:50:a8:b6:d6:2b:48:1b:b6:df:4c:54:a2:28 nirbhay@nirbhay-VirtualBox
The key's randomart image is:
+--[ RSA 2048]----+
|           ..    |
|          ..     |
|         .o o    |
|       .o. = .   |
|       ...o      |
$ ls ~/.ssh/
id_rsa  id_rsa.pub

Now that we have the private/public key pair, all you need to do is append the contents of the public key (id_rsa.pub) to the ~/.ssh/authorized_keys file on the remote machine (that file should have mode 600). DO NOT share the private key (id_rsa).

Note: On Debian-based distributions, ssh-keygen is provided by the openssh-client package.

Generating SSL certificates

** The (self-signed) SSL certificate generated by the procedure described in this article should be used for testing purposes only **

Generating an SSL certificate is very simple. All you need is the openssl package installed on your system. A key point to note here is that an SSL certificate contains a public key, which is always generated as part of a pair with a private key. Here is the step-by-step procedure to generate one:

  1. Private key
    Let's first generate a 2048-bit RSA private key.

    openssl genrsa -out privkey.pem 2048

    $ openssl genrsa -out privkey.pem 2048
    Generating RSA private key, 2048 bit long modulus
    unable to write 'random state'
    e is 65537 (0x10001)
    $ ls

    So, we have the private key in place. This will be used to generate the certificate.

    If “unable to write 'random state'” bothers you, see this for a possible solution: http://stackoverflow.com/a/94458

  2. The self-signed certificate
    A certificate can now be generated using the following command.

    openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

    $ openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [AU]:XX
    State or Province Name (full name) [Some-State]:XX
    Locality Name (eg, city) []:XX
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:XX
    Organizational Unit Name (eg, section) []:XX
    Common Name (e.g. server FQDN or YOUR name) []:XX
    Email Address []:XX
    $ ls
    cacert.pem  privkey.pem

These files can easily be tested by starting a test SSL/TLS server (s_server(1)) and connecting to it with a client (s_client(1)).

$ openssl s_server -port <port> -cert /path/to/cacert.pem -key /path/to/privkey.pem

$ openssl s_client -host <server-host> -port <server-port> -CAfile /path/to/cacert.pem

The client side needs the certificate as a trust anchor (-CAfile) so that it can verify the self-signed server certificate; the private key stays on the server and is never given to the client.
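The same two openssl steps, as an added example that is not part of the original post: a small shell script that generates the key and self-signed certificate non-interactively (the DN prompts are answered with -subj), restricts the private key file to its owner, and then checks what you would want to know before using the pair with s_server/s_client, namely that the certificate really carries the public key derived from privkey.pem and that it verifies against itself as a trust anchor. The function names, the output directory and the CN value are assumptions of this example.

```bash
#!/bin/sh
# Added example, not the original post's code. Assumes openssl is on PATH.
set -eu

# make_test_cert DIR CN -> writes DIR/privkey.pem and DIR/cacert.pem
make_test_cert() {
  dir=$1
  cn=$2
  mkdir -p "$dir"
  # Same 2048-bit RSA key as the interactive step.
  openssl genrsa -out "$dir/privkey.pem" 2048 2>/dev/null
  # The private key must only be readable by its owner.
  chmod 600 "$dir/privkey.pem"
  # -subj supplies the Distinguished Name so no prompts are shown;
  # only the CN is set here, the other DN fields are left blank.
  openssl req -new -x509 -key "$dir/privkey.pem" -out "$dir/cacert.pem" \
    -days 1095 -subj "/CN=$cn" 2>/dev/null
}

# cert_matches_key CERT KEY -> exit 0 when the public key embedded in the
# certificate equals the public key derived from the private key.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# self_signed_verifies CERT -> exit 0 when the certificate validates with
# itself as the only trust anchor, which is what s_client -CAfile relies on.
self_signed_verifies() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# cert_cn CERT -> prints the CN from the certificate subject (works with the
# "subject= /CN=x" and "subject=CN = x" output styles of different versions).
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}
```

Run make_test_cert on a scratch directory, then point s_server at the two files and s_client at cacert.pem with -CAfile; if cert_matches_key fails, the certificate was signed with a different key than the one you are about to hand to s_server.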

Reference : https://www.openssl.org/docs/HOWTO/
That's all!