Converting SSL certificates

Often when you buy or receive a new certificate you need it in a different format, depending on the platform that will use it.

PEM Format

The PEM format is the most common format that CAs issue certificates in. PEM certificates usually have extensions such as .pem, .crt, .cer, and .key. They are Base64-encoded ASCII files and contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. Server certificates, intermediate certificates, and private keys can all be put into the PEM format.

Apache and other similar servers like Citrix NetScaler use PEM format certificates. Several PEM certificates, and even the private key, can be included in one file, one below the other, but most platforms, such as Apache, expect the certificates and private key to be in separate files.

DER Format

The DER format is simply the binary encoding of a certificate instead of the Base64 ASCII of PEM. It sometimes has a file extension of .der, but it often has a file extension of .cer, so the only way to tell the difference between a DER .cer file and a PEM .cer file is to open it in a text editor and look for the BEGIN/END lines (a DER file shows only binary garbage). All types of certificates and private keys can be encoded in DER format. DER is typically used with Java-related platforms.

PKCS#7/P7B Format

The PKCS#7 or P7B format is usually stored in Base64 ASCII format and has a file extension of .p7b or .p7c. P7B files contain "-----BEGIN PKCS7-----" and "-----END PKCS7-----" lines. A P7B file only contains certificates and chain certificates, never the private key. Several platforms support P7B files, including Microsoft Windows and Java Tomcat.

PKCS#12/PFX Format

The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one password-protected file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates together with their private keys.

When converting a PFX file to PEM format, OpenSSL puts all the certificates and the private key into a single file, each block preceded by "Bag Attributes" and subject/issuer lines. You will need to open the file in a text editor and copy each certificate and the private key (including the BEGIN/END lines) to its own text file, saving them as certificate.cer, CACert.cer, and privateKey.key respectively.

OpenSSL Commands to Convert SSL Certificates

There are several online converters for SSL certificates, but I urge you to convert the certificate locally with OpenSSL. You don't want to store your PRIVATE key on someone else's machine; if you convert locally, the private key never leaves yours. A good point here is that you should have some form of disk encryption on your laptop, so that if the PC/laptop is stolen the keys remain safe. Use the following OpenSSL commands to convert an SSL certificate to different formats:

OpenSSL Convert PEM

Convert PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM to P7B

openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

Convert PEM to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

OpenSSL Convert DER

Convert DER to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

OpenSSL Convert P7B

Convert P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert P7B to PFX

First extract the certificates from the P7B into PEM:

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Then package them with the private key. If the CA chain is in a separate file:

openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

If certificate.cer already contains the whole chain (or there are no intermediates), the -certfile option can be dropped:

openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx

OpenSSL Convert PFX

Convert PFX to PEM

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

Note that -nodes writes the private key to certificate.cer unencrypted; keep that file on encrypted storage and delete it once the key has been moved to where it is needed. Without -nodes, OpenSSL prompts for a passphrase and writes an encrypted key instead. On OpenSSL 3.x the option is spelled -noenc (-nodes is still accepted as an alias).
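The following script is an added example, not part of the original post: it generates a throwaway self-signed key and certificate, pushes them through the PEM, DER, P7B and PFX conversions listed above, splits the PFX-to-PEM bundle into separate files the way the text describes doing by hand, and proves nothing was lost by comparing SHA-256 fingerprints and public keys. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH; the file names, the work directory and the export password are chosen for this demo only.

```shell
#!/bin/sh
# Added example (not from the original post): round-trip a test certificate
# through PEM, DER, P7B and PFX and verify the conversions preserved it.
# Assumes `openssl` (1.1.1 or 3.x) on PATH; names and password are demo values.
set -eu

WORK=${WORK:-$(mktemp -d)}
PFX_PASS="demo-only-password"   # for real exports use -passout file:... or env:..., not a literal

# Throwaway self-signed certificate plus unencrypted key (constructed test material, not a CA-issued cert).
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cert-conversion-demo" \
    -keyout "$WORK/privateKey.key" -out "$WORK/certificate.pem" 2>/dev/null
}

# SHA-256 fingerprint of the first certificate in a file; $2 selects pem or der input.
fingerprint() {
  openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Public key derived from a private key file, so two keys can be compared without dumping secrets.
pubkey_of() {
  openssl pkey -in "$1" -pubout
}

# Split a PEM bundle (what `openssl pkcs12 -nodes` writes) into cert-N.pem / key-N.key,
# dropping the "Bag Attributes" and subject/issuer lines that sit between the blocks.
split_pem() {
  awk -v dir="$2" '
    /^-----BEGIN / { kind = ($0 ~ /PRIVATE KEY/) ? "key" : "cert"; n[kind]++
                     out = dir "/" kind "-" n[kind] (kind == "key" ? ".key" : ".pem"); inblock = 1 }
    inblock        { print > out }
    /^-----END /   { inblock = 0; close(out) }
  ' "$1"
}

# PEM -> DER -> PEM: same certificate, different encoding; prints ok when fingerprints agree.
roundtrip_der() {
  openssl x509 -outform der -in "$WORK/certificate.pem" -out "$WORK/certificate.der"
  openssl x509 -inform der -in "$WORK/certificate.der" -out "$WORK/from-der.pem"
  if [ "$(fingerprint "$WORK/certificate.pem" pem)" = "$(fingerprint "$WORK/certificate.der" der)" ] &&
     [ "$(fingerprint "$WORK/certificate.pem" pem)" = "$(fingerprint "$WORK/from-der.pem" pem)" ]; then
    echo ok
  else
    echo MISMATCH; return 1
  fi
}

# PEM -> P7B -> PEM: a P7B carries certificates only, so no key may appear on the way back.
roundtrip_p7b() {
  openssl crl2pkcs7 -nocrl -certfile "$WORK/certificate.pem" -out "$WORK/certificate.p7b"
  openssl pkcs7 -print_certs -in "$WORK/certificate.p7b" -out "$WORK/from-p7b.pem"
  if grep -q "PRIVATE KEY" "$WORK/from-p7b.pem"; then echo "KEY LEAKED"; return 1; fi
  if [ "$(fingerprint "$WORK/certificate.pem" pem)" = "$(fingerprint "$WORK/from-p7b.pem" pem)" ]; then
    echo ok
  else
    echo MISMATCH; return 1
  fi
}

# PEM + key -> PFX -> PEM bundle -> separate files; verify certificate and key both survived.
roundtrip_pfx() {
  openssl pkcs12 -export -out "$WORK/certificate.pfx" -inkey "$WORK/privateKey.key" \
    -in "$WORK/certificate.pem" -passout "pass:$PFX_PASS"
  # -nodes writes the private key in the clear: keep bundle.pem on encrypted disk and remove it when done.
  openssl pkcs12 -in "$WORK/certificate.pfx" -nodes -passin "pass:$PFX_PASS" -out "$WORK/bundle.pem"
  split_pem "$WORK/bundle.pem" "$WORK"
  if [ "$(fingerprint "$WORK/certificate.pem" pem)" = "$(fingerprint "$WORK/cert-1.pem" pem)" ] &&
     [ "$(pubkey_of "$WORK/privateKey.key")" = "$(pubkey_of "$WORK/key-1.key")" ]; then
    echo ok
  else
    echo MISMATCH; return 1
  fi
}

if [ "${1:-}" = "run" ]; then
  make_test_material
  echo "DER: $(roundtrip_der)  P7B: $(roundtrip_p7b)  PFX: $(roundtrip_pfx)"
fi
```

Run it as `sh convert-demo.sh run`; every file it creates lands in a fresh temporary directory (override with `WORK=/path`). The split_pem function does with awk what the text above suggests doing in a text editor, which matters when the PFX contains several intermediates and you would otherwise miss one.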


Policy Based Routing HPE Aruba 3800 series

Today I was busy with some Policy Based Routing (PBR) on an HPE Aruba 3800 series switch.

Situation:

[diagram: pbr-3800]

The default gateway is set to 172.16.1.1, which is ISP A, a line dedicated to business traffic.

So in the config of the switch

ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip routing

Let's assume that we have another ISP, named B, which needs to be used for Office 365, in particular Exchange Online. The cleanest option would actually be the other way around: Microsoft has a lot of IP addresses which change on a regular basis, so my advice would be to set the default gateway to ISP B and write a PBR policy only for the things that should go to ISP A. The example below shows the mechanics with the default route left on ISP A and Exchange Online traffic steered to next hop 172.16.1.2. Users in VLAN 5 need to have this in place.

We start by creating a class that contains the IPv4 addresses for Exchange Online listed on Microsoft's Office 365 endpoints page. The class name is case sensitive. Also note that you cannot use normal subnet masks here: the switch accepts them, but the match does not work. Use wildcard (inverse) masks instead, where a set bit means "don't care".

class ipv4 "Office365-Subnets"
5 match ip 0.0.0.0 255.255.255.255 13.107.6.152 0.0.0.1
10 match ip 0.0.0.0 255.255.255.255 13.107.9.152 0.0.0.1
15 match ip 0.0.0.0 255.255.255.255 13.107.18.10 0.0.0.1
20 match ip 0.0.0.0 255.255.255.255 13.107.19.10 0.0.0.1
25 match ip 0.0.0.0 255.255.255.255 23.103.160.0 0.0.15.255
30 match ip 0.0.0.0 255.255.255.255 23.103.224.0 0.0.31.255
35 match ip 0.0.0.0 255.255.255.255 40.96.0.0 0.7.255.255
40 match ip 0.0.0.0 255.255.255.255 40.104.0.0 0.3.255.255
45 match ip 0.0.0.0 255.255.255.255 70.37.151.128 0.0.0.127
50 match ip 0.0.0.0 255.255.255.255 111.221.112.0 0.0.7.255
55 match ip 0.0.0.0 255.255.255.255 131.253.33.215 0.0.0.0
60 match ip 0.0.0.0 255.255.255.255 132.245.1.128 0.0.0.127
65 match ip 0.0.0.0 255.255.255.255 132.245.2.0 0.0.1.255
70 match ip 0.0.0.0 255.255.255.255 132.245.4.0 0.0.3.255
75 match ip 0.0.0.0 255.255.255.255 132.245.8.0 0.0.7.255
80 match ip 0.0.0.0 255.255.255.255 132.245.16.0 0.0.15.255
85 match ip 0.0.0.0 255.255.255.255 132.245.32.0 0.0.31.255
90 match ip 0.0.0.0 255.255.255.255 132.245.64.0 0.0.31.255
95 match ip 0.0.0.0 255.255.255.255 132.245.96.0 0.0.15.255
100 match ip 0.0.0.0 255.255.255.255 132.245.113.128 0.0.0.127
105 match ip 0.0.0.0 255.255.255.255 132.245.114.0 0.0.1.255
110 match ip 0.0.0.0 255.255.255.255 132.245.116.0 0.0.3.255
115 match ip 0.0.0.0 255.255.255.255 132.245.120.0 0.0.7.255
120 match ip 0.0.0.0 255.255.255.255 132.245.129.128 0.0.0.127
125 match ip 0.0.0.0 255.255.255.255 132.245.130.0 0.0.1.255
130 match ip 0.0.0.0 255.255.255.255 132.245.132.0 0.0.3.255
135 match ip 0.0.0.0 255.255.255.255 132.245.136.0 0.0.7.255
140 match ip 0.0.0.0 255.255.255.255 132.245.144.0 0.0.15.255
145 match ip 0.0.0.0 255.255.255.255 132.245.160.0 0.0.31.255
150 match ip 0.0.0.0 255.255.255.255 132.245.192.0 0.0.63.255
155 match ip 0.0.0.0 255.255.255.255 134.170.68.0 0.0.1.255
160 match ip 0.0.0.0 255.255.255.255 157.56.96.16 0.0.0.15
165 match ip 0.0.0.0 255.255.255.255 157.56.96.224 0.0.0.15
170 match ip 0.0.0.0 255.255.255.255 157.56.106.128 0.0.0.15
175 match ip 0.0.0.0 255.255.255.255 157.56.232.0 0.0.7.255
180 match ip 0.0.0.0 255.255.255.255 157.56.240.0 0.0.15.255
185 match ip 0.0.0.0 255.255.255.255 191.232.96.0 0.0.31.255
190 match ip 0.0.0.0 255.255.255.255 191.234.6.152 0.0.0.0
195 match ip 0.0.0.0 255.255.255.255 191.234.140.0 0.0.3.255
200 match ip 0.0.0.0 255.255.255.255 191.234.224.0 0.0.3.255
205 match ip 0.0.0.0 255.255.255.255 204.79.197.215 0.0.0.0
210 match ip 0.0.0.0 255.255.255.255 206.191.224.0 0.0.31.255
215 match ip 0.0.0.0 255.255.255.255 207.46.150.128 0.0.0.127
220 match ip 0.0.0.0 255.255.255.255 207.46.203.128 0.0.0.63
exit

Now that we have a class, we can bind it in a policy and set the next hop to 172.16.1.2.

policy pbr "POL-Office365-Subnets"
     5 class ipv4 "Office365-Subnets"
      action ip next-hop 172.16.1.2
      exit
   exit

HPE's implementation applies a PBR policy per VLAN. So far we have only created the policy and not bound it anywhere, so it does nothing yet; binding it to VLAN 5 looks like this:

vlan 5
   name "test"
   untagged 1
   ip address 192.168.1.0 255.255.255.0
   service-policy "POL-Office365-Subnets" in
   exit

Keep in mind that only one PBR policy can be bound to a VLAN. If you enter another service-policy "POL-test" in command on the same VLAN, you get no warning; the new policy simply replaces the previous one. Also, PBR can only be applied to packets entering the VLAN (the in direction).

Some show commands:

show policy POL-Office365-Subnets

Output:
Statements for policy "POL-Office365-Subnets"
policy pbr "POL-Office365-Subnets"
     5 class ipv4 "Office365-Subnets"
      action ip next-hop 172.16.1.2
      exit
   exit

show statistics policy POL-Office365-Subnets vlan 5 in

Output:
 Hit Counts for Policy POL-Office365-Subnets

  Total

 5 class ipv4 Office365-Subnets action ignore
(       0 )      5 match ip 0.0.0.0 255.255.255.255 13.107.6.152 0.0.0.1
(       0 )      10 match ip 0.0.0.0 255.255.255.255 13.107.9.152 0.0.0.1
(       0 )      15 match ip 0.0.0.0 255.255.255.255 13.107.18.10 0.0.0.1
(       0 )      20 match ip 0.0.0.0 255.255.255.255 13.107.19.10 0.0.0.1
(       0 )      25 match ip 0.0.0.0 255.255.255.255 23.103.160.0 0.0.15.255
(       0 )      30 match ip 0.0.0.0 255.255.255.255 23.103.224.0 0.0.31.255
(       0 )      35 match ip 0.0.0.0 255.255.255.255 40.96.0.0 0.7.255.255
(       0 )      40 match ip 0.0.0.0 255.255.255.255 40.104.0.0 0.3.255.255
(       0 )      45 match ip 0.0.0.0 255.255.255.255 70.37.151.128 0.0.0.127
(       0 )      50 match ip 0.0.0.0 255.255.255.255 111.221.112.0 0.0.7.255
(       0 )      55 match ip 0.0.0.0 255.255.255.255 131.253.33.215 0.0.0.0
(       0 )      60 match ip 0.0.0.0 255.255.255.255 132.245.1.128 0.0.0.127
(       0 )      65 match ip 0.0.0.0 255.255.255.255 132.245.2.0 0.0.1.255
(       0 )      70 match ip 0.0.0.0 255.255.255.255 132.245.4.0 0.0.3.255
(       0 )      75 match ip 0.0.0.0 255.255.255.255 132.245.8.0 0.0.7.255
(       0 )      80 match ip 0.0.0.0 255.255.255.255 132.245.16.0 0.0.15.255
(       0 )      85 match ip 0.0.0.0 255.255.255.255 132.245.32.0 0.0.31.255
(       0 )      90 match ip 0.0.0.0 255.255.255.255 132.245.64.0 0.0.31.255
(       0 )      95 match ip 0.0.0.0 255.255.255.255 132.245.96.0 0.0.15.255
(       0 )      100 match ip 0.0.0.0 255.255.255.255 132.245.113.128 0.0.0.127
(       0 )      105 match ip 0.0.0.0 255.255.255.255 132.245.114.0 0.0.1.255
(       0 )      110 match ip 0.0.0.0 255.255.255.255 132.245.116.0 0.0.3.255
(       0 )      115 match ip 0.0.0.0 255.255.255.255 132.245.120.0 0.0.7.255
(       0 )      120 match ip 0.0.0.0 255.255.255.255 132.245.129.128 0.0.0.127
(       0 )      125 match ip 0.0.0.0 255.255.255.255 132.245.130.0 0.0.1.255
(       0 )      130 match ip 0.0.0.0 255.255.255.255 132.245.132.0 0.0.3.255
(       0 )      135 match ip 0.0.0.0 255.255.255.255 132.245.136.0 0.0.7.255
(       0 )      140 match ip 0.0.0.0 255.255.255.255 132.245.144.0 0.0.15.255
(       0 )      145 match ip 0.0.0.0 255.255.255.255 132.245.160.0 0.0.31.255
(       0 )      150 match ip 0.0.0.0 255.255.255.255 132.245.192.0 0.0.63.255
(       0 )      155 match ip 0.0.0.0 255.255.255.255 134.170.68.0 0.0.1.255
(       0 )      160 match ip 0.0.0.0 255.255.255.255 157.56.96.16 0.0.0.15
(       0 )      165 match ip 0.0.0.0 255.255.255.255 157.56.96.224 0.0.0.15
(       0 )      170 match ip 0.0.0.0 255.255.255.255 157.56.106.128 0.0.0.15
(       0 )      175 match ip 0.0.0.0 255.255.255.255 157.56.232.0 0.0.7.255
(       0 )      180 match ip 0.0.0.0 255.255.255.255 157.56.240.0 0.0.15.255
(       0 )      185 match ip 0.0.0.0 255.255.255.255 191.232.96.0 0.0.31.255
(       0 )      190 match ip 0.0.0.0 255.255.255.255 191.234.6.152 0.0.0.0
(       0 )      195 match ip 0.0.0.0 255.255.255.255 191.234.140.0 0.0.3.255
(       0 )      200 match ip 0.0.0.0 255.255.255.255 191.234.224.0 0.0.3.255
(       0 )      205 match ip 0.0.0.0 255.255.255.255 204.79.197.215 0.0.0.0
(       0 )      210 match ip 0.0.0.0 255.255.255.255 206.191.224.0 0.0.31.255
(       0 )      215 match ip 0.0.0.0 255.255.255.255 207.46.150.128 0.0.0.127
(       0 )      220 match ip 0.0.0.0 255.255.255.255 207.46.203.128 0.0.0.63


IPv4 Translation Table


Netmask          Inverse          CIDR  Usable         Size
255.255.255.255  0.0.0.0          /32   1              1 host
255.255.255.254  0.0.0.1          /31   0              2 hosts
255.255.255.252  0.0.0.3          /30   2              4 hosts
255.255.255.248  0.0.0.7          /29   6              8 hosts
255.255.255.240  0.0.0.15         /28   14             16 hosts
255.255.255.224  0.0.0.31         /27   30             32 hosts
255.255.255.192  0.0.0.63         /26   62             64 hosts
255.255.255.128  0.0.0.127        /25   126            128 hosts
255.255.255.0    0.0.0.255        /24   254            1 Class C
255.255.254.0    0.0.1.255        /23   510            2 Class Cs
255.255.252.0    0.0.3.255        /22   1,022          4 Class Cs
255.255.248.0    0.0.7.255        /21   2,046          8 Class Cs
255.255.240.0    0.0.15.255       /20   4,094          16 Class Cs
255.255.224.0    0.0.31.255       /19   8,190          32 Class Cs
255.255.192.0    0.0.63.255       /18   16,382         64 Class Cs
255.255.128.0    0.0.127.255      /17   32,766         128 Class Cs
255.255.0.0      0.0.255.255      /16   65,534         1 Class B
255.254.0.0      0.1.255.255      /15   131,070        2 Class Bs
255.252.0.0      0.3.255.255      /14   262,142        4 Class Bs
255.248.0.0      0.7.255.255      /13   524,286        8 Class Bs
255.240.0.0      0.15.255.255     /12   1,048,574      16 Class Bs
255.224.0.0      0.31.255.255     /11   2,097,150      32 Class Bs
255.192.0.0      0.63.255.255     /10   4,194,302      64 Class Bs
255.128.0.0      0.127.255.255    /9    8,388,606      128 Class Bs
255.0.0.0        0.255.255.255    /8    16,777,214     1 Class A
254.0.0.0        1.255.255.255    /7    33,554,430     2 Class As
252.0.0.0        3.255.255.255    /6    67,108,862     4 Class As
248.0.0.0        7.255.255.255    /5    134,217,726    8 Class As
240.0.0.0        15.255.255.255   /4    268,435,454    16 Class As
224.0.0.0        31.255.255.255   /3    536,870,910    32 Class As
192.0.0.0        63.255.255.255   /2    1,073,741,822  64 Class As
128.0.0.0        127.255.255.255  /1    2,147,483,646  128 Class As
0.0.0.0          255.255.255.255  /0    4,294,967,294  Any

"Inverse" is the wildcard mask used by the class statements in the PBR post above (a set bit means "don't care"). "Usable" excludes the network and broadcast addresses.
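As an added example (not from the original posts), the script below ties the PBR post's wildcard-mask requirement to this table: it converts CIDR prefixes into the wildcard form the 3800's class statements need, emits a complete class, computes any row of the table above, and checks which addresses a match statement really covers, including what happens when a normal subnet mask is typed where the wildcard belongs. It is plain POSIX sh with no external tools. The class name, the sequence numbering and the sample prefixes are assumptions for the demo; the prefixes are constructed test data, not Microsoft's published list.

```shell
#!/bin/sh
# Added example (not from the original posts): CIDR -> wildcard mask conversion,
# class generation and match checking for HPE/Aruba PBR class statements.
# Class name, sequence numbers and sample prefixes are demo assumptions.
set -eu

# Dotted quad -> 32-bit integer.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Wildcard (inverse) mask for a prefix length: the don't-care bits are set.
prefix_to_wildcard() {
  int_to_ip $(( (1 << (32 - $1)) - 1 ))
}

# Conventional subnet mask for a prefix length (the form the switch accepts but does not match on).
prefix_to_netmask() {
  int_to_ip $(( 0xFFFFFFFF & ~((1 << (32 - $1)) - 1) ))
}

# "13.107.6.153/31" -> "13.107.6.152 0.0.0.1": network address (host bits cleared) plus wildcard.
cidr_to_match() {
  prefix=${1#*/}
  net=$(( $(ip_to_int "${1%/*}") & (0xFFFFFFFF & ~((1 << (32 - prefix)) - 1)) ))
  echo "$(int_to_ip "$net") $(prefix_to_wildcard "$prefix")"
}

# Does address $1 fall inside "network $2 wildcard $3"? Bits set in the wildcard are ignored.
wildcard_matches() {
  [ $(( ($(ip_to_int "$1") ^ $(ip_to_int "$2")) & ~$(ip_to_int "$3") & 0xFFFFFFFF )) -eq 0 ]
}

# Emit a complete class (any source to each destination) from a list of CIDRs, numbered in steps of 5.
build_class() {
  name=$1; shift
  seq=5
  echo "class ipv4 \"$name\""
  for cidr in "$@"; do
    echo "$seq match ip 0.0.0.0 255.255.255.255 $(cidr_to_match "$cidr")"
    seq=$(( seq + 5 ))
  done
  echo "exit"
}

# One row of the translation table: netmask, wildcard, CIDR and usable hosts,
# following the table's convention for /31 (0) and /32 (1).
translation_row() {
  case $1 in
    32) usable=1 ;;
    31) usable=0 ;;
    *)  usable=$(( (1 << (32 - $1)) - 2 )) ;;
  esac
  echo "$(prefix_to_netmask "$1") $(prefix_to_wildcard "$1") /$1 $usable"
}

if [ "${1:-}" = "run" ]; then
  build_class "Office365-Subnets" 13.107.6.152/31 23.103.160.0/20 40.96.0.0/13 131.253.33.215/32
  translation_row 20
  # A subnet mask in the wildcard position makes almost everything a don't-care bit:
  wildcard_matches 8.8.8.8 13.107.6.152 255.255.255.254 && echo "8.8.8.8 'matches' 13.107.6.152/31 with a netmask typed as wildcard"
fi
```

Feed the generator a current list of prefixes and paste its output into the switch config instead of hand-translating each mask. The last line of the run block is the failure mode the PBR post warns about: with 255.255.255.254 in the wildcard field only the lowest bit is compared, so unrelated addresses match and the intended ones mostly do not.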

Cisco Firepower Management Center 6.0.0 Password

In previous versions of Cisco Firepower Management Center (5.x and earlier) the default credentials were:

Username: admin
Password: Sourcefire

From version 6.0 onward the default password has changed and is not listed (yet) in the Cisco documentation:

Username: admin
Password: Admin123

Either way, change the default password at the first login; a management console reachable with a published default credential is an easy target.