Category Archives: Linux - Page 2

SSL Certificates: From CSR to a JKS storage

I have started doing this quite a lot these days, so I’d better put a post up here to save myself the Google searching 🙂 It’s not that complicated, but I know I will forget it if I don’t do it for a while.

Let’s start by creating the CSR. First we create a key:

openssl genrsa -out 2048

This creates an RSA private key with a key size of 2048 bits in the file given to -out.

Now it’s time to create the CSR:

openssl req -new -sha256 -key -out

When creating a CSR you need to input some details about the site/organisation that will use the certificate, e.g.:

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []
Email Address []

Out of these questions there is one that is CRUCIAL, and that is the Common Name. For an SSL certificate this HAS to be the domain name (with or without a subdomain) that the certificate is going to be valid for, i.e. exactly the host name that appears in the URL clients use to reach the site.

After these questions have been answered, openssl creates the CSR file (named by -out) that we send to our certificate supplier (DigiCert, GoDaddy, Amazon and many others). The supplier will then get back to us with a certificate, a root certificate and possibly some intermediate certificates.

When we have received the certificates from our supplier it is time to assemble the signed key into a .p12 file. For this we use domain.crt (from the supplier) and the key file we created in the beginning.

First we remove any password from the key file (depending on the application this might not always be necessary):

openssl rsa -in -out

You will be prompted for the password of your .key file.

Once the key file is without a password we can create the .p12 file:

openssl pkcs12 -export -name somename -in domain.crt -inkey -out keystore.p12

Now we have the .p12 file. Time to put it into the JKS container:

keytool -importkeystore -destkeystore mykeystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias somealias

Lastly we need to import the CA and any intermediate certificates (run the command once per certificate file):

keytool -import -keystore mykeystore.jks -file someca.crt -alias someotheralias

The JKS is now ready for use!

Tested on Ubuntu 16.04 (AWS) and Play Framework 2.3
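The post's steps, run non-interactively, together with the two checks worth doing before a CSR goes to the supplier and before a returned certificate is loaded: is the name right, and does the key actually match? This is an added example, not code from the original post. It assumes OpenSSL 1.1.1 or newer (for -addext), uses www.example.com as a constructed host name, and stands in for the supplier's certificate with a self-signed one built from the same CSR. Because modern browsers check the Subject Alternative Name and ignore the Common Name, the host name is put into both. The keytool step only runs when a JDK keytool is on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post: the post's key/CSR/p12 steps run
# non-interactively, plus the two checks worth doing before sending a CSR off or
# loading a returned certificate: is the name right, and does the key match?
# Assumptions: OpenSSL 1.1.1+ (-addext); www.example.com is a constructed host name;
# the "supplier" certificate is a self-signed stand-in generated here.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="www.example.com"                 # constructed; use the real FQDN from the URL

# Post steps 1-2: private key and CSR, answering the prompts via -subj. Browsers check
# the Subject Alternative Name rather than the CN, so the host goes into both.
make_key_and_csr() {
  openssl genrsa -out "$WORK/domain.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/domain.key" -out "$WORK/domain.csr" \
    -subj "/C=AU/ST=Some-State/O=Example Org/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST,DNS:example.com"
}

# Common Name of a CSR, e.g. "www.example.com".
csr_common_name() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# SAN DNS entries of a CSR, one per line.
csr_san_dns() {
  openssl req -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 | tr ',' '\n' | sed -n 's/ *DNS://p'
}

# Stand-in for what DigiCert/GoDaddy/etc. return: self-signed from the same CSR.
make_stand_in_cert() {
  openssl x509 -req -in "$WORK/domain.csr" -signkey "$WORK/domain.key" \
    -days 30 -out "$WORK/domain.crt" 2>/dev/null
}

# SHA-256 of the public key inside a key (key), CSR (csr) or certificate (crt).
pubkey_sha256() {                      # $1 = key|csr|crt, $2 = file
  case "$1" in
    key) openssl pkey -in "$2" -pubout ;;
    csr) openssl req  -in "$2" -pubkey -noout ;;
    crt) openssl x509 -in "$2" -pubkey -noout ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 when the private key and the CSR/cert carry the same public key. A mismatch here
# is the usual cause of "no certificate matches private key" from pkcs12 -export.
key_matches() {                        # $1 = key file, $2 = csr|crt, $3 = file
  [ "$(pubkey_sha256 key "$1")" = "$(pubkey_sha256 "$2" "$3")" ]
}

# Post step 4 (step 3, removing the key password, is moot: the key above has none).
# -passout/-passin replace the prompts; the second command verifies the p12 MAC.
make_p12() {
  openssl pkcs12 -export -name somename -in "$WORK/domain.crt" \
    -inkey "$WORK/domain.key" -out "$WORK/keystore.p12" -passout pass:changeit
  openssl pkcs12 -in "$WORK/keystore.p12" -passin pass:changeit -noout
}

# Post step 5, only when a JDK keytool is on PATH; lists the imported key entry.
import_into_jks() {
  command -v keytool >/dev/null || { echo "keytool not found; skipping JKS step"; return 0; }
  keytool -importkeystore -noprompt -destkeystore "$WORK/mykeystore.jks" \
    -deststorepass changeit -srckeystore "$WORK/keystore.p12" \
    -srcstoretype pkcs12 -srcstorepass changeit
  keytool -list -keystore "$WORK/mykeystore.jks" -storepass changeit | grep PrivateKeyEntry
}

if [ "${1:-}" = "run" ]; then
  make_key_and_csr
  echo "CSR CN : $(csr_common_name "$WORK/domain.csr")"
  echo "CSR SAN: $(csr_san_dns "$WORK/domain.csr" | tr '\n' ' ')"
  make_stand_in_cert
  key_matches "$WORK/domain.key" crt "$WORK/domain.crt" && echo "key matches certificate"
  make_p12 && echo "built $WORK/keystore.p12"
  import_into_jks
fi
```

Run it as `sh script.sh run`; the files land in a fresh mktemp directory (override with WORK=/some/dir). The key_matches check is the one to keep handy: when pkcs12 -export refuses a certificate, comparing public-key fingerprints of the key and the certificate tells you in one line whether the supplier signed the CSR you think they did.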

Setup Trac project on Debian Wheezy with Apache using the mod_wsgi and Basic Authentication

I had a lot of trouble understanding the Trac install instructions on the Trac project homepage. Maybe I’m getting old 🙂 Anyhow, I decided to write this step-by-step tutorial so that I have something easy to return to the next time I need to set up a new Trac project. In this tutorial I assume that all the necessary programs (Apache with mod_wsgi, Trac and SQLite) are already installed.

So let's start off by creating a folder to put our project in:

mkdir /var/trac/my_project

I place my Trac instances in /var/trac/, but you can use almost any location.

Now let's use trac-admin to create and deploy the project:

trac-admin /var/trac/my_project initenv
trac-admin /var/trac/my_project deploy /tmp/deploy

The project is now created and deployed, but I have deployed it to /tmp – strange? I certainly think so, but it’s apparently the preferred way. Somehow trac-admin cannot deploy the necessary scripts into your project folder; you have to copy them there yourself. Editor's note: why can’t this be done automatically when the project is created?

mv /tmp/deploy/* /var/trac/my_project/

This moves the generated htdocs and cgi-bin folders into your project.

Now we need to set the correct ownership of the project files (this is not my strong suit, so please report any errors):

chown -R www-data:www-data /var/trac/my_project

Now it’s time to create a password file for the project since I normally only use Basic Authentication for my Trac projects:

htpasswd -c /var/trac/my_project/.trac.htpasswd niklas

This creates the user niklas in the password file (you will be prompted for a password).

To add more users, just drop the -c option, like this:

htpasswd /var/trac/my_project/.trac.htpasswd another_user

To tighten up the security somewhat we set owner and permission on the password file like this:

chmod 640 /var/trac/my_project/.trac.htpasswd
chown root:www-data /var/trac/my_project/.trac.htpasswd
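The password file the post builds with htpasswd, done here with openssl and POSIX tools only, together with a check that the file really ends up with the tightened mode the post sets. This is an added example, not code from the original post or from the Trac project. It assumes openssl is on the PATH, writes to a temporary file standing in for /var/trac/my_project/.trac.htpasswd, and the user names and passwords are constructed. The hash format is the same $apr1$ scheme that `htpasswd -m` writes, so Apache's AuthUserFile accepts the result unchanged; the chown to root:www-data needs root and that group, so the example only checks the mode bits.

```shell
#!/bin/sh
# Added example, not from the original post: the Basic Auth password file the post
# builds with htpasswd, done with openssl and POSIX tools, plus a check that the file
# has the tightened mode the post sets (640: no read access for "other").
# Assumptions: openssl on PATH; the user names and passwords below are constructed.
set -eu

PWFILE="${PWFILE:-$(mktemp)}"          # stands in for /var/trac/my_project/.trac.htpasswd

# Eight-character salt; hex digits are within the alphabet apr1 allows.
new_salt() {
  openssl rand -hex 4
}

# The $apr1$ (MD5-based) hash that "htpasswd -m" writes and Apache's AuthUserFile reads.
# The password goes in on stdin so it does not show up in the process list.
hash_password() {                      # $1 = password, $2 = salt
  printf '%s\n' "$1" | openssl passwd -apr1 -salt "$2" -stdin
}

# Add or replace one user, like "htpasswd file user" without the prompt. Writing the
# new contents through cat (instead of mv) keeps the file's existing mode and owner.
set_user() {                           # $1 = user, $2 = password
  hash=$(hash_password "$2" "$(new_salt)")
  { grep -v "^$1:" "$PWFILE" || true; echo "$1:$hash"; } > "$PWFILE.tmp"
  cat "$PWFILE.tmp" > "$PWFILE"
  rm -f "$PWFILE.tmp"
}

# 0 when the password matches the stored line for the user, 1 otherwise. This is what
# Apache does on every request: re-hash with the stored salt and compare.
verify_user() {                        # $1 = user, $2 = password
  stored=$(grep "^$1:" "$PWFILE" | cut -d: -f2)
  [ -n "$stored" ] || return 1
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  [ "$(hash_password "$2" "$salt")" = "$stored" ]
}

# Mode check for the post's "chmod 640": the "other" triplet of ls -l must be "---".
# (The chown root:www-data half needs root and that group, so it is left to the post.)
perms_ok() {
  [ "$(ls -l "$PWFILE" | cut -c8-10)" = "---" ]
}

if [ "${1:-}" = "demo" ]; then
  set_user niklas 'correct horse'
  set_user another_user 'battery staple'
  chmod 640 "$PWFILE"
  verify_user niklas 'correct horse' && echo "niklas: password accepted"
  verify_user niklas 'wrong' || echo "niklas: wrong password rejected"
  perms_ok && echo "$PWFILE is not world-readable"
  cat "$PWFILE"
fi
```

Run it as `sh script.sh demo`. The mode check is the part worth keeping: a world-readable htpasswd file hands every local account the hashes, and apr1 is a fast MD5-based scheme, so 640 with the web server's group as the only reader is the minimum, not a nicety.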

Now let's add these users to the Trac project as well. First the admin, niklas:

trac-admin /var/trac/my_project permission add niklas TRAC_ADMIN

and then a user with basic privileges (create tickets, read wiki, timeline, milestones and such):

trac-admin /var/trac/my_project permission add anotheruser authenticated

We are now finally done with the project files. Time to move on to the Apache configuration. For this I create a file in the conf.d folder of the Apache installation, like this:

vim /etc/apache2/conf.d/my_project

In this file I put the following:

<Directory /var/trac/my_project/cgi-bin/trac.wsgi>
  WSGIApplicationGroup %{GLOBAL}
  Order deny,allow
  Allow from all
</Directory>

<VirtualHost *>
  WSGIScriptAlias /trac/my_project /var/trac/my_project/cgi-bin/trac.wsgi
  <Location '/trac/my_project'>
    AuthType Basic
    AuthName "Trac"
    AuthUserFile /var/trac/my_project/.trac.htpasswd
    Require valid-user
  </Location>
</VirtualHost>

Now it's finally time to test the new project. Restart Apache:

/etc/init.d/apache2 restart

If all goes well you should now be able to find your new Trac project at http://localhost/trac/my_project. You should also be prompted for a login when you arrive there.

Tested on Debian Wheezy v7.0 with Apache 2 v2.2.22-13 and Trac v0.12.3

Find all hosts on network with Nmap

To find all pingable hosts on the network you are currently on, first find your own IP. On Linux/OSX you can run the command ifconfig (Windows uses the ‘ipconfig’ command):

malen@LKGADEFB8:~$ sudo ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1d:7e:ad:ef:b8  
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::21d:7eff:fead:efb8/64 Scope:Link
          RX packets:23647854 errors:0 dropped:83 overruns:0 frame:0
          TX packets:31522391 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:320343317 (305.5 MiB)  TX bytes:3340057852 (3.1 GiB)

lo        Link encap:Local Loopback  
          inet addr:  Mask:
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1736 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1736 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:159128 (155.3 KiB)  TX bytes:159128 (155.3 KiB)

Your IP is shown after ‘inet addr’ on eth0. To see whether there are any other hosts on the 192.168.0.x network, use:

nmap -v -sP

This will ping all hosts on 192.168.0.x and show the result as a list:

Host appears to be down.
Host appears to be down.
Host appears to be down.
Host appears to be down.
Host appears to be down.
Host Slug ( appears to be up.
Host appears to be down.
Host appears to be down.
Host appears to be down.
Host appears to be down.
Host appears to be down.
Host appears to be down.
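The two pieces of arithmetic and parsing hidden in the post, as an added example that is not part of the original post: deriving the scan target from the ifconfig address and netmask, pulling the live hosts out of the `nmap -sP` listing, and flagging any that are not on a known-host inventory, which is the defender's reason for running this scan regularly. It also generalises the /24 case in the post to any netmask. The addresses, host names and scan lines are constructed sample data, and nmap itself is not run.

```shell
#!/bin/sh
# Added example, not from the original post: turn the ifconfig values into the target
# nmap needs, pick the live hosts out of "nmap -sP" output, and flag any that are not on
# a known-host list (the defender's reason for running this scan at all).
# Assumptions: the IPs, host names and scan output below are constructed sample data.
set -eu

# Network in CIDR form from an address and dotted netmask, e.g. 192.168.0.17 +
# 255.255.255.0 -> 192.168.0.0/24. Pure POSIX arithmetic, so it works in dash too.
network_cidr() {                       # $1 = ip, $2 = netmask
  net=""; bits=0; i=1
  while [ "$i" -le 4 ]; do
    o=$(echo "$1" | cut -d. -f"$i"); m=$(echo "$2" | cut -d. -f"$i")
    net="$net$((o & m))."
    while [ "$m" -gt 0 ]; do bits=$((bits + (m & 1))); m=$((m >> 1)); done
    i=$((i + 1))
  done
  printf '%s/%s\n' "${net%.}" "$bits"
}

# Live hosts from "nmap -sP" output on stdin, one IP per line. Lines look like
# "Host 192.168.0.10 appears to be up." or "Host Slug (192.168.0.3) appears to be up."
up_hosts() {
  awk '/appears to be up/ {
         for (i = 1; i <= NF; i++)
           if ($i ~ /^\(?[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\)?$/) { gsub(/[()]/, "", $i); print $i }
       }'
}

# Live hosts (stdin) that are not listed in the known-host file $1.
unknown_hosts() {
  grep -vxF -f "$1" || true
}

# Constructed sample data standing in for the real ifconfig and nmap output.
MY_IP=192.168.0.17; MY_MASK=255.255.255.0
SAMPLE_SCAN='Host 192.168.0.1 appears to be down.
Host 192.168.0.2 appears to be down.
Host Slug (192.168.0.3) appears to be up.
Host 192.168.0.4 appears to be down.
Host printer.lan (192.168.0.9) appears to be up.
Host 192.168.0.10 appears to be up.'
KNOWN="${KNOWN:-$(mktemp)}"
printf '192.168.0.3\n192.168.0.9\n' > "$KNOWN"  # constructed inventory of expected hosts

if [ "${1:-}" = "demo" ]; then
  echo "scan target: $(network_cidr "$MY_IP" "$MY_MASK")"
  echo "live hosts:  $(printf '%s\n' "$SAMPLE_SCAN" | up_hosts | tr '\n' ' ')"
  echo "not in inventory: $(printf '%s\n' "$SAMPLE_SCAN" | up_hosts | unknown_hosts "$KNOWN" | tr '\n' ' ')"
fi
```

Run it as `sh script.sh demo`; on a real box you would feed `nmap -v -sP "$(network_cidr "$ip" "$mask")"` into up_hosts instead of the sample text. Keeping the inventory file under version control turns the post's one-off scan into a cheap check for devices that appeared on the segment without anyone adding them.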

Tested on OSX 10.7.4 and Debian Lenny