Creating Your Own Certificate Authority

If you play a lot with SSL/TLS, at a certain point it starts making sense to create your own self-signed certificate authority. However, where do you create something whose private key needs to be kept as secret as possible?

For CA creation I personally love to use a Raspberry Pi with Raspbian Jessie Lite. Once you write the SD image, and assuming you never plug the network in, it is about as close to an air-gapped computer as you can get at home.

While ideally (and in this guide) you are not going to save anything to disk without a passphrase, if you do slip it is really easy to recover on a Raspberry Pi: just destroy the SD card you used and no leak will occur. Of course, the paranoid should destroy the SD card regardless. Just in case. :)

But let’s get back to creation of our certificate authority.

First we need to create a key. With OpenSSL you can choose to protect it with a passphrase from the very start. Guess what? We’re gonna use that:

openssl genrsa -aes256 -out ca.key 2048

Once the key is there, we need a self-signed certificate for it. Considering that an RSA 2048 key (approximately 112 bits of security) is considered acceptable by NIST until 2030, a 10-year validity seems reasonable. You can fill in as much or as little information as you wish. If nothing else, fill out the common name to simplify your life:

openssl req -new -x509 -key ca.key -sha256 -days 3650 -extensions myext -config <(cat /etc/ssl/openssl.cnf <(echo -e "\n[myext]\nbasicConstraints=CA:true\nkeyUsage=cRLSign,keyCertSign")) -out ca.cer
 Country Name (2 letter code) [AU]: .
 State or Province Name (full name) [Some-State]: .
 Locality Name (eg, city) []: .
 Organization Name (eg, company) [Internet Widgits Pty Ltd]: .
 Organizational Unit Name (eg, section) []: .
 Common Name (e.g. server FQDN or YOUR name) []: .
 Email Address []: .

With this our CA certificate is ready. I still like to make a PKCS #12 bundle of the key and certificate for safe keeping. Do not forget to set the passphrase here too (it will ask):

openssl pkcs12 -export -in ca.cer -inkey ca.key -out ca.p12

To get all this off the Pi, we can cheat and use the FAT32 boot partition on the SD card:

sudo mkdir /boot/ca
sudo cp *.cer /boot/ca/
sudo cp *.p12 /boot/ca/

Now that we have a self-signed CA, we can use it to create server or client certificates. Keep in mind that ca.p12 contains the private key: once it leaves the Pi, only its passphrase protects it.
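As an added example (not part of the original post), this is how the CA built above is put to use: issue one TLS server certificate from it and check the result. It assumes OpenSSL 1.1.1 or newer on PATH; the working directory, the passphrase and the host name are placeholders chosen by the caller, and passphrases go on the command line only so the script can run unattended, which is not what you would do on the real offline CA.

```shell
#!/bin/sh
# Added example, not from the original post: use the CA built above to issue
# a TLS server certificate and check the result. Assumes OpenSSL 1.1.1 or
# newer on PATH. Passphrases are passed on the command line purely so the
# script can run unattended; on the real (offline) CA you type them instead.
set -eu

# Builds the CA and signs one server certificate. Arguments: working
# directory, CA key passphrase, server host name (all chosen by the caller).
make_ca_and_server_cert() {
  work="$1"; ca_pass="$2"; host="$3"
  mkdir -p "$work"

  # 1. CA key (AES-256 protected) and self-signed CA certificate with the same
  #    extensions as in the post, marked critical so nothing can ignore them.
  openssl genrsa -aes256 -passout "pass:$ca_pass" -out "$work/ca.key" 2048 2>/dev/null
  cat > "$work/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Home CA
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,cRLSign,keyCertSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -x509 -key "$work/ca.key" -passin "pass:$ca_pass" -sha256 \
    -days 3650 -config "$work/ca.cnf" -out "$work/ca.cer"

  # 2. Server key (no passphrase: the server must load it unattended) and a
  #    CSR that carries only the name; the CA decides the extensions.
  openssl genrsa -out "$work/$host.key" 2048 2>/dev/null
  cat > "$work/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
EOF
  openssl req -new -key "$work/$host.key" -config "$work/server.cnf" -out "$work/$host.csr"

  # 3. Sign the CSR. These extensions stop the leaf from acting as a CA, pin
  #    it to TLS server use, and put the name in the SAN, which is what
  #    current clients actually check.
  cat > "$work/server.ext" <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl x509 -req -in "$work/$host.csr" -CA "$work/ca.cer" -CAkey "$work/ca.key" \
    -passin "pass:$ca_pass" -CAcreateserial -days 825 -sha256 \
    -extfile "$work/server.ext" -out "$work/$host.cer" 2>/dev/null
}

# Returns 0 only if the leaf chains to the CA, carries the name in its SAN
# and cannot itself sign certificates.
verify_server_cert() {
  work="$1"; host="$2"
  openssl verify -CAfile "$work/ca.cer" "$work/$host.cer" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$work/$host.cer" -noout -text)
  case "$text" in *"DNS:$host"*) ;; *) return 1 ;; esac
  case "$text" in *"CA:TRUE"*) return 1 ;; esac
  return 0
}
```

The point of the extension file in step 3 is that the CSR never gets a say in it: whatever a requester puts into the CSR, the certificate ends up with CA:FALSE, serverAuth only, and exactly the SAN you wrote, which is the check `verify_server_cert` performs.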

Mikrotik Configuration Backup

To start, I will assume that an SSH user with appropriate rights is already configured as described in a previous blog post. From there, getting Mikrotik’s configuration is easy:

ssh backup@192.168.88.1 "/export"

However, there are a few things wrong with it. First of all, lines end with CRLF instead of the more conventional (at least in the Linux/Unix world) LF. Fortunately this is easily fixed:

ssh backup@192.168.88.1 "/export" | tr -d '\r'

Next you will notice that the exported config has a line continuation character (\) on its longer lines. While this is nice for viewing, if we are to process the result automatically with diff it is better to have each configuration line on its own. Getting Mikrotik to stop wrapping lines under all terminals is pretty much impossible, even with the +t4200w trick. However, awk can do wonders with a bit of cryptic code:

ssh backup@192.168.88.1 "/export" \
  | tr -d '\r' \
  | awk '{sub(/^ +/, "", $0); if (sub(/\\$/,"")) printf "%s", $0; else print $0}'

And finally, you might notice there is a timestamp at the top of the exported script. This is usually handy information, but it will cause any automatic diff to always find a difference. So, removing it is in order:

ssh backup@192.168.88.1 "/export" \
  | tr -d '\r' \
  | awk '{sub(/^ +/, "", $0); if (sub(/\\$/,"")) printf "%s", $0; else print $0}' \
  | sed "s/^#.* by RouterOS/# RouterOS/"

With this we have a nice, repeatable, and diff-friendly configuration exported.
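The same normalization, wrapped as a function so it can be exercised on a constructed sample of what “/export” returns and then reused for a diff against the previous backup. This is an added example, not code from the original post; the router address, the backup file name and the sample export lines are made up.

```shell
#!/bin/sh
# Added example (not from the original post): the post's normalisation
# pipeline as a function, a constructed sample to run it on, and a backup
# helper that diffs against the previous copy.

# Reads a raw "/export" on stdin, writes a diff-friendly version on stdout:
# CRLF -> LF, wrapped lines joined, timestamp dropped from the header.
normalize_export() {
  tr -d '\r' \
    | awk '{sub(/^ +/, "", $0); if (sub(/\\$/,"")) printf "%s", $0; else print $0}' \
    | sed "s/^#.* by RouterOS/# RouterOS/"
}

# Constructed sample of what RouterOS returns: CRLF line endings, a timestamp
# in the header and one wrapped line (trailing space, then backslash).
sample_export() {
  printf '# jan/02/2017 10:20:30 by RouterOS 6.37.3\r\n'
  printf '# software id = XXXX-XXXX\r\n'
  printf '/ip firewall filter\r\n'
  printf 'add action=accept chain=input comment="Allow local SNMP" \\\r\n'
  printf '    dst-port=161 protocol=udp\r\n'
}

# Pulls a fresh export, normalises it and prints what changed since the last
# stored copy. The router login and file name are placeholders.
backup_and_diff() {
  router="${1:-backup@192.168.88.1}"
  file="${2:-mikrotik.rsc}"
  ssh "$router" "/export" | normalize_export > "$file.new"
  if [ -f "$file" ]; then
    diff -u "$file" "$file.new" || true   # diff exits 1 when there are changes
  fi
  mv "$file.new" "$file"
}
```

Run `sample_export | normalize_export` to see the joined and cleaned output; `backup_and_diff` is what you would put into cron once the SSH key is in place.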

PS: If you are wondering why I am not using dos2unix, it is because I wanted the code to run on NAS4Free, which has quite a restricted command line.

Cleaning Chrome DNS Cache


While playing with Mikrotik’s DNS I accidentally made a regular expression entry overly broad. The error was clear: I had “ana” in the DNS Regexp field instead of “^ana$”. What this simple error did was resolve everything with “ana” in the name to a machine on the local network. I noticed it when I tried to access http://anandtech.com and got a timeout.

I fixed the erroneous entry and all was good when I checked manually with nslookup. However, I still couldn’t access the web site. Interestingly, if I tried using Internet Explorer instead of my favorite Chrome, access worked. Yep, Chrome has its own internal DNS cache.

Cleaning Chrome’s cache is reasonably easy. The only thing needed is a visit to chrome://net-internals/#dns and hitting the Clear host cache button. However, my erroneous local address was back as soon as I tried accessing the site again.

Interestingly, Windows itself had also cached the incorrect IP address. Chrome, using the Windows API to resolve the DNS name, was getting the wrong one. Internet Explorer was unaffected as it made the DNS query directly. Curious choices. :)

Cleaning the Windows cache involves getting to an elevated prompt. My favorite way is hitting Win+X and selecting Command Prompt (Admin) from the menu. Once in the prompt, we just execute:

ipconfig /flushdns
 Windows IP Configuration
 Successfully flushed the DNS Resolver Cache.

With this (and clearing Chrome’s cache again) I could browse anandtech.com again.

PS: For the curious, Mikrotik supports extended POSIX regular expressions.

Mint Cacti for Mikrotik Queue


Mikrotik does routing beautifully but the same cannot always be said about its traffic monitoring facilities. While graphing does exist, it is as flexible as a Trump supporter on immigration issues.

For me, one of the best ways to monitor a router on the cheap is Cacti. It is completely free and has built-in SNMP support. Guess what else has built-in SNMP support? Yep, Mikrotik.

To get Mikrotik’s SNMP working, just enable it from a terminal window, adjusting the firewall if necessary. Note that this leaves the default read-only community name (public) in place; SNMP v2c sends it in clear text, so at the very least rename it and restrict it to your management network:

/snmp set enabled=yes

/ip firewall filter
add chain=input protocol=udp dst-port=161 in-interface=!ether1 action=accept place-before=0 comment="Allow local SNMP"

While we are playing with Mikrotik, we can also print the OIDs for queues:

/queue simple
 print oid without-paging
 0    name=.1.3.6.1.4.1.14988.1.1.2.1.1.2.19
      bytes-in=.1.3.6.1.4.1.14988.1.1.2.1.1.8.19
      bytes-out=.1.3.6.1.4.1.14988.1.1.2.1.1.9.19
      packets-in=.1.3.6.1.4.1.14988.1.1.2.1.1.10.19
      packets-out=.1.3.6.1.4.1.14988.1.1.2.1.1.11.19
      queues-in=.1.3.6.1.4.1.14988.1.1.2.1.1.12.19
      queues-out=.1.3.6.1.4.1.14988.1.1.2.1.1.13.19
 ...

Just store this data somewhere as we are going to need the bytes-in and bytes-out entries later.

To get Cacti running, I went with the latest Linux Mint distribution. The procedure is quite generic so you can select essentially any Linux. Just add a few packages:

sudo apt-get -y install lamp-server^
sudo apt-get -y install snmpd
sudo apt-get -y install cacti cacti-spine

During installation, some packages might ask additional questions, especially password related, that you might want to answer. For the purpose of this exercise I just went with all the defaults.

After all packages are installed, it is a good time to test whether we get anything from Mikrotik:

snmpwalk -v 2c -c public 192.168.88.1

And yes, this command is going to show a lot. :)
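Before going into Cacti it is worth turning the “print oid” listing above into something a script can use and polling one queue by hand. The following is an added example, not part of the original post: the “print oid” sample is constructed (two queues, the second one invented), and the router address and community name passed to `poll_queue_bytes` are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: pull the bytes-in/bytes-out OIDs
# out of "/queue simple print oid" output so they can be stored and then
# polled with net-snmp. The sample output is constructed; snmpget is only
# invoked by poll_queue_bytes, which needs a real router.

# Reads "print oid" output on stdin; prints one line per queue:
# <row> <bytes-in OID> <bytes-out OID>
queue_byte_oids() {
  awk '
    /^ *[0-9]+ +name=/ { row = $1 }
    /bytes-in=/  { sub(/^.*bytes-in=/, "");  in_oid = $0 }
    /bytes-out=/ { sub(/^.*bytes-out=/, ""); out_oid = $0; print row, in_oid, out_oid }
  '
}

# Constructed sample in the same layout the router prints, two queues.
sample_print_oid() {
  cat <<'EOF'
 0    name=.1.3.6.1.4.1.14988.1.1.2.1.1.2.19
      bytes-in=.1.3.6.1.4.1.14988.1.1.2.1.1.8.19
      bytes-out=.1.3.6.1.4.1.14988.1.1.2.1.1.9.19
      packets-in=.1.3.6.1.4.1.14988.1.1.2.1.1.10.19
      packets-out=.1.3.6.1.4.1.14988.1.1.2.1.1.11.19
      queues-in=.1.3.6.1.4.1.14988.1.1.2.1.1.12.19
      queues-out=.1.3.6.1.4.1.14988.1.1.2.1.1.13.19
 1    name=.1.3.6.1.4.1.14988.1.1.2.1.1.2.23
      bytes-in=.1.3.6.1.4.1.14988.1.1.2.1.1.8.23
      bytes-out=.1.3.6.1.4.1.14988.1.1.2.1.1.9.23
      packets-in=.1.3.6.1.4.1.14988.1.1.2.1.1.10.23
      packets-out=.1.3.6.1.4.1.14988.1.1.2.1.1.11.23
      queues-in=.1.3.6.1.4.1.14988.1.1.2.1.1.12.23
      queues-out=.1.3.6.1.4.1.14988.1.1.2.1.1.13.23
EOF
}

# True when an OID lives under MikroTik's private enterprise subtree
# (.1.3.6.1.4.1.14988), i.e. it is not a generic MIB-2 counter like uptime.
is_mikrotik_oid() {
  case "$1" in .1.3.6.1.4.1.14988.*) return 0 ;; *) return 1 ;; esac
}

# Polls both byte counters of one queue with net-snmp's snmpget (assumed
# installed). Arguments: router, community, bytes-in OID, bytes-out OID.
# Use a community other than the default "public" and keep v2c traffic on
# the LAN: the community name travels in clear text.
poll_queue_bytes() {
  router="$1"; community="$2"; in_oid="$3"; out_oid="$4"
  snmpget -v2c -c "$community" -Oqv "$router" "$in_oid" "$out_oid"
}
```

Save the output of `queue_byte_oids` next to the Cacti configuration; the last OID component (19 above) is the queue’s SNMP index, and it is what changes when queues are added or reordered, so the listing is worth regenerating after touching /queue simple.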

Now that we know SNMP is working we can go further with the Cacti setup. For that we go to http://127.0.0.1/cacti and answer a few questions, essentially just setting the admin password and confirming tool locations.

The next thing on Cacti’s Console page is selecting Devices and adding a new one. You need to enter Mikrotik’s IP address here and change the SNMP version to 2. Once you create the entry, you should see the system name and uptime.

Now we can finally go to New Graph and create one based on the SNMP - Generic OID Template. For the purpose of byte counting, Maximum Value should be set to U and OID should be the one belonging to Mikrotik’s queue byte count. In my case .1.3.6.1.4.1.14988.1.1.2.1.1.8.19 is the one for input bytes of my Internet queue. A few minutes afterward you can check the Graphs/Preview tab and you should see your data nicely displayed.

Of course, with Cacti’s seemingly infinite configurability, this is just a start. Feel free to snoop around and discover. :)

PS: To monitor the router’s health, check out the resource OIDs:

/system resource print oid
             uptime: .1.3.6.1.2.1.1.3.0
    total-hdd-space: .1.3.6.1.2.1.25.2.3.1.5.1
     used-hdd-space: .1.3.6.1.2.1.25.2.3.1.6.1
       total-memory: .1.3.6.1.2.1.25.2.3.1.5.2
        used-memory: .1.3.6.1.2.1.25.2.3.1.6.2
           cpu-load: .1.3.6.1.2.1.25.3.3.1.2.1

Escaping Backtick in (Perl)grep

It all started with a simple list of name='value' and name=`value` entries, all within the same line. My wish was to color a few matching entries for the devious purpose of making them more visible. The first stab at a solution was extremely easy:

something | grep --color=always -P "somename='.*?'"

Two things to note here: I had to use Perl-style grep as I needed non-greedy matching, and secondly it didn’t fulfill its task. Yep, it didn’t match the backtick (`) character.

A simple regex adjustment, one might think:

something | grep --color=always -P "somename=['`].*?['`]"

But no - the backtick is a tricky one as it serves a special purpose in bash. Even inside double quotes it starts command substitution, so the shell swallows everything between the two backticks before grep ever sees the pattern.

I tried a bunch of escaping methods before I remembered that hexadecimal escapes are still a thing. Wouldn’t you know it, that worked. To match a backtick, instead of using the character itself, one can use its hexadecimal escape code (PCRE understands \x60):

something | grep --color=always -P "somename=['\x60].*?['\x60]"
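To see the three ways of getting that backtick past the shell side by side, here is an added example (not from the original post) run against a constructed line; the names and values are made up, and the name passed in is assumed to be a plain word with no regex metacharacters.

```shell
#!/bin/sh
# Added example, not from the original post: three ways of getting a
# backtick into the grep pattern, run against a constructed line. The names
# and values are made up; the name argument is assumed to contain no regex
# metacharacters.

sample_line() {
  # Quoted heredoc delimiter, so the shell leaves the backticks alone.
  cat <<'EOF'
name1='alpha' name2=`bravo` name1=`charlie` other='delta' name1='echo'
EOF
}

# The post's fix: PCRE hex escape, so no backtick ever reaches the shell.
quoted_values_hex() {
  grep -oP "$1=['\x60].*?['\x60]"
}

# Same thing with a backslash-escaped backtick; inside double quotes the
# shell turns \` into a literal backtick instead of starting a command
# substitution.
quoted_values_escaped() {
  grep -oP "$1=['\`].*?['\`]"
}

# Portable version without -P: an alternation of the two quote styles with a
# negated class instead of the non-greedy .*?. It also refuses to pair an
# opening single quote with a closing backtick, which the -P patterns allow.
quoted_values_ere() {
  grep -oE "$1=('[^']*'|\`[^\`]*\`)"
}
```

Swap `-o` for `--color=always` to get the highlighting the post was after; `-o` is used here only so each match lands on its own line and can be compared. The ERE variant is the one to reach for on busybox or BSD systems where grep has no -P.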