Creating ECC keys

Invoke gpg frontend with --expert and --full-gen-key option.

gpg2 --expert --full-gen-key

Then, we input 9 to select ECC primary key and ECC encryption subkey.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
Your selection? 9

Next is the important selection. We input 1 to select Curve25519.

Please select which elliptic curve you want:
   (1) Curve 25519
   (2) NIST P-256
   (3) NIST P-384
   (4) NIST P-521
   (5) Brainpool P-256
   (6) Brainpool P-384
   (7) Brainpool P-512
   (8) secp256k1
Your selection? 1

For the expiration time it's a best practise to use 1 year and to renew it each year. This way, in case you lose or someone steals your private key, the key could not be valid after a maximum of 1 year.
Type 1y

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? 1y
Is this correct? (y/N) y

List keys

gpg --list-keys

pub   ed25519 2020-05-07 [SC] [expires: 2021-05-07]
uid           [ultimate] Baptiste Dauphin <>
sub   cv25519 2020-05-07 [E] [expires: 2021-05-07]

note : my key digest is 5A040187EDDDD936B41E8268E4577920E02746B3

Export public key

gpg --armor --export 5A040187EDDDD936B41E8268E4577920E02746B3



Export private key

gpg --export-secret-keys --armor 5A040187EDDDD936B41E8268E4577920E02746B3



Extract private key and import on different machine

gpg2 --export-secret-keys --armor 5A040187EDDDD936B41E8268E4577920E02746B3 > private.key

Copy on the desired location

gpg2 --import private.key

Sources :


Display gpg key photo

gpg2 --list-options show-photos --fingerprint 5A040187EDDDD936B41E8268E4577920E02746B3
gpg2 --list-options show-photos --fingerprint 5A040187EDDDD936B41E8268E4577920E02746B3 --photo-viewer 'eog %I'


Secret management

File-policy -> Policy -> Token

Login token

with your personal token. You can generate it from the web ui

vault login
Token (will be hidden): 
Success! You are now authenticated. The token information displayed below

GitHub Logo

Verify your token

vault token lookup

Login LDAP

vault login -method=ldap username=$USER

Both Will set up a token under ~/.vault-token


vault kv get path/to/secret


List all enabled policies:

vault policy list

Create or refresh a policy named "my-policy" from contents

vault policy write my-policy ./my-policy.hcl

Delete the policy named my-policy

vault policy delete my-policy


Token can be viewed as a policy accessor

vault token create -policy=my-api-policy-developement -renewable -period=768h

vault token create -policy=my-api-policy-staging -renewable -period=768h

vault token create -policy=my-api-policy-production -renewable -period=768h



Keywork meaning
Private key
Public key

Get info about a certificate

Option Description
-text Prints out the certificate in text form.
-noout Prevents output of the encoded version of the request.
-subject Outputs the subject name.
-issuer Outputs the issuer name.
-dates Prints out the start and expiry dates of a certificate.
-fingerprint prints out the digest of the DER encoded version of the whole certificate.
openssl s_client -servername -connect    < /dev/null | openssl x509 -text

openssl s_client -servername -connect    < /dev/null | openssl x509 -noout -fingerprint

openssl s_client -servername -connect    < /dev/null | openssl x509 -noout -fingerprint -dates

openssl s_client -servername -connect    < /dev/null | openssl x509 -text -noout -dates

echo | openssl s_client -servername -connect  2>/dev/null | openssl x509 -noout -dates

echo | openssl s_client -servername -connect 2>/dev/null | openssl x509 -noout -issuer -subject -dates
  • 2>/dev/null : Redirect stderr to /dev/null, (just to deal with the strange behaviour of openssl command.)
  • < /dev/null : plug the output of /dev/null to stdin of openssl because this cmd requires you an stdin, so we set it to /dev/null (just to deal with the strange behaviour of openssl command.)
  • echo | : Same behaviour as previous (< /dev/null) but it's just another method to do it with bash.

Get info from network

Using s_client arg

echo | openssl s_client -servername -connect 2>/dev/null

Get from file

Using x509 arg

openssl x509 --in /etc/ssl/certs/ca_server.pem
openssl x509 --in /etc/ssl/certs/ca_server.pem | openssl x509 --text
openssl x509 --in /etc/ssl/certs/ca_server.pem | openssl x509 --text --noout --dates

debian 7, openssl style

openssl x509 -in /etc/ssl/private/sub.domain.tld.pem

Get OCSP Status

Use the flag -status, it should respond successful obviously. If not, you have to fix your nginx config.

openssl s_client -servername -connect -status < /dev/null | grep -i 'OCSP Response'

OCSP enabled

OCSP response: 
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response

OCSP diabled

OCSP response: no response sent

Force cipher

RSA or EC ?

-cipher ECDHE-RSA-AES128-GCM-SHA256
echo | openssl s_client \
-servername \
-connect \
-cipher ECDHE-RSA-AES128-GCM-SHA256 \
2>/dev/null | \
openssl x509 -text | \
grep "Public Key Algorithm"

echo | \
openssl s_client \
-servername \
-connect \
-cipher ECDHE-ECDSA-AES128-GCM-SHA256 \
2>/dev/null | \
openssl x509 -text | \
grep "Public Key Algorithm"

Test full chain

OpenSSL verify with -CAfile

openssl verify ./
CN =
error 20 at 0 depth lookup: unable to get local issuer certificate
error ./ verification failed

openssl verify -CAfile ./bdauphin.io_intermediate_certificate.pem ./
./ OK


Subject Alternative Name AKA DNS

Common usage

Test certificate validation + right adresses

for certif in * ; do openssl verify -CAfile ../baptiste-dauphin.io_intermediate_certificate.pem $certif ; done OK OK OK

for certif in * ; do openssl x509 -in $certif -noout -text | egrep '(Subject|DNS):' ; done
        Subject: CN =
        Subject: CN =
        Subject: CN =

Converting PEM to PKCS12

(using intermediate certificate)

cat certificate.crt intermediate.crt > bundle.crt
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in bundle.crt

openssl pkcs12 \
-export \
-in cert.pem \
-inkey key.key \
-certfile ca.pem \
-out cert.pfx

get system CA

ls -l /usr/local/share/ca-certificates
ls -l /etc/ssl/certs/

refresh system CA after changing files in the folder

sudo update-ca-certificates

CSR / Private key

Generate Certificate Signing Request (csr) + the associate private key Will generates both private key and csr token

RSA style

Considered as maybe deprecated

openssl req -nodes -newkey rsa:4096 -sha256 -keyout $(SUB.MYDOMAIN.TLD).key -out $(SUB.MYDOMAIN.TLD).csr -subj "/C=FR/ST=France/L=PARIS/O=My Company/CN=$(SUB.MYDOMAIN.TLD)"

Elliptic Curve (ECDSA)

much more secure

# generate private key
openssl ecparam -out $(SUB.MYDOMAIN.TLD).key -name sect571r1 -genkey
# generate csr
openssl req -new -sha256 -key $(SUB.MYDOMAIN.TLD).key -nodes -out $(SUB.MYDOMAIN.TLD).csr -subj "/C=FR/ST=France/L=PARIS/O=My Company/CN=$(SUB.MYDOMAIN.TLD)"

You can verify the content of your csr token here : DigiCert Tool

Encrypt manually

echo '<190>Apr 20 17:21:03 ostoto plop2[5847695]: {"plop2":"miaou"}' | \
openssl s_client -showcerts -connect

Chose a sage curves for elliptic-curve cryptography

AIA (Authority Information Access)

L'extension Authority Information Access (AIA) permet aux clients SSL/TLS (le plus souvent des navigateurs web) d'aller rechercher des certificats intermédiaires manquants, non-présentés par le serveur.

Il est utile de préciser que les serveurs qui n'envoient pas la chaine complète sont en infraction vis à vis de la norme SSL/TLS.

Cette extension, qui place dans le certificat final un "CA Issuer" contenant une URL, permet au navigateur d'aller chercher le certificat manquant, puis de retenter la vérification de la chaine avec.

You can try by yourself, I setup specific endpoints ;)


<!DOCTYPE html>
<title>Welcome to nginx!</title>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href=""></a>.<br/>
Commercial support is available at
<a href=""></a>.</p>

<p><em>Thank you for using nginx.</em></p>
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here:

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Let's encrypt Certbot

Generate a wildcard certificate

Install Certbot

apt-get install certbot python-certbot-nginx

Install correct DNS plugin

sudo apt-get install python3-certbot-dns-ovh

Set up credentials

To be able to request a wildcard certificate against let's encrypt api, you need to have access to your dns-provider api.
For example : I want to secure all of my existing + futures subdomain. *
So first step : Get your dns-provider, credentials. In my case (ovh) I need

  • application_key
  • application_secret
  • consumer_key

Follow my dns-provider tutorial and get your keys and feed ./certbot.ini.

For other dns-provider see the official certbot doc

Request your cert against let's encrypt

certbot certonly \
  --dns-ovh \
  --dns-ovh-credentials ./certbot.ini \
  -d \*
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-ovh, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for
Waiting 30 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2020-12-29. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

Edit your nginx vhost

    ssl_certificate     /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;

Confirm that Certbot worked

echo | openssl s_client \
-servername \
-connect 2>/dev/null \
| openssl x509 -noout -issuer -subject
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
subject=CN = *


Setup automatic renewal

The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again, unless you change your configuration. You can test automatic renewal for your certificates by running this command:

certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-ovh, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for
Waiting 30 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/ (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The command to renew certbot is installed in one of the following locations:

ls -l /etc/crontab/
ls -l /etc/cron.*/*
systemctl list-timers

Official doc

Config file

cert, private key, chain, full chain, LE account, authenticator, dns provider credentiels, server LE.

cat /etc/letsencrypt/renewal/
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

# Options used in the renewal process
account = ***************************
authenticator = dns-ovh
dns_ovh_credentials = /root/ovh_credentials/certbot.ini
server =

Confirm that Certbot worked

To confirm that your site is set up properly, visit in your browser and look for the lock icon in the URL bar.
If you want to check that you have the top-of-the-line installation, you can head to



print jails

fail2ban-client status

get banned ip and other info about a specific jail

fail2ban-client status ssh

set banip triggers email send

fail2ban-client set ssh banip


fail2ban-client set ssh unbanip

check a specific fail2ban chain

iptables -nvL f2b-sshd
fail2ban-client get dbpurgeage
fail2ban-client get dbfile

fail2ban will send mail using the MTA (mail transfer agent)

grep "mta =" /etc/fail2ban/jail.conf
mta = sendmail

File locations

global default config

  • /etc/fail2ban/jail.conf

will be override with this parameters Centralized Control file This is here we enable jails

  • /etc/fail2ban/jail.local


Htpasswd –c [password file name] [username]

htpasswd -c .htpasswd

Keepass (xc)

Is exists tree implementation of keepass

  • KeePass (2)
  • KeePassX
  • KeePassXC

Why KeepassXC over other implement ?

from the FAQ of KeePassXC

Question : Why KeePassXC instead of KeePass (2) ?

KeePass is a very proven and feature-rich password manager and there is nothing fundamentally wrong with it. However, it is written in C# and therefore requires Microsoft's .NET platform. On systems other than Windows, you can run KeePass using the Mono runtime libraries, but you won't get the native look and feel which you are used to. KeePassXC, on the other hand, is developed in C++ and runs natively on all platforms giving you the best-possible platform integration.

Question : Why KeePassXC instead of KeePassX?

KeePassX is an amazing password manager, but hasn't seen much active development for quite a while. Many good pull requests were never merged and the original project is missing some features which users can expect from a modern password manager. Hence, we decided to fork KeePassX to continue its development and provide you with everything you love about KeePassX plus many new features and bugfixes.

Check the latest commit date for KeePassX project

Common usage


merge database_1 database_2 into database_1

keepassxc-cli merge database_1 database_2
Successfully merged database_2 into database_1.


official doc

apparmor module is loaded.

results matching ""

    No results matching ""

    results matching ""

      No results matching ""