openssl/split
This commit is contained in:
parent
7dd636cf1c
commit
89ae174833
3 changed files with 266 additions and 264 deletions
150
in/public/openssl/dispatch.rst
Normal file
@ -0,0 +1,150 @@
List secure ciphers
===================

.. code:: shell

openssl ciphers ALL \
| sed "s/:/\n/g" \
| grep "\(TLS\|ECDHE\)" \
| grep "\(POLY1305\|GCM\)" \
| grep --invert-match "\(DSA\|PSK\|128\)"

Select cipher suites
====================

* /etc/ssl/openssl.cnf

::

[system_default_sect]
CipherSuites="TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384"

List curves
===========

.. code:: shell

openssl ecparam -list_curves

Generate DHparam file
=====================

.. code:: shell

openssl dhparam -out dhparam 4096

Generate private key
====================

RSA
---

.. code:: shell

openssl \
genrsa \
-out "private_key.pem" \
4096

Human readable:

.. code:: shell

openssl \
rsa \
-in "private_key.pem" \
-text \
-noout \
> "private_key.txt"

ED25519
-------

.. code:: shell

openssl \
genpkey \
-algorithm ED25519 \
> "private_key.pem"

Human readable:

.. code:: shell

openssl \
pkey \
-in "private_key.pem" \
-text \
-noout \
> "private_key.txt"

Generate a certificate request
==============================

* generate a private key

* using . for empty fields, generate the request with:

* Country Name (2 letter code)
* State or Province Name (full name)
* Locality Name (eg, city)
* Organization Name (eg, company)
* Organizational Unit Name (eg, section)
* Common Name (e.g. server FQDN or YOUR name)
* Email Address
* A challenge password
* An optional company name

.. code:: shell

echo -n "\
US
Region / County (code)
City / Place
Group / Management / Unit
Section
certificate_name
alias@domain.tld
.
.
" \
| \
openssl \
req \
-new \
-utf8 \
-key "private_key.pem" \
-out "certificate_request.csr" \
-addext "subjectAltName=DNS:*.domain.tld,DNS:*.sub.domain.tld"

.. warning:: must staple, problems with nginx and apache

.. code:: shell

-addext "tlsfeature=status_request"

Human readable:

.. code:: shell

openssl \
req \
-in "certificate_request.csr" \
-text \
-noout \
> "certificate_request.txt"

Export client P12/PFX
=====================

* client private key
* client certificate

.. code:: shell

openssl \
pkcs12 \
-export \
-out client.pfx \
-inkey client.key \
-in client.crt
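Review bot: the "Select cipher suites" snippet consisting of `[system_default_sect]` and `CipherSuites="TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384"` is inert by itself; OpenSSL only honours that section when `/etc/ssl/openssl.cnf` wires it in through the `openssl_conf` / `ssl_conf` / `system_default` chain, so either show those lines or state that the section must already be referenced by the distribution's config. `CipherSuites` also governs TLS 1.3 only; the TLS 1.2 ECDHE/GCM/POLY1305 suites that the preceding `openssl ciphers` pipeline lists are selected with `CipherString` in the same section, so as written the two parts of the file do not connect. Separately, the `.. code:: shell` block that contains only `-addext "tlsfeature=status_request"` is a dangling fragment: say which command it extends (the preceding `openssl req` invocation) and spell out what the `must staple` warning means, namely that a certificate carrying this extension is rejected by clients whenever the server fails to staple an OCSP response, so a reader can tell whether the option is recommended or being cautioned against.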