#######
OpenSSL
#######

List secure ciphers
===================

.. code:: shell

    openssl ciphers ALL \
    | sed "s/:/\n/g" \
    | grep "\(TLS\|ECDHE\)" \
    | grep --invert-match "\(DSA\|PSK\)" \
    | grep "\(POLY1305\|GCM\)"

Select cipher suites
====================

``CipherSuites`` only governs TLS 1.3; the list for TLS 1.2 and older is set separately with ``Ciphers``.

* /etc/ssl/openssl.cnf

  ::

      [system_default_sect]
      CipherSuites="TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256"

List curves
===========

.. code:: shell

    openssl ecparam -list_curves

Generate DHparam file
=====================

.. code:: shell

    openssl dhparam -out dhparam 4096

Generate private key
====================

RSA
---

.. code:: shell

    openssl \
    genrsa \
    -out "private_key.pem" \
    4096

Human readable:

.. code:: shell

    # the dump contains the full private key material: protect it like the key itself
    openssl \
    rsa \
    -in "private_key.pem" \
    -text \
    -noout \
    > "private_key.txt"

ED25519
-------

.. code:: shell

    openssl \
    genpkey \
    -algorithm ED25519 \
    > "private_key.pem"

Human readable:

.. code:: shell

    openssl \
    pkey \
    -in "private_key.pem" \
    -text \
    -noout \
    > "private_key.txt"

Generate a certificate request
==============================

* generate a private key
* using ``.`` for empty fields, generate the request with:

  * Country Name (2 letter code)
  * State or Province Name (full name)
  * Locality Name (eg, city)
  * Organization Name (eg, company)
  * Organizational Unit Name (eg, section)
  * Common Name (e.g. server FQDN or YOUR name)
  * Email Address
  * A challenge password
  * An optional company name

.. code:: shell

    # one answer per line, in the prompt order listed above
    echo -n "\
    US
    Region / County (code)
    City / Place
    Group / Management / Unit
    Section
    certificate_name
    alias@domain.tld
    .
    .
    " \
    | \
    openssl \
    req \
    -new \
    -utf8 \
    -key "private_key.pem" \
    -out "certificate_request.csr" \
    -addext "subjectAltName=DNS:domain.tld"   # -addext needs OpenSSL 1.1.1 or newer

Human readable:

.. code:: shell

    openssl \
    req \
    -in "certificate_request.csr" \
    -text \
    -noout \
    > "certificate_request.txt"

Create a Certification Authority
================================

init
----

.. code:: shell

    rm --force --recursive "demoCA"
    mkdir --parents "demoCA/newcerts"
    echo -n "" > "demoCA/index.txt"
    echo "00" > "demoCA/serial"

request
-------

.. code:: shell

    echo -n "\
    US
    Region / County (code)
    City / Place
    Decreasing / Hierarchy
    Name
    Name
    alias@domain.tld
    .
    .
    " \
    | \
    openssl \
    req \
    -new \
    -key "name.pem" \
    -out "name.csr" \
    -utf8

signature
---------

.. code:: shell

    openssl \
    ca \
    -selfsign \
    -in "name.csr" \
    -keyfile "name.pem" \
    -notext \
    -out "name.crt" \
    -startdate 20160801000000Z \
    -enddate 20180801000000Z \
    -batch \
    -extensions "v3_ca"

----

quick & dirty variant
---------------------

.. code:: shell

    # minimal form of the signature command above; the request still has to be
    # passed with -in "name.csr" and the certificate written with -out "name.crt"
    openssl \
    ca \
    -selfsign \
    -keyfile "private_key.pem"

Sign request
============

.. code:: shell

    # self-signs the request with its own key; note that req -x509 does not copy
    # extensions (such as the subjectAltName) from the request into the certificate
    openssl \
    req \
    -in "certificate_request.csr" \
    -key "private_key.pem" \
    -x509 \
    -set_serial 0 \
    -days 730 \
    -out "certificate.crt"

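The request and signing commands above write files but never check them. The script below is an added example, not part of the original page: it runs the same ``genpkey``, ``req -new -addext`` and ``req -x509`` steps on a throwaway Ed25519 key and then checks that the private key matches the certificate, that the subjectAltName survived signing, and that the certificate verifies. It assumes ``openssl`` 1.1.1 or newer on ``PATH``; the temporary directory, the file names and the host name ``example.invalid`` are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original page: run the key, request and
# self-sign steps above on a throwaway Ed25519 key, then check the result.
# Assumes openssl >= 1.1.1 on PATH; the work dir, file names and the host
# name "example.invalid" are constructed for this demo.
set -eu

WORK="${TMPDIR:-/tmp}/openssl-check.$$"
trap 'rm -rf "$WORK"' EXIT

# Key, request with a SAN, and a self-signed certificate from that request.
# The SAN is passed again when signing: "openssl req -x509 -in" does not
# carry extensions over from the request by default, so a certificate made
# exactly as in "Sign request" above would have no subjectAltName at all.
make_cert() {
  mkdir -p "$WORK"
  openssl genpkey -algorithm ED25519 -out "$WORK/key.pem"
  openssl req -new -utf8 -key "$WORK/key.pem" \
    -subj "/C=US/O=Example/CN=example.invalid" \
    -addext "subjectAltName=DNS:example.invalid" -out "$WORK/req.csr"
  openssl req -in "$WORK/req.csr" -key "$WORK/key.pem" -x509 \
    -set_serial 1 -days 365 \
    -addext "subjectAltName=DNS:example.invalid" -out "$WORK/cert.crt"
}

# 0 when the public key in CERT ($2) is the one derived from KEY ($1); a
# mismatched pair is the usual cause of handshake failures after a rollout.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# 0 when CERT ($1) lists DNS:NAME ($2) in subjectAltName; clients ignore
# the CN, so a certificate without the SAN is rejected for that host.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q -e "DNS:$2\$" -e "DNS:$2,"
}

# 0 when CERT ($1) validates against the CA file ($2); for a self-signed
# certificate both arguments are the same file.
cert_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
make_cert
key_matches_cert "$WORK/key.pem" "$WORK/cert.crt" && echo "ok: key matches certificate"
cert_has_san "$WORK/cert.crt" example.invalid && echo "ok: SAN present"
cert_verifies "$WORK/cert.crt" "$WORK/cert.crt" && echo "ok: certificate verifies"
```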