diff --git a/in/public/openssl/ca.rst b/in/public/openssl/ca.rst
new file mode 100644
index 0000000..3426657
--- /dev/null
+++ b/in/public/openssl/ca.rst
@@ -0,0 +1,111 @@
+Create a Certification Authority
+================================
+
+init
+----
+
+.. code:: shell
+
+ rm --force --recursive "demoCA"
+ mkdir --parents "demoCA/newcerts"
+ echo -n "" > "demoCA/index.txt"
+ echo "00" > "demoCA/serial"
+
+request
+-------
+
+.. code:: shell
+
+ echo -n "\
+ US
+ Region / County (code)
+ City / Place
+ Decreasing / Hierarchy
+ Name
+ Name
+ alias@domain.tld
+ .
+ .
+ " \
+ | \
+ openssl \
+ req \
+ -new \
+ -key "name.pem" \
+ -out "name.csr" \
+ -utf8 \
+
+signature
+---------
+
+.. code:: shell
+
+ openssl \
+ ca \
+ -selfsign \
+ -in "name.csr" \
+ -keyfile "name.pem" \
+ -notext \
+ -out "name.crt" \
+ -startdate 20160801000000Z \
+ -enddate 20180801000000Z \
+ -batch \
+ -extensions "v3_ca" \
+
+----
+
+quick & dirty variant
+---------------------
+
+.. code:: shell
+
+ openssl \
+ ca \
+ -selfsign \
+ -keyfile "private_key.pem" \
+
+----
+
+dirtier certificate only variant
+--------------------------------
+
+.. code:: shell
+
+ openssl \
+ req \
+ -new \
+ -x509 \
+ -days 365 \
+ -key ca.key \
+ -out ca.crt
+
+Sign request
+============
+
+.. code:: shell
+
+ openssl \
+ req \
+ -in "certificate_request.csr" \
+ -key "private_key.pem" \
+ -x509 \
+ -set_serial 0 \
+ -days 730 \
+ -out "certificate.crt" \
+
+----
+
+from CA key & certificate
+-------------------------
+
+.. code:: shell
+
+ openssl \
+ x509 \
+ -CA ca.crt \
+ -CAkey ca.key \
+ -req \
+ -in "client.csr" \
+ -days 365 \
+ -out "client.crt" \
+ -set_serial nn
diff --git a/in/public/openssl/dispatch.rst b/in/public/openssl/dispatch.rst
new file mode 100644
index 0000000..23959f3
--- /dev/null
+++ b/in/public/openssl/dispatch.rst
@@ -0,0 +1,150 @@
+List secure ciphers
+===================
+
+.. code:: shell
+
+ openssl ciphers ALL \
+ | sed "s/:/\n/g" \
+ | grep "\(TLS\|ECDHE\)" \
+ | grep "\(POLY1305\|GCM\)" \
+ | grep --invert-match "\(DSA\|PSK\|128\)"
+
+Select cipher suites
+====================
+
+* /etc/ssl/openssl.cnf
+
+::
+
+ [system_default_sect]
+ CipherSuites="TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384"
+
+List curves
+===========
+
+.. code:: shell
+
+ openssl ecparam -list_curves
+
+Generate DHparam file
+=====================
+
+.. code:: shell
+
+ openssl dhparam -out dhparam 4096
+
+Generate private key
+====================
+
+RSA
+---
+
+.. code:: shell
+
+ openssl \
+ genrsa \
+ -out "private_key.pem" \
+ 4096
+
+Human readable:
+
+.. code:: shell
+
+ openssl \
+ rsa \
+ -in "private_key.pem" \
+ -text \
+ -noout \
+ > "private_key.txt"
+
+ED25519
+-------
+
+.. code:: shell
+
+ openssl \
+ genpkey \
+ -algorithm ED25519 \
+ > "private_key.pem"
+
+Human readable:
+
+.. code:: shell
+
+ openssl \
+ pkey \
+ -in "private_key.pem" \
+ -text \
+ -noout \
+ > "private_key.txt"
+
+Generate a certificate request
+==============================
+
+* generate a private key
+
+* using . for empty fields, generate the request with:
+
+ * Country Name (2 letter code)
+ * State or Province Name (full name)
+ * Locality Name (eg, city)
+ * Organization Name (eg, company)
+ * Organizational Unit Name (eg, section)
+ * Common Name (e.g. server FQDN or YOUR name)
+ * Email Address
+ * A challenge password
+ * An optional company name
+
+.. code:: shell
+
+ echo -n "\
+ US
+ Region / County (code)
+ City / Place
+ Group / Management / Unit
+ Section
+ certificate_name
+ alias@domain.tld
+ .
+ .
+ " \
+ | \
+ openssl \
+ req \
+ -new \
+ -utf8 \
+ -key "private_key.pem" \
+ -out "certificate_request.csr" \
+ -addext "subjectAltName=DNS:*.domain.tld,DNS:*.sub.domain.tld"
+
+.. warning:: must staple, problems with nginx and apache
+
+.. code:: shell
+
+ -addext "tlsfeature=status_request"
+
+Human readable:
+
+.. code:: shell
+
+ openssl \
+ req \
+ -in "certificate_request.csr" \
+ -text \
+ -noout \
+ > "certificate_request.txt"
+
+Export client P12/PFX
+=====================
+
+* client private key
+* client certificate
+
+.. code:: shell
+
+ openssl \
+ pkcs12 \
+ -export \
+ -out client.pfx \
+ -inkey client.key \
+ -in client.crt
diff --git a/in/public/openssl/index.rst b/in/public/openssl/index.rst
index 1d9f932..a011457 100644
--- a/in/public/openssl/index.rst
+++ b/in/public/openssl/index.rst
@@ -1,266 +1,7 @@ -####### -OpenSSL -####### +openssl +======= -List secure ciphers -=================== +.. toctree:: -.. code:: shell - - openssl ciphers ALL \ - | sed "s/:/\n/g" \ - | grep "\(TLS\|ECDHE\)" \ - | grep "\(POLY1305\|GCM\)" \ - | grep --invert-match "\(DSA\|PSK\|128\)" - -Select cipher suites -==================== - -* /etc/ssl/openssl.cnf - -:: - - [system_default_sect] - CipherSuites="TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384" - -List curves -=========== - -.. code:: shell - - openssl ecparam -list_curves - -Generate DHparam file -===================== - -.. code:: shell - - openssl dhparam -out dhparam 4096 - -Generate private key -==================== - -RSA ---- - -.. code:: shell - - openssl \ - genrsa \ - -out "private_key.pem" \ - 4096 - -Human readable: - -.. code:: shell - - openssl \ - rsa \ - -in "private_key.pem" \ - -text \ - -noout \ - > "private_key.txt" - -ED25519 -------- - -.. code:: shell - - openssl \ - genpkey \ - -algorithm ED25519 \ - > "private_key.pem" - -Human readable: - -.. code:: shell - - openssl \ - pkey \ - -in "private_key.pem" \ - -text \ - -noout \ - > "private_key.txt" - -Generate a certificate request -============================== - -* generate a private key - -* using . for empty fields, generate the request with: - - * Country Name (2 letter code) - * State or Province Name (full name) - * Locality Name (eg, city) - * Organization Name (eg, company) - * Organizational Unit Name (eg, section) - * Common Name (e.g. server FQDN or YOUR name) - * Email Address - * A challenge password - * An optional company name - -.. code:: shell - - echo -n "\ - US - Region / County (code) - City / Place - Group / Management / Unit - Section - certificate_name - alias@domain.tld - . - . - " \ - | \ - openssl \ - req \ - -new \ - -utf8 \ - -key "private_key.pem" \ - -out "certificate_request.csr" \ - -addext "subjectAltName=DNS:*.domain.tld,DNS:*.sub.domain.tld" - -.. 
warning:: must staple, problems with nginx and apache - -.. code:: shell - - -addext "tlsfeature=status_request" - -Human readable: - -.. code:: shell - - openssl \ - req \ - -in "certificate_request.csr" \ - -text \ - -noout \ - > "certificate_request.txt" - -Create a Certification Authority -================================ - -init ----- - -.. code:: shell - - rm --force --recursive "demoCA" - mkdir --parents "demoCA/newcerts" - echo -n "" > "demoCA/index.txt" - echo "00" > "demoCA/serial" - -request -------- - -.. code:: shell - - echo -n "\ - US - Region / County (code) - City / Place - Decreasing / Hierarchy - Name - Name - alias@domain.tld - . - . - " \ - | \ - openssl \ - req \ - -new \ - -key "name.pem" \ - -out "name.csr" \ - -utf8 \ - -signature ---------- - -.. code:: shell - - openssl \ - ca \ - -selfsign \ - -in "name.csr" \ - -keyfile "name.pem" \ - -notext \ - -out "name.crt" \ - -startdate 20160801000000Z \ - -enddate 20180801000000Z \ - -batch \ - -extensions "v3_ca" \ - ----- - -quick & dirty variant ---------------------- - -.. code:: shell - - openssl \ - ca \ - -selfsign \ - -keyfile "private_key.pem" \ - ----- - -dirtier certificate only variant --------------------------------- - -.. code:: shell - - openssl \ - req \ - -new \ - -x509 \ - -days 365 \ - -key ca.key \ - -out ca.crt - -Sign request -============ - -.. code:: shell - - openssl \ - req \ - -in "certificate_request.csr" \ - -key "private_key.pem" \ - -x509 \ - -set_serial 0 \ - -days 730 \ - -out "certificate.crt" \ - ----- - -from CA key & certificate -------------------------- - -.. code:: shell - - openssl \ - x509 \ - -CA ca.crt \ - -CAkey ca.key \ - -req \ - -in "client.csr" \ - -days 365 \ - -out "client.crt" \ - -set_serial nn - -Export client P12/PFX -===================== - -* client private key -* client certificate - -.. code:: shell - - openssl \ - pkcs12 \ - -export \ - -out client.pfx \ - -inkey client.key \ - -in client.crt + dispatch + ca