
OpenSSL

OpenSSL/GPG

Generating Randomness

Generating Keys

Set some environment variables in a .env file (both scripts below `source` it):

# Domain the certificates are for. Also used as the prefix of the output
# file names (*.generalzero.org.csr/.crt/.p12), so a literal "*" ends up in
# the file name and has to be escaped or quoted in later shell commands.
DOMAIN=*.generalzero.org

# Optional. Common name (CN) for the certificate.
# If not set, the script defaults it to "*.$DOMAIN" (with the DOMAIN value
# above that would be "*.*.generalzero.org", so set it explicitly).
COMMON_NAME=generalzero.org

# Validity period of the certificates, in days (3650 is fine for a private
# root; it is unusually long for a leaf certificate)
NUM_OF_DAYS=3650

# Country name, 2 letters
COUNTRY="US"

# State or large administrative district
STATE="NY"

# City
LOCALITY="NY"

# Organization name, e.g. company
ORGANIZATION="GeneralZer0"

# Organizational unit, e.g. company sub-division or product name
# (not part of the SUBJECT the scripts build; add /OU=... there if needed)
ORGANIZATION_UNIT=""

Generating a Certificate Signed by the CA (and its .p12)

Requires root_ca.key and root_ca.crt from the CA script in the next section, plus a v3.ext extension template (subjectAltName etc.) containing the placeholder %%DOMAIN%%.

#!/bin/bash
# This script creates your server certificates and .p12 file for client authentication.
# Needs root_ca.key/root_ca.crt (see the CA script) and a v3.ext template whose
# %%DOMAIN%% placeholder is replaced with the common name.
# Based on the answer in StackOverflow: https://stackoverflow.com/a/43666288

set -e

if [ ! -f .env ]; then
    echo "Please provide .env file. See .env.dist for example." >&2
    exit 1
fi

source .env

COMMON_NAME=${COMMON_NAME:-*.$DOMAIN}

SUBJECT="/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORGANIZATION/CN=$COMMON_NAME"

echo "SUBJECT: $SUBJECT"

# Key + CSR. -nodes leaves server.key unencrypted on disk; protect or delete it afterwards.
openssl req -new -newkey rsa:4096 -sha256 -nodes -keyout server.key -subj "$SUBJECT" -out server.csr

# Fill the extension template in a private temp file rather than a fixed, predictable name in /tmp.
EXT_FILE=$(mktemp)
sed "s/%%DOMAIN%%/$COMMON_NAME/g" v3.ext > "$EXT_FILE"

# Sign the CSR with the root CA; -extfile is what puts the SAN on the certificate.
openssl x509 -req -in server.csr -CA root_ca.crt -CAkey root_ca.key -CAcreateserial \
    -out server.crt -days "$NUM_OF_DAYS" -sha256 -extfile "$EXT_FILE"
rm -f "$EXT_FILE"

# Create p12 file for client (prompts for an export password)
openssl pkcs12 -export -inkey server.key -in server.crt -certfile root_ca.crt -out "$DOMAIN.p12"

# move output files to final filenames (quoted: DOMAIN contains a literal "*")
mv server.csr "$DOMAIN.csr"
mv server.crt "$DOMAIN.crt"

Generating a CA and Key

#!/bin/bash
# This script creates your own root authority certificates.
# Based on the answer in StackOverflow: https://stackoverflow.com/a/43666288

set -e

if [ ! -f .env ]; then
    echo "Please provide .env file. See .env.dist for example." >&2
    exit 1
fi

source .env

SUBJECT="/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORGANIZATION/CN=$ORGANIZATION"

echo "SUBJECT: $SUBJECT"

# Root key and self-signed root certificate. genrsa writes root_ca.key unencrypted
# (add -aes256 to passphrase-protect it); it is the trust anchor for everything
# signed below, so keep it offline.
openssl genrsa -out root_ca.key 4096
openssl req -x509 -new -nodes -days "$NUM_OF_DAYS" -key root_ca.key -sha256 -out root_ca.crt -subj "$SUBJECT"

Testing the Client Certificate

Testing the .p12 directly (curl needs a TLS backend with PKCS#12 support; the password after the colon is visible to other users in the process list):

curl --insecure --cert-type P12 --cert \*.generalzero.org.p12:password https://test.example.org/

Testing with the key and certificate broken out of the .p12 as PEM files (the key lands on disk unencrypted because of -nodes, so remove it afterwards):

openssl pkcs12 -in \*.generalzero.org.p12 -out file.key.pem -nocerts -nodes
openssl pkcs12 -in \*.generalzero.org.p12 -out file.crt.pem -clcerts -nokeys
curl -E ./file.crt.pem --key ./file.key.pem -v -k https://test.example.org/

Both curl commands use --insecure/-k, which turns off verification of the server's certificate, so they only test the client side of the handshake. If the server's certificate was issued by the same root CA, replace it with --cacert root_ca.crt so both directions are verified.
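The whole procedure from the two scripts and the test above (CA, leaf certificates signed by it, .p12 export, client-certificate authentication), carried through as an added example. This is not the page's own code: the extension sections stand in for the page's unshown v3.ext, and it adds the checks the scripts skip (openssl verify with the intended purpose, the SAN being present, a scripted .p12 password and read-back) plus an mTLS handshake against a local openssl s_server that demands a client certificate, with a negative test that a client without one is refused. Names, paths, the loopback port 44330 and the password "changeit" are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the page's scripts): throw-away CA -> server cert + client cert
# with explicit X.509v3 extensions (these sections stand in for the page's unshown
# v3.ext), chain/purpose verification, a non-interactive .p12 round trip, and an
# mTLS handshake against a local `openssl s_server` that demands a client cert.
# Names, paths, the loopback port and the password "changeit" are assumptions.

write_cnf() {  # $1 = config path, $2 = DNS name for the server SAN
    cat > "$1" <<EOF
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
commonName = overridden-by-subj
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
authorityKeyIdentifier = keyid, issuer
[v3_client]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid, issuer
EOF
}

issue() {  # $1 = dir, $2 = file stem, $3 = CN, $4 = extension section to apply
    local d="$1" n="$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/openssl.cnf" \
        -subj "/O=Example Test CA/CN=$3" -keyout "$d/$n.key" -out "$d/$n.csr" || return 1
    openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -days 825 -sha256 -extfile "$d/openssl.cnf" -extensions "$4" -out "$d/$n.crt"
}

build_pki() {  # $1 = working dir, $2 = server DNS name; 0 only if every check passes
    local d="$1" host="$2"
    write_cnf "$d/openssl.cnf" "$host"
    openssl genrsa -out "$d/ca.key" 2048 || return 1
    openssl req -x509 -new -nodes -sha256 -days 3650 -key "$d/ca.key" -config "$d/openssl.cnf" \
        -extensions v3_ca -subj "/O=Example Test CA/CN=Example Test Root" -out "$d/ca.crt" || return 1
    issue "$d" server "$host" v3_server || return 1
    issue "$d" client test-client v3_client || return 1
    # Checks the page's scripts skip: the chain verifies for its intended purpose
    # and the server cert carries the SAN that clients actually match against.
    openssl verify -CAfile "$d/ca.crt" -purpose sslserver "$d/server.crt" || return 1
    openssl verify -CAfile "$d/ca.crt" -purpose sslclient "$d/client.crt" || return 1
    openssl x509 -in "$d/server.crt" -noout -text | grep -q "DNS:$host" || return 1
    # Export the client identity with a scripted password, then read it back.
    openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.crt" -certfile "$d/ca.crt" \
        -name test-client -passout pass:changeit -out "$d/client.p12" || return 1
    openssl pkcs12 -in "$d/client.p12" -passin pass:changeit -nokeys -clcerts \
        | openssl x509 -noout -subject | grep -q test-client
}

mtls_handshake() {  # $1 = dir, $2 = server DNS name, $3 = loopback port; 0 if mTLS behaves
    local d="$1" host="$2" port="$3" pid out i ok=1
    openssl s_server -accept "127.0.0.1:$port" -cert "$d/server.crt" -key "$d/server.key" \
        -CAfile "$d/ca.crt" -Verify 2 -www >/dev/null 2>&1 &
    pid=$!
    # Positive case: present the client cert; verify the server against our CA and its SAN.
    # TLS 1.2 is pinned so a rejected client cert aborts the handshake before s_client
    # prints its summary (in TLS 1.3 the server's verdict only arrives afterwards).
    for i in 1 2 3 4 5 6 7 8 9 10; do
        out=$(openssl s_client -connect "127.0.0.1:$port" -tls1_2 -servername "$host" \
                -verify_hostname "$host" -verify_return_error -CAfile "$d/ca.crt" \
                -cert "$d/client.crt" -key "$d/client.key" </dev/null 2>/dev/null) && { ok=0; break; }
        sleep 1  # server may still be starting
    done
    [ "$ok" -eq 0 ] && { printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' || ok=1; }
    # Negative case: the same server must refuse a client that presents no certificate.
    if [ "$ok" -eq 0 ] && openssl s_client -connect "127.0.0.1:$port" -tls1_2 \
            -CAfile "$d/ca.crt" </dev/null >/dev/null 2>&1; then
        ok=1
    fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    return "$ok"
}

if [ "${1-}" = demo ]; then  # ./this.sh demo
    dir=$(mktemp -d)
    build_pki "$dir" example.test && mtls_handshake "$dir" example.test 44330 && echo "mTLS OK in $dir"
fi
```

Run it as `./this.sh demo`; the functions are separate so build_pki can be reused with a real host name, and mtls_handshake doubles as a smoke test for any server/client pair issued by the same CA. The leaf certificates get 825 days, the CA keyCertSign-only key usage and pathlen:0, and the client certificate has no SAN because the server matches it by issuer, not by name.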

Signing Keys

Signing Files

Encrypting

TLS

Testing Specific SSL/TLS Versions:

Each flag forces a single protocol version; the handshake either completes (the server accepts that version) or fails with an alert. Add -servername so name-based virtual hosts present the right certificate, and redirect stdin from /dev/null so s_client exits instead of waiting for input. A failure is not always the server's verdict: -ssl2 was removed in OpenSSL 1.1.0, -ssl3 only exists in builds configured with enable-ssl3, -tls1_3 needs OpenSSL 1.1.1 or later, and OpenSSL 3.x refuses TLS 1.0/1.1 on the client side at its default security level ("no protocols available").

openssl s_client -connect example.com:443 -ssl2
openssl s_client -connect example.com:443 -ssl3
openssl s_client -connect example.com:443 -servername example.com -tls1 </dev/null
openssl s_client -connect example.com:443 -servername example.com -tls1_1 </dev/null
openssl s_client -connect example.com:443 -servername example.com -tls1_2 </dev/null
openssl s_client -connect example.com:443 -servername example.com -tls1_3 </dev/null

NULL (unencrypted) cipher check. -cipher only governs TLS 1.2 and older suites (TLS 1.3 suites are set with -ciphersuites), so pin -tls1_2 or a successful TLS 1.3 connection with a real cipher looks like "NULL accepted". If OpenSSL reports no ciphers available, its default security level is refusing to offer NULL suites; append @SECLEVEL=0 to the cipher string for the test. The server has accepted it only if the output shows "Cipher is NULL-SHA":

openssl s_client -connect example.com:443 -cipher NULL-SHA
openssl s_client -connect example.com:443 -servername example.com -tls1_2 -cipher 'NULL-SHA:@SECLEVEL=0' </dev/null