OpenSSL/GPG

Generating Randomness

Generating Keys

Set some environment variables in a .env file (the scripts below source it):

# Base domain to create certificates for.
DOMAIN="*.generalzero.org"

# Optional. The domain to create certificates for.
# If not specified, the common name will be "*.$DOMAIN".
COMMON_NAME="generalzero.org"

# Number of days until the certificates expire
NUM_OF_DAYS=3650

# Country name in 2 letters
COUNTRY="US"

# State or large administrative district
STATE="NY"

# City
LOCALITY="NY"

# Organization name, e.g. company
ORGANIZATION="GeneralZer0"

# Organizational unit, e.g. company sub-division or product name
ORGANIZATION_UNIT=""

Generating a CA and Key

#!/bin/bash
# This script creates your own root authority certificate and key.
# Based on the answer on StackOverflow: https://stackoverflow.com/a/43666288

if [ ! -f .env ]; then
  echo "Please provide .env file. See .env.dist for example."
  exit 1
fi
source .env

SUBJECT="/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORGANIZATION/CN=$ORGANIZATION"
echo "SUBJECT: $SUBJECT"

# 4096-bit RSA CA key, then a self-signed CA certificate valid for NUM_OF_DAYS
openssl genrsa -out root_ca.key 4096
openssl req -x509 -new -nodes -days "$NUM_OF_DAYS" -key root_ca.key -sha256 -out root_ca.crt -subj "$SUBJECT"

Generating a Client Certificate

#!/bin/bash
# This script creates your server certificate and a .p12 file for client authentication.
# Based on the answer on StackOverflow: https://stackoverflow.com/a/43666288
# Requires root_ca.crt and root_ca.key from the CA script above, plus a v3.ext
# extension file in which the placeholder %%DOMAIN%% is replaced with the common name.

if [ ! -f .env ]; then
  echo "Please provide .env file. See .env.dist for example."
  exit 1
fi
source .env

COMMON_NAME=${COMMON_NAME:-*.$DOMAIN}
SUBJECT="/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORGANIZATION/CN=$COMMON_NAME"
echo "SUBJECT: $SUBJECT"

# New 4096-bit key and a CSR for the server
openssl req -new -newkey rsa:4096 -sha256 -nodes -keyout server.key -subj "$SUBJECT" -out server.csr

# Fill the domain into the extension file and sign the CSR with the root CA.
# The /tmp path is predictable; on a shared host use mktemp instead.
sed "s/%%DOMAIN%%/$COMMON_NAME/g" v3.ext > /tmp/__v3.ext
openssl x509 -req -in server.csr -CA root_ca.crt -CAkey root_ca.key -CAcreateserial -out server.crt -days "$NUM_OF_DAYS" -sha256 -extfile /tmp/__v3.ext

# Create p12 file (key + cert + CA cert) for the client
openssl pkcs12 -export -inkey server.key -in server.crt -certfile root_ca.crt -out "$DOMAIN.p12"

# Move output files to final filenames
mv server.csr "$DOMAIN.csr"
cp server.crt "$DOMAIN.crt"

# Remove temp file
rm -f server.crt
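The CA and server-certificate steps above, run end to end in a scratch directory with the checks worth doing before trusting the output. This is an added example, not part of the original notes; the v3.ext contents and the example.test domain are my assumptions, since the page does not show that file.

```shell
#!/bin/bash
# Added example, not part of the original notes: runs the CA and server-cert
# steps from the scripts above in a scratch directory, supplies the v3.ext the
# scripts reference (its contents are my assumption; the page does not show it),
# and verifies the result. The domain is a constructed placeholder.
set -eu

DOMAIN="*.example.test"    # constructed placeholder, not a real host
DAYS=3650
WORK=$(mktemp -d)

make_ca() {
  openssl genrsa -out "$WORK/root_ca.key" 4096 2>/dev/null
  openssl req -x509 -new -nodes -days "$DAYS" -key "$WORK/root_ca.key" -sha256 \
    -subj "/C=US/ST=NY/L=NY/O=Example CA/CN=Example CA" -out "$WORK/root_ca.crt"
}

make_server_cert() {
  # Leaf-certificate extensions: browsers and curl ignore CN and match on
  # subjectAltName, so the wildcard must appear there as well.
  cat > "$WORK/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$DOMAIN,DNS:${DOMAIN#\*.}
EOF
  openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout "$WORK/server.key" \
    -subj "/CN=$DOMAIN" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/root_ca.crt" \
    -CAkey "$WORK/root_ca.key" -CAcreateserial -days "$DAYS" -sha256 \
    -extfile "$WORK/v3.ext" -out "$WORK/server.crt"
}

# Checks worth running before deploying: the leaf chains to the CA, the SAN
# carries the wildcard, and the leaf cannot itself sign certificates.
verify_chain()   { openssl verify -CAfile "$WORK/root_ca.crt" "$WORK/server.crt" >/dev/null; }
has_san()        { openssl x509 -in "$WORK/server.crt" -noout -ext subjectAltName | grep -F -- "DNS:$DOMAIN" >/dev/null; }
leaf_is_not_ca() { openssl x509 -in "$WORK/server.crt" -noout -ext basicConstraints | grep -F "CA:FALSE" >/dev/null; }

if command -v openssl >/dev/null 2>&1; then
  make_ca
  make_server_cert
  verify_chain && has_san && leaf_is_not_ca && echo "OK: verified artifacts in $WORK"
fi
```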

Testing the Client Certificate

Testing a p12 cert:

# --insecure skips verification of the server's certificate; when the server
# presents a certificate from the CA above, use --cacert root_ca.crt instead.
curl --insecure --cert-type P12 --cert \*.generalzero.org.p12:password https://test.example.org/

Testing with the cert and key broken out of the p12:

# Extract the private key (unencrypted) and the client certificate from the p12
openssl pkcs12 -in \*.generalzero.org.p12 -out file.key.pem -nocerts -nodes
openssl pkcs12 -in \*.generalzero.org.p12 -out file.crt.pem -clcerts -nokeys
curl -E ./file.crt.pem --key ./file.key.pem -v -k https://test.example.org/

Signing Keys

Signing Files

Encrypting

Misc Keys Commands

Show the algorithm and parameters of a private key:

>>> sudo openssl pkey -in /var/lib/sbctl/keys/db/db.key -text -noout
Private-Key: (4096 bit, 2 primes)
modulus:
    [...]

TLS

Testing whether a server accepts specific SSL/TLS versions (and a null cipher):

# A completed handshake means the server still offers that protocol version.
# -ssl2 and -ssl3 only work if the local OpenSSL build includes those protocols;
# recent builds reject the options.
openssl s_client -connect example.com:443 -ssl2
openssl s_client -connect example.com:443 -ssl3
openssl s_client -connect example.com:443 -tls1
openssl s_client -connect example.com:443 -tls1_1
openssl s_client -connect example.com:443 -tls1_2
openssl s_client -connect example.com:443 -tls1_3
# Checks whether the server accepts a cipher suite with no encryption
openssl s_client -connect example.com:443 -cipher NULL-SHA