|
Size: 2834
Comment:
|
Size: 5252
Comment: Verifying hosts
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 5: | Line 5: |
| == Poor man's benchmark == Quick way to compare processing power of CPUs. {{{#!highlight sh numbers=off openssl speed sha1 }}} To test whether the CPU and installed version of OpenSSL can work with crypto acceleration (i.e. AES-NI): {{{#!highlight sh numbers=off openssl speed aes-256-cbc openssl speed -evp aes-256-cbc }}} throughput should be faster (bigger numbers) with the second command. |
|
| Line 7: | Line 24: |
| {{{#!highlight sh openssl req -nodes -new -keyout blah.key.pem -out blah.req.pem |
{{{#!highlight sh numbers=off # Create a key at the same time openssl req -nodes -new -keyout $DOMAIN.key.pem -out $DOMAIN.csr.pem # Use an existing key openssl req -nodes -new -key $DOMAIN.key.pem -out $DOMAIN.csr.pem |
| Line 11: | Line 31: |
| blah.key.pem will act as an `SSLCertificateKeyFile` for mod_ssl in Apache | $DOMAIN.key.pem will act as an `SSLCertificateKeyFile` for mod_ssl in Apache. == Create certificate request w/ SubjectAltName fields == SubjectAltName fields let a certificate apply to more than 1 domain. Unfortunately, OpenSSL does not allow to create these easily from the command line. Create a configuration file, $DOMAIN.conf: {{{#!highlight sh cat > $DOMAIN.conf << EOF [req] distinguished_name = req_distinguished_name req_extensions = req_ext [req_distinguished_name] countryName = Country Name (2 letter code) countryName_default = US stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = New York localityName = Locality Name (eg, city) localityName_default = New York City organizationalUnitName = Organizational Unit Name (eg, section) commonName = Common Name commonName_default = $DOMAIN commonName_max = 64 [req_ext] subjectAltName = @alt_names [alt_names] DNS.1 = $DOMAIN DNS.2 = www.$DOMAIN EOF }}} Then use this configuration file to create a CSR: {{{#!highlight sh numbers=off openssl req -nodes -new -key $DOMAIN.key.pem -out $DOMAIN.csr.pem -config $DOMAIN.conf }}} |
| Line 15: | Line 76: |
| {{{#!highlight sh openssl x509 -subject -dates -fingerprint -in blah.key.pem |
{{{#!highlight sh numbers=off openssl x509 -subject -dates -fingerprint -in $DOMAIN.key.pem |
| Line 21: | Line 82: |
| {{{#!highlight sh openssl genrsa -out blah.key.pem |
{{{#!highlight sh numbers=off # RSA key openssl genrsa -out $DOMAIN.key.pem 4096 # EC key (using prime256v1 curve) openssl ecparam -out $DOMAIN.key.pem -name prime256v1 -genkey |
| Line 27: | Line 91: |
| {{{#!highlight sh openssl x509 -in blah.crt.pem -noout -text |
{{{#!highlight sh numbers=off # For a certificate signing request openssl req -text -noout -in $DOMAIN.csr.pem # For a generated certificate openssl x509 -in $DOMAIN.crt.pem -noout -text |
| Line 33: | Line 100: |
| {{{#!highlight sh cat blah.key.pem blah.crt.pem blah.dhp.pem > blah.pem |
{{{#!highlight sh numbers=off cat $DOMAIN.key.pem $DOMAIN.crt.pem $DOMAIN.dhp.pem > $DOMAIN.pem |
| Line 41: | Line 108: |
| {{{#!highlight sh openssl pkcs12 -export -in blah.crt.pem -inkey blah.key.pem -out blah.p12 -name "Bill Gates" |
{{{#!highlight sh numbers=off openssl pkcs12 -export -in $DOMAIN.crt.pem -inkey $DOMAIN.key.pem -out blah.p12 -name "Bill Gates" |
| Line 49: | Line 116: |
| {{{#!highlight sh openssl smine -sign -in msg.txt -text -out msg.encrypted -signer blah.crt.pem -inkey blah.key.pem |
{{{#!highlight sh numbers=off openssl smine -sign -in msg.txt -text -out msg.encrypted -signer $DOMAIN.crt.pem -inkey $DOMAIN.key.pem |
| Line 59: | Line 126: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
| Line 65: | Line 132: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
| Line 73: | Line 140: |
| {{{#!highlight sh openssl ca -revoke blah.crt.pem |
{{{#!highlight sh numbers=off openssl ca -revoke $DOMAIN.crt.pem |
| Line 79: | Line 146: |
| {{{#!highlight sh openssl ca -gencrl -out crl/hotnudiegirls.com-CA.crl |
{{{#!highlight sh numbers=off openssl ca -gencrl -out crl/$DOMAIN-CA.crl |
| Line 85: | Line 152: |
| {{{#!highlight sh openssl ca -out blah.crt.pem -in blah.req.pem |
{{{#!highlight sh numbers=off openssl ca -out blah.crt.pem -in $DOMAIN.req.pem |
| Line 93: | Line 160: |
| {{{#!highlight sh openssl dhparam -out hotnudiegirls.com-CA.dhp.pem 1536 |
{{{#!highlight sh numbers=off openssl dhparam -out $DOMAIN-CA.dhp.pem 1536 |
| Line 99: | Line 166: |
| {{{#!highlight sh openssl req -new -x509 -key blah.key.pem -out blah.crt.pem |
{{{#!highlight sh numbers=off openssl req -new -x509 -key $DOMAIN.key.pem -out $DOMAIN.crt.pem |
| Line 109: | Line 176: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
| Line 115: | Line 182: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
| Line 118: | Line 185: |
= Verify hosts = {{{#!highlight sh # IMAP openssl s_client -connect localhost:993 -quiet > /dev/null # SMTP openssl s_client -connect localhost:465 -quiet > /dev/null # HTTP echo HEAD / | openssl s_client -connect localhost:443 -quiet > /dev/null }}} Depth (first line) should be 2, with a return value of 0. |
|
| Line 119: | Line 199: |
| CategoryCheetSheet | CategoryCheatSheet |
End-user stuff
Poor man's benchmark
Quick way to compare processing power of CPUs.
openssl speed sha1
To test whether the CPU and installed version of OpenSSL can work with crypto acceleration (i.e. AES-NI):
openssl speed aes-256-cbc
openssl speed -evp aes-256-cbc
throughput should be faster (bigger numbers) with the second command.
Create certificate request/unsigned key
# Create a key at the same time
openssl req -nodes -new -keyout $DOMAIN.key.pem -out $DOMAIN.csr.pem
# Use an existing key
openssl req -nodes -new -key $DOMAIN.key.pem -out $DOMAIN.csr.pem
$DOMAIN.key.pem will act as an SSLCertificateKeyFile for mod_ssl in Apache.
Create certificate request w/ SubjectAltName fields
SubjectAltName fields let a certificate apply to more than 1 domain. Unfortunately, OpenSSL does not allow to create these easily from the command line.
Create a configuration file, $DOMAIN.conf:
1 cat > $DOMAIN.conf << EOF
2
3 [req]
4 distinguished_name = req_distinguished_name
5 req_extensions = req_ext
6
7 [req_distinguished_name]
8 countryName = Country Name (2 letter code)
9 countryName_default = US
10 stateOrProvinceName = State or Province Name (full name)
11 stateOrProvinceName_default = New York
12 localityName = Locality Name (eg, city)
13 localityName_default = New York City
14 organizationalUnitName = Organizational Unit Name (eg, section)
15 commonName = Common Name
16 commonName_default = $DOMAIN
17 commonName_max = 64
18
19 [req_ext]
20 subjectAltName = @alt_names
21
22 [alt_names]
23 DNS.1 = $DOMAIN
24 DNS.2 = www.$DOMAIN
25
26 EOF
Then use this configuration file to create a CSR:
openssl req -nodes -new -key $DOMAIN.key.pem -out $DOMAIN.csr.pem -config $DOMAIN.conf
Show key fingerprint
openssl x509 -subject -dates -fingerprint -in $DOMAIN.key.pem
Generate key
# RSA key
openssl genrsa -out $DOMAIN.key.pem 4096
# EC key (using prime256v1 curve)
openssl ecparam -out $DOMAIN.key.pem -name prime256v1 -genkey
Display certificate information
# For a certificate signing request
openssl req -text -noout -in $DOMAIN.csr.pem
# For a generated certificate
openssl x509 -in $DOMAIN.crt.pem -noout -text
Creating a PEM file for servers
cat $DOMAIN.key.pem $DOMAIN.crt.pem $DOMAIN.dhp.pem > $DOMAIN.pem
Used by courier-imap, etc.
Creating a PKCS12-format file
openssl pkcs12 -export -in $DOMAIN.crt.pem -inkey $DOMAIN.key.pem -out blah.p12 -name "Bill Gates"
Used for creating certificates used in e-mail clients and web browsers
Signing e-mails
openssl smine -sign -in msg.txt -text -out msg.encrypted -signer $DOMAIN.crt.pem -inkey $DOMAIN.key.pem
Certificate Authority stuff
When setting up a new CA on a system, make sure index.txt and serial exist (empty and set to 01, respectively), and create directories private and newcert. Edit openssl.cnf - change default_days, certificate and private_key, possibly key size (1024, 1280, 1536, 2048) to whatever is desired.
Create CA certificate
openssl req -new -x509 -keyout private/something-CA.key.pem -out ./something-CA.crt.pem -days 3650
Export CA certificate in DER format
openssl x509 -in something-CA.crt.pem -outform der -out something-CA.crt
Used by web browsers.
Revoke certificate
openssl ca -revoke $DOMAIN.crt.pem
Generate Certificate Revocation List (CRL)
openssl ca -gencrl -out crl/$DOMAIN-CA.crl
Sign Certificate Request
openssl ca -out blah.crt.pem -in $DOMAIN.req.pem
blah.crt.pem acts as SSLCertificateFile for Apache
Create Diffie-Hoffman Parameters for Current CA
openssl dhparam -out $DOMAIN-CA.dhp.pem 1536
Create self-signed certificate from generated key
openssl req -new -x509 -key $DOMAIN.key.pem -out $DOMAIN.crt.pem
Use only when you've no CA and will only be generating one key/certificate (useless for anything that requires signed certificates on both ends)
Command-line tricks
Simple file encryption
openssl enc -bf -A -in file_to_encrypt.txt
Simple file decryption
openssl enc -bf -d -A -in file_to_encrypt.txt
Verify hosts
Depth (first line) should be 2, with a return value of 0.
