1.openssl
1.1.Key and Certificate Management
- Run a web server that supports SSL:
- generate a strong private key,
- create a Certificate Signing Request(CSR) and send it to a CA,
- install the CA-provided certificate in web server.
- Key Generation:RSA
openssl genrsa -out argor.key
See a Key's structure:
openssl rsa -text -in argor.key
Get the public part of a key separately:
openssl rsa -in argor.key -pubout
- Key Generation:DSA
openssl dsaparam -genkey 2048 | openssl dsa -out dsa.key
DSA key generation is a two-step process: DSA parameters are created in the first step and the key in the second.
- Key Generation:ECDSA
openssl ecparam -genkey -name secp256r1 | openssl ec -out ec.key -aes128
- Creating Certificate Signing Requests:
openssl req -new -key rsa.key -out rsa.csr
If you want a field to be empty, you must enter a single dot (.) on the line, rather than just hitting Return.
- Signing Certificates
openssl x509 -req -days 1000 -in rsa.csr -signkey rsa.key -out rsa.crt
openssl req -new -x509 -days 1000 -key rsa.key -out rsa2.crt
See a CRT's structure:
openssl x509 -text -in rsa.crt
openssl x509 -text -in rsa2.crt
- Key and Certificate Conversion
- The most common formats are:
- Binary(DER) certificate,
- ASCII(PEM) certificate(s),
- Binary(DER) key (called PKCS#8),
- ASCII(PEM) key,
- PKCS#7 certificate(s),
- PKCS#12 (PFX) key and certificate(s),
- PEM & DER Conversion
openssl x509 -inform PEM -in rsa.pem -outform DER -out rsa.der
openssl x509 -inform DER -in rsa.der -outform PEM -out rsa.pem
- PKCS#12(pfx) Conversion
- PKCS#7 Conversion
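The key, CSR, signing and PEM/DER conversion commands above, run non-interactively as an added example (not part of the original notes). The file names, the 2048-bit key size and the subject passed with -subj are assumptions; the script checks that the key, the CSR and both self-signed certificates carry the same public key and that the DER round trip leaves the certificate unchanged.

```shell
#!/bin/sh
# Added example. File names, the 2048-bit size and the subject are constructed.
set -eu
SUBJ="/O=Example/CN=demo.example"   # -subj avoids the interactive prompts

# SHA-256 over the DER public key held in a key, CSR or certificate (PEM input).
pubkey_hash() {   # $1 = key|csr|crt   $2 = file
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
    esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 fingerprint of a certificate; $1 = PEM|DER, $2 = file.
cert_fp() {
    openssl x509 -inform "$1" -in "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# Run the page's commands non-interactively inside directory $1.
build_demo() (
    cd "$1"
    openssl genrsa -out demo.key 2048 2>/dev/null
    openssl req -new -key demo.key -subj "$SUBJ" -out demo.csr
    # Path 1: self-sign the existing CSR.
    openssl x509 -req -days 1000 -in demo.csr -signkey demo.key -out demo.crt 2>/dev/null
    # Path 2: skip the CSR and create the self-signed certificate directly.
    openssl req -new -x509 -days 1000 -key demo.key -subj "$SUBJ" -out demo2.crt
    # PEM -> DER -> PEM round trip.
    openssl x509 -inform PEM -in demo.crt -outform DER -out demo.der
    openssl x509 -inform DER -in demo.der -outform PEM -out demo.back.pem
)

# Succeeds only if every artifact carries the same public key and the
# certificate is unchanged by the format conversions.
check_demo() {
    k=$(pubkey_hash key "$1/demo.key")
    [ -n "$k" ] &&
    [ "$k" = "$(pubkey_hash csr "$1/demo.csr")" ] &&
    [ "$k" = "$(pubkey_hash crt "$1/demo.crt")" ] &&
    [ "$k" = "$(pubkey_hash crt "$1/demo2.crt")" ] &&
    [ "$(cert_fp PEM "$1/demo.crt")" = "$(cert_fp DER "$1/demo.der")" ] &&
    [ "$(cert_fp PEM "$1/demo.crt")" = "$(cert_fp PEM "$1/demo.back.pem")" ]
}

work=$(mktemp -d)
build_demo "$work"
check_demo "$work" && echo "key, CSR and both certificates match; DER round trip is lossless"
rm -rf "$work"
```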
1.2.Configuration
- Cipher Suite Selection
- Performance
1.3.Creating a Private Certification Authority
- Creating a Root CA:
- Steps: configuration, creation of a directory structure and initialization of the key files, and finally generation of the root key and certificate.
- Root CA Configuration:
- Root CA Directory Structure
mkdir root-ca
cd root-ca
mkdir certs db private
chmod 700 private
touch db/index
openssl rand -hex 16 > db/serial
echo 1001 > db/crlnumber
- Root CA Generation
$ openssl req -new -config root-ca.conf -keyout private/root-ca.key -out root-ca.csr
$ openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext
We take two steps to create the root CA. First, we generate the key and the CSR. All the necessary information will be picked up from the configuration file when we use the -config switch.
In the second step, we create a self-signed certificate. The -extensions switch selects the extensions (ca_ext) that are appropriate for a root CA.
- Root CA Operations
- Create a Certificate for OCSP Signing
- Creating a Subordinate CA:
- Subordinate CA Configuration
- Subordinate CA Generation
openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout private/sub-ca.key
openssl ca -config root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext
First, we generate the key and the CSR. All the necessary information will be picked up from the configuration file when we use the -config switch.
In the second step, we get the root CA to issue a certificate.
- Subordinate CA Operations
openssl ca -config sub-ca.conf -in server.csr -out server.crt -extensions server_ext
openssl ca -config sub-ca.conf -in client.csr -out client.crt -extensions client_ext
2.Testing
2.1.Connecting to SSL Services
2.2.Testing Protocols that Upgrade to SSL
2.3.Using Different Handshake Formats
2.4.Extracting Remote Certificates
2.5.Testing Protocol Support
2.6.Testing Cipher Suite Support
2.7.Testing Servers that Require SNI
2.8.Testing Session Reuse
2.9.Checking OCSP Revocation
2.10.Testing OCSP Stapling
2.11.Checking CRL Revocation
2.12.Testing Renegotiation
2.13.Testing for the BEAST Vulnerability
2.14.Testing for heartbleed
2.15.Determining the Strength of Diffie-Hellman Parameters
3.Best Practices
3.1.Private Key and Certificate
3.2.Configuration
3.3.Performance
3.4.HTTP and Application Security