1.openssl 2.Testing 3.Best Practices last
1.openssl
1.1.Key and Cerificate Management
- Run a web server that supports SSL:
- generate a strong private key,
- create a Certificate Signing Request(CSR) and send it to a CA,
- install the CA-provided certificate in web server.
- Key Generation:RSA
View Codeopenssl genrsa -out argor.key
See a Key's structure:
View Codeopenssl rsa -text -in argor.keyGet the public part of a key separately:
View Codeopenssl rsa -in argor.key -pubout - Key Generation:DSA
View Code
openssl dsaparam -genkey 2048 | openssl dsa -out dsa.keyDSA key generation is a two-step process: DSA parameters are created in the first step and the key in the second.
- Key Generation:ECDSA
View Code
openssl ecparam -genkey -name secp256r1 | openssl ec -out ec.key -aes128
- Creating Certificate Signing Requests:
View Code
openssl req -new -key rsa.key -out rsa.csr
If want a field to be empty, must enter a single dot on the line, rather than just hit Return.
- Signing Certificates
View Code
openssl x509 -req -days 1000 -in rsa.csr -signkey rsa.key -out rsa.crt openssl req -new -x509 -days 1000 -key rsa.key -out rsa2.crt
See a CRT's structure:
View Codeopenssl x509 -text -in rsa.crt openssl x509 -text -in rsa2.crt
- Key and Certificate Conversion
- The most common formats are:
- Binary(DER) certificate,
- ASCII(PEM) certificate(s),
- Binary(DER) key (called PKCS#8),
- ASCII(PEM) key,
- PKCS#7 certificate(s),
- PKCS#12 (PFX) key and certificate(s),
- PEM & DER Conversion
View Code
openssl x509 -inform PEM -in rsa.pem -outform DER -out rsa.der openssl x509 -inform DER -in rsa.der -outform PEM -out rsa.pem
- PKCS#12(pfx) Conversion
- PKCS#7 Conversion
- The most common formats are:
1.2.Configuration
- Cipher Suite Selection
- Performance
1.3.Creating a Private Certification Authority
- Creating a Root CA:
- Setp: configuration, creation of a directory structure and initialization of the key files, and finally generation of the root key and certificate.
- Root CA Configuration:
- Root CA Directory Structure
View Code
mkdir root-ca cd root-ca mkdir certs db private chmod 700 private touch db/index openssl rand -hex 16 > db/serial echo 1001 > db/crlnumber
- Root CA Generation
View Code
$ openssl req -new -config root-ca.conf -keyout private/root-ca.key -out root-ca.csr $ openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext
Take two steps to create the root CA. First, we generate the key and the CSR. All the necessary information will be picked uo from the configuration file when wu use the -config swith.
In the second step, we create a self-signed certificate. The -extentions that are appropriate fro a root CA. - Root CA Operations
- Create a Certificate for OCSP Signing
- Creating a Subordinate CA:
- Subordinate CA Configuration
- Subordinate CA Generation
View Code
openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout private/sub-ca.key openssl ca -config root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext
First, we generate the key and the CSR. All the necessary information will be picked up from the configuration file when use the -config switch.
In the second stop, we get the root CA to issue a certificate. - Subordinate CA Operations
View Code
openssl ca -config sub-ca.conf -in server.csr -out server.crt -extensions server_ext openssl ca -config sub-ca.conf -in client.csr -out client.crt -extensions client_ext
2.Testing
2.1.Connecting to SSL Services
2.2.Testing Protocols that Upgrade to SSL
2.3.Using Different Handshake Formats
2.4.Extracting Remote Certificates
2.5.Testing Protocol Support
2.6.Testing Cipher Suite Support
2.7.Testing Servers that Require SNI
2.8.Testing Session Reuse
2.9.Checking OCSP Revocation
2.10.Testing OCSP Stapling
2.11.Checking CRL Revocation
2.12.Testing Renegotiation
2.13.Testing for the BEAST Vulnerability
2.14.Testing for heartbleed
2.15.Determining the Strength of Diffie-Hellman Parameters
3.Best Practices
3.1.Private Key and Certificate
3.2.Configuration
3.3.Performance
3.4.HTTP and Application Security
openssl .