1.openssl 2.Testing 3.Best Practices last
1.openssl
1.1.Key and Cerificate Management
- Run a web server that supports SSL:
- generate a strong private key,
- create a Certificate Signing Request(CSR) and send it to a CA,
- install the CA-provided certificate in web server.
- Key Generation:RSA
openssl genrsa -out argor.key
See a Key's structure:
openssl rsa -text -in argor.key
Get the public part of a key separately:
openssl rsa -in argor.key -pubout
- Key Generation:DSA
openssl dsaparam -genkey | openssl dsa -out dsa.key
DSA key generation is a two-step process: DSA parameters are created in the first step and the key in the second.
- Key Generation:ECDSA
openssl ecparam -genkey -name secp256r1 | openssl ec -out ec.key -aes128
- Creating Certificate Signing Requests:
openssl req -new -key rsa.key -out rsa.csr
If want a field to be empty, must enter a single dot on the line, rather than just hit Return.
- Signing Certificates
openssl x509 -req -days -in rsa.csr -signkey rsa.key -out rsa.crt
openssl req -new -x509 -days -key rsa.key -out rsa2.crtSee a CRT's structure:
openssl x509 -text -in rsa.crt
openssl x509 -text -in rsa2.crt - Key and Certificate Conversion
- The most common formats are:
- Binary(DER) certificate,
- ASCII(PEM) certificate(s),
- Binary(DER) key (called PKCS#8),
- ASCII(PEM) key,
- PKCS#7 certificate(s),
- PKCS#12 (PFX) key and certificate(s),
- PEM & DER Conversion
openssl x509 -inform PEM -in rsa.pem -outform DER -out rsa.der
openssl x509 -inform DER -in rsa.der -outform PEM -out rsa.pem - PKCS#12(pfx) Conversion
- PKCS#7 Conversion
- The most common formats are:
1.2.Configuration
- Cipher Suite Selection
- Performance
1.3.Creating a Private Certification Authority
- Creating a Root CA:
- Setp: configuration, creation of a directory structure and initialization of the key files, and finally generation of the root key and certificate.
- Root CA Configuration:
- Root CA Directory Structure
mkdir root-ca
cd root-ca
mkdir certs db private
chmod private
touch db/index
openssl rand -hex > db/serial
echo > db/crlnumber - Root CA Generation
$ openssl req -new -config root-ca.conf -keyout private/root-ca.key -out root-ca.csr
$ openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_extTake two steps to create the root CA. First, we generate the key and the CSR. All the necessary information will be picked uo from the configuration file when wu use the -config swith.
In the second step, we create a self-signed certificate. The -extentions that are appropriate fro a root CA.
- Root CA Operations
- Create a Certificate for OCSP Signing
- Creating a Subordinate CA:
- Subordinate CA Configuration
- Subordinate CA Generation
openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout private/sub-ca.key
openssl ca -config root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_extFirst, we generate the key and the CSR. All the necessary information will be picked up from the configuration file when use the -config switch.
In the second stop, we get the root CA to issue a certificate.
- Subordinate CA Operations
openssl ca -config sub-ca.conf -in server.csr -out server.crt -extensions server_ext
openssl ca -config sub-ca.conf -in client.csr -out client.crt -extensions client_ext
2.Testing
2.1.Connecting to SSL Services
2.2.Testing Protocols that Upgrade to SSL
2.3.Using Different Handshake Formats
2.4.Extracting Remote Certificates
2.5.Testing Protocol Support
2.6.Testing Cipher Suite Support
2.7.Testing Servers that Require SNI
2.8.Testing Session Reuse
2.9.Checking OCSP Revocation
2.10.Testing OCSP Stapling
2.11.Checking CRL Revocation
2.12.Testing Renegotiation
2.13.Testing for the BEAST Vulnerability
2.14.Testing for heartbleed
2.15.Determining the Strength of Diffie-Hellman Parameters
3.Best Practices
3.1.Private Key and Certificate
3.2.Configuration
3.3.Performance
3.4.HTTP and Application Security
openssl .