openssl - cookbook

　1.openssl　　2.Testing　　3.Best Practices　　last

---

1.openssl

1.1.Key and Cerificate Management

• Run a web server that supports SSL:
  1. generate a strong private key,
  2. create a Certificate Signing Request(CSR) and send it to a CA,
  3. install the CA-provided certificate in web server.
• Key Generation:RSA

  openssl genrsa -out argor.key

  See a Key's structure:

  openssl rsa -text -in argor.key

  Get the public part of a key separately:

  openssl rsa -in argor.key -pubout

• Key Generation:DSA

  openssl dsaparam -genkey  | openssl dsa -out dsa.key

  DSA key generation is a two-step process: DSA parameters are created in the first step and the key in the second.

• Key Generation:ECDSA

  openssl ecparam -genkey -name secp256r1 | openssl ec -out ec.key -aes128

• Creating Certificate Signing Requests:

  openssl req -new -key rsa.key -out rsa.csr

  If want a field to be empty, must enter a single dot on the line, rather than just hit Return.

• Signing Certificates

  openssl x509 -req -days  -in rsa.csr -signkey rsa.key -out rsa.crt
  openssl req -new -x509 -days  -key rsa.key -out rsa2.crt

  See a CRT's structure:

  openssl x509 -text -in rsa.crt
  openssl x509 -text -in rsa2.crt

• Key and Certificate Conversion
  1. The most common formats are:
     1. Binary(DER) certificate,
     2. ASCII(PEM) certificate(s),
     3. Binary(DER) key (called PKCS#8),
     4. ASCII(PEM) key,
     5. PKCS#7 certificate(s),
     6. PKCS#12 (PFX) key and certificate(s),
  2. PEM & DER Conversion

     openssl x509 -inform PEM -in rsa.pem -outform DER -out rsa.der
     openssl x509 -inform DER -in rsa.der -outform PEM -out rsa.pem

  3. PKCS#12(pfx) Conversion
  4. PKCS#7 Conversion

1.2.Configuration

• Cipher Suite Selection
• Performance

1.3.Creating a Private Certification Authority

• Creating a Root CA:
  1. Setp: configuration, creation of a directory structure and initialization of the key files, and finally generation of the root key and certificate.
  2. Root CA Configuration:
  3. Root CA Directory Structure

     mkdir root-ca
     cd root-ca
     mkdir certs db private
     chmod  private
     touch db/index
     openssl rand -hex  > db/serial
     echo  > db/crlnumber

  4. Root CA Generation

     $ openssl req -new -config root-ca.conf -keyout private/root-ca.key -out root-ca.csr
     $ openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext

     Take two steps to create the root CA. First, we generate the key and the CSR. All the necessary information will be picked uo from the configuration file when wu use the -config swith.

     In the second step, we create a self-signed certificate. The -extentions  that are appropriate fro a root CA.

  5. Root CA Operations
  6. Create a Certificate for OCSP Signing
• Creating a Subordinate CA:
  1. Subordinate CA Configuration
  2. Subordinate CA Generation

     openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout private/sub-ca.key
     openssl ca -config root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext

     First, we generate the key and the CSR. All the necessary information will be picked up from the configuration file when use the -config switch.

     In the second stop, we get the root CA to issue a certificate.

  3. Subordinate CA Operations

     openssl ca -config sub-ca.conf -in server.csr -out server.crt -extensions server_ext
     openssl ca -config sub-ca.conf -in client.csr -out client.crt -extensions client_ext

2.Testing

2.1.Connecting to SSL Services

2.2.Testing Protocols that Upgrade to SSL

2.3.Using Different Handshake Formats

2.4.Extracting Remote Certificates

2.5.Testing Protocol Support

2.6.Testing Cipher Suite Support

2.7.Testing Servers that Require SNI

2.8.Testing Session Reuse

2.9.Checking OCSP Revocation

2.10.Testing OCSP Stapling

2.11.Checking CRL Revocation

2.12.Testing Renegotiation

2.13.Testing for the BEAST Vulnerability

2.14.Testing for heartbleed

2.15.Determining the Strength of Diffie-Hellman Parameters

3.Best Practices

3.1.Private Key and Certificate

3.2.Configuration

3.3.Performance

3.4.HTTP and Application Security

openssl .