Introduction
OpenSSL can generate the TLS (Transport Layer Security) private keys and CSRs (Certificate Signing Requests)
you need to obtain certificates for encryption in transit, for example HTTPS on a web server
or SMTPS & IMAP on a mail server.
OpenSSL 1.1.1 (or later) is recommended; it ships with the current releases of the
popular LTS (Long Term Support) Linux distributions.
To confirm which OpenSSL version is installed, and optionally benchmark the hash and RSA key sizes used below:
openssl version
e.g. OpenSSL 1.1.1d  10 Sep 2019
openssl speed sha256 sha512 rsa2048 rsa3072 rsa4096
1. Generate private keys
Change directory to your certificate folder, e.g.:
cd /etc/ssl/
Then generate an RSA key (3072 bits) and/or an EC key (P-384 curve):
openssl genrsa -out example.rsa.key 3072
openssl ecparam -genkey -name secp384r1 -noout -out example.ec.key
2. Create CSRs
a) Using an OpenSSL config file:
e.g. example.cnf
[ req ]
default_bits = 3072
default_md = sha384
# default_keyfile = example.key
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName = "AU"                          # C=
stateOrProvinceName = "NSW"                 # ST=
localityName = "Lane Cove"                  # L=
organizationName = "Example Company"        # O=
organizationalUnitName = "Network Operations" # OU=
commonName = "www.example.com"              # CN=
# commonName = "*.example.com"              # CN= (Wildcard)
emailAddress = "alias@example.com"

[ v3_req ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.example.com                     # hostname
# DNS.1 = *.example.com                     # wildcard
DNS.2 = example.com                         # "naked" domain
# DNS.3 = webmail.example.com               # SAN
openssl req -new -config example.cnf -key example.rsa.key -out example.rsa.csr
openssl req -new -config example.cnf -key example.ec.key -out example.ec.csr
b) Using command-line options (-subj and -addext; -addext requires OpenSSL 1.1.1 or later):
A backslash at the end of a line inside the double quotes continues the subject string on the next line.
openssl req -new -subj "\
/C=AU\
/ST=NSW\
/L=Lane Cove\
/O=Example Company\
/OU=Network Operations\
/CN=www.example.com\
/emailAddress=alias@example.com" \
  -addext "subjectAltName = DNS:www.example.com,DNS:example.com" \
  -sha384 \
  -key example.rsa.key -out example.rsa.csr
openssl req -new -subj "/C=AU/ST=NSW/L=Lane Cove/O=Example Company/OU=Network Operations/CN=www.example.com/emailAddress=alias@example.com" \
  -addext "subjectAltName = DNS:www.example.com,DNS:example.com" \
  -sha384 \
  -key example.ec.key -out example.ec.csr
3. Check CSRs
openssl req -noout -text -in example.rsa.csr
openssl req -noout -text -in example.ec.csr
e.g.
X509v3 Subject Alternative Name:
    DNS:www.example.com, DNS:example.com
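The three steps above (generate a key, create a CSR with a SAN list, inspect it) as one script that also checks the CSR before it goes to a CA. This is an added example, not code from the original post: it verifies the CSR's self-signature with openssl req -verify (proof that the request was signed with the private key you hold), confirms the CN, and confirms that every intended SAN is present, so a mistyped hostname is caught before the CA issues a certificate you would have to reissue. The file names, the config contents and the work directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): generate an EC key, build a CSR
# from a config file carrying a SAN list, then check the CSR before submitting it.
# File names, the config contents and the work directory are assumptions.
set -eu

# make_csr DIR: writes key, config and CSR into DIR and prints the CSR path.
make_csr() {
    dir="$1"
    mkdir -p "$dir"
    # ECDSA P-384 key, as in the ecparam command above (-noout: no EC params block).
    openssl ecparam -genkey -name secp384r1 -noout -out "$dir/example.ec.key"
    # Minimal config: prompt = no takes the DN from the file, SANs come via v3_req.
    cat > "$dir/example.cnf" <<'EOF'
[ req ]
default_md = sha384
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
C = AU
O = Example Company
CN = www.example.com
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.example.com
DNS.2 = example.com
EOF
    openssl req -new -config "$dir/example.cnf" -key "$dir/example.ec.key" \
        -out "$dir/example.ec.csr"
    printf '%s\n' "$dir/example.ec.csr"
}

# csr_sans CSR: prints the SAN entries of a CSR one per line, e.g. "DNS:www.example.com".
# The value line follows the "X509v3 Subject Alternative Name:" header in -text output.
csr_sans() {
    openssl req -noout -text -in "$1" \
        | awk '/X509v3 Subject Alternative Name/ { getline; gsub(/^[ \t]+/, ""); print }' \
        | tr ',' '\n' | sed 's/^[ \t]*//'
}

# check_csr CSR EXPECTED_CN EXPECTED_SAN...: returns 0 when the CSR's self-signature
# verifies, the subject CN matches and every expected DNS SAN is present.
check_csr() {
    csr="$1"; cn="$2"; shift 2
    # -verify checks the proof-of-possession signature made with the private key.
    openssl req -noout -verify -in "$csr" >/dev/null 2>&1 || return 1
    openssl req -noout -subject -in "$csr" | grep -q "CN *= *$cn" || return 1
    sans=$(csr_sans "$csr")
    for want in "$@"; do
        printf '%s\n' "$sans" | grep -qx "DNS:$want" || return 1
    done
    return 0
}
```

Run it as: csr=$(make_csr /tmp/csr-demo) and then check_csr "$csr" www.example.com www.example.com example.com; a non-zero exit means the request is not what you intended and should not be submitted.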
4. Check issued certificate
To check certificate contents, including the serial number and SHA-256 fingerprint:
openssl x509 -noout -text -serial -fingerprint -sha256 -in example.crt
To list every certificate in the CA bundle (the intermediate chain supplied by the CA):
openssl crl2pkcs7 -nocrl -certfile example.ca-bundle | openssl pkcs7 -print_certs -noout -text
To find the certificate's OCSP responder URL:
openssl x509 -in example.crt -noout -ocsp_uri
e.g. http://ocsp.usertrust.com
To query that responder for the certificate's revocation status:
openssl ocsp -no_nonce -issuer example.ca-bundle -VAfile example.ca-bundle -cert example.crt -url http://ocsp.usertrust.com
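Beyond printing the certificate, an added example (not from the original post) of the checks worth scripting when a certificate comes back from the CA: that its public key matches the private key you generated, that it chains to the issuer bundle, that the SANs you requested survived issuance, and that it is not about to expire. A public CA cannot be called offline, so the script stands up a throw-away self-signed test CA and issues the certificate itself; the checks are the same ones you would run against example.crt and example.ca-bundle. The OCSP query above is not covered, and all names, paths and the config contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): issue a certificate from a throw-away
# test CA, then run the checks you would apply to a certificate a public CA returned.
# Directory, file names and the CA config are assumptions for the demo.
set -eu

# make_test_ca DIR: creates a self-signed CA (stands in for the CA bundle a real CA
# ships) plus a leaf key and a CSR carrying a SAN extension.
make_test_ca() {
    dir="$1"
    mkdir -p "$dir"
    openssl ecparam -genkey -name secp384r1 -noout -out "$dir/ca.key"
    # The root must carry basicConstraints CA:TRUE, or openssl verify will not accept it.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = ca_dn
x509_extensions = v3_ca
[ ca_dn ]
C = AU
O = Example Company
CN = Example Test Root
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -sha384 -days 30 -config "$dir/ca.cnf" \
        -key "$dir/ca.key" -out "$dir/ca.crt"
    openssl ecparam -genkey -name secp384r1 -noout -out "$dir/example.ec.key"
    openssl req -new -sha384 -key "$dir/example.ec.key" \
        -subj "/C=AU/O=Example Company/CN=www.example.com" \
        -addext "subjectAltName = DNS:www.example.com,DNS:example.com" \
        -out "$dir/example.ec.csr"
}

# issue_cert DIR: signs the CSR with the test CA and prints the certificate path.
# The extfile carries the SANs because openssl x509 -req does not copy extensions
# from the CSR; a real CA likewise decides which requested SANs it issues.
issue_cert() {
    dir="$1"
    printf '%s\n' "basicConstraints = CA:FALSE" \
        "keyUsage = critical, digitalSignature" \
        "extendedKeyUsage = serverAuth" \
        "subjectAltName = DNS:www.example.com,DNS:example.com" > "$dir/leaf.ext"
    openssl x509 -req -sha384 -days 30 -in "$dir/example.ec.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/example.crt" 2>/dev/null
    printf '%s\n' "$dir/example.crt"
}

# cert_matches_key CERT KEY: 0 when the certificate's public key is the key's public key
# (compared as SHA-256 digests of the DER-encoded SubjectPublicKeyInfo).
cert_matches_key() {
    a=$(openssl x509 -noout -pubkey -in "$1" | openssl pkey -pubin -outform DER | openssl sha256)
    b=$(openssl pkey -pubout -in "$2" -outform DER | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# chain_verifies CERT CA_BUNDLE: 0 when CERT chains to a trusted root in CA_BUNDLE.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_sans CERT: SAN entries of an issued certificate, one per line.
cert_sans() {
    openssl x509 -noout -text -in "$1" \
        | awk '/X509v3 Subject Alternative Name/ { getline; gsub(/^[ \t]+/, ""); print }' \
        | tr ',' '\n' | sed 's/^[ \t]*//'
}

# cert_not_expiring_within CERT SECONDS: 0 unless the certificate expires within SECONDS.
cert_not_expiring_within() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}
```

For a real certificate, substitute example.crt, example.ec.key and example.ca-bundle for the demo files; cert_not_expiring_within with 30 days in seconds (2592000) is a reasonable renewal-alert threshold to run from cron.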
Resources:
Wikipedia: Transport Layer Security (TLS) including deprecated Secure Sockets Layer (SSL)
- Wikipedia: OpenSSL
- OpenSSL
- OpenSSL 1.1.1 Series Release Notes
- Vulnerabilities
- CVE Details: Security Vulnerabilities Shows scores
- commands e.g. crl2pkcs7, ecparam, genrsa, ocsp, req, x509
- config
- OpenSSL Binaries e.g. Win 64
- Feisty Duck: OpenSSL Cookbook
- Wikipedia: Comparison of SHA functions SHA-384 provides better resistance against length extension attacks
Wikipedia: Public key certificate
- Certificate Signing Request (CSR)
- X.509 most common format
- Subject Alternative Name (SAN), also known as Unified Communications Certificates (UCC)
- Wildcard certificate
- Server Name Indication (SNI)
- DNS Certificate Authority Authorisation (CAA)
- Online Certificate Status Protocol (OCSP)
- Certificate Authority (CA)
- Extended Validation Certificate: Removal of special UI indicators (EV) green bar
- Troy Hunt: Extended Validation Certificates: End of life
Sectigo: Notices e.g. Privacy Policy, Certificate Practice Statement & Certificate Subscriber Agreement
- DNS Checker: CAA
- Sectigo Chain Hierarchy and Intermediate Roots
- ECC Compatibility
- Elliptic Curve Cryptography (ECC)
- Safe Curves e.g. TLS 1.3 Additions
- Curve25519 P-256 alternative
- Curve448 (Goldilocks)
Sectigo: Certificate Transparency log
- Censys Certificate search
- Facebook: Certificate Transparency Monitor Subscribe to track changes
- Certificate Tools: OCSP Checker
- End of Life for 3-Year OV & DV Certificates
- Common CA Database: Mozilla Included CA Certificate List (CCADB)
- Wikipedia: CA/Browser Forum
- CA/Browser Forum: Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates
Australian Business Register (ABR) ABN (Australian Business Number) lookup
- Wikipedia: Data Universal Numbering System (DUNS)
- DUNS search e.g. Using your ABN
- DUNS Number Obtain and/or update
- Wikipedia: Legal Entity Identifiers (LEI)
- LEI Search
- White Pages
- Yellow Pages
- ASIC: Certificate of the Registration of a Company Example
Sectigo: Certificate Installation - NGINX
- nginx: Configuring HTTPS servers - SSL certificate chains
- nginx: SSL Module - SSL Certificate directive
- Introducing NGINX 1.12 and 1.13 (Apr 17) New features include: Dual-stack RSA/ECC certificates
- SSL Labs: Server Test For privacy, tick: Do not show the results on the boards
- DH (Diffie-Hellman) parameters
- CAA (Certification Authority Authorisation) DNS records
- Replace your Symantec SSL/TLS Certificates including DigiCert, Thawte, GeoTrust, and RapidSSL
- Bad SSL
Related links:
- Linux
- Windows Subsystem for Linux
- Cygwin
- Firewall
- Mail
- Encryption