Netro Support: TLS

OpenSSL is great for creating TLS (Transport Layer Security) private keys
and CSR's (Certificate Signing Requests) for enabling encryption in transit,
such as HTTPS, SMTPS & IMAP website and mail server network traffic etc.
OpenSSL 1.1.1 (or later) is recommended and available with the latest version of
popular LTS (Long Term Support) based Linux distributions.

To verify you are using the latest openssl version:

openssl version
OpenSSL 1.1.1d  10 Sep 2019

To compare various digest and cipher algorithm speed:
openssl speed sha256 sha512 rsa2048 rsa3072 rsa4096

1. Generate private keys
Change directory to your certificate folder, e.g.:

cd /etc/ssl/
openssl genrsa -out example.rsa.key 3072
openssl ecparam -genkey -name secp384r1 -noout -out

- If you are creating multiple certificates, use a different private key and filename for each one for security.
- Remember to backup your private keys to a safe onsite and offsite location.

2. Create CSR's
a) Using an OpenSSL config file:
e.g. example.cnf

[ req ]
default_bits		= 3072
default_md		= sha384
# default_keyfile	= example.key
prompt			= no
encrypt_key		= no
distinguished_name	= req_distinguished_name
req_extensions		= v3_req

[ req_distinguished_name ]
countryName		= "AU"			# C=
stateOrProvinceName	= "NSW"			# ST=
localityName		= "Lane Cove"		# L=
organizationName	= "Example Company"	# O=
organizationalUnitName	= "Network Operations"	# OU=
commonName		= ""	# CN=
# commonName		= "*"	# CN= (Wildcard)
emailAddress		= ""

[ v3_req ]
subjectAltName = @alt_names

DNS.1 			=	# hostname
# DNS.1			= *		# wildcard
DNS.2		 	=		# "naked" domain
# DNS.3			= 	# SAN

- Not all certificate authorities support SHA-384, they may issue certificate with SHA-256 instead.
- Specify your main hostname after commonName (CN), then include all hostnames under alt_names section.
- If using wildcard and/or SAN, please add/remove the appropriate # commented lines.
- To use config file, simply use -config example.cnf, e.g.:
openssl req -new -config example.cnf -key example.rsa.key -out example.rsa.csr
openssl req -new -config example.cnf -key -out

b) OR using CLI (Command Line Interface)
openssl req -new -subj "\
/L=Lane Cove\
/O=Example Company\
/OU=Network Operations\
/" \
-addext "subjectAltName =," \
-sha384 \
-key example.rsa.key -out example.rsa.csr

openssl req -new -subj "/C=AU/ST=NSW/L=Lane Cove/O=Example Company/OU=Network Operations\
/" \
-addext "subjectAltName =," \
-sha384 \
-key -out

- Not all certificate authorities support SHA-384, they may issue certificate with SHA-256 instead.
- Specify your main hostname after CN= (commonName), then include all hostnames under subjectAltName =.
- For a SAN, simply change/add hostnames as needed, e.g.,,
- For a wildcard, substitute with * for both the CN and subjectAltName.
- For an EC vs RSA, have shown compact vs expanded format, only the filenames in the last line are different,
  this makes it easy to reuse as a template for EC or RSA.

3. Check CSR's

openssl req -noout -text -in example.rsa.csr
openssl req -noout -text -in
X509v3 Subject Alternative Name:,

4. Check issued certificate
To check certificate contents:

openssl x509 -noout -text -serial -fingerprint -sha256 -in example.crt
openssl crl2pkcs7 -nocrl -certfile | openssl pkcs7 -print_certs -noout -text
openssl x509 -in example.crt -noout -ocsp_uri
openssl ocsp -no_nonce -issuer -VAfile -cert example.crt -url

The CA (Certificate Authority) bundle contains the root & intermediate certificates as part of the chain of trust.

Wikipedia: Transport Layer Security (TLS) including deprecated Secure Sockets Layer (SSL)
- Wikipedia: OpenSSL
- OpenSSL
  - OpenSSL 1.1.1 Series Release Notes
  - Vulnerabilities
  - CVE Details: Security Vulnerabilities Shows scores
  - commands e.g. crl2pkcs7, ecparam, genrsa, ocsp, req, x509
  - config
  - OpenSSL Binaries e.g. Win 64
- Feisty Duck: OpenSSL Cookbook
- Wikipedia: Comparison of SHA functions SHA-384 provides better resistance against length extension attacks

Wikipedia: Public key certificate
- Certificate Signing Request (CSR)
- X.509 most common format
- Subject Alternative Name (SAN), also known as Unified Communications Certificates (UCC)
- Wildcard certificate
- Server Name Indication (SNI)
- DNS Certificate Authority Authorisation (CAA)
- Online Certificate Status Protocol (OCSP)
- Certificate Authority (CA)
- Extended Validation Certificate: Removal of special UI indicators (EV) green bar
- Troy Hunt: Extended Validation Certificates: End of life

Sectigo: Notices e.g. Privacy Policy, Certificate Practice Statement & Certificate Subscriber Agreement
- DNS Checker: CAA
- Sectigo Chain Hierarchy and Intermediate Roots
- ECC Compatibility
- Elliptic Curve Cryptography (ECC)
- Safe Curves e.g. TLS 1.3 Additions
  - Curve25519 P-256 alternative
  - Curve448 (Goldilocks)

Sectigo: Certificate Transparency log
- Censys Certificate search
- Facebook: Certificate Transparency Monitor Subscribe to track changes
- Certificate Tools: OCSP Checker
- End of Life for 3-Year OV & DV Certificates
- Common CA Database: Mozilla Included CA Certificate List (CCADB)
- Wikipedia: CA/Browser Forum
- CA/Browser Forum: Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates

Australian Business Register (ABR) ABN (Australian Business Number) lookup
- Wikipedia: Data Universal Numbering System (DUNS)
- DUNS search e.g. Using your ABN
- DUNS Number Obtain and/or update
- Wikipedia: Legal Entity Identifiers (LEI)
- LEI Search
- White Pages
- Yellow Pages
- ASIC: Certificate of the Registration of a Company Example

Sectigo: Certificate Installation - NGINX
- nginx: Configuring HTTPS servers - SSL certificate chains
- nginx: SSL Module - SSL Certificate directive
- Introducing NGINX 1.12 and 1.13 (Apr 17) New features include: Dual-stack RSA/ECC certificates
- SSL Labs: Server Test For privacy, tick: Do not show the results on the boards
- DH (Diffie-Hellman) parameters
- CAA (Certification Authority Authorisation) DNS records
- Replace your Symantec SSL/TLS Certificates including DigiCert, Thawte, GeoTrust, and RapidSSL
- Bad SSL

Related links:
- Linux
- Windows Subsystem for Linux
- Cygwin
- Firewall
- Mail
- Encryption

Updated Jan-21.