List secure ciphers
openssl ciphers ALL \
| sed "s/:/\n/g" \
| grep "\(TLS\|ECDHE\)" \
| grep "\(POLY1305\|GCM\)" \
| grep --invert-match "\(DSA\|PSK\|128\)"
Select cipher suites (the CipherSuites directive covers TLS 1.3 only; TLS 1.2 and earlier are controlled by CipherString)
/etc/ssl/openssl.cnf
[system_default_sect]
CipherSuites="TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384"
List curves
openssl ecparam -list_curves
Generate DHparam file
openssl dhparam -out dhparam 4096
Generate private key
RSA
openssl \
genrsa \
-out "private_key.pem" \
4096
Human readable:
openssl \
rsa \
-in "private_key.pem" \
-text \
-noout \
> "private_key.txt"
ED25519
openssl \
genpkey \
-algorithm ED25519 \
> "private_key.pem"
Human readable:
openssl \
pkey \
-in "private_key.pem" \
-text \
-noout \
> "private_key.txt"
Generate a certificate request
first generate a private key (see above)
the request prompts for the fields below, in this order; answer with . to leave a field empty, and pipe the answers in with:
Country Name (2 letter code)
State or Province Name (full name)
Locality Name (eg, city)
Organization Name (eg, company)
Organizational Unit Name (eg, section)
Common Name (e.g. server FQDN or YOUR name)
Email Address
A challenge password
An optional company name
echo -n "\
US
Region / County (code)
City / Place
Group / Management / Unit
Section
certificate_name
alias@domain.tld
.
.
" \
| \
openssl \
req \
-new \
-utf8 \
-key "private_key.pem" \
-out "certificate_request.csr" \
-addext "subjectAltName=DNS:*.domain.tld,DNS:*.sub.domain.tld"
Warning
must staple: adding the OCSP must-staple extension below causes problems with nginx and apache
-addext "tlsfeature=status_request"
Human readable:
openssl \
req \
-in "certificate_request.csr" \
-text \
-noout \
> "certificate_request.txt"
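As an added example (not from the original page), the same request built non-interactively with -subj instead of piped prompt answers, followed by the checks worth running before handing a CSR to a CA: the self-signature verifies, the SANs are really embedded, and the public key in the request is the one derived from the key file. domain.tld and the file names are placeholders.

```shell
# Added example, not part of the original page: build the CSR with -subj
# instead of piping prompt answers, then check that the request verifies,
# carries the expected SANs and matches the private key.
# domain.tld and the file names are placeholders.
set -eu

# make_csr KEYFILE CSRFILE: Ed25519 key plus a CSR with the page's SAN list.
make_csr() {
    key="$1"; csr="$2"
    openssl genpkey -algorithm ED25519 -out "$key"
    # -subj replaces the prompts; a field left out of it simply stays empty.
    openssl req -new -utf8 -key "$key" -out "$csr" \
        -subj "/C=US/O=Group/OU=Section/CN=certificate_name/emailAddress=alias@domain.tld" \
        -addext "subjectAltName=DNS:*.domain.tld,DNS:*.sub.domain.tld"
}

# csr_verifies CSRFILE: exit 0 when the request's self-signature is valid.
csr_verifies() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_has_san CSRFILE NAME: exit 0 when NAME is listed in subjectAltName
# (fixed-string match, so a wildcard in NAME is taken literally).
csr_has_san() {
    openssl req -in "$1" -noout -text \
        | grep -A1 "Subject Alternative Name" \
        | grep -qF "DNS:$2"
}

# csr_key_matches CSRFILE KEYFILE: exit 0 when the CSR's public key is the
# one derived from KEYFILE (both printed as PEM SubjectPublicKeyInfo).
csr_key_matches() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$csr_pub" = "$key_pub" ]
}
```

Source the file, run make_csr private_key.pem certificate_request.csr, then call the three checks on the files it produced.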
Export client P12/PFX
requires the client private key (client.key) and the client certificate (client.crt):
openssl \
pkcs12 \
-export \
-out client.pfx \
-inkey client.key \
-in client.crt