List secure ciphers

openssl ciphers ALL \
| sed "s/:/\n/g" \
| grep "\(TLS\|ECDHE\)" \
| grep "\(POLY1305\|GCM\)" \
| grep --invert-match "\(DSA\|PSK\|128\)"

Select cipher suites

  • /etc/ssl/openssl.cnf

[system_default_sect]
CipherSuites="TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384"

List curves

openssl ecparam -list_curves

Generate DHparam file

openssl dhparam -out dhparam 4096

Generate private key

RSA

openssl \
genrsa \
-out "private_key.pem" \
4096

Human readable:

openssl \
rsa \
-in "private_key.pem" \
-text \
-noout \
> "private_key.txt"

ED25519

openssl \
genpkey \
-algorithm ED25519 \
> "private_key.pem"

Human readable:

openssl \
pkey \
-in "private_key.pem" \
-text \
-noout \
> "private_key.txt"

Generate a certificate request

  • generate a private key

  • generate the request, answering the prompts in this order (a single . leaves a field empty):

    • Country Name (2 letter code)

    • State or Province Name (full name)

    • Locality Name (eg, city)

    • Organization Name (eg, company)

    • Organizational Unit Name (eg, section)

    • Common Name (e.g. server FQDN or YOUR name)

    • Email Address

    • A challenge password

    • An optional company name

echo -n "\
US
Region / County (code)
City / Place
Group / Management / Unit
Section
certificate_name
alias@domain.tld
.
.
" \
| \
openssl \
req \
-new \
-utf8 \
-key "private_key.pem" \
-out "certificate_request.csr" \
-addext "subjectAltName=DNS:*.domain.tld,DNS:*.sub.domain.tld"

Warning

OCSP Must-Staple (the tlsfeature extension below) causes problems with nginx and apache:

-addext "tlsfeature=status_request"

Human readable:

openssl \
req \
-in "certificate_request.csr" \
-text \
-noout \
> "certificate_request.txt"
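An added example (not from the original page) that builds the same kind of CSR non-interactively, using -subj in place of the piped prompt answers, and then checks the request before it is sent to a CA: the self-signature verifies, the embedded public key matches the private key on disk, and every requested SAN is present. WORKDIR, the subject values and the SAN list are placeholders; it needs OpenSSL 1.1.1 or later for -addext and ED25519.

```shell
#!/bin/sh
# Added example (not from the original page): build a CSR non-interactively
# and verify it before submitting it to a CA. Needs OpenSSL 1.1.1+;
# WORKDIR, subject values and the SAN list are illustrative placeholders.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/private_key.pem"
CSR="$WORKDIR/certificate_request.csr"
SANS="DNS:*.domain.tld,DNS:*.sub.domain.tld"

# ED25519 key plus CSR; -subj replaces the prompts the page answers via echo.
make_csr() {
    openssl genpkey -algorithm ED25519 -out "$KEY"
    openssl req -new -utf8 -key "$KEY" -out "$CSR" \
        -subj "/C=US/O=Group/CN=certificate_name" \
        -addext "subjectAltName=$SANS"
}

# 1. Self-signature must verify: proves possession of the key, detects corruption.
csr_signature_ok() {
    openssl req -in "$CSR" -verify -noout >/dev/null 2>&1
}

# 2. Public key in the CSR must equal the one derived from KEY, or the CA
#    would certify a key you cannot use.
csr_matches_key() {
    key_fp=$(openssl pkey -in "$KEY" -pubout -outform DER | openssl sha256)
    csr_fp=$(openssl req -in "$CSR" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ "$key_fp" = "$csr_fp" ]
}

# 3. Every requested SAN must be in the CSR, or the certificate will not cover it.
csr_has_sans() {
    csr_text=$(openssl req -in "$CSR" -text -noout)
    printf '%s\n' "$SANS" | tr ',' '\n' | while read -r san; do
        printf '%s\n' "$csr_text" | grep -qF -- "$san" || exit 1
    done
}

main() {
    make_csr
    if csr_signature_ok && csr_matches_key && csr_has_sans; then
        echo "CSR OK: $CSR"
    else
        echo "CSR failed verification, do not submit $CSR" >&2
        return 1
    fi
}
main
```

Run the same three checks against a CSR produced by the interactive command above by pointing KEY and CSR at those files; a key mismatch or a missing SAN makes the script exit non-zero.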

Export client P12/PFX

  • client private key

  • client certificate

openssl \
pkcs12 \
-export \
-out client.pfx \
-inkey client.key \
-in client.crt