@leonklingele
Last active February 9, 2018 22:22
Useful openssl commands
# Request configuration (openssl.cnf format) used by the `openssl req` commands below.
[ req ]
default_bits = 4096
default_md = sha256
default_keyfile = private.key
distinguished_name = req_distinguished_name
attributes = req_attributes
# Extensions added to self-signed certificates (-x509) and to CSRs, respectively.
x509_extensions = v3_user_req
req_extensions = v3_user_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = DE
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Baden-Wuerttemberg
localityName = Locality Name (eg, city)
localityName_default = Stuttgart
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Klingele
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default =
commonName = Common Name (eg, fully qualified host name)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = security@leonklingele.de
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
# CA profile; not selected by default, pass `-extensions v3_ca` to use it.
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# End-entity profile: explicitly not a CA, key may sign and encipher keys.
[ v3_user_req ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
# CSR, RSA 4096 bit (umask 0177 makes the key file readable only by its owner)
umask 0177
openssl genrsa 4096 > private.key
umask 0022
openssl req -new -key private.key -sha256 -nodes -out request.csr
# CSR, Curve secp384r1
umask 0177
openssl ecparam -genkey -name secp384r1 -out private.key
umask 0022
openssl req -new -nodes -key private.key -out request.csr
# Self-signed certificate, RSA 4096, validity: 1 year
# (uses x509_extensions = v3_user_req from the config above; add `-extensions v3_ca` for a CA certificate)
umask 0177
openssl genrsa 4096 > private.key
umask 0022
openssl req -new -key private.key -sha256 -nodes -x509 -days 365 -out public.crt
# Show certificate fingerprint
openssl x509 -noout -sha1 -fingerprint -in public.crt
openssl x509 -noout -sha256 -fingerprint -in public.crt
# View certificate
openssl x509 -noout -text -in public.crt
# View CSR (-verify also checks the CSR's self-signature)
openssl req -noout -text -verify -in request.csr
# HPKP: pin-sha256 value = base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).
# `openssl rsa -pubin` only reads RSA keys; for the secp384r1 key use `openssl pkey -pubin` instead.
# HPKP itself is no longer honoured by mainstream browsers, but this SPKI pin format is still used elsewhere.
openssl x509 -noout -pubkey -in public.crt | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
openssl req -noout -pubkey -in request.csr | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
# TLSA (DANE): selector 0 = full certificate, selector 1 = SubjectPublicKeyInfo; matching type 1 = SHA-256
openssl x509 -outform der -in public.crt | openssl sha256
openssl x509 -noout -pubkey -in public.crt | openssl rsa -pubin -outform der | openssl sha256
# Generate Diffie-Hellman parameters
openssl dhparam -out dhparam4096.pem 4096
# Supported TLS1.0+ ciphers
openssl ciphers -v -tls1
# Benchmark
openssl speed
openssl speed aes
openssl speed rsa
openssl speed ecdsa
# Show curves
openssl ecparam -list_curves
# Test TLS (-tlsextdebug dumps TLS extensions, -showcerts prints the whole chain, -status requests an OCSP-stapled response)
openssl s_client -connect leonklingele.de:443 -tlsextdebug -showcerts -status
# Check certificate validity date (notBefore / notAfter); `< /dev/null` closes stdin so s_client exits instead of waiting for input
openssl s_client -connect leonklingele.de:443 < /dev/null 2> /dev/null | openssl x509 -noout -dates
# Check that private key and certificate match: both must yield the same public-key digest
## 1. Validate private key (use `openssl ec -noout -check` for an EC key)
openssl rsa -noout -check -in private.key
## 2. Verify that private key and certificate use the same public key
openssl pkey -pubout -in private.key | openssl dgst -sha256
openssl x509 -noout -pubkey -in public.crt | openssl dgst -sha256
## 3. If the last two commands returned the same hash, the certificate was issued for this private key
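The key/certificate check in steps 1 to 3 and the HPKP pin computation, folded into shell functions that accept RSA and EC keys alike (`openssl pkey` in place of `openssl rsa`). This is an added example, not part of the gist; the file paths passed to the functions are assumed, and openssl must be on PATH.

```shell
#!/bin/sh
# Added example (not from the gist): compare the SubjectPublicKeyInfo (SPKI) of a
# private key with that of a certificate, and derive the HPKP pin from the same
# DER-encoded SPKI. `openssl pkey` handles RSA and EC keys alike, so the
# functions work for both the RSA and the secp384r1 keys generated above.

# spki_der key|cert FILE: write the DER-encoded SPKI of a private key or a
# certificate to stdout. Returns non-zero if openssl cannot parse the file.
spki_der() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout -outform der ;;
        cert) openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform der ;;
        *)    echo "usage: spki_der key|cert FILE" >&2; return 2 ;;
    esac
}

# spki_sha256 key|cert FILE: hex SHA-256 of the DER SPKI (the value compared in
# step 2 above; also the TLSA selector-1 / matching-type-1 data).
spki_sha256() {
    spki_der "$1" "$2" | openssl dgst -sha256 | sed 's/^.*= *//'
}

# hpkp_pin key|cert FILE: base64(SHA-256(DER SPKI)), i.e. the pin-sha256 value.
hpkp_pin() {
    spki_der "$1" "$2" | openssl dgst -sha256 -binary | openssl enc -base64
}

# key_matches_cert KEY CERT: exit 0 if both carry the same public key, 1 if they
# differ, 2 if either file cannot be parsed (so two unreadable files never "match").
key_matches_cert() {
    spki_der key "$1" >/dev/null 2>&1 || return 2
    spki_der cert "$2" >/dev/null 2>&1 || return 2
    k=$(spki_sha256 key "$1")
    c=$(spki_sha256 cert "$2")
    [ "$k" = "$c" ]
}
```

Call it as `key_matches_cert private.key public.crt && echo match` to replace steps 2 and 3 above with a single exit status.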