SSL enhances TCP with confidentiality, data integrity, server authentication, and client authentication.
openssl command [ command_opts ] [ command_args ]
openssl list [ commands | digest-commands | cipher-commands | cipher-algorithms | digest-algorithms | public-key-algorithms]
openssl no-XXX [ arbitrary options ]
Key generation
RSA
Generate unencrypted private key
openssl genrsa -out rsa_private.key 2048
Generate encrypted private key
openssl genrsa -aes128 -out rsa.key 2048
Change to unencrypted private key
openssl rsa -in rsa.key -passin pass:1111 -out rsa_private.key
Change to encrypted private key
openssl rsa -in rsa_private.key -aes128 -passout pass:1111 -out rsa.key
Show the key's structure
openssl rsa -text -in rsa.key
Extract the public key
openssl rsa -in rsa.key -pubout -out rsa-public.key
DSA
openssl dsaparam -genkey 2048 | openssl dsa -out dsa.key -aes128
ECDSA
openssl ecparam -genkey -name secp256r1 | openssl ec -out ec.key -aes128
Creating Certificate Signing Requests (CSR)
              send CSR to request digital identity certificate
application -------------------------------------------------> certificate authority (CA)
            <-------------------------------------------------
                      public key certificate (crt)
public key certificate: used to prove the ownership of a public key. It contains:
1) public key
2) identity of its owner
3) digital signature of CA
openssl req -new -key rsa.key -out rsa.csr
A CSR is used to:
1) sign your own certificate
2) send it to a public CA and ask the CA to sign the certificate
Check that the CSR is correct
openssl req -text -in rsa.csr -noout
Creating CSRs from Existing Certificates
openssl x509 -x509toreq -in fd.crt -out fd.csr -signkey fd.key
Sign your own certificate
openssl x509 -req -days 365 -in rsa.csr -signkey rsa.key -out rsa.crt
or
openssl req -new -x509 -days 365 -key fd.key -out fd.crt \
-subj "/C=GB/L=London/O=Feisty Duck Ltd/CN=www.feistyduck.com"
without creating a CSR in a separate step
openssl req -new -x509 -days 365 -key fd.key -out fd.crt
Creating Certificates Valid for Multiple Hostnames
1) use Subject Alternative Name (SAN)
2) use wildcards
Create a separate text file
echo "subjectAltName = DNS:*.feistyduck.com, DNS:feistyduck.com" > fd.ext
openssl x509 -req -days 365 \
-in rsa.csr -signkey rsa.key -out multipleHostname.crt \
-extfile fd.ext
Examine Certificates
openssl x509 -text -in multipleHostname.crt -noout
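The steps above chained into one script, with checks on the result (an added example, not part of the original notes): it confirms that the certificate carries the SAN entries only when -extfile is given, and that the certificate's public key matches the private key. File names and the subject follow the notes; the function names, the work directory and plain.crt are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original notes). File names and the subject
# follow the notes; function names and plain.crt are assumptions.

# build_certs DIR: key -> CSR -> two self-signed certificates in DIR.
build_certs() {
    d=$1
    openssl genrsa -out "$d/rsa_private.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$d/rsa_private.key" -out "$d/rsa.csr" \
        -subj "/C=GB/L=London/O=Feisty Duck Ltd/CN=www.feistyduck.com" || return 1
    echo "subjectAltName = DNS:*.feistyduck.com, DNS:feistyduck.com" > "$d/fd.ext"
    # With -extfile: the SAN extension is written into the certificate.
    openssl x509 -req -days 365 -in "$d/rsa.csr" -signkey "$d/rsa_private.key" \
        -out "$d/multipleHostname.crt" -extfile "$d/fd.ext" 2>/dev/null || return 1
    # Without -extfile: same CSR and key, but no SAN ends up in the result.
    openssl x509 -req -days 365 -in "$d/rsa.csr" -signkey "$d/rsa_private.key" \
        -out "$d/plain.crt" 2>/dev/null
}

# cert_sans CERT: print one SAN entry per line (nothing if the cert has none).
cert_sans() {
    openssl x509 -text -in "$1" -noout |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# cert_has_san CERT NAME: exact match, so "feistyduck.com" does not match
# "feistyduck.com.example" and a wildcard entry is compared literally.
cert_has_san() {
    cert_sans "$1" | grep -qxF "DNS:$2"
}

# key_matches_cert KEY CERT: compare the PEM public key derived from the
# private key with the one embedded in the certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo run in a throwaway directory.
work=$(mktemp -d) && build_certs "$work" && {
    key_matches_cert "$work/rsa_private.key" "$work/multipleHostname.crt" && echo "key matches certificate"
    cert_has_san "$work/multipleHostname.crt" "feistyduck.com" && echo "SAN present with -extfile"
    cert_has_san "$work/plain.crt" "feistyduck.com" || echo "no SAN without -extfile"
}
rm -rf "$work"
```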