leonklingele · February 9, 2018 22:22
diff --git a/openssl.cnf b/openssl.cnf
 [ req ]
 default_bits = 4096
 default_md = sha256
 default_keyfile = private.key
 distinguished_name = req_distinguished_name
 attributes = req_attributes
 x509_extensions = v3_user_req
 req_extensions = v3_user_req

 [ req_distinguished_name ]
 countryName = Country Name (2 letter code)
 countryName_default = DE
 countryName_min = 2
 countryName_max = 2

 stateOrProvinceName = State or Province Name (full name)
 stateOrProvinceName_default = Baden-Wuerttemberg

 localityName = Locality Name (eg, city)
 localityName_default = Stuttgart

 0.organizationName = Organization Name (eg, company)
 0.organizationName_default = Klingele

 organizationalUnitName = Organizational Unit Name (eg, section)
 organizationalUnitName_default =

 commonName = Common Name (eg, fully qualified host name)
 commonName_max = 64

 emailAddress = Email Address
 emailAddress_default = [email protected]
 emailAddress_max = 64

 [ req_attributes ]
 challengePassword = A challenge password
 challengePassword_min = 4
 challengePassword_max = 20

 [ v3_ca ]
 basicConstraints = critical,CA:TRUE
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer:always

 [ v3_user_req ]
 basicConstraints = critical,CA:FALSE
 subjectKeyIdentifier = hash
 keyUsage = digitalSignature, keyEncipherment
diff --git a/useful-openssl-commands.sh b/useful-openssl-commands.sh
 # CSR, RSA 4096 bit
 umask 0177
 openssl genrsa 4096 > private.key
 umask 0022
 openssl req -new -key private.key -sha256 -nodes -out request.csr

 # CSR, Curve secp384r1
 umask 0177
 openssl ecparam -genkey -name secp384r1 -out private.key
 umask 0022
 openssl req -new -nodes -key private.key -out request.csr

 # Self-signed certificate, RSA 4096, validity: 1 year
 umask 0177
 openssl genrsa 4096 > private.key
 umask 0022
 openssl req -new -key private.key -sha256 -nodes -x509 -days 365 -out public.crt

 # Show certificate fingerprint
 openssl x509 -noout -sha1 -fingerprint -in public.crt
 openssl x509 -noout -sha256 -fingerprint -in public.crt

 # View certificate
 openssl x509 -noout -text -in public.crt

 # View CSR
 openssl req -noout -text -verify -in request.csr

 # HPKP
 openssl x509 -noout -pubkey -in public.crt | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
 openssl req -noout -pubkey -in request.csr | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

 # TLSA
 openssl x509 -outform der -in public.crt | openssl sha256
 openssl x509 -noout -pubkey -in public.crt | openssl rsa -pubin -outform der | openssl sha256

 # Generate Diffie-Hellman parameters
 openssl dhparam -out dhparam4096.pem 4096

 # Supported TLS1.0+ ciphers
 openssl ciphers -v -tls1

 # Benchmark
 openssl speed
 openssl speed aes
 openssl speed rsa
 openssl speed ecdsa

 # Show curves
 openssl ecparam -list_curves

 # Test TLS
 openssl s_client -connect leonklingele.de:443 -tlsextdebug -showcerts -status

 # Check certificate validity date (notBefore / notAfter)
 openssl s_client -connect leonklingele.de:443 2> /dev/null | openssl x509 -noout -dates

 # Check if private key and certificate match, both need to have same pubkey checksum
 ## 1. Validate private key
 openssl rsa -noout -check -in private.key
 ## 2. Verify that private key and certificate use the same public key
 openssl pkey -pubout -in private.key | openssl dgst -sha256
 openssl x509 -noout -pubkey -in public.crt | openssl dgst -sha256
 ## 3. If the last two commands did return the same hash: the private key was used to generate the certificate
	[ req ]
	default_bits = 4096
	default_md = sha256
	default_keyfile = private.key
	distinguished_name = req_distinguished_name
	attributes = req_attributes
	x509_extensions = v3_user_req
	req_extensions = v3_user_req

	[ req_distinguished_name ]
	countryName = Country Name (2 letter code)
	countryName_default = DE
	countryName_min = 2
	countryName_max = 2

	stateOrProvinceName = State or Province Name (full name)
	stateOrProvinceName_default = Baden-Wuerttemberg

	localityName = Locality Name (eg, city)
	localityName_default = Stuttgart

	0.organizationName = Organization Name (eg, company)
	0.organizationName_default = Klingele

	organizationalUnitName = Organizational Unit Name (eg, section)
	organizationalUnitName_default =

	commonName = Common Name (eg, fully qualified host name)
	commonName_max = 64

	emailAddress = Email Address
	emailAddress_default = [email protected]
	emailAddress_max = 64

	[ req_attributes ]
	challengePassword = A challenge password
	challengePassword_min = 4
	challengePassword_max = 20

	[ v3_ca ]
	basicConstraints = critical,CA:TRUE
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always,issuer:always

	[ v3_user_req ]
	basicConstraints = critical,CA:FALSE
	subjectKeyIdentifier = hash
	keyUsage = digitalSignature, keyEncipherment
	# CSR, RSA 4096 bit
	umask 0177
	openssl genrsa 4096 > private.key
	umask 0022
	openssl req -new -key private.key -sha256 -nodes -out request.csr

	# CSR, Curve secp384r1
	umask 0177
	openssl ecparam -genkey -name secp384r1 -out private.key
	umask 0022
	openssl req -new -nodes -key private.key -out request.csr

	# Self-signed certificate, RSA 4096, validity: 1 year
	umask 0177
	openssl genrsa 4096 > private.key
	umask 0022
	openssl req -new -key private.key -sha256 -nodes -x509 -days 365 -out public.crt

	# Show certificate fingerprint
	openssl x509 -noout -sha1 -fingerprint -in public.crt
	openssl x509 -noout -sha256 -fingerprint -in public.crt

	# View certificate
	openssl x509 -noout -text -in public.crt

	# View CSR
	openssl req -noout -text -verify -in request.csr

	# HPKP
	openssl x509 -noout -pubkey -in public.crt \| openssl rsa -pubin -outform der \| openssl dgst -sha256 -binary \| openssl enc -base64
	openssl req -noout -pubkey -in request.csr \| openssl rsa -pubin -outform der \| openssl dgst -sha256 -binary \| openssl enc -base64

	# TLSA
	openssl x509 -outform der -in public.crt \| openssl sha256
	openssl x509 -noout -pubkey -in public.crt \| openssl rsa -pubin -outform der \| openssl sha256

	# Generate Diffie-Hellman parameters
	openssl dhparam -out dhparam4096.pem 4096

	# Supported TLS1.0+ ciphers
	openssl ciphers -v -tls1

	# Benchmark
	openssl speed
	openssl speed aes
	openssl speed rsa
	openssl speed ecdsa

	# Show curves
	openssl ecparam -list_curves

	# Test TLS
	openssl s_client -connect leonklingele.de:443 -tlsextdebug -showcerts -status

	# Check certificate validity date (notBefore / notAfter)
	openssl s_client -connect leonklingele.de:443 2> /dev/null \| openssl x509 -noout -dates

	# Check if private key and certificate match, both need to have same pubkey checksum
	## 1. Validate private key
	openssl rsa -noout -check -in private.key
	## 2. Verify that private key and certificate use the same public key
	openssl pkey -pubout -in private.key \| openssl dgst -sha256
	openssl x509 -noout -pubkey -in public.crt \| openssl dgst -sha256
	## 3. If the last two commands did return the same hash: the private key was used to generate the certificate