1.openssl  2.Testing  3.Best Practices  last

1.openssl

1.1.Key and Cerificate Management

  • Run a web server that supports SSL:
    1. generate a strong private key,
    2. create a Certificate Signing Request(CSR) and send it to a CA,
    3. install the CA-provided certificate in web server.
  • Key Generation:RSA 
    openssl genrsa -out argor.key

    See a Key's structure:

    openssl rsa -text -in argor.key

    Get the public part of a key separately:

    openssl rsa -in argor.key -pubout
  • Key Generation:DSA 
    openssl dsaparam -genkey  | openssl dsa -out dsa.key

    DSA key generation is a two-step process: DSA parameters are created in the first step and the key in the second.

  • Key Generation:ECDSA 
    openssl ecparam -genkey -name secp256r1 | openssl ec -out ec.key -aes128
  • Creating Certificate Signing Requests: 
    openssl req -new -key rsa.key -out rsa.csr

    If want a field to be empty, must enter a single dot on the line, rather than just hit Return.

  • Signing Certificates 
    openssl x509 -req -days  -in rsa.csr -signkey rsa.key -out rsa.crt
    
openssl req -new -x509 -days  -key rsa.key -out rsa2.crt

    See a CRT's structure:

    openssl x509 -text -in rsa.crt
    
openssl x509 -text -in rsa2.crt
  • Key and Certificate Conversion
    1. The most common formats are:
      1. Binary(DER) certificate,
      2. ASCII(PEM) certificate(s),
      3. Binary(DER) key (called PKCS#8),
      4. ASCII(PEM) key,
      5. PKCS#7 certificate(s),
      6. PKCS#12 (PFX) key and certificate(s),
    2. PEM & DER Conversion 
      openssl x509 -inform PEM -in rsa.pem -outform DER -out rsa.der
      
openssl x509 -inform DER -in rsa.der -outform PEM -out rsa.pem
    3. PKCS#12(pfx) Conversion
    4. PKCS#7 Conversion

1.2.Configuration

  • Cipher Suite Selection
  • Performance

1.3.Creating a Private Certification Authority

  • Creating a Root CA:
    1. Setp: configuration, creation of a directory structure and initialization of the key files, and finally generation of the root key and certificate.
    2. Root CA Configuration:
    3. Root CA Directory Structure 
      mkdir root-ca
      
cd root-ca
      
mkdir certs db private
      
chmod  private
      
touch db/index
      
openssl rand -hex  > db/serial
      
echo  > db/crlnumber
    4. Root CA Generation 
      $ openssl req -new -config root-ca.conf -keyout private/root-ca.key -out root-ca.csr
      
$ openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext

      Take two steps to create the root CA. First, we generate the key and the CSR. All the necessary information will be picked uo from the configuration file when wu use the -config swith.

      In the second step, we create a self-signed certificate. The -extentions  that are appropriate fro a root CA.

    5. Root CA Operations
    6. Create a Certificate for OCSP Signing
  • Creating a Subordinate CA:
    1. Subordinate CA Configuration
    2. Subordinate CA Generation 
      openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout private/sub-ca.key
      
openssl ca -config root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext

      First, we generate the key and the CSR. All the necessary information will be picked up from the configuration file when use the -config switch.

      In the second stop, we get the root CA to issue a certificate.

    3. Subordinate CA Operations 
      openssl ca -config sub-ca.conf -in server.csr -out server.crt -extensions server_ext
      
openssl ca -config sub-ca.conf -in client.csr -out client.crt -extensions client_ext

2.Testing

2.1.Connecting to SSL Services

2.2.Testing Protocols that Upgrade to SSL

2.3.Using Different Handshake Formats

2.4.Extracting Remote Certificates

2.5.Testing Protocol Support

2.6.Testing Cipher Suite Support

2.7.Testing Servers that Require SNI

2.8.Testing Session Reuse

2.9.Checking OCSP Revocation

2.10.Testing OCSP Stapling

2.11.Checking CRL Revocation

2.12.Testing Renegotiation

2.13.Testing for the BEAST Vulnerability

2.14.Testing for heartbleed

2.15.Determining the Strength of Diffie-Hellman Parameters

3.Best Practices

3.1.Private Key and Certificate

3.2.Configuration

3.3.Performance

3.4.HTTP and Application Security

openssl .

openssl - cookbook的更多相关文章

  1. [译]OpenSSL Cookbook

    记录个人学习过程吧,顺便翻译一下.另外,本文并不会包括原连接中的所有内容,仅包括个人在工作中会经常遇到的. 参考:OpenSSL Cookbook 前言 由于协议特性和实现的复杂性,有时很难确定安全服 ...

  2. Chef 自动化运维:初探 cookbook

    cookbook 概述 Chef 意为"厨房",我们要做"菜",自然需要有"菜谱".事实上在 Chef 中分发到各服务器节点的不是" ...

  3. RSA非对称加密,使用OpenSSL生成证书,iOS加密,java解密

    最近换了一份工作,工作了大概一个多月了吧.差不多得有两个月没有更新博客了吧.在新公司自己写了一个iOS的比较通用的可以架构一个中型应用的不算是框架的一个结构,并已经投入使用.哈哈 说说文章标题的相关的 ...

  4. 显示本地openssl支持的加密算法

    参考页面: http://www.yuanjiaocheng.net/webapi/parameter-binding.html http://www.yuanjiaocheng.net/webapi ...

  5. 非阻塞/异步(epoll) openssl

    前段时间在自己的异步网络框架handy中添加openssl的支持,当时在网络上搜索了半天也没有找到很好的例子,后来自己慢慢的摸索,耗费不少时间,终于搞定.因此把相关的资料整理一下,并给出简单的例子,让 ...

  6. PHPmailer关于Extension missing: openssl报错的解决

    最近在写一个网页的时候,需要用到PHPmailer来发送邮件,按照官网上给出的demo写出一个例子,却报错Extension missing: openssl 最后发现需要修改php.ini中的配置: ...

  7. openssl、x509、crt、cer、key、csr、ssl、tls 这些都是什么鬼?

    今天尝试在mac机上搭建docker registry私有仓库时,杯具的发现最新的registry出于安全考虑,强制使用ssl认证,于是又详细了解linux/mac上openssl的使用方法,接触了一 ...

  8. Windows10下安装OpenSSL

    Windows10下安装的方法 安装环境:Windows10专业版+VS2013 工具:ActivePerl-5.22.1.2201-MSWin32-x64-299574.msi,下载地址:http: ...

  9. CentOS升级openssl

    才设置了http2,结果蓝狗说我网站不安全,检测一下发现openssl有漏洞,于是准备升级一下openssl 检测网站: www.ssllabs.com/ssltest/analyze.html # ...

随机推荐

  1. linux shell except tcl login ssh Automatic interaction

    /*************************************************************************************** * linux she ...

  2. TJU Problem 1015 Gridland

    最重要的是找规律. 下面是引用 http://blog.sina.com.cn/s/blog_4dc813b20100snyv.html 的讲解: 做这题时,千万不要被那个图给吓着了,其实这题就是道简 ...

  3. 浏览器中的data类型的Url格式,data:image/png,data:image/jpeg!(源自:http://blog.csdn.net/roadmore/article/details/38498719)

    所谓"data"类型的Url格式,是在RFC2397中 提出的,目的对于一些“小”的数据,可以在网页中直接嵌入,而不是从外部文件载入.例如对于img这个Tag,哪怕这个图片非常非常 ...

  4. 【spring源码分析】面向切面编程架构设计

    2 注解说明 2.1 @Aspect 作用是把当前类标识为一个切面供容器读取 2.2 @Before标识一个前置增强方法,相当于BeforeAdvice的功能,相似功能的还有 2.3 @AfterRe ...

  5. MySQL--lsblk命令查看块设备

    lsblk命令用于列出所有可用块设备的信息,而且还能显示他们之间的依赖关系,但是它不会列出RAM盘的信息.块设备有硬盘,闪存盘,cd-ROM等等. lsblk命令包含在util-linux-ng包中, ...

  6. window.open()与window.showModalDialog

    弹出窗口两种方式:    1.window.showModalDialog:      var feature = "dialogWidth:615px;dialogHeight:505px ...

  7. gridview 自动序号 合计

    第一种方式,直接在Aspx页面GridView模板列中.这种的缺点是到第二页分页时又重新开始了. <asp:TemplateField HeaderText="序号" Ins ...

  8. smarty学习——编程知识

    smarty 提供了丰富的api 接口可以方便我们进行操作: 1.clear_all_assign清除所有赋值 2.clear_all_cache清除所有缓存 3.clear_assign清除赋值 4 ...

  9. KindEditor 上传文件 在Asp.net中的使用

    以前一直用FCK编辑器,因为配置比较简单,但是发现Kindeditor这个编辑器更加好看,更加灵活,就用了下. 但是发现在上传文件的时候,出现了大问题,弄了我好久的时间,为了记录下,或许能帮助到您,共 ...

  10. mysql常用语法操作

    一.用户管理: 1.新建用户: >CREATE USER name IDENTIFIED BY 'ssapdrow'; 2.更改密码: >SET PASSWORD FOR name=PAS ...