1.openssl  2.Testing  3.Best Practices  last

1.openssl

1.1.Key and Cerificate Management

  • Run a web server that supports SSL:
    1. generate a strong private key,
    2. create a Certificate Signing Request(CSR) and send it to a CA,
    3. install the CA-provided certificate in web server.
  • Key Generation:RSA 
    openssl genrsa -out argor.key

    See a Key's structure:

    openssl rsa -text -in argor.key

    Get the public part of a key separately:

    openssl rsa -in argor.key -pubout
  • Key Generation:DSA 
    openssl dsaparam -genkey  | openssl dsa -out dsa.key

    DSA key generation is a two-step process: DSA parameters are created in the first step and the key in the second.

  • Key Generation:ECDSA 
    openssl ecparam -genkey -name secp256r1 | openssl ec -out ec.key -aes128
  • Creating Certificate Signing Requests: 
    openssl req -new -key rsa.key -out rsa.csr

    If want a field to be empty, must enter a single dot on the line, rather than just hit Return.

  • Signing Certificates 
    openssl x509 -req -days  -in rsa.csr -signkey rsa.key -out rsa.crt
    
openssl req -new -x509 -days  -key rsa.key -out rsa2.crt

    See a CRT's structure:

    openssl x509 -text -in rsa.crt
    
openssl x509 -text -in rsa2.crt
  • Key and Certificate Conversion
    1. The most common formats are:
      1. Binary(DER) certificate,
      2. ASCII(PEM) certificate(s),
      3. Binary(DER) key (called PKCS#8),
      4. ASCII(PEM) key,
      5. PKCS#7 certificate(s),
      6. PKCS#12 (PFX) key and certificate(s),
    2. PEM & DER Conversion 
      openssl x509 -inform PEM -in rsa.pem -outform DER -out rsa.der
      
openssl x509 -inform DER -in rsa.der -outform PEM -out rsa.pem
    3. PKCS#12(pfx) Conversion
    4. PKCS#7 Conversion

1.2.Configuration

  • Cipher Suite Selection
  • Performance

1.3.Creating a Private Certification Authority

  • Creating a Root CA:
    1. Setp: configuration, creation of a directory structure and initialization of the key files, and finally generation of the root key and certificate.
    2. Root CA Configuration:
    3. Root CA Directory Structure 
      mkdir root-ca
      
cd root-ca
      
mkdir certs db private
      
chmod  private
      
touch db/index
      
openssl rand -hex  > db/serial
      
echo  > db/crlnumber
    4. Root CA Generation 
      $ openssl req -new -config root-ca.conf -keyout private/root-ca.key -out root-ca.csr
      
$ openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext

      Take two steps to create the root CA. First, we generate the key and the CSR. All the necessary information will be picked uo from the configuration file when wu use the -config swith.

      In the second step, we create a self-signed certificate. The -extentions  that are appropriate fro a root CA.

    5. Root CA Operations
    6. Create a Certificate for OCSP Signing
  • Creating a Subordinate CA:
    1. Subordinate CA Configuration
    2. Subordinate CA Generation 
      openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout private/sub-ca.key
      
openssl ca -config root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext

      First, we generate the key and the CSR. All the necessary information will be picked up from the configuration file when use the -config switch.

      In the second stop, we get the root CA to issue a certificate.

    3. Subordinate CA Operations 
      openssl ca -config sub-ca.conf -in server.csr -out server.crt -extensions server_ext
      
openssl ca -config sub-ca.conf -in client.csr -out client.crt -extensions client_ext

2.Testing

2.1.Connecting to SSL Services

2.2.Testing Protocols that Upgrade to SSL

2.3.Using Different Handshake Formats

2.4.Extracting Remote Certificates

2.5.Testing Protocol Support

2.6.Testing Cipher Suite Support

2.7.Testing Servers that Require SNI

2.8.Testing Session Reuse

2.9.Checking OCSP Revocation

2.10.Testing OCSP Stapling

2.11.Checking CRL Revocation

2.12.Testing Renegotiation

2.13.Testing for the BEAST Vulnerability

2.14.Testing for heartbleed

2.15.Determining the Strength of Diffie-Hellman Parameters

3.Best Practices

3.1.Private Key and Certificate

3.2.Configuration

3.3.Performance

3.4.HTTP and Application Security

openssl .

openssl - cookbook的更多相关文章

  1. [译]OpenSSL Cookbook

    记录个人学习过程吧,顺便翻译一下.另外,本文并不会包括原连接中的所有内容,仅包括个人在工作中会经常遇到的. 参考:OpenSSL Cookbook 前言 由于协议特性和实现的复杂性,有时很难确定安全服 ...

  2. Chef 自动化运维:初探 cookbook

    cookbook 概述 Chef 意为"厨房",我们要做"菜",自然需要有"菜谱".事实上在 Chef 中分发到各服务器节点的不是" ...

  3. RSA非对称加密,使用OpenSSL生成证书,iOS加密,java解密

    最近换了一份工作,工作了大概一个多月了吧.差不多得有两个月没有更新博客了吧.在新公司自己写了一个iOS的比较通用的可以架构一个中型应用的不算是框架的一个结构,并已经投入使用.哈哈 说说文章标题的相关的 ...

  4. 显示本地openssl支持的加密算法

    参考页面: http://www.yuanjiaocheng.net/webapi/parameter-binding.html http://www.yuanjiaocheng.net/webapi ...

  5. 非阻塞/异步(epoll) openssl

    前段时间在自己的异步网络框架handy中添加openssl的支持,当时在网络上搜索了半天也没有找到很好的例子,后来自己慢慢的摸索,耗费不少时间,终于搞定.因此把相关的资料整理一下,并给出简单的例子,让 ...

  6. PHPmailer关于Extension missing: openssl报错的解决

    最近在写一个网页的时候,需要用到PHPmailer来发送邮件,按照官网上给出的demo写出一个例子,却报错Extension missing: openssl 最后发现需要修改php.ini中的配置: ...

  7. openssl、x509、crt、cer、key、csr、ssl、tls 这些都是什么鬼?

    今天尝试在mac机上搭建docker registry私有仓库时,杯具的发现最新的registry出于安全考虑,强制使用ssl认证,于是又详细了解linux/mac上openssl的使用方法,接触了一 ...

  8. Windows10下安装OpenSSL

    Windows10下安装的方法 安装环境:Windows10专业版+VS2013 工具:ActivePerl-5.22.1.2201-MSWin32-x64-299574.msi,下载地址:http: ...

  9. CentOS升级openssl

    才设置了http2,结果蓝狗说我网站不安全,检测一下发现openssl有漏洞,于是准备升级一下openssl 检测网站: www.ssllabs.com/ssltest/analyze.html # ...

随机推荐

  1. FZU OJ:2230 翻翻棋

    Problem 2230 翻翻棋 Accept: 872    Submit: 2132Time Limit: 1000 mSec    Memory Limit : 32768 KB  Proble ...

  2. SUST OJ 1642: 绝地求生—死亡顺序

    1642: 绝地求生-死亡顺序 时间限制: 1 Sec  内存限制: 128 MB提交: 81  解决: 53[提交][状态][讨论版] 题目描述 最近陕西科技大学六公寓的小东同学深深的入迷了一款游戏 ...

  3. 【java规则引擎】《Drools7.0.0.Final规则引擎教程》第4章 4.1 规则文件

    转载至:https://blog.csdn.net/wo541075754/article/details/75150267 一个标准的规则文件的格式为已“.drl”结尾的文本文件,因此可以通过记事本 ...

  4. pycharm PYTHONPATH

    Hi brandenju! I believe os.chdir doesn't affect PYTHONPATH so changing your working directory at run ...

  5. PostgREST docker-compose 试用

    PostgREST 是一款很不错的直接将pg 数据库暴露为restapi ,使用了基于行级别安全访问控制, 比较全的restapi 查询以及集成了swagger openapi docker-comp ...

  6. hasura graphql 集成pipelinedb测试

    实际上因为pipelinedb 是原生支持pg的,所以应该不存在太大的问题,以下为测试 使用doker-compose 运行 配置 docker-compose 文件 version: '3.6' s ...

  7. android 图片解码显示流程

    版权声明:本文为博主原创文章,未经博主同意不得转载. https://blog.csdn.net/jingxia2008/article/details/32327699 问题来源 android 能 ...

  8. android 工具类 数据库管理

    版权声明:本文为博主原创文章,未经博主同意不得转载. https://blog.csdn.net/xuduzhoud/article/details/27540301 数据库工具类,优雅的管理andr ...

  9. baidu手机浏览器安卓4.5版公布:由于快,所以爱

    watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvdTAxNDUyMzk4OA==/font/5a6L5L2T/fontsize/400/fill/I0JBQk ...

  10. vue-echarts-v3 使用

    github地址:https://github.com/xlsdg/vue-echarts-v3 官方说明:无论多少个组件代码里写 import IEcharts from 'vue-echarts- ...