1.openssl  2.Testing  3.Best Practices  last

1.openssl

1.1.Key and Cerificate Management

  • Run a web server that supports SSL:
    1. generate a strong private key,
    2. create a Certificate Signing Request(CSR) and send it to a CA,
    3. install the CA-provided certificate in web server.
  • Key Generation:RSA 
    openssl genrsa -out argor.key

    See a Key's structure:

    openssl rsa -text -in argor.key

    Get the public part of a key separately:

    openssl rsa -in argor.key -pubout
  • Key Generation:DSA 
    openssl dsaparam -genkey  | openssl dsa -out dsa.key

    DSA key generation is a two-step process: DSA parameters are created in the first step and the key in the second.

  • Key Generation:ECDSA 
    openssl ecparam -genkey -name secp256r1 | openssl ec -out ec.key -aes128
  • Creating Certificate Signing Requests: 
    openssl req -new -key rsa.key -out rsa.csr

    If want a field to be empty, must enter a single dot on the line, rather than just hit Return.

  • Signing Certificates 
    openssl x509 -req -days  -in rsa.csr -signkey rsa.key -out rsa.crt
    
openssl req -new -x509 -days  -key rsa.key -out rsa2.crt

    See a CRT's structure:

    openssl x509 -text -in rsa.crt
    
openssl x509 -text -in rsa2.crt
  • Key and Certificate Conversion
    1. The most common formats are:
      1. Binary(DER) certificate,
      2. ASCII(PEM) certificate(s),
      3. Binary(DER) key (called PKCS#8),
      4. ASCII(PEM) key,
      5. PKCS#7 certificate(s),
      6. PKCS#12 (PFX) key and certificate(s),
    2. PEM & DER Conversion 
      openssl x509 -inform PEM -in rsa.pem -outform DER -out rsa.der
      
openssl x509 -inform DER -in rsa.der -outform PEM -out rsa.pem
    3. PKCS#12(pfx) Conversion
    4. PKCS#7 Conversion

1.2.Configuration

  • Cipher Suite Selection
  • Performance

1.3.Creating a Private Certification Authority

  • Creating a Root CA:
    1. Setp: configuration, creation of a directory structure and initialization of the key files, and finally generation of the root key and certificate.
    2. Root CA Configuration:
    3. Root CA Directory Structure 
      mkdir root-ca
      
cd root-ca
      
mkdir certs db private
      
chmod  private
      
touch db/index
      
openssl rand -hex  > db/serial
      
echo  > db/crlnumber
    4. Root CA Generation 
      $ openssl req -new -config root-ca.conf -keyout private/root-ca.key -out root-ca.csr
      
$ openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext

      Take two steps to create the root CA. First, we generate the key and the CSR. All the necessary information will be picked uo from the configuration file when wu use the -config swith.

      In the second step, we create a self-signed certificate. The -extentions  that are appropriate fro a root CA.

    5. Root CA Operations
    6. Create a Certificate for OCSP Signing
  • Creating a Subordinate CA:
    1. Subordinate CA Configuration
    2. Subordinate CA Generation 
      openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout private/sub-ca.key
      
openssl ca -config root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext

      First, we generate the key and the CSR. All the necessary information will be picked up from the configuration file when use the -config switch.

      In the second stop, we get the root CA to issue a certificate.

    3. Subordinate CA Operations 
      openssl ca -config sub-ca.conf -in server.csr -out server.crt -extensions server_ext
      
openssl ca -config sub-ca.conf -in client.csr -out client.crt -extensions client_ext

2.Testing

2.1.Connecting to SSL Services

2.2.Testing Protocols that Upgrade to SSL

2.3.Using Different Handshake Formats

2.4.Extracting Remote Certificates

2.5.Testing Protocol Support

2.6.Testing Cipher Suite Support

2.7.Testing Servers that Require SNI

2.8.Testing Session Reuse

2.9.Checking OCSP Revocation

2.10.Testing OCSP Stapling

2.11.Checking CRL Revocation

2.12.Testing Renegotiation

2.13.Testing for the BEAST Vulnerability

2.14.Testing for heartbleed

2.15.Determining the Strength of Diffie-Hellman Parameters

3.Best Practices

3.1.Private Key and Certificate

3.2.Configuration

3.3.Performance

3.4.HTTP and Application Security

openssl .

openssl - cookbook的更多相关文章

  1. [译]OpenSSL Cookbook

    记录个人学习过程吧,顺便翻译一下.另外,本文并不会包括原连接中的所有内容,仅包括个人在工作中会经常遇到的. 参考:OpenSSL Cookbook 前言 由于协议特性和实现的复杂性,有时很难确定安全服 ...

  2. Chef 自动化运维:初探 cookbook

    cookbook 概述 Chef 意为"厨房",我们要做"菜",自然需要有"菜谱".事实上在 Chef 中分发到各服务器节点的不是" ...

  3. RSA非对称加密,使用OpenSSL生成证书,iOS加密,java解密

    最近换了一份工作,工作了大概一个多月了吧.差不多得有两个月没有更新博客了吧.在新公司自己写了一个iOS的比较通用的可以架构一个中型应用的不算是框架的一个结构,并已经投入使用.哈哈 说说文章标题的相关的 ...

  4. 显示本地openssl支持的加密算法

    参考页面: http://www.yuanjiaocheng.net/webapi/parameter-binding.html http://www.yuanjiaocheng.net/webapi ...

  5. 非阻塞/异步(epoll) openssl

    前段时间在自己的异步网络框架handy中添加openssl的支持,当时在网络上搜索了半天也没有找到很好的例子,后来自己慢慢的摸索,耗费不少时间,终于搞定.因此把相关的资料整理一下,并给出简单的例子,让 ...

  6. PHPmailer关于Extension missing: openssl报错的解决

    最近在写一个网页的时候,需要用到PHPmailer来发送邮件,按照官网上给出的demo写出一个例子,却报错Extension missing: openssl 最后发现需要修改php.ini中的配置: ...

  7. openssl、x509、crt、cer、key、csr、ssl、tls 这些都是什么鬼?

    今天尝试在mac机上搭建docker registry私有仓库时,杯具的发现最新的registry出于安全考虑,强制使用ssl认证,于是又详细了解linux/mac上openssl的使用方法,接触了一 ...

  8. Windows10下安装OpenSSL

    Windows10下安装的方法 安装环境:Windows10专业版+VS2013 工具:ActivePerl-5.22.1.2201-MSWin32-x64-299574.msi,下载地址:http: ...

  9. CentOS升级openssl

    才设置了http2,结果蓝狗说我网站不安全,检测一下发现openssl有漏洞,于是准备升级一下openssl 检测网站: www.ssllabs.com/ssltest/analyze.html # ...

随机推荐

  1. CodeForces - 547D: Mike and Fish (转化为欧拉回路)(优化dfs稠密图)(定向问题)

    As everyone knows, bears love fish. But Mike is a strange bear; He hates fish! The even more strange ...

  2. python表单验证封装

    在Web程序中往往包含大量的表单验证的工作,如:判断输入是否为空,是否符合规则. <!DOCTYPE html><html><head lang="en&quo ...

  3. HBase scan shell操作详解

    创建表 create 'test1', 'lf', 'sf' lf: column family of LONG values (binary value) -- sf: column family ...

  4. socat 简单试用

    socat的主要特点就是在两个数据流之间建立通道:且支持众多协议和链接方式: ip, tcp, udp, ipv6, pipe,exec,system,open,proxy,openssl,socke ...

  5. 转 sql 优化

    1.关于SQL查询效率,100w数据,查询只要1秒,与您分享: 机器情况p4: 2.4内存: 1 Gos: windows 2003数据库: ms sql server 2000目的: 查询性能测试, ...

  6. FastAdmin 开发时对数据库进行版本管理 (非 think-migration)

    因为开必项目,暂时还不没用 think-migration,先用 脚本处理. 在导出 SQL 时将相关字段数据还原,比如 admin logitime updatetime token. 把 admi ...

  7. Huawei E1750 Asterisk

    http://wiki.e1550.mobi/doku.php?id=installation https://wiki.asterisk.org/wiki/display/AST/Mobile+Ch ...

  8. JUC线程池之 Callable和Future

    Callable 和 Future 简介 Callable 和 Future 是比较有趣的一对组合.当我们需要获取线程的执行结果时,就需要用到它们.Callable用于产生结果,Future用于获取结 ...

  9. Apache Spark 内存管理详解

    在spark里面,内存管理有两块组成,一部分是JVM的堆内内存(on-heap memory),这部分内存是通过spark dirver参数executor-memory以及spark.executo ...

  10. Servlet是单例的吗?

    如题,是吗?首先我们得搞清楚啥是单例.一聊起单例,条件反射的第一个想到的自然是单例模式.单例模式的定义:一个类有且仅有一个实例,并且自行实例化向整个系统提供.如果按照Java中单例的定义,那么当Ser ...