1.openssl  2.Testing  3.Best Practices  last

1.openssl

1.1.Key and Cerificate Management

  • Run a web server that supports SSL:
    1. generate a strong private key,
    2. create a Certificate Signing Request(CSR) and send it to a CA,
    3. install the CA-provided certificate in web server.
  • Key Generation:RSA 
    openssl genrsa -out argor.key

    See a Key's structure:

    openssl rsa -text -in argor.key

    Get the public part of a key separately:

    openssl rsa -in argor.key -pubout
  • Key Generation:DSA 
    openssl dsaparam -genkey  | openssl dsa -out dsa.key

    DSA key generation is a two-step process: DSA parameters are created in the first step and the key in the second.

  • Key Generation:ECDSA 
    openssl ecparam -genkey -name secp256r1 | openssl ec -out ec.key -aes128
  • Creating Certificate Signing Requests: 
    openssl req -new -key rsa.key -out rsa.csr

    If want a field to be empty, must enter a single dot on the line, rather than just hit Return.

  • Signing Certificates 
    openssl x509 -req -days  -in rsa.csr -signkey rsa.key -out rsa.crt
    
openssl req -new -x509 -days  -key rsa.key -out rsa2.crt

    See a CRT's structure:

    openssl x509 -text -in rsa.crt
    
openssl x509 -text -in rsa2.crt
  • Key and Certificate Conversion
    1. The most common formats are:
      1. Binary(DER) certificate,
      2. ASCII(PEM) certificate(s),
      3. Binary(DER) key (called PKCS#8),
      4. ASCII(PEM) key,
      5. PKCS#7 certificate(s),
      6. PKCS#12 (PFX) key and certificate(s),
    2. PEM & DER Conversion 
      openssl x509 -inform PEM -in rsa.pem -outform DER -out rsa.der
      
openssl x509 -inform DER -in rsa.der -outform PEM -out rsa.pem
    3. PKCS#12(pfx) Conversion
    4. PKCS#7 Conversion

1.2.Configuration

  • Cipher Suite Selection
  • Performance

1.3.Creating a Private Certification Authority

  • Creating a Root CA:
    1. Setp: configuration, creation of a directory structure and initialization of the key files, and finally generation of the root key and certificate.
    2. Root CA Configuration:
    3. Root CA Directory Structure 
      mkdir root-ca
      
cd root-ca
      
mkdir certs db private
      
chmod  private
      
touch db/index
      
openssl rand -hex  > db/serial
      
echo  > db/crlnumber
    4. Root CA Generation 
      $ openssl req -new -config root-ca.conf -keyout private/root-ca.key -out root-ca.csr
      
$ openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext

      Take two steps to create the root CA. First, we generate the key and the CSR. All the necessary information will be picked uo from the configuration file when wu use the -config swith.

      In the second step, we create a self-signed certificate. The -extentions  that are appropriate fro a root CA.

    5. Root CA Operations
    6. Create a Certificate for OCSP Signing
  • Creating a Subordinate CA:
    1. Subordinate CA Configuration
    2. Subordinate CA Generation 
      openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout private/sub-ca.key
      
openssl ca -config root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext

      First, we generate the key and the CSR. All the necessary information will be picked up from the configuration file when use the -config switch.

      In the second stop, we get the root CA to issue a certificate.

    3. Subordinate CA Operations 
      openssl ca -config sub-ca.conf -in server.csr -out server.crt -extensions server_ext
      
openssl ca -config sub-ca.conf -in client.csr -out client.crt -extensions client_ext

2.Testing

2.1.Connecting to SSL Services

2.2.Testing Protocols that Upgrade to SSL

2.3.Using Different Handshake Formats

2.4.Extracting Remote Certificates

2.5.Testing Protocol Support

2.6.Testing Cipher Suite Support

2.7.Testing Servers that Require SNI

2.8.Testing Session Reuse

2.9.Checking OCSP Revocation

2.10.Testing OCSP Stapling

2.11.Checking CRL Revocation

2.12.Testing Renegotiation

2.13.Testing for the BEAST Vulnerability

2.14.Testing for heartbleed

2.15.Determining the Strength of Diffie-Hellman Parameters

3.Best Practices

3.1.Private Key and Certificate

3.2.Configuration

3.3.Performance

3.4.HTTP and Application Security

openssl .

openssl - cookbook的更多相关文章

  1. [译]OpenSSL Cookbook

    记录个人学习过程吧,顺便翻译一下.另外,本文并不会包括原连接中的所有内容,仅包括个人在工作中会经常遇到的. 参考:OpenSSL Cookbook 前言 由于协议特性和实现的复杂性,有时很难确定安全服 ...

  2. Chef 自动化运维:初探 cookbook

    cookbook 概述 Chef 意为"厨房",我们要做"菜",自然需要有"菜谱".事实上在 Chef 中分发到各服务器节点的不是" ...

  3. RSA非对称加密,使用OpenSSL生成证书,iOS加密,java解密

    最近换了一份工作,工作了大概一个多月了吧.差不多得有两个月没有更新博客了吧.在新公司自己写了一个iOS的比较通用的可以架构一个中型应用的不算是框架的一个结构,并已经投入使用.哈哈 说说文章标题的相关的 ...

  4. 显示本地openssl支持的加密算法

    参考页面: http://www.yuanjiaocheng.net/webapi/parameter-binding.html http://www.yuanjiaocheng.net/webapi ...

  5. 非阻塞/异步(epoll) openssl

    前段时间在自己的异步网络框架handy中添加openssl的支持,当时在网络上搜索了半天也没有找到很好的例子,后来自己慢慢的摸索,耗费不少时间,终于搞定.因此把相关的资料整理一下,并给出简单的例子,让 ...

  6. PHPmailer关于Extension missing: openssl报错的解决

    最近在写一个网页的时候,需要用到PHPmailer来发送邮件,按照官网上给出的demo写出一个例子,却报错Extension missing: openssl 最后发现需要修改php.ini中的配置: ...

  7. openssl、x509、crt、cer、key、csr、ssl、tls 这些都是什么鬼?

    今天尝试在mac机上搭建docker registry私有仓库时,杯具的发现最新的registry出于安全考虑,强制使用ssl认证,于是又详细了解linux/mac上openssl的使用方法,接触了一 ...

  8. Windows10下安装OpenSSL

    Windows10下安装的方法 安装环境:Windows10专业版+VS2013 工具:ActivePerl-5.22.1.2201-MSWin32-x64-299574.msi,下载地址:http: ...

  9. CentOS升级openssl

    才设置了http2,结果蓝狗说我网站不安全,检测一下发现openssl有漏洞,于是准备升级一下openssl 检测网站: www.ssllabs.com/ssltest/analyze.html # ...

随机推荐

  1. 批处理设置IP地址 - imsoft.cnblogs

    批处理设置IP地址 不知朋友们是否有这样的经历,把本本带到单位上网时,由于单位需要配固定IP地址,而家里是自动获得IP地址的,所以每天都要对这个IP地址设置来设置去,那么有没有简单方便的办法呢?其实我 ...

  2. [Boolan-C++学习笔记]第一周整理

    1.两种典型类 Complex 无指针 String 有指针 编写思路差异较大 2.使用Class声明:Object Based.类与类之间的关系:Object Oriented 3.头文件的布局 # ...

  3. LeetCode Majority Element Python

    Given an array of size n, find the majority element. The majority element is the element that appear ...

  4. Git Authoritative Guide 学习

    一.git命令1.git add -u : 将工作区中所有改动的文件添加到暂存区(修改.删除),但是不提交未被git跟踪的文件 -i : 可以进入交互界面选择性提交 -A : 相对于-u,它还提交新建 ...

  5. Cocos2d-x 2.2.3 使用NDK配置编译环境

    版权声明:本文为博主原创文章.未经博主同意不得转载. https://blog.csdn.net/wwj_748/article/details/30072379 Cocos2d-x 2.2.3 使用 ...

  6. 编辑文章 - 博客频道 - CSDN.NET

    站点连接 :http://www.gaoshou.me/uid/19125624    不用不知道,一用吓一跳. 每一个月的手机话费不用愁了. 仅限苹果手机 1.同步请求能够从因特网请求数据.一旦发送 ...

  7. Python函数 dict()

    dict() 作用:dict() 函数用于创建一个字典.返回一个字典. 语法: class dict(**kwarg) class dict(mapping, **kwarg) class dict( ...

  8. FP-growth算法发现频繁项集(二)——发现频繁项集

    上篇介绍了如何构建FP树,FP树的每条路径都满足最小支持度,我们需要做的是在一条路径上寻找到更多的关联关系. 抽取条件模式基 首先从FP树头指针表中的单个频繁元素项开始.对于每一个元素项,获得其对应的 ...

  9. java中<load-on-startup>含义

    java中 load-on-startup 含义 java中的 load-on-startup 用于表示该servlet是否在servlet容器启动的时候加载. 示例: <load-on-sta ...

  10. ZedGraph 柱状图、饼图、折线图演示源码

    http://code1.okbase.net/codefile/ZedGraphControl.ContextMenu.cs_201211225626_97.htm // //This librar ...