Testing tools: [[https://www.ssllabs.com|SSL Labs]], [[https://testssl.sh|testssl.sh]], [[https://nabla-c0d3.github.io/sslyze/documentation/|SSLyze]]

=== Certificate order ===
The server sends the leaf (end-entity) certificate first, followed by the intermediate CA certificates, each following certificate directly certifying the one before it (MUST in TLS 1.2, SHOULD in TLS 1.3); see ''certificate_list'' in [[https://www.rfc-editor.org/rfc/rfc5246#section-7.4.2|RFC 5246 section 7.4.2, Server Certificate]]. The self-signed root MAY be omitted, since the client has to hold it in its own trust store anyway; TLS 1.3 keeps the same rule (RFC 8446 section 4.4.2).\\
[[https://www.rfc-editor.org/rfc/rfc5246|RFC 5246]] The Transport Layer Security (TLS) Protocol Version 1.2\\
[[https://www.rfc-editor.org/rfc/rfc5280|RFC 5280]] Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile\\
Use the [[https://ssl-config.mozilla.org/|Mozilla SSL Configuration Generator]] to produce a strong TLS configuration for the server software in use.

=== ECC ===
  * Use the NIST curves P-256 or P-384 (the NSA Suite B curves).
  * [[https://soatok.blog/2022/05/19/guidance-for-choosing-an-elliptic-curve-signature-algorithm-in-2022/|Guidance for Choosing an Elliptic Curve Signature Algorithm in 2022]] (Soatok)
  * [[https://support.globalsign.com/ssl/ssl-certificates-life-cycle/ecc|GlobalSign: ECC certificates]]
  * [[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf|NIST SP 800-52 Rev. 2]] Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations: "If the server is configured with an ECDSA signature certificate, either curve P-256 or curve P-384 should be used for the public key in the certificate."
  * [[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf|NIST SP 800-186]] Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters (curve definitions; ECDSA key lengths, p. 6)

==== Certificate management ====
[[https://www.nccoe.nist.gov/tls-server-certificate-management|NCCoE: TLS Server Certificate Management]]\\
[[https://csrc.nist.gov/pubs/sp/800/131/a/r2/final|NIST SP 800-131A Rev. 2]] Transitioning the Use of Cryptographic Algorithms and Key Lengths ([[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf|PDF]]). Table 2, acceptable key sizes for digital signatures: ECDSA and EdDSA with a key (curve order) of at least 224 bits, which corresponds to at least 112 bits of security strength, and RSA with a modulus of at least 2048 bits. Note that 224 is the key length, not the security strength.\\
[[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt2r1.pdf|NIST SP 800-57 Part 2 Rev. 1]] Recommendation for Key Management: Part 2 - Best Practices for Key Management Organizations\\
[[https://cabforum.org/documents/|CA/Browser Forum documents]]\\
[[https://www.rfc-editor.org/rfc/rfc9325|RFC 9325]] Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)\\
[[https://www.rfc-editor.org/rfc/rfc8446|RFC 8446]] The Transport Layer Security (TLS) Protocol Version 1.3\\
[[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf|NIST SP 800-56A Rev. 3]] Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography

==== Cipher Suites ====
[[https://ciphersuite.info/|ciphersuite.info]] lists every IANA-registered TLS cipher suite with a security rating.
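Worked example for the //Certificate order// and //ECC// notes above. It is added here and is not from the page's original notes, from any cited document or from any tool linked on this page. Go, standard library only: it mints a P-384 root, a P-384 intermediate and a P-256 leaf, checks that a ''certificate_list'' obeys the RFC 5246 7.4.2 / RFC 8446 4.4.2 ordering rule (leaf first, each following certificate directly certifying the one before it, root optional), and applies the SP 800-131A Rev. 2 key-size thresholds to each key. The CA names, the hostname ''www.example.com'' and the 24-hour validity are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckChainOrder enforces the certificate_list rule of RFC 5246 7.4.2 and
// RFC 8446 4.4.2: the leaf comes first and each following certificate directly
// certifies the one before it; the self-signed root MAY be omitted. Only the
// ordering is checked; trust anchor, expiry, hostname and revocation belong to
// full path validation (x509.Certificate.Verify).
func CheckChainOrder(chain []*x509.Certificate) error {
	if len(chain) == 0 {
		return fmt.Errorf("empty certificate_list")
	}
	if chain[0].IsCA { // an end-entity certificate is never a CA
		return fmt.Errorf("first certificate %q is a CA; the leaf must come first", chain[0].Subject.CommonName)
	}
	for i := 0; i+1 < len(chain); i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return fmt.Errorf("certificate %d (%q) is not directly certified by certificate %d (%q): %v",
				i, chain[i].Subject.CommonName, i+1, chain[i+1].Subject.CommonName, err)
		}
	}
	return nil
}

// KeyStrengthAcceptable applies the SP 800-131A Rev. 2 thresholds noted above:
// RSA modulus >= 2048 bits; ECDSA curve order >= 224 bits (112-bit security strength).
func KeyStrengthAcceptable(pub any) (bool, string) {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return k.N.BitLen() >= 2048, fmt.Sprintf("RSA-%d", k.N.BitLen())
	case *ecdsa.PublicKey:
		return k.Curve.Params().N.BitLen() >= 224, "ECDSA " + k.Curve.Params().Name
	default:
		return false, fmt.Sprintf("unsupported key type %T", pub)
	}
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

var serial int64 // sequential demo serials; a real CA uses random serial numbers
// newCert issues a certificate for pub, signed by parent with signerKey
// (self-signed when parent is nil). Names and lifetime are made up for the demo.
func newCert(cn string, isCA bool, pub any, parent *x509.Certificate, signerKey any) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // CheckSignatureFrom requires this on the issuer
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey))
	return must(x509.ParseCertificate(der))
}

// BuildDemoChain mints a P-384 root and intermediate and a P-256 leaf (the curves
// SP 800-52r2 recommends) and returns them in wire order: leaf, intermediate, root.
func BuildDemoChain() []*x509.Certificate {
	rootKey := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
	root := newCert("Demo Root CA", true, &rootKey.PublicKey, nil, rootKey)
	interKey := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
	inter := newCert("Demo Intermediate CA", true, &interKey.PublicKey, root, rootKey)
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leaf := newCert("www.example.com", false, &leafKey.PublicKey, inter, interKey)
	return []*x509.Certificate{leaf, inter, root}
}

func main() {
	chain := BuildDemoChain()
	fmt.Println("leaf, intermediate, root:", CheckChainOrder(chain))
	fmt.Println("root omitted:", CheckChainOrder(chain[:2]))
	fmt.Println("root sent first:", CheckChainOrder([]*x509.Certificate{chain[2], chain[1], chain[0]}))
	for _, c := range chain {
		ok, desc := KeyStrengthAcceptable(c.PublicKey)
		fmt.Printf("%-22s %-12s acceptable=%v\n", c.Subject.CommonName, desc, ok)
	}
}
```

''go run'' prints ''<nil>'' for the two well-ordered lists and an error for the reversed one, then the curve and acceptability of each key. To audit a live server, pass ''tls.ConnectionState().PeerCertificates'' (the chain in the order the peer sent it) to ''CheckChainOrder''; a mis-ordered or incomplete chain is what SSL Labs reports under "Chain issues".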