Differences

This shows you the differences between two versions of the page.

--- notes:openssl [2021/11/02 18:33] – created david
+++ notes:openssl [2024/06/01 21:18] (current) – [openssl s_client] david
@@ Line 1: / Line 1: @@
-Create a certificate request
+===== Create a certificate request =====
+==== Create a ECC key ====
+Create a ECC private key using the prime256v1 algorithm ((https://www.digicert.com/kb/ecc-csr-creation-ssl-installation-apache.htm))
+<code>openssl ecparam -out server.key -name prime256v1 -genkey</code>
+using secp384r1
+<code>openssl ecparam -out server.key -name prime256v1 -genkey</code>
+Create CSR from key
+<code>openssl req -new -nodes -key server.key -out $(hostname -f).csr\
+-subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=$(hostname -f)"\
+-addext "subjectAltName=DNS:$(hostname -f)"</code>
+One-liner for ECC key
+<code>openssl req -new -nodes -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 \
+-keyout $(hostname -f).key -out $(hostname -f).csr \
+-subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=$(hostname -f)"\
+-addext "subjectAltName=DNS:$(hostname -f)"
+</code>
+==== Create a RSA key ====
 <code>openssl req -new -nodes -keyout newkey.pem -out newreq.pem</code>
+Create rsa key and csr
+<code>openssl req -new -newkey rsa:2048 -nodes -out example.com.csr \
+-keyout example.com.key \
+-subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=example.com" \
+-addext "subjectAltName=DNS:example.com"</code>
+one liner for RSA key and csr using system FQDN
+<code>openssl req -new -sha256 -nodes  -out $(hostname -f).csr -newkey rsa:2048 -keyout $(hostname -f).key -subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=$(hostname -f)" \
+-addext "subjectAltName=DNS:$(hostname -f)"
+</code>
+=====  get cert modulus and compare to private key =====
+<code>
+if [[ "$(openssl x509 -noout -in ${SIGNED_CERT}  -modulus)" !=  "$(openssl rsa -noout -in ${PRIVATE_KEY}  -modulus)" ]] ; then
+echo "they don't match"
+fi
+</code>
 =====pkcs12 =====
@@ Line 48: / Line 88: @@
 With certificate verification
     openssl s_client -connect example.com:443 -cert mycert.pem  -key mykey.pem  -CAfile cacert.pem
+Retrieve just the RSA public key if the site has both ECDSA & RSA
+    openssl s_client -sigalgs "RSA-PSS+SHA256"  -connect google.com:443
+    to retrieve the EC cert use "ECDSA+SHA256" for sigalgs
+For more examples of using signature algorithms see https://node-security.com/posts/openssl-testing-signature-algorithm/
 wget and openssl s_client
@@ Line 56: / Line 104: @@
 ===== Encrypting using openssl =====
 openssl enc -e -k 1234 -aes256 -in text.txt -out text.txt.enc
+openssl enc -e -k 1234 -aes256 -pbkdf2 -in text.txt -out text.txt.enc
+openssl enc -d -k 1234 -aes256 -pbkdf2 -in text.txt -out text.txt.enc
 #Signing files
@@ Line 108: / Line 161: @@
 <code> revoke_date=`date +%y%m%d%H%M%SZ`</code>
+===== compare key with signed cert =====
+    openssl x509 -noout -modulus -in <signed_cert.crt>
+    openssl rsa -noout -modulus -in <cert.key>
+and compare the two
+===== References =====
+https://www.digicert.com/kb/ecc-csr-creation-ssl-installation-apache.htm
+https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs
+https://dev.to/benjaminblack/obtaining-an-elliptic-curve-dsa-certificate-with-lets-encrypt-51bc
+https://blog.dnsimple.com/2022/10/ecc-support-for-certificates/
+https://soatok.blog/2022/05/19/guidance-for-choosing-an-elliptic-curve-signature-algorithm-in-2022/