notes:openssl

notes:openssl [2023/03/08 15:25] davidnotes:openssl [2024/06/01 21:18] (current) – [openssl s_client] david
Line 1: Line 1:
-Create a certificate request+===== Create a certificate request ===== 
 +==== Create a ECC key ==== 
 +Create a ECC private key using the prime256v1 algorithm ((https://www.digicert.com/kb/ecc-csr-creation-ssl-installation-apache.htm)) 
 +<code>openssl ecparam -out server.key -name prime256v1 -genkey</code> 
 +using secp384r1 
 +<code>openssl ecparam -out server.key -name prime256v1 -genkey</code> 
 + 
 +Create CSR from key 
 +<code>openssl req -new -nodes -key server.key -out $(hostname -f).csr\ 
 +-subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=$(hostname -f)"
 +-addext "subjectAltName=DNS:$(hostname -f)"</code> 
 + 
 + 
 +One-liner for ECC key 
 +<code>openssl req -new -nodes -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 \ 
 +-keyout $(hostname -f).key -out $(hostname -f).csr \ 
 +-subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=$(hostname -f)"
 +-addext "subjectAltName=DNS:$(hostname -f)" 
 +</code> 
 + 
 + 
 +==== Create a RSA key ====
 <code>openssl req -new -nodes -keyout newkey.pem -out newreq.pem</code> <code>openssl req -new -nodes -keyout newkey.pem -out newreq.pem</code>
 +
 +Create rsa key and csr
 +<code>openssl req -new -newkey rsa:2048 -nodes -out example.com.csr \
 +-keyout example.com.key \
 +-subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=example.com" \
 +-addext "subjectAltName=DNS:example.com"</code>
 +
 +one liner for RSA key and csr using system FQDN
 +<code>openssl req -new -sha256 -nodes  -out $(hostname -f).csr -newkey rsa:2048 -keyout $(hostname -f).key -subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=$(hostname -f)" \
 +-addext "subjectAltName=DNS:$(hostname -f)"
 +</code>
 +
 +
 +=====  get cert modulus and compare to private key ===== 
 +<code>
 +if [[ "$(openssl x509 -noout -in ${SIGNED_CERT}  -modulus)" !=  "$(openssl rsa -noout -in ${PRIVATE_KEY}  -modulus)" ]] ; then
 +echo "they don't match"
 +fi
 +</code>
  
 =====pkcs12 ===== =====pkcs12 =====
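Review bot: the "using secp384r1" variant repeats `-name prime256v1`, so both ECC commands generate the same P-256 key; the second should read `openssl ecparam -out server.key -name secp384r1 -genkey`. In the "Create CSR from key" and "One-liner for ECC key" blocks the `-subj "..."` line has no trailing backslash, so the shell runs `-addext ...` as a separate command after the `openssl req` call has already finished; add `\` to the end of those lines as the RSA one-liner already does. The modulus comparison at the end only works for RSA (`openssl rsa -modulus` fails on an EC key); for the ECC keys introduced above, compare `openssl x509 -noout -pubkey -in "$SIGNED_CERT"` against `openssl pkey -pubout -in "$PRIVATE_KEY"` instead, and quote the variables so an unset one fails loudly rather than silently comparing the wrong files.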
Line 48: Line 88:
 With certificate verification With certificate verification
     openssl s_client -connect example.com:443 -cert mycert.pem  -key mykey.pem  -CAfile cacert.pem     openssl s_client -connect example.com:443 -cert mycert.pem  -key mykey.pem  -CAfile cacert.pem
 +
 +Retrieve just the RSA public key if the site has both ECDSA & RSA
 +    openssl s_client -sigalgs "RSA-PSS+SHA256"  -connect google.com:443
 +    to retrieve the EC cert use "ECDSA+SHA256" for sigalgs
 +
 +For more examples of using signature algorithms see https://node-security.com/posts/openssl-testing-signature-algorithm/
 +
 +
  
 wget and openssl s_client wget and openssl s_client
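Review bot: the line `to retrieve the EC cert use "ECDSA+SHA256" for sigalgs` is indented four spaces like the command above it, so DokuWiki renders it as part of the code block rather than as the explanatory note it is; outdent it to prose. The text also says "RSA public key" where what `-sigalgs "RSA-PSS+SHA256"` actually does is restrict the signature algorithms the client offers, so a dual-certificate server selects its RSA chain; the public key is then read from that certificate, and against a server that only has an ECDSA certificate the handshake fails rather than falling back. Worth a short sentence so the reader knows what a failure means.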
Line 56: Line 104:
 ===== Encrypting using openssl ===== ===== Encrypting using openssl =====
 openssl enc -e -k 1234 -aes256 -in text.txt -out text.txt.enc openssl enc -e -k 1234 -aes256 -in text.txt -out text.txt.enc
 +
 +
 +openssl enc -e -k 1234 -aes256 -pbkdf2 -in text.txt -out text.txt.enc
 +
 +openssl enc -d -k 1234 -aes256 -pbkdf2 -in text.txt -out text.txt.enc
  
 #Signing files #Signing files
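Review bot: the decryption command has its input and output swapped: `openssl enc -d -k 1234 -aes256 -pbkdf2 -in text.txt -out text.txt.enc` reads the plaintext and overwrites the ciphertext file; it should be `-in text.txt.enc -out text.txt`. The first example without `-pbkdf2` uses the legacy EVP_BytesToKey derivation, which OpenSSL 1.1.1 and later flag with a "deprecated key derivation used" warning; the `-pbkdf2` form should be shown as the default, ideally with `-iter` raised above the built-in 10000. Passing the password with `-k 1234` also exposes it in the process list and shell history; `-pass file:<path>` or `-kfile <path>` avoids that.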
Line 113: Line 166:
 and compare the two and compare the two
  
 +
 +===== References =====
 +https://www.digicert.com/kb/ecc-csr-creation-ssl-installation-apache.htm
 +
 +https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs
 +
 +https://dev.to/benjaminblack/obtaining-an-elliptic-curve-dsa-certificate-with-lets-encrypt-51bc
 +
 +https://blog.dnsimple.com/2022/10/ecc-support-for-certificates/
 +
 +https://soatok.blog/2022/05/19/guidance-for-choosing-an-elliptic-curve-signature-algorithm-in-2022/
notes/openssl.1678307140.txt.gz · Last modified: by david