Differences

This shows you the differences between two versions of the page.

--- notes:openssl [2023/10/10 23:51] – david
+++ notes:openssl [2024/06/01 21:18] (current) – [openssl s_client] david
@@ Line 3: / Line 3: @@
 Create a ECC private key using the prime256v1 algorithm ((https://www.digicert.com/kb/ecc-csr-creation-ssl-installation-apache.htm))
 <code>openssl ecparam -out server.key -name prime256v1 -genkey</code>
-<code>openssl req -new -key server.key -nodes \
+using secp384r1
--out example.com.csr \
+<code>openssl ecparam -out server.key -name prime256v1 -genkey</code>
--subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=example.com"\
--addext "subjectAltName=DNS:example.com"</code>
+Create CSR from key
+<code>openssl req -new -nodes -key server.key -out $(hostname -f).csr\
+-subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=$(hostname -f)"\
+-addext "subjectAltName=DNS:$(hostname -f)"</code>
+One-liner for ECC key
+<code>openssl req -new -nodes -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 \
+-keyout $(hostname -f).key -out $(hostname -f).csr \
+-subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=$(hostname -f)"\
+-addext "subjectAltName=DNS:$(hostname -f)"
+</code>
 ==== Create a RSA key ====
 <code>openssl req -new -nodes -keyout newkey.pem -out newreq.pem</code>
+Create rsa key and csr
 <code>openssl req -new -newkey rsa:2048 -nodes -out example.com.csr \
 -keyout example.com.key \
 -subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=example.com" \
 -addext "subjectAltName=DNS:example.com"</code>
+one liner for RSA key and csr using system FQDN
+<code>openssl req -new -sha256 -nodes  -out $(hostname -f).csr -newkey rsa:2048 -keyout $(hostname -f).key -subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=$(hostname -f)" \
+-addext "subjectAltName=DNS:$(hostname -f)"
+</code>
 =====  get cert modulus and compare to private key =====
@@ Line 68: / Line 88: @@
 With certificate verification
     openssl s_client -connect example.com:443 -cert mycert.pem  -key mykey.pem  -CAfile cacert.pem
+Retrieve just the RSA public key if the site has both ECDSA & RSA
+    openssl s_client -sigalgs "RSA-PSS+SHA256"  -connect google.com:443
+    to retrieve the EC cert use "ECDSA+SHA256" for sigalgs
+For more examples of using signature algorithms see https://node-security.com/posts/openssl-testing-signature-algorithm/
 wget and openssl s_client
@@ Line 76: / Line 104: @@
 ===== Encrypting using openssl =====
 openssl enc -e -k 1234 -aes256 -in text.txt -out text.txt.enc
+openssl enc -e -k 1234 -aes256 -pbkdf2 -in text.txt -out text.txt.enc
+openssl enc -d -k 1234 -aes256 -pbkdf2 -in text.txt -out text.txt.enc
 #Signing files
@@ Line 138: / Line 171: @@
 https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs
+https://dev.to/benjaminblack/obtaining-an-elliptic-curve-dsa-certificate-with-lets-encrypt-51bc
+https://blog.dnsimple.com/2022/10/ecc-support-for-certificates/
+https://soatok.blog/2022/05/19/guidance-for-choosing-an-elliptic-curve-signature-algorithm-in-2022/