@rodde177
Forked from tsaarni/openssl-notes.txt
Created November 12, 2021 15:43
Revisions

  1. @tsaarni tsaarni created this gist Oct 22, 2016.
    68 changes: 68 additions & 0 deletions openssl-notes.txt
    @@ -0,0 +1,68 @@
    *** RSA

    # Generate self-signed certificate with RSA 4096 key-pair
    openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout rsakey.pem -out rsacert.pem

    # print private and public key
    openssl rsa -in rsakey.pem -text -noout

    # print certificate
    openssl x509 -in rsacert.pem -text -noout

    # generate PKCS#12 container
    openssl pkcs12 -export -inkey rsakey.pem -in rsacert.pem -out rsacred.p12


    *** ECDSA

    # Generate self-signed certificate with ECDSA using two common curves
    openssl req -x509 -nodes -days 3650 -newkey ec:<(openssl ecparam -name prime256v1) -keyout ecdsakey.pem -out ecdsacert.pem
    openssl req -x509 -nodes -days 3650 -newkey ec:<(openssl ecparam -name secp384r1) -keyout ecdsakey.pem -out ecdsacert.pem

    # print private and public key + curve name
    openssl ec -in ecdsakey.pem -text -noout

    # print certificate
    openssl x509 -in ecdsacert.pem -text -noout

    # generate container
    openssl pkcs12 -export -inkey ecdsakey.pem -in ecdsacert.pem -out ecdsacred.p12


    Which curve to choose?

    http://security.stackexchange.com/questions/78621/which-elliptic-curve-should-i-use

    "Interoperability" means that you would probably prefer it if SSL clients can actually
    connect to your server; otherwise, having a SSL server would be rather pointless.
    This simplifies the question a lot: in practice, average clients only support two curves,
    the ones which are designated in so-called NSA Suite B: these are NIST curves P-256 and
    P-384 (in OpenSSL, they are designated as, respectively, "prime256v1" and "secp384r1").
    If you use any other curve, then some widespread Web browsers (e.g. Internet Explorer,
    Firefox...) will be unable to talk to your server.


    *** DSA

    # generate both key and DSA parameters (both will be stored in dsakey.pem)
    openssl dsaparam -genkey 1024 -out dsakey.pem
    openssl req -x509 -new -days 3650 -key dsakey.pem -out dsacert.pem

    # print private and public key with DSA params
    openssl dsa -in dsakey.pem -text -noout

    # print certificate
    openssl x509 -in dsacert.pem -text -noout

    # print only DSA params from key file
    openssl dsaparam -in dsakey.pem -text -noout

    # generate container
    openssl pkcs12 -export -inkey dsakey.pem -in dsacert.pem -out dsacred.p12



    *** Test TLS connection

    openssl s_server -accept 1443 -www -key key.pem -cert cert.pem
    openssl s_client -showcerts -connect localhost:1443 -CAfile cert.pem
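Review bot: In the DSA section, `openssl dsaparam -genkey 1024 -out dsakey.pem` produces a 1024-bit DSA key, which is below the 2048-bit minimum that current guidance (NIST SP 800-57) and most present-day TLS clients require, so a certificate built on it will be rejected or flagged as weak; suggest `openssl dsaparam -genkey 2048 -out dsakey.pem` and a comment stating the size deliberately. Two smaller points in the ECDSA section: the two `req` lines both write to `ecdsakey.pem` / `ecdsacert.pem`, so running them as written overwrites the P-256 pair with the P-384 one (use distinct names such as `ecdsa256key.pem` / `ecdsa384key.pem`), and the `ec:<(openssl ecparam -name ...)` process substitution needs bash or zsh rather than plain `sh`, which the notes do not mention. Lastly, `-nodes` in the RSA and ECDSA `req` lines leaves the private keys unencrypted on disk; a one-line comment saying so would help readers who copy these commands into a non-test environment.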