Cheatography
https://cheatography.com
Create and manage PKI Certs with openSSL
Certificate Signing Request (CSR)
Generate a new private key and Certificate Signing Request
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -sha256 -keyout privateKey.key
Generate a self-signed certificate
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
Generate a certificate signing request (CSR) for an existing private key
openssl req -out CSR.csr -key privateKey.key -new
Generate a certificate signing request based on an existing certificate
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
Remove a passphrase from a private key
openssl rsa -in privateKey.pem -out newPrivateKey.pem
Check Files
Check a Certificate Signing Request (CSR)
openssl req -text -noout -verify -in CSR.csr
Check a private key
openssl rsa -in privateKey.key -check
Check a certificate
openssl x509 -in certificate.crt -text -noout
Check a PKCS#12 file (.pfx or .p12)
openssl pkcs12 -info -in keyStore.p12
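The key, CSR and check commands above, tied together in an added example that is not part of this cheat sheet: a POSIX shell script that creates a throwaway private CA, issues a server certificate from a CSR, and then performs two checks the sheet leaves implicit, that a certificate actually matches its private key and that it chains to a trusted CA for the expected hostname. It goes beyond the sheet in signing with a CA (openssl x509 -req -CA) instead of self-signing; the file names, the example.com subject and the temp directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the cheat sheet. Builds a throwaway private CA in a
# temp directory, issues a server cert from a CSR, then checks the result.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. CA: private key and self-signed root (cf. "Generate a self-signed certificate").
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. Server: fresh key plus CSR (cf. "Generate a new private key and CSR").
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=www.example.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# 3. Sign with the CA. Clients match the hostname against the SAN, not the CN.
printf 'subjectAltName=DNS:www.example.com\n' > "$WORK/san.ext"
openssl x509 -req -sha256 -days 90 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null

# A certificate is only usable with the key it was issued for: compare the
# SHA-256 of the public key taken from each. Returns 0 on match, 1 otherwise.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# Chain check: the leaf must verify against the trusted CA file and carry the
# expected hostname in its SAN. Returns openssl verify's exit status.
cert_chain_ok() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

if cert_matches_key "$WORK/server.crt" "$WORK/server.key"; then
    echo "server.crt matches server.key"
fi
if cert_chain_ok "$WORK/ca.crt" "$WORK/server.crt" www.example.com; then
    echo "server.crt chains to ca.crt for www.example.com"
fi
# Negative case: the server cert was not issued for the CA's key.
if ! cert_matches_key "$WORK/server.crt" "$WORK/ca.key"; then
    echo "server.crt correctly rejected against ca.key"
fi
```

Run it with a plain sh; both functions are reusable on any PEM certificate and key pair, for example to confirm that the files referenced by SSLCertificateFile and SSLCertificateKeyFile belong together before restarting a web server.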
Debugging
Print certificate
openssl x509 -noout -text -in certificate.crt
Check an SSL connection. All the certificates (including intermediates) should be displayed
openssl s_client -connect www.paypal.com:443
Remove Passphrase
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
openssl pkcs12 -in keyStore.p12 -out keyStore.pem -nodes
Remove Passphrase from key-file
openssl rsa -in example.key -out example.nocrypt.key
Performance
Check the SSL performance
openssl speed sha1
openssl speed aes-256-cbc
openssl speed -evp aes-256-cbc
How to get an A+ at SSL Labs
Check versions
# openssl version
OpenSSL 1.0.1e 11 Feb 2013
# apache2 -v
Server version: Apache/2.2.22 (Debian)
Server built: Aug 18 2015 09:50:52
Enable mods
a2enmod ssl
a2enmod headers
a2enmod setenvif
Configure virtual host
SSLEngine on
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-E
SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
SSLCertificateFile /etc/ssl/www.example.com.pem
SSLCertificateKeyFile /etc/ssl/www.example.com.key
SSLCertificateChainFile /etc/ssl/chain.pem
SSLStrictSNIVHostCheck On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown