PKI / openSSL Cheat Sheet by mdoehle

Generate a new private key and Certif­icate Signing Request

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -sha256 -keyout privat­eKe­y.key

Generate a self-s­igned certif­icate

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privat­eKe­y.key -out certif­ica­te.crt

Generate a certif­icate signing request (CSR) for an existing private key

openssl req -out CSR.csr -key privat­eKe­y.key -new

Generate a certif­icate signing request based on an existing certif­icate

openssl x509 -x509toreq -in certif­ica­te.crt -out CSR.csr -signkey privat­eKe­y.key

Remove a passphrase from a private key

openssl rsa -in privat­eKe­y.pem -out newPri­vat­eKe­y.pem

Check a Certif­icate Signing Request (CSR)

openssl req -text -noout -verify -in CSR.csr

Check a private key

openssl rsa -in privat­eKe­y.key -check

Check a certif­icate

openssl x509 -in certif­ica­te.crt -text -noout

Check a PKCS#12 file (.pfx or .p12)

openssl pkcs12 -info -in keySto­re.p12

Print certif­icate

openssl x509 -noout -text -in certif­ica­te.crt

Check an SSL connec­tion. All the certif­icates (including Interm­edi­ates) should be displayed

openssl s_client -connect www.pa­ypa­l.c­om:443

Convert a PKCS#12 file (.pfx .p12) containing a private key and certif­icates to PEM

openssl pkcs12 -in keySto­re.p12 -out keySto­re.pem -nodes

Remove Passphrase from key-file

openssl rsa -in exampl­e.key -out exampl­e.n­ocr­ypt.key

Check the SSL perfor­mance

openssl speed sha1

openssl speed aes-25­6-cbc

openssl speed -evp aes-25­6-cbc

Check versions

# openssl version
OpenSSL 1.0.1e 11 Feb 2013

# apache2 -v
Server version: Apache­/2.2.22 (Debian)
Server built: Aug 18 2015 09:50:52

Enable mods

a2enmod ssl
a2enmod headers
a2enmod setenvif

Configure virtual host

SSLEngine on

SSLHon­orC­iph­erOrder On
SSLCip­her­Suite ECDHE-­RSA­-AE­S12­8-G­CM-­SHA­256­:EC­DHE­-EC­DSA­-AE­S12­8-G­CM-­SHA­256­:EC­DHE­-RS­A-A­ES2­56-­GCM­-SH­A38­4:E­CDH­E-E­CDS­A-A­ES2­56-­GCM­-SH­A38­4:D­HE-­DSS­-AE­S12­8-G­CM-­SHA­256­:kE­DH+­AES­GCM­:EC­DHE­-RS­A-A­ES1­28-­SHA­256­:EC­DHE-E
SSLPro­tocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
SSLCer­tif­ica­teFile /etc/s­sl/­www.ex­amp­le.c­om.pem
SSLCer­tif­ica­teK­eyFile /etc/s­sl/­www.ex­amp­le.c­om.key
SSLCer­tif­ica­teC­hai­nFile /etc/s­sl/­cha­in.pem

SSLStr­ict­SNI­VHo­stCheck On

Header always set Strict­-Tr­ans­por­t-S­ecurity "­max­-ag­e=6­307­2000; includ­eSu­bdo­mains; preloa­d"

<Fi­les­Match "­\.(­cgi­|sh­tml­|ph­tml­|ph­p)$­">
SSLOptions +StdEn­vVars
</F­ile­sMa­tch>
<Di­rectory /usr/l­ib/­cgi­-bi­n>
SSLOptions +StdEn­vVars
</D­ire­cto­ry>

Browse­rMatch "MSIE [2-6]" \
nokeep­alive ssl-un­cle­an-­shu­tdown \
downgr­ade-1.0 force-­res­pon­se-1.0
# MSIE 7 and newer should be able to use keepalive
Browse­rMatch "MSIE [17-9]­" ssl-un­cle­an-­shu­tdown