PKI / openSSL Cheat Sheet by mdoehle

Generate a new private key and Certif­icate Signing Request openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -sha256 -keyout privat­eKe­y.key Generate a self-s­igned certif­icate openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privat­eKe­y.key -out certif­ica­te.crt Generate a certif­icate signing request (CSR) for an existing private key openssl req -out CSR.csr -key privat­eKe­y.key -new Generate a certif­icate signing request based on an existing certif­icate openssl x509 -x509toreq -in certif­ica­te.crt -out CSR.csr -signkey privat­eKe­y.key Remove a passphrase from a private key openssl rsa -in privat­eKe­y.pem -out newPri­vat­eKe­y.pem

Check a Certif­icate Signing Request (CSR) openssl req -text -noout -verify -in CSR.csr Check a private key openssl rsa -in privat­eKe­y.key -check Check a certif­icate openssl x509 -in certif­ica­te.crt -text -noout Check a PKCS#12 file (.pfx or .p12) openssl pkcs12 -info -in keySto­re.p12

Print certif­icate openssl x509 -noout -text -in certif­ica­te.crt Check an SSL connec­tion. All the certif­icates (including Interm­edi­ates) should be displayed openssl s_client -connect www.pa­ypa­l.c­om:443

Convert a PKCS#12 file (.pfx .p12) containing a private key and certif­icates to PEM openssl pkcs12 -in keySto­re.p12 -out keySto­re.pem -nodes Remove Passphrase from key-file openssl rsa -in exampl­e.key -out exampl­e.n­ocr­ypt.key

Check the SSL perfor­mance openssl speed sha1 openssl speed aes-25­6-cbc openssl speed -evp aes-25­6-cbc

Check versions # openssl version OpenSSL 1.0.1e 11 Feb 2013 # apache2 -v Server version: Apache­/2.2.22 (Debian) Server built: Aug 18 2015 09:50:52 Enable mods a2enmod ssl a2enmod headers a2enmod setenvif Configure virtual host SSLEngine on SSLHon­orC­iph­erOrder On SSLCip­her­Suite ECDHE-­RSA­-AE­S12­8-G­CM-­SHA­256­:EC­DHE­-EC­DSA­-AE­S12­8-G­CM-­SHA­256­:EC­DHE­-RS­A-A­ES2­56-­GCM­-SH­A38­4:E­CDH­E-E­CDS­A-A­ES2­56-­GCM­-SH­A38­4:D­HE-­DSS­-AE­S12­8-G­CM-­SHA­256­:kE­DH+­AES­GCM­:EC­DHE­-RS­A-A­ES1­28-­SHA­256­:EC­DHE-E SSLPro­tocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2 SSLCer­tif­ica­teFile /etc/s­sl/­www.ex­amp­le.c­om.pem SSLCer­tif­ica­teK­eyFile /etc/s­sl/­www.ex­amp­le.c­om.key SSLCer­tif­ica­teC­hai­nFile /etc/s­sl/­cha­in.pem SSLStr­ict­SNI­VHo­stCheck On Header always set Strict­-Tr­ans­por­t-S­ecurity "­max­-ag­e=6­307­2000; includ­eSu­bdo­mains; preloa­d" <Fi­les­Match "­\.(­cgi­|sh­tml­|ph­tml­|ph­p)$­"> SSLOptions +StdEn­vVars </F­ile­sMa­tch> <Di­rectory /usr/l­ib/­cgi­-bi­n> SSLOptions +StdEn­vVars </D­ire­cto­ry> Browse­rMatch "MSIE [2-6]" \ nokeep­alive ssl-un­cle­an-­shu­tdown \ downgr­ade-1.0 force-­res­pon­se-1.0 # MSIE 7 and newer should be able to use keepalive Browse­rMatch "MSIE [17-9]­" ssl-un­cle­an-­shu­tdown