web Security
TL;dr
root@debian:~$ openssl version
OpenSSL 1.1.1c 28 May 2019
tlsv3
I
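# Self-signed server certificate, two variants. Both write server.key and
# server.crt, so running the second replaces the output of the first.
# -nodes stores the private key without a passphrase: the file itself is the
# secret, so keep it out of images, backups and version control.
#
# Variant 1 (interactive): openssl prompts for the subject fields listed below.
# No subjectAltName is added here; when the host name is known, append
#   -addext "subjectAltName=DNS:<your-host>"
# (-addext needs OpenSSL 1.1.1 or newer).
openssl req -newkey rsa:2048 -nodes -keyout server.key -sha256 -x509 -days 3650 -out server.crt
# Subject (distinguished name) fields:
#   C  : Country - the organization's country as a two-letter code, e.g. CN for China
#   ST : State/Province - state or province where the organization is located
#   L  : Locality - city or county/district
#   O  : Organization - name of the organization that owns the site
#   OU : Organization Unit - department name; also often used to show other
#        certificate information (certificate type, product name, validation type or content)
#   CN : Common Name - the site's domain name
#
# Variant 2 (non-interactive): subject passed with -subj.
# The subjectAltName entry repeats the CN host name because clients that match
# host names against SAN entries ignore CN; without it such clients reject the
# certificate. -sha256 is spelled out so the digest does not depend on defaults.
openssl req -newkey rsa:2048 -nodes -keyout server.key -sha256 -x509 -days 3650 -out server.crt \
  -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=hello.com/emailAddress=yy@vivo.com" \
  -addext "subjectAltName=DNS:hello.com"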
II
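# Private CA plus a server certificate for reg.domain.com, then system-wide
# trust of that CA on a yum-based host.
#
# CA key and self-signed CA certificate. -nodes leaves harbor-ca.key
# unencrypted: whoever can read it can mint certificates this host will trust.
openssl req -nodes -new -newkey rsa:4096 -x509 -sha512 -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=harborCA" -keyout harbor-ca.key -out harbor-ca.cert -days 3650
# Server key and CSR.
openssl genrsa -out harbor-reg-domain.key 2048
openssl req -new -key harbor-reg-domain.key -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=reg.domain.com/emailAddress=yy@vivo.com" -out harbor-reg-domain.csr
# Sign the CSR. "x509 -req" adds no extensions unless -extfile is given, so the
# certificate previously carried no subjectAltName and clients that require a
# SAN match rejected it. The process substitution supplies one for the CN host
# (bash only; write the line to a file and pass that with -extfile under plain sh).
openssl x509 -req -sha256 -days 3650 -in harbor-reg-domain.csr -CA harbor-ca.cert -CAkey harbor-ca.key -CAcreateserial -out harbor-reg-domain.cert -extfile <(printf '%s\n' 'subjectAltName=DNS:reg.domain.com')
# Install the trust tooling first: the anchors directory used below is expected
# to come from the ca-certificates package, so copying before installing could fail.
sudo yum install -y ca-certificates
# Only the CA certificate is copied; the CA private key must never be placed here.
sudo cp harbor-ca.cert /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust force-enable
sudo update-ca-trust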
III
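# Diffie-Hellman parameters for DHE key exchange. Two alternatives that both
# write dhparam.pem; run in sequence, the second replaces the first.
#
# Option A: generate fresh 4096-bit parameters locally (can take a long time).
openssl dhparam -out dhparam.pem 4096
# or
# Option B: download the predefined ffdhe2048 group published by Mozilla.
# -f makes curl exit non-zero on an HTTP error instead of saving the error
# page as dhparam.pem; -sS keeps it quiet but still prints failures.
curl -fsS -o dhparam.pem https://ssl-config.mozilla.org/ffdhe2048.txt
# Confirm the file on disk really parses as valid DH parameters before a
# server is pointed at it.
openssl dhparam -in dhparam.pem -check -noout
# nginx usage of the downloaded parameters:
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
# ssl_dhparam /path/to/dhparam.pem;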
# Extension profiles used when signing with "openssl x509 -extfile config.txt
# -extensions <section>". The same content can be fetched from the gist below.
# curl -sSL -O https://gist.githubusercontent.com/7error/356855733d51d5c37f89bb8613c6a495/raw/b662454b0dc2d86b315efffcfa3427a1c8ba7656/config.txt
#
# Sections written to the file:
#   intermediate_ca_ext  CA:true with pathlen:0, i.e. a CA that may sign
#                        end-entity certificates but no further CAs
#   server_ext           end-entity, EKU serverAuth and clientAuth
#   client_ext/user_ext  end-entity, EKU clientAuth and emailProtection
#   v3_vpn_server        end-entity, EKU serverAuth only
#   v3_vpn_client        end-entity, EKU clientAuth only
# The delimiter is quoted so the shell writes the text literally.
cat <<'EOF' > config.txt
[ intermediate_ca_ext ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
[ user_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, clientAuth, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
[ v3_vpn_server ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth
[ v3_vpn_client ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth
EOF
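# Two-tier CA: a self-signed root and an intermediate signed by it.
# Both CA keys are written unencrypted (-nodes). Anyone who can read them can
# issue certificates that chain to this root; for anything beyond a throwaway
# lab, drop -nodes so the keys are passphrase-protected and keep the root key offline.
#
# Root CA key and self-signed certificate.
openssl req -nodes -new -newkey rsa:4096 -x509 -sha512 -subj "/CN=rootCA" -keyout rootCA.key -out root-ca.cert.pem -days 3650
# Intermediate CA key and CSR. -newkey is given explicitly: without it the key
# size came from default_bits in the local openssl.cnf, so the intermediate
# could end up weaker than the 4096-bit root depending on the machine.
openssl req -nodes -new -newkey rsa:4096 -subj "/CN=intermediateCA" -keyout intermediate-ca.key -out intermediate-ca.csr
# Sign the intermediate with the root, applying the intermediate_ca_ext
# section of config.txt (that file must already exist in this directory).
openssl x509 -req -sha512 -extfile config.txt -extensions intermediate_ca_ext -in intermediate-ca.csr -CA root-ca.cert.pem -CAkey rootCA.key -CAcreateserial -out intermediate-ca.cert.pem -days 3650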
# Request configuration for the demo server certificate: fixed subject
# (prompt = no) and a v3_req section with the subjectAltName list. The same
# file is reused as the -extfile when the CSR is signed further down.
# The delimiter is quoted so the shell writes the text literally.
cat <<'EOF' > req.conf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = Dev Use
O = Dev Use
OU = Dev Use Only
CN = demo.local
[v3_req]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth, clientAuth
subjectKeyIdentifier = hash
subjectAltName = @alt_names
[alt_names]
DNS.1 = development.somethingsomething.us-east-1.elasticbeanstalk.com
DNS.2 = demo.local
DNS.3 = demo2
IP.1 = 127.0.0.1
IP.2 = 192.168.1.163
EOF
# Error reported when v3_req also contained an authorityKeyIdentifier line
# (the message says there is no issuer certificate at CSR time):
# Error Loading extension section v3_req
# 139692187862336:error:22077079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:../crypto/x509v3/v3_akey.c:131:
# 139692187862336:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=authorityKeyIdentifier, value=keyid:always, issuer:always
# Fix
# req.conf must not contain `authorityKeyIdentifier = keyid:always, issuer:always`
#
# Key (unencrypted, -nodes) and CSR for the demo server.
openssl req -config req.conf -new -nodes \
  -keyout democert.key \
  -out democert.csr
# Sign with the intermediate CA; extensions come from v3_req in req.conf.
# The SAN list above is what clients match host names against, so every name
# the server is reached by has to appear there.
openssl x509 -req -days 3650 \
  -in democert.csr \
  -CA intermediate-ca.cert.pem -CAkey intermediate-ca.key -CAcreateserial \
  -extfile req.conf -extensions v3_req \
  -out democert.pem
# Client certificate: unencrypted key plus CSR with subject CN=clientcert.
# No -newkey is given, so the key parameters come from the local openssl.cnf.
openssl req -new -nodes \
  -subj "/CN=clientcert" \
  -keyout clientcert.key \
  -out clientcert.csr
# Signed by the intermediate CA with the user_ext profile from config.txt
# (clientAuth / emailProtection) and a 30-day lifetime.
openssl x509 -req -days 30 \
  -in clientcert.csr \
  -CA intermediate-ca.cert.pem -CAkey intermediate-ca.key -CAcreateserial \
  -extfile config.txt -extensions user_ext \
  -out clientcert.cert.pem
# ca-chain: intermediate first, then the root.
cat intermediate-ca.cert.pem root-ca.cert.pem > chain.pem
# Inspect each certificate (subject, issuer, validity, extensions) without the
# version, public key and signature dumps.
# To confirm the leaf chains to the root, one can additionally run:
#   openssl verify -CAfile root-ca.cert.pem -untrusted intermediate-ca.cert.pem democert.pem
for pem in root-ca.cert.pem intermediate-ca.cert.pem democert.pem clientcert.cert.pem; do
  openssl x509 -in "./${pem}" -noout -text -certopt no_version,no_pubkey,no_sigdump -nameopt multiline
done
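## debian
# Install: copy both CA certificates into the OpenSSL certificate directory and
# rebuild the hash links (c_rehash without arguments works on OpenSSL's default
# certificate directory). Everything placed there is treated as trusted by
# programs that use that directory, so copy certificates only, never *.key files.
# The trailing slash makes cp fail if the directory is missing instead of
# creating a regular file with that name.
cp -- intermediate-ca.cert.pem root-ca.cert.pem /usr/lib/ssl/certs/ \
  && c_rehash
# Uninstall: remove the two files again and rebuild the links. Plain -f is
# enough for regular files; the recursive flag is not needed on a fixed path
# inside a system directory.
rm -f -- /usr/lib/ssl/certs/intermediate-ca.cert.pem /usr/lib/ssl/certs/root-ca.cert.pem \
  && c_rehash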
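# Extracting the CA Certificate using OpenSSL
# </dev/null closes stdin so s_client exits after the handshake instead of
# waiting for input.
openssl s_client -showcerts -connect 192.168.1.183:11443 </dev/null
# -showcerts prints every certificate the server sends and the sed range keeps
# all PEM blocks, so cert3.pem holds the whole presented chain (leaf first),
# not only a CA certificate.
# Nothing in this pipeline authenticates the peer: the file contains whatever
# answered on that address. Compare its fingerprint
#   openssl x509 -in cert3.pem -noout -fingerprint -sha256
# with one obtained over a trusted channel before adding it to any trust store.
openssl s_client -showcerts -connect demo.local:8443 </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > cert3.pem
# Export certificate to .der format
# xyz.pem / xyz.der are placeholder file names. They are written without angle
# brackets because the shell parses <name> as redirections, which made the
# original line a syntax error.
openssl x509 -outform der -in xyz.pem -out xyz.der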
IV
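# CA plus "deck" and "gate" certificates, and a PKCS#12 keystore for gate.
#
# Passphrase handling: a literal "pass:<value>" / "-storepass <value>" puts the
# passphrase into the process argument list and the shell history, and a value
# published in a tutorial protects nothing. The passphrase is read once
# (or taken from an already exported PKI_PASS) and handed to openssl and
# keytool through the environment instead. The environment is still readable
# by the same user and root; a mode-0600 file with "file:<path>" / ":file" is
# the alternative when that matters.
if [[ -z "${PKI_PASS:-}" ]]; then
  read -r -s -p 'Passphrase for the CA, deck and gate keys: ' PKI_PASS
  printf '\n' >&2
fi
export PKI_PASS

# CA key and self-signed CA certificate. Keys are encrypted with AES-256
# instead of the legacy 3DES (-des3). "req" without -subj prompts for the subject.
openssl genrsa -aes256 -out ca.key -passout env:PKI_PASS 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt -passin env:PKI_PASS
# deck: key, CSR, certificate signed by the CA.
# NOTE(review): "x509 -req" is run without -extfile, so the deck and gate
# certificates carry no subjectAltName; clients that require a SAN match will
# reject them. Add -extfile with the real host names (not shown on this page).
openssl genrsa -aes256 -out deck.key -passout env:PKI_PASS 4096
openssl req -new -key deck.key -out deck.csr -passin env:PKI_PASS
openssl x509 -req -days 365 -in deck.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out deck.crt -passin env:PKI_PASS
# gate: key, CSR, certificate signed by the CA.
openssl genrsa -aes256 -out gate.key -passout env:PKI_PASS 4096
openssl req -new -key gate.key -out gate.csr -passin env:PKI_PASS
openssl x509 -req -days 365 -in gate.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out gate.crt -passin env:PKI_PASS
# Bundle gate's key and certificate as PKCS#12, then import into the keystore
# together with the CA certificate. gate.jks keeps its name but is created
# with store type pkcs12, as in the original command.
openssl pkcs12 -export -clcerts -in gate.crt -inkey gate.key -out gate.p12 -name gate -passin env:PKI_PASS -password env:PKI_PASS
keytool -importkeystore -srckeystore gate.p12 -srcstoretype pkcs12 -srcalias gate -destkeystore gate.jks -destalias gate -deststoretype pkcs12 -deststorepass:env PKI_PASS -destkeypass:env PKI_PASS -srcstorepass:env PKI_PASS
keytool -importcert -keystore gate.jks -alias ca -file ca.crt -storepass:env PKI_PASS -noprompt
keytool -list -keystore gate.jks -storepass:env PKI_PASS
# Do not leave the passphrase in the environment of the calling shell.
unset PKI_PASS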
# Console transcript: lines starting with "$ " are commands, the lines after
# each command are its output.
# Every command pipes an empty line into s_client so it exits after the
# handshake, then lets "openssl x509" decode the first certificate the server
# sent. 2>/dev/null discards s_client's diagnostics, so the output shows what
# the certificate claims, not whether it chains to a trusted CA.
# -servername sets the SNI name so a multi-site server returns the certificate
# for that host.
#
# Issuer only.
$ echo | openssl s_client -servername shellhacks.com -connect shellhacks.com:443 2>/dev/null | openssl x509 -noout -issuer
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
# Subject only.
$ echo | openssl s_client -servername shellhacks.com -connect shellhacks.com:443 2>/dev/null | openssl x509 -noout -subject
subject= /CN=www.shellhacks.com
# Validity window (notBefore / notAfter).
$ echo | openssl s_client -servername shellhacks.com -connect shellhacks.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Mar 18 10:55:00 2017 GMT
notAfter=Jun 16 10:55:00 2017 GMT
# All three in one call.
$ echo | openssl s_client -servername shellhacks.com -connect shellhacks.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
subject= /CN=www.shellhacks.com
notBefore=Mar 18 10:55:00 2017 GMT
notAfter=Jun 16 10:55:00 2017 GMT
# Fingerprint. With no digest option the output is a SHA-1 fingerprint, as
# shown; add -sha256 to print a SHA-256 fingerprint for pinning or comparison.
$ echo | openssl s_client -servername www.shellhacks.com -connect www.shellhacks.com:443 2>/dev/null | openssl x509 -noout -fingerprint
SHA1 Fingerprint=26:F8:D5:E4:3E:7A:7B:7E:72:20:15:77:FE:C7:89:E7:E4:8A:15:CF
# Full text dump of the certificate (output truncated by the author).
$ echo | openssl s_client -servername www.shellhacks.com -connect www.shellhacks.com:443 2>/dev/null | openssl x509 -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:86:f4:63:3d:34:50:a8:47:cc:f7:99:10:1f:79:1c:21:c8
Signature Algorithm: sha256WithRSAEncryption
[...]
# Expiry date (the notAfter value) of the certificate served on ${server}:443,
# stored in $data. ${server} is not defined in this snippet and has to be set
# by the caller. An empty $data means the connection or the parse failed:
# stderr of s_client is discarded, so there is no other signal.
data=$(
  echo \
    | openssl s_client -connect "${server}:443" -servername "${server}" 2>/dev/null \
    | openssl x509 -noout -dates \
    | grep notAfter \
    | sed -e 's#notAfter=##'
)
####
# Same lookup for a fixed host, converted to epoch seconds for monitoring.
# xargs substitutes the date string for "$"; --no-run-if-empty skips date when
# nothing was read. Both that option and "date -d" are GNU extensions.
echo \
  | openssl s_client -showcerts -connect blog.ziki.cn:443 2>/dev/null \
  | openssl x509 -noout -enddate \
  | sed -e 's#notAfter=##' \
  | xargs --no-run-if-empty -I$ date -d "$" '+%s'
####
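# Add the certificate presented on ${DTR_IPADDR}:443 to the system trust store
# (Debian/Ubuntu layout).
# Abort when the variable is unset or empty; otherwise the pipeline would
# connect to ":443" and write a file named ".crt" into the trust directory.
: "${DTR_IPADDR:?set DTR_IPADDR to the host whose certificate should be trusted}"
# "openssl x509" keeps only the first certificate the server sends, so this
# stores the server's own certificate. Expansions are quoted so an unexpected
# value cannot split into extra arguments or paths.
openssl s_client -connect "${DTR_IPADDR}:443" -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM | sudo tee "/usr/local/share/ca-certificates/${DTR_IPADDR}.crt"
# This is trust on first use: whatever answered on that address is about to be
# trusted system-wide. Print subject and SHA-256 fingerprint so they can be
# compared with values obtained over a trusted channel; remove the file instead
# of running the next command if they do not match.
openssl x509 -in "/usr/local/share/ca-certificates/${DTR_IPADDR}.crt" -noout -subject -fingerprint -sha256
sudo update-ca-certificates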
V
# Private CA and a server certificate for www.harbor.mobi.
#
# CA key (unencrypted) and self-signed CA certificate.
openssl genrsa -out ca.key 4096
# NOTE(review): the CA uses exactly the same subject as the server certificate
# below, so the issued certificate has issuer == subject. Some verifiers handle
# that poorly; a distinct CA common name avoids the ambiguity - confirm before reuse.
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -key ca.key \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.mobi" \
  -out ca.crt
# Server key and CSR.
openssl genrsa -out www.harbor.mobi.key 4096
openssl req -new -sha512 \
  -key www.harbor.mobi.key \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.mobi" \
  -out www.harbor.mobi.csr
# Extension file applied at signing time: non-CA, serverAuth, and the SAN list
# that clients match host names against. The keyUsage line also grants
# nonRepudiation and dataEncipherment, which the serverAuth EKU does not call for.
cat <<-EOF > v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=www.harbor.mobi
DNS.2=harbor
DNS.3=ks-allinone
EOF
# Sign the CSR with the CA, applying v3.ext.
openssl x509 -req -sha512 -days 3650 \
  -in www.harbor.mobi.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile v3.ext \
  -out www.harbor.mobi.cert
VI
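# Private CA ("Acme Root CA") and a server certificate for *.example.com.
#
# CA key (unencrypted) and self-signed CA certificate.
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.crt
# Server key (unencrypted, -nodes) and CSR with the wildcard as CN.
openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*.example.com" -out server.csr
# Sign the CSR. Once a certificate has DNS subjectAltName entries, clients
# match host names against those and ignore CN, so the wildcard from the CN has
# to be listed in the SAN as well; previously only example.com and
# www.example.com were covered. printf uses a fixed '%s\n' format so the
# extension text is never interpreted as a format string.
# The process substitution is bash-only.
openssl x509 -req -extfile <(printf '%s\n' 'subjectAltName=DNS:*.example.com,DNS:example.com,DNS:www.example.com') -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
# Inspect the result; the SAN list appears under "X509v3 Subject Alternative Name".
openssl x509 -in server.crt -text -noout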
#
# Required OpenSSL 1.1.1, providing subjectAltName directly on command line:
# https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
#
# One-shot self-signed certificate: new 4096-bit key written unencrypted
# (-nodes), SAN supplied with -addext, validity of 36500 days (about 100 years).
# A certificate that long-lived is never rotated in practice and some TLS
# clients refuse very long validity periods; treat the value as a lab setting.
openssl req -x509 -sha256 \
  -newkey rsa:4096 -nodes \
  -subj "/CN=yourdomain.com" \
  -addext "subjectAltName=DNS:yourdomain.com,IP:192.168.11.11,DNS:domain1.com,DNS:domain2.com,IP:127.0.0.1" \
  -days 36500 \
  -keyout key.pem -out cert.pem
# Localhost variant of the same command (kept disabled):
#openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -addext "subjectAltName = DNS:localhost,DNS:localhost.localdomain,DNS:lvh.me,DNS:*.lvh.me,IP:127.0.0.1" -keyout localhost.key -out localhost.crt
# Inspect the generated certificate.
openssl x509 -in cert.pem -text -noout
HSTS
- HTTP Strict Transport Security (HSTS)
CSP
cfssl
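# Option 1: build the cfssl tools from source.
# NOTE(review): this fetches whatever the repository currently serves rather
# than the release pinned in $ver below - confirm that is intended.
go get -u github.com/cloudflare/cfssl/cmd/...
# https://gist.github.com/detiber/81b515df272f5911959e81e39137a8bb
###
# Option 2: download the prebuilt linux/amd64 release binaries into the
# current directory.
ver='1.4.1'
for i in "cfssl" "cfssl-bundle" "cfssl-certinfo" "cfssl-newkey" "cfssl-scan" "cfssljson" "mkbundle" "multirootca"; do
  # -f: fail on HTTP errors instead of saving an error page under the tool's
  # name. Expansions are quoted so the URL and file name stay single words.
  curl -fsSL -o "${i}" "https://github.com/cloudflare/cfssl/releases/download/v${ver}/${i}_${ver}_linux_amd64" \
    || printf 'download failed: %s\n' "${i}" >&2
done
# These files generate and handle private keys. Before marking them executable
# or putting them on PATH, check each one against the digests published with
# the release (for example with sha256sum -c against the project's checksum
# list; that file's name is not shown on this page).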
ref
- Mozilla Observatory
- PageSpeed Insights
- Mozilla SSL Configuration Generator
- SSL Server Test (Powered by Qualys SSL Labs)
- SSL/TLS安全评估报告
- Cipherli.st - Strong Ciphers for Apache, nginx and Lighttpd
- MySSL相关术语
- HTTPS 安全最佳实践(一)之SSL/TLS部署
- HTTPS 安全最佳实践(二)之安全加固
- HTTPS 安全最佳实践(三)之服务器软件
- Security/Server Side TLS - MozillaWiki
- SSL and TLS Deployment Best Practices · ssllabs/research Wiki · GitHub
- SSL Decoder
- NGINX Config | DigitalOcean
- SSL Test
- certificates - Parse expirydate from openssl command - Unix & Linux Stack Exchange
- OpenSSL: Check SSL Certificate Expiration Date and More - ShellHacks
- GitHub - jason-riddle/generating-certs: Guides on generating, installing, and rotating SSL certs.
- GitHub - cloudflare/cfssl: CFSSL: Cloudflare's PKI and TLS toolkit
- Generates self-signed x509/TLS/SSL certificates useful for development
上次更新 2019-12-01