# TL;dr
```bash
root@debian:~$ openssl version
OpenSSL 1.1.1c  28 May 2019
```
# tlsv3


## I
```bash
openssl req -newkey rsa:2048 -nodes -keyout server.key -sha256 -x509 -days 3650 -out server.crt;

#C：Country ，单位所在国家，为两位数的国家缩写，如： CN 就是中国
#ST 字段： State/Province ，单位所在州或省
#L 字段： Locality ，单位所在城市 / 或县区
#O 字段： Organization ，此网站的单位名称;
#OU 字段： Organization Unit，下属部门名称;也常常用于显示其他证书相关信息，如证书类型，证书产品名称或身份验证类型或验证内容等;
#CN 字段： Common Name ，网站的域名;

openssl req -newkey rsa:2048 -nodes -keyout server.key -x509 -days 3650 -out server.crt -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=hello.com/emailAddress=yy@vivo.com"
```

## II
```bash
openssl req -nodes -new -newkey rsa:4096 -x509 -sha512 -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=harborCA" -keyout harbor-ca.key -out harbor-ca.cert -days 3650

openssl genrsa -out harbor-reg-domain.key 2048
openssl req -new -key harbor-reg-domain.key -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=reg.domain.com/emailAddress=yy@vivo.com" -out harbor-reg-domain.csr
openssl x509 -req -days 3650 -in harbor-reg-domain.csr -CA harbor-ca.cert -CAkey harbor-ca.key -CAcreateserial -out harbor-reg-domain.cert

sudo cp harbor-ca.cert /etc/pki/ca-trust/source/anchors/
sudo yum install -y ca-certificates
sudo update-ca-trust force-enable
sudo update-ca-trust
```

## III
```bash
openssl dhparam -out dhparam.pem 4096
# or
curl https://ssl-config.mozilla.org/ffdhe2048.txt > dhparam.pem
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
# ssl_dhparam /path/to/dhparam.pem;
# curl -sSL -O https://gist.githubusercontent.com/7error/356855733d51d5c37f89bb8613c6a495/raw/b662454b0dc2d86b315efffcfa3427a1c8ba7656/config.txt
cat > config.txt <<EOF
[ intermediate_ca_ext ]
basicConstraints	= critical, CA:true, pathlen:0
keyUsage                = critical, cRLSign, digitalSignature, keyCertSign
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer:always

[ server_ext ]
basicConstraints        = CA:FALSE
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = critical, serverAuth, clientAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer:always

[ client_ext ]
basicConstraints        = CA:FALSE
keyUsage                = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage        = critical, clientAuth, emailProtection
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer:always

[ user_ext ]
basicConstraints        = CA:FALSE
keyUsage                = critical, digitalSignature
extendedKeyUsage        = critical, clientAuth, emailProtection
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer:always

[ v3_vpn_server ]
basicConstraints        = critical, CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer:always
keyUsage                = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement 
extendedKeyUsage        = critical, serverAuth

[ v3_vpn_client ]
basicConstraints        = critical, CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer:always
keyUsage                = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage        = critical, clientAuth
EOF



openssl req -nodes -new -newkey rsa:4096 -x509 -sha512 -subj "/CN=rootCA" -keyout rootCA.key -out root-ca.cert.pem -days 3650
openssl req -nodes -new -subj "/CN=intermediateCA" -keyout intermediate-ca.key  -out intermediate-ca.csr
openssl x509 -req -sha512 -extfile config.txt  -extensions intermediate_ca_ext -in intermediate-ca.csr -CA root-ca.cert.pem -CAkey rootCA.key -CAcreateserial -out intermediate-ca.cert.pem -days 3650

cat > req.conf <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = Dev Use
O = Dev Use
OU = Dev Use Only
CN = demo.local
[v3_req]
basicConstraints        = CA:FALSE
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = critical, serverAuth, clientAuth
subjectKeyIdentifier    = hash
subjectAltName = @alt_names
[alt_names]
DNS.1 = development.somethingsomething.us-east-1.elasticbeanstalk.com
DNS.2 = demo.local
DNS.3 = demo2
IP.1 = 127.0.0.1
IP.2 = 192.168.1.163
EOF

# Error Loading extension section v3_req
# 139692187862336:error:22077079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:../crypto/x509v3/v3_akey.c:131:
# 139692187862336:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=authorityKeyIdentifier, value=keyid:always, issuer:always
# 解决
# req.conf中不能包含`authorityKeyIdentifier  = keyid:always, issuer:always`


openssl req -nodes -new -keyout democert.key -out democert.csr -config req.conf

openssl x509 -req -in democert.csr -extfile req.conf -extensions v3_req -CA intermediate-ca.cert.pem -CAkey intermediate-ca.key -out democert.pem -CAcreateserial -days 3650


openssl req -nodes -new -subj "/CN=clientcert" -keyout clientcert.key  -out clientcert.csr
openssl x509 -req -extfile config.txt  -extensions user_ext -in clientcert.csr -CA intermediate-ca.cert.pem -CAkey intermediate-ca.key -out clientcert.cert.pem -CAcreateserial -days 30



# ca-chain
cat intermediate-ca.cert.pem root-ca.cert.pem  > chain.pem

# 查看
openssl x509 -in ./root-ca.cert.pem -noout -text -certopt no_version,no_pubkey,no_sigdump -nameopt multiline
openssl x509 -in ./intermediate-ca.cert.pem -noout -text -certopt no_version,no_pubkey,no_sigdump -nameopt multiline
openssl x509 -in ./democert.pem -noout -text -certopt no_version,no_pubkey,no_sigdump -nameopt multiline
openssl x509 -in ./clientcert.cert.pem -noout -text -certopt no_version,no_pubkey,no_sigdump -nameopt multiline

## debian
cp intermediate-ca.cert.pem /usr/lib/ssl/certs && cp root-ca.cert.pem /usr/lib/ssl/certs \
&& c_rehash

rm -rf /usr/lib/ssl/certs/intermediate-ca.cert.pem && rm -rf /usr/lib/ssl/certs/root-ca.cert.pem \
&& c_rehash

# Extracting the CA Certificate using OpenSSL
openssl s_client -showcerts -connect 192.168.1.183:11443
openssl s_client -showcerts -connect demo.local:8443 	</dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > cert3.pem
# Export certificate to .der format
openssl x509 -outform der -in <xyz.pem> -out <xyz.der>
```

## IV
```bash
openssl genrsa -des3 -out ca.key -passout pass:newman123 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt -passin pass:newman123
openssl genrsa -des3 -out deck.key -passout pass:newman123 4096
openssl req -new -key deck.key -out deck.csr -passin pass:newman123
openssl x509 -req -days 365 -in deck.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out deck.crt -passin pass:newman123
openssl genrsa -des3 -out gate.key -passout pass:newman123 4096
openssl req -new -key gate.key -out gate.csr -passin pass:newman123
openssl x509 -req -days 365 -in gate.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out gate.crt -passin pass:newman123
openssl pkcs12 -export -clcerts -in gate.crt -inkey gate.key -out gate.p12 -name gate -passin pass:newman123 -password pass:newman123
keytool -importkeystore -srckeystore gate.p12 -srcstoretype pkcs12 -srcalias gate -destkeystore gate.jks -destalias gate -deststoretype pkcs12 -deststorepass newman123 -destkeypass newman123 -srcstorepass newman123
keytool -importcert -keystore gate.jks -alias ca -file ca.crt -storepass newman123 -noprompt
keytool -list -keystore gate.jks -storepass newman123

$ echo | openssl s_client -servername shellhacks.com -connect shellhacks.com:443 2>/dev/null | openssl x509 -noout -issuer
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
$ echo | openssl s_client -servername shellhacks.com -connect shellhacks.com:443 2>/dev/null | openssl x509 -noout -subject
subject= /CN=www.shellhacks.com
$ echo | openssl s_client -servername shellhacks.com -connect shellhacks.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Mar 18 10:55:00 2017 GMT
notAfter=Jun 16 10:55:00 2017 GMT

$ echo | openssl s_client -servername shellhacks.com -connect shellhacks.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
subject= /CN=www.shellhacks.com
notBefore=Mar 18 10:55:00 2017 GMT
notAfter=Jun 16 10:55:00 2017 GMT

$ echo | openssl s_client -servername www.shellhacks.com -connect www.shellhacks.com:443 2>/dev/null | openssl x509 -noout -fingerprint
SHA1 Fingerprint=26:F8:D5:E4:3E:7A:7B:7E:72:20:15:77:FE:C7:89:E7:E4:8A:15:CF

$ echo | openssl s_client -servername www.shellhacks.com -connect www.shellhacks.com:443 2>/dev/null | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:86:f4:63:3d:34:50:a8:47:cc:f7:99:10:1f:79:1c:21:c8
    Signature Algorithm: sha256WithRSAEncryption
[...]

data=`echo | openssl s_client -connect "${server}:443" -servername "${server}" 2>/dev/null | openssl x509 -noout -dates | grep notAfter | sed -e 's#notAfter=##'`
####
echo | openssl s_client -showcerts -connect blog.ziki.cn:443 2>/dev/null | openssl x509 -noout -enddate | sed -e 's#notAfter=##' | xargs --no-run-if-empty -I$ date -d "$" '+%s'
####
openssl s_client -connect ${DTR_IPADDR}:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM | sudo tee /usr/local/share/ca-certificates/${DTR_IPADDR}.crt
sudo update-ca-certificates
```


## V
```bash
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.mobi" -key ca.key -out ca.crt
openssl genrsa -out www.harbor.mobi.key 4096
openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.mobi" -key www.harbor.mobi.key -out www.harbor.mobi.csr

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=www.harbor.mobi
DNS.2=harbor
DNS.3=ks-allinone
EOF

openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in www.harbor.mobi.csr -out www.harbor.mobi.cert
```
## VI
```bash
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.crt

openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*.example.com" -out server.csr
openssl x509 -req -extfile <(printf "subjectAltName=DNS:example.com,DNS:www.example.com") -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
openssl x509 -in server.crt -text -noout
```

```bash
#
# Required OpenSSL 1.1.1, providing subjectAltName directly on command line:
# https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
#
openssl req -x509 \
    -nodes \
    -subj "/CN=yourdomain.com" \
    -newkey rsa:4096 \
    -sha256 \
    -keyout key.pem \
    -out cert.pem \
    -addext "subjectAltName=DNS:yourdomain.com,IP:192.168.11.11,DNS:domain1.com,DNS:domain2.com,IP:127.0.0.1" \
    -days 36500

#openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -addext "subjectAltName = DNS:localhost,DNS:localhost.localdomain,DNS:lvh.me,DNS:*.lvh.me,IP:127.0.0.1" -keyout localhost.key -out localhost.crt


openssl x509 -in cert.pem -text -noout
```                  

# HSTS

* HTTP Strict Transport Security (HSTS)
  
# CSP

# cfssl
```bash
go get -u github.com/cloudflare/cfssl/cmd/...
# https://gist.github.com/detiber/81b515df272f5911959e81e39137a8bb
###
ver='1.4.1'
for i in "cfssl" "cfssl-bundle" "cfssl-certinfo" "cfssl-newkey" "cfssl-scan" "cfssljson" "mkbundle" "multirootca"; do
    curl -sSL -o ${i} https://github.com/cloudflare/cfssl/releases/download/v${ver}/${i}_${ver}_linux_amd64
done
```



# ref

* [Mozilla Observatory](https://observatory.mozilla.org/)
* [PageSpeed Insights](https://developers.google.com/speed/pagespeed/insights/)
* [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/)
* [SSL Server Test (Powered by Qualys SSL Labs)](https://www.ssllabs.com/ssltest/)
* [SSL/TLS安全评估报告](https://myssl.com/)
* [Cipherli.st - Strong Ciphers for Apache, nginx and Lighttpd](https://cipherli.st)
* [MySSL相关术语](https://blog.myssl.com/myssl-term/)
* [HTTPS 安全最佳实践（一）之SSL/TLS部署](https://blog.myssl.com/ssl-and-tls-deployment-best-practices/)
* [HTTPS 安全最佳实践（二）之安全加固](https://blog.myssl.com/https-security-best-practices/)
* [HTTPS 安全最佳实践（三）之服务器软件](https://blog.myssl.com/https-security-best-practices-2/)
* [Security/Server Side TLS - MozillaWiki](https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility)
* [SSL and TLS Deployment Best Practices · ssllabs/research Wiki · GitHub](https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices)
* [SSL Decoder](https://ssldecoder.org)
* [NGINX Config | DigitalOcean](http://nginxconfig.io/)
* [SSL Test](https://ssl.hakase.io)
* [certificates - Parse expirydate from openssl command - Unix &amp; Linux Stack Exchange](https://unix.stackexchange.com/questions/154251/parse-expirydate-from-openssl-command)
* [OpenSSL: Check SSL Certificate Expiration Date and More - ShellHacks](https://www.shellhacks.com/openssl-check-ssl-certificate-expiration-date/)
* [GitHub - jason-riddle/generating-certs: Guides on generating, installing, and rotating SSL certs.](https://github.com/jason-riddle/generating-certs)
* [GitHub - cloudflare/cfssl: CFSSL: Cloudflare&#39;s PKI and TLS toolkit](https://github.com/cloudflare/cfssl)
* [Generates self-signed x509/TLS/SSL certificates useful for development](https://github.com/michaelklishin/tls-gen)