which openssl
openssl version #1.1.1g or 3.0.0-dev
openssl ecparam -list_curves
mainly these two are supported by typical clients

  secp384r1 : NIST/SECG curve over a 384 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field

so let's proceed with prime256v1, the supposedly fastest one
cd /etc/ssl/
domain=DOMAIN.TLD
#openssl ecparam -genkey -name prime256v1 | openssl ec -out $domain.key
openssl ecparam -genkey -name prime256v1 > $domain.key
ls -lhF $domain.key
chmod 400 $domain.key
NetBSD does not ship an openssl.cnf by default, so start from the .dist copy

cp -i /usr/local/ssl/openssl.cnf.dist /usr/local/ssl/openssl.cnf
vi /usr/local/ssl/openssl.cnf
anyway, take the chance to tune the request defaults on Ubuntu

cp -pi /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.dist
vi /etc/ssl/openssl.cnf

[ req_distinguished_name ]
countryName_default = FR
#stateOrProvinceName_default =
localityName_default = Paris
#0.organizationName_default = Internet Widgits Pty Ltd
emailAddress_default = pbraun@nethence.com

openssl req -new -sha256 -key $domain.key -out $domain.csr -config /etc/ssl/openssl.cnf
ls -lhF *.csr
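Added example, not part of these notes: a POSIX sh script that does the key and CSR steps above for one domain, then checks the pair before it goes to the ACME client. The function names, the argument layout and the DN values in -subj are assumptions; the checks use only standard openssl subcommands.

```shell
#!/bin/sh
# Added example (not the page's own script): generate a prime256v1 key and a
# SHA-256 CSR for one domain, then check the pair before feeding it to an
# ACME client. Domain and output directory are arguments (assumed names).
set -eu

ec_csr() {
    domain=$1
    dir=${2:-.}
    key="$dir/$domain.key"
    csr="$dir/$domain.csr"

    # -noout drops the "EC PARAMETERS" block so only the private key is written
    # (same effect as piping through "openssl ec -out" in the notes above)
    umask 077
    openssl ecparam -genkey -name prime256v1 -noout -out "$key"
    chmod 400 "$key"

    # -subj supplies the DN non-interactively instead of the openssl.cnf prompts
    openssl req -new -sha256 -key "$key" -out "$csr" \
        -subj "/C=FR/L=Paris/CN=$domain"
}

# Returns 0 for a usable key/CSR pair, 1 on the first failed check.
check_csr() {
    domain=$1
    dir=${2:-.}
    key="$dir/$domain.key"
    csr="$dir/$domain.csr"

    # private key parses and passes OpenSSL's EC consistency check
    openssl ec -in "$key" -noout -check >/dev/null 2>&1 || return 1
    # CSR self-signature verifies and the key really is on prime256v1
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$csr" -noout -text | grep -q prime256v1 || return 1
    # public key inside the CSR matches the private key on disk
    pub_key=$(openssl ec -in "$key" -pubout 2>/dev/null)
    pub_csr=$(openssl req -in "$csr" -noout -pubkey)
    [ "$pub_key" = "$pub_csr" ] || return 1
    # key file ended up mode 400 (GNU stat first, BSD stat as fallback)
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    [ "$mode" = 400 ] || return 1
}

# usage: sh ec-csr.sh DOMAIN.TLD /etc/ssl
if [ $# -ge 1 ]; then
    ec_csr "$1" "${2:-.}" && check_csr "$1" "${2:-.}" && echo "ok: $1"
fi
```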
See dehydrated
notice the resulting .crt holds both certificates, the intermediate at the end, and check it

cat $domain.crt
openssl x509 -in $domain.crt -noout -text | less
look at the CA Issuers field (Authority Information Access) and obtain the intermediate certificate, which comes as DER

wget -O lex3.der cert.int-x3.letsencrypt.org
openssl x509 -in lex3.der -inform der -noout -text | less
openssl x509 -in lex3.der -inform der -out lex3.crt -outform pem
draft and optional: the root certificate

#wget http://apps.identrust.com/roots/dstrootcax3.p7c
#openssl pkcs7 -print_certs -in dstrootcax3.p7c -out dstrootcax3.crt
Upcoming Features https://letsencrypt.org/upcoming-features/
Documentation https://www.ssllabs.com/projects/documentation/index.html
SSL Labs Known Issues https://discussions.qualys.com/docs/DOC-4865
Testing out ECDSA certificates https://scotthelme.co.uk/ecdsa-certificates/
Howto obtain ECDSA cert (in addition to RSA) with certbot? https://community.letsencrypt.org/t/howto-obtain-ecdsa-cert-in-addition-to-rsa-with-certbot/61687/3
Obtaining an Elliptic Curve certificate from Let’s Encrypt https://dev.to/benjaminblack/obtaining-an-elliptic-curve-dsa-certificate-with-lets-encrypt-51bc
How to obtain an ECDSA wildcard certificate from Let’s Encrypt https://medium.com/@benjamin.black/how-to-obtain-an-ecdsa-wildcard-certificate-from-lets-encrypt-be217c737cfe
Using ECDSA certificates with Let’s Encrypt https://www.ericlight.com/using-ecdsa-certificates-with-lets-encrypt
ACME Client Implementations https://letsencrypt.org/docs/client-options/
ACMEv2 client written in plain C code with minimal dependencies https://github.com/ndilieto/uacme/
A pure Unix shell script implementing ACME client protocol https://acme.sh https://github.com/Neilpang/acme.sh
Testing TLS/SSL encryption https://testssl.sh/
Algorithms and Identifiers https://tools.ietf.org/html/rfc3279
DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
How to convert a certificate into the appropriate format https://knowledge.digicert.com/solution/SO26449.html