PKI // Playing with OpenSSL

Self-signed

RSA

openssl req -x509 -days 365 -newkey rsa:2048 -nodes -keyout self.key -out self.crt
#-sha256

ECDSA with a 256-bit curve

openssl ecparam -name prime256v1
openssl req -x509 -days 365 -newkey ec:<(openssl ecparam -name prime256v1) -nodes -keyout prime256v1.key -out prime256v1.crt

ECDSA with a 384-bit curve

openssl ecparam -name secp384r1
openssl req -x509 -days 3650 -newkey ec:<(openssl ecparam -name secp384r1) -nodes -keyout secp384r1.key -out secp384r1.crt

answer at least country, email, and most importantly CN. You may enter an empty space for the rest.

as an alternative and instead of tweaking openssl.cnf you may also use a shortcut

#openssl req -x509 -newkey rsa:2048 -out selfsign.crt -keyout selfsign.key -nodes -sha256 -days 365
#-subj /CN=$domain
#-subj "/C=RU/L=Innopolis/O=Innopolis University/OU=SNE/CN=$domain/emailAddress=root@$domain"

review the newly created certificate

ls -lF *.crt *.key
openssl x509 -in self.crt -text -noout -fingerprint
openssl x509 -in self.crt -text -noout | less

Notes

you can also use stdout instead of -out and stdin instead of -in
-nodes to avoid encrypting the private key hence no passphrase

PKCS12

in case you need a container

openssl pkcs12 -export -inkey self.key -in self.crt -out self.p12
openssl pkcs12 -export -inkey prime256v1.key -in prime256v1.crt -out prime256v1.p12
openssl pkcs12 -export -inkey secp384r1.key -in secp384r1.crt -out secp384r1.p12

Ubuntu’s Sake-oil

You already have a pair on Ubuntu

ls -lF /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key

but in case you need to re-generate those

make-ssl-cert generate-default-snakeoil --force-overwrite

#openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
#   -keyout /etc/ssl/private/ssl-cert-snakeoil.key \
#   -out /etc/ssl/certs/ssl-cert-snakeoil.pem

NetBSD fix

On NetBSD you need to fix the config first

cp -i /usr/share/examples/openssl/openssl.cnf /etc/openssl/
cp -i /usr/share/examples/openssl/openssl.cnf /etc/openssl/openssl.cnf.dist
vi /etc/openssl/openssl.cnf

#default_md             = sha2

Concat an official certificate chain

Once you sent your CSR to your SSL provider, it will respond you with the PEM certificate, possibly as .crt. You will also need their root CA and intermediate certificates – if those aren’t delivered, you might find it on their website. Eventually concatenate those two

cd /etc/httpd/ssl/
cat intermediatecert rootcert > issuer-concat-cert.crt
chmod 400 issuer-concat-cert.crt

Comparing trust stores

See https://lab.nethence.com/ca-bundles/

Assessing SSL end-points

https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html https://github.com/nmap/nmap/blob/master/scripts/ssl-enum-ciphers.nse

nmap -sV --script ssl-enum-ciphers -p 443 nethence.com
nmap -sV --script ssl-enum-ciphers -p 25 xc.os3.su # finds starttls on its own

https://testssl.sh/ https://github.com/drwetter/testssl.sh

./testssl.sh -h
./testssl.sh nethence.com:443
./testssl.sh --starttls smtp xc.os3.su:25

https://github.com/nabla-c0d3/sslyze https://github.com/iSECPartners/sslyze https://nabla-c0d3.github.io/sslyze/documentation/testing-connectivity.html#additional-settings-starttls-sni-etc

Testing SSL/TLS certificates (SSLyze) https://vk9-sec.com/testing-ssl-tls-certificates-sslyze/

pip install --upgrade setuptools
pip install --upgrade sslyze

sslyze -h
sslyze --regular --sni=nethence.com nethence.com:443
sslyze --starttls=smtp xc.os3.su:25