Differences between revisions 17 and 18
Revision 17 as of 2015-06-09 09:48:35
Size: 2837
Editor: dz
Revision 18 as of 2015-06-17 08:52:39
Size: 2964
Editor: dz
Deletions are marked like this. Additions are marked like this.
Line 63: Line 63:
 * Security Settings, recommendations from Mozilla: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Ciphersuite


Private Key
  • Create: openssl genrsa -out 'keyfile' 2048

  • Output: openssl rsa -in 'keyfile' -text

Certificate Signing Request
  • Create: openssl req -new -key 'keyfile' -out 'csrfile', at least the CN must be set to the full hostname

  • Output: openssl req -in 'csrfile' -text

  • Create
    • CA key: openssl x509 -req -days 730 -CAserial 'ca-serialfile' -CA 'ca-certfile' -CAkey 'ca-keyfile' -in 'csrfile' -out 'certfile' 

    • selfsigned: openssl x509 -req -days 730 -in 'csrfile' -signkey 'keyfile' -out 'certfile'

  • Output: openssl x509 -in 'certfile' -text

Certificate Authority
  • Create (FreeBSD specific):

    • vared PATH /usr/local/bin must be before /usr/bin, FreeBSD has two openssl binaries (vared is a zsh command)

    • mv /usr/local/openssl/openssl.cnf.sample /usr/local/openssl/openssl.cnf

    • /usr/local/openssl/misc/CA.sh -newca

    demoCA/cacert.pem is the CA's public key aka certificate, demoCA/private/cakey.pem ist the CA's private key, demoCA/serial is the serial number

  • To Netscape format (e.g. IIS): openssl rsa -in 'keyfile' -out 'keyfile.net' -outform NET

  • To PKCS12 (combining public and private key): openssl pkcs12 -export -inkey 'keyfile' -in 'certfile' -out 'pkcs12-file.p12'

Do a private key and a public key match?
  • openssl x509 -in 'certfile' -text

  • openssl rsa -in 'keyfile' -text

  • Compare the modules sections. They must match.

Glossary: key = private key, csr = certificate signing request, cert = signed certificate (public key)

Root Certs


Connect to an TLS protected server (e.g. a mail server):

  • With STARTTLS: openssl s_client -starttls smtp -connect mail.example.com

  • Without STARTTLS: openssl s_client -connect mail.example.com:465

  • Checking the validity: openssl s_client -CApath /path/to/root_certs/ ...

Send a mail to

Scan server: https://www.ssllabs.com/ssltest


SSL+TLS (last edited 2015-06-17 08:52:39 by dz)