Security Features

Aus wiki.terrax.net
Wechseln zu: Navigation, Suche

(Our) Standards overview.

DNS

CAA

example.com. 60 IN CAA 128 iodef "mailto:hostmaster@example.com"
example.com. 60 IN CAA 128 issue "letsencrypt.org"

TLSA

Generate TLSA record

tlsa512="$(openssl ec -in example.com.key -outform der -pubout 2>/dev/null | openssl dgst -sha512)"; echo _443._tcp.example.com. 60 IN TLSA 3 1 2 ${tlsa512#*= }

Remote TLSA record verification

dig tlsa _443._tcp.www.debian.org +short

x x 0 is directly the public key or full certificate
x x 1 is sha256
x x 2 is sha512

tlsa=$(echo | openssl s_client -servername www.debian.org -connect www.debian.org:443 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256); echo ${tlsa#*= }

TLS

RSA Key + CSR

openssl req -nodes -newkey rsa:4096 -sha384 -keyout example.com.key -out example.com.csr -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:example.org"))

or with acme.sh:

./acme.sh -cdk -d example.com -d example.org --keylength 4096 && ./acme.sh --createCSR -d example.com -d example.org && cat ~/.acme.sh/example.com/example.com.csr

Create ECDSA Certificate

Generate ECDSA key pair

openssl ecparam -name secp384r1 -genkey -out example.com.key

Self signed ECDSA certificate

with SAN (Subject Alternative Names): Use it even with one domain!

openssl req -new -x509 -sha384 -key example.com.key -out example.com.crt -days 3650 -extensions SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com"))

# It's possible to extend SAN with IPs: IP:138.201.56.176,IP:2a01:4f8:172:11af::10

# Optional, see your certificate:
openssl x509 -in example.com.crt -text -noout

ECDSA Certificate Signing Request

with

openssl req -new -sha384 -key example.com.key -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05")) -out example.com.csr

# without OCSP Must Staple:
openssl req -new -sha384 -key example.com.key -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) -out example.com.csr

# It's possible to extend SAN with IPs: IP:138.201.56.176,IP:2a01:4f8:172:11af::10

# Optional, see your certificate signing request:
openssl req -in example.com.csr -text -noout

Let's Encrypt ECDSA Certificate

/home/acme/.acme.sh/acme.sh --issue --keylength ec-384 -d example.com -d www.example.com

OCSP Stapling

/etc/nginx/nginx.conf

resolver [2a01:4f8:0:a0a1::add:1010] [2a01:4f8:0:a111::add:9898] valid=30s ipv6=on; # hetzner.de datacenter's dns resolver
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
ssl_verify_depth 5;

Find OCSP Server URL

echo | openssl s_client -servername www.debian.org -connect www.debian.org:443 2>/dev/null | openssl x509 -text | grep "OCSP - URI:" | cut -d: -f2,3

Uncategorized

Get certificate validity date

echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates