
OpenSSL Cookbook, 3rd Edition

The definitive guide to using the OpenSSL command line for configuration and testing. Topics covered in this book include key and certificate management, server configuration, a step-by-step guide to creating a private CA, and testing of online services. Written by Ivan Ristić.


OpenSSL Cookbook

Ivan Ristić

Third edition (build 781). Published in May 2022.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without the prior permission in writing of the publisher.

The author and publisher have taken care in preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

First edition published in May 2013.

Feisty Duck Limited
www.feistyduck.com
contact@feistyduck.com

Technical reviewer: Matt Caswell

Production editor: Jelena Girić-Ristić

Copyeditors: Melinda Rankin, Nancy Wolfe Kotary

Copyright © 2022 Feisty Duck Limited. All rights reserved.

Table of Contents
  • Preface
    • Feedback
    • Acknowledgments
    • About Bulletproof TLS and PKI
    • About the Author
  • Chapter 1. OpenSSL Command Line
    • 1.1 Getting Started
      • 1.1.1 Determine OpenSSL Version and Configuration
      • 1.1.2 Building OpenSSL
      • 1.1.3 Examine Available Commands
      • 1.1.4 Building a Trust Store
        • 1.1.4.1 Manual Conversion
    • 1.2 Key and Certificate Management
      • 1.2.1 Key Generation
      • 1.2.2 Creating Certificate Signing Requests
      • 1.2.3 Creating CSRs from Existing Certificates
      • 1.2.4 Unattended CSR Generation
      • 1.2.5 Signing Your Own Certificates
      • 1.2.6 Creating Certificates Valid for Multiple Hostnames
      • 1.2.7 Examining Certificates
      • 1.2.8 Examining Public Certificates
      • 1.2.9 Key and Certificate Conversion
        • 1.2.9.1 PEM and DER Conversion
        • 1.2.9.2 PKCS #12 (PFX) Conversion
        • 1.2.9.3 PKCS #7 Conversion
    • 1.3 Configuration
      • 1.3.1 Obtaining Supported Suites
      • 1.3.2 Understanding Security Levels
      • 1.3.3 Configuring TLS 1.3
      • 1.3.4 Configuring OpenSSL Defaults
      • 1.3.5 Recommended Suite Configuration
      • 1.3.6 Generating DH Parameters
      • 1.3.7 Legacy Suite Configuration
        • 1.3.7.1 Keywords
        • 1.3.7.2 Combining Keywords
        • 1.3.7.3 Building Cipher Suite Lists
        • 1.3.7.4 Keyword Modifiers
          • 1.3.7.4.1 Sorting
        • 1.3.7.5 Handling Errors
    • 1.4 Performance
    • 1.5 Creating a Private Certification Authority
      • 1.5.1 Features and Limitations
      • 1.5.2 Creating a Root CA
        • 1.5.2.1 Root CA Configuration
        • 1.5.2.2 Root CA Directory Structure
        • 1.5.2.3 Root CA Generation
        • 1.5.2.4 Structure of the Database File
        • 1.5.2.5 Root CA Operations
        • 1.5.2.6 Create a Certificate for OCSP Signing
      • 1.5.3 Creating a Subordinate CA
        • 1.5.3.1 Subordinate CA Configuration
        • 1.5.3.2 Subordinate CA Generation
        • 1.5.3.3 Subordinate CA Operations
  • Chapter 2. Testing TLS with OpenSSL
    • 2.1 Custom-Compile OpenSSL for Testing
    • 2.2 Connecting to TLS Services
    • 2.3 Certificate Verification
    • 2.4 Testing Protocols That Upgrade to TLS
    • 2.5 Extracting Remote Certificates
    • 2.6 Testing Protocol Support
    • 2.7 Testing Cipher Suite Configuration
    • 2.8 Testing Cipher Suite Preference
    • 2.9 Testing Named Groups
    • 2.10 Testing DANE
    • 2.11 Testing Session Resumption
    • 2.12 Keeping Session State across Connections
    • 2.13 Checking OCSP Revocation
    • 2.14 Testing OCSP Stapling
    • 2.15 Checking CRL Revocation
    • 2.16 Testing Renegotiation
    • 2.17 Testing for Heartbleed
    • 2.18 Determining the Strength of Diffie-Hellman Parameters