Quickly self-issue a code signing certificate

Save the following as a .bat batch file to quickly generate your own code signing certificate:

openssl req -new -keyout code/codeSign.key -out code/codeSign.req -config openssl_code.cnf
openssl ca -policy policy_anything -config openssl_code.cnf -out code/codeSign.pem -infiles code/codeSign.req
openssl pkcs12 -export -out code/codeSign.pfx -inkey code/codeSign.key -in code/codeSign.pem -certfile ./demoCA/ca.crt

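Quickly self-issue an ECC SSL certificate

Save the following as a .bat batch file to quickly generate your own certificate signing request (csr), private key (key), and SSL certificate (crt):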

openssl ecparam -out ssl/server.key -name secp384r1 -genkey && openssl req -config openssl_server.cnf -new -key ssl/server.key -sha384 -nodes -out ssl/server.csr
openssl ca -config openssl_server.cnf -extensions server_cert -days 3650 -in ssl/server.csr -out ssl/server.crt

If you want to use Chinese in the certificate fields, add -utf8:

openssl ecparam -out ssl/server.key -name secp384r1 -genkey && openssl req -utf8 -config openssl_server.cnf -new -key ssl/server.key -sha384 -nodes -out ssl/server.csr

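Quickly self-issue an ECC CA root certificate

Save the following as a .bat batch file to quickly generate your own root CA certificate (crt) and private key (key):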

openssl ecparam -genkey -name secp384r1 | openssl ec -aes256 -out ca.key
openssl req -config openssl_root.cnf -new -x509 -sha384 -extensions v3_ca -key ca.key -out ca.crt -days 10800
openssl x509 -noout -text -in ca.crt

Apache Intermediate Profile+OpenSSL

apache 2.4.18 | intermediate profile | OpenSSL 1.0.1e
Oldest compatible clients : Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7

<VirtualHost *:443>
    ...
    SSLEngine on
    SSLCertificateFile      /path/to/signed_certificate_followed_by_intermediate_certs
    SSLCertificateKeyFile   /path/to/private/key

    # Uncomment the following directive when using client certificate authentication
    #SSLCACertificateFile    /path/to/ca_certs_for_client_authentication


    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
    ...
</VirtualHost>

# intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)

Apache Modern Profile+OpenSSL

apache 2.4.18 | modern profile | OpenSSL 1.0.1e
Oldest compatible clients : Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8

<VirtualHost *:443>
    ...
    SSLEngine on
    SSLCertificateFile      /path/to/signed_certificate_followed_by_intermediate_certs
    SSLCertificateKeyFile   /path/to/private/key

    # Uncomment the following directive when using client certificate authentication
    #SSLCACertificateFile    /path/to/ca_certs_for_client_authentication


    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
    ...
</VirtualHost>

# modern configuration, tweak to your needs
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)
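
The following is an added example, not part of the original page: a small Python audit that parses the SSLProtocol and SSLCipherSuite lines of the two profiles above and reports which legacy protocols stay enabled and which suites lack forward secrecy, use a non-AEAD mode, or use 3DES. The sample configs are constructed by shortening the cipher lists above; the function names and the simplified SSLProtocol handling ("all", +name, -name) are assumptions of this sketch, and it expects explicit OpenSSL suite names for TLS 1.2 and earlier rather than keywords such as HIGH.

```python
# Added example: audit SSLProtocol / SSLCipherSuite lines from an Apache config.
# Sample configs are constructed (cipher lists shortened from the profiles above).
INTERMEDIATE = """\
SSLProtocol             all -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-SHA:DES-CBC3-SHA:!DSS
"""
MODERN = """\
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256
"""
ALL_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # "all" with OpenSSL 1.0.1
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

def classify(suite):
    """Return the weaknesses implied by one OpenSSL cipher-suite name."""
    issues = set()
    if not suite.startswith(("ECDHE-", "DHE-", "EDH-")):
        issues.add("no-forward-secrecy")   # no ephemeral key exchange (e.g. static RSA)
    if not any(aead in suite for aead in ("GCM", "CHACHA20", "CCM")):
        issues.add("non-aead")             # CBC mode with a separate HMAC
    if "DES-CBC3" in suite:
        issues.add("3des")                 # 64-bit block cipher
    return issues

def audit(conf_text):
    """Return (legacy protocols still enabled, {suite: issues}) for a config."""
    enabled, findings = set(), {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        directive = parts[0].lower()
        if directive == "sslprotocol":
            for tok in parts[1:]:
                if tok.lower() == "all":
                    enabled = set(ALL_PROTOCOLS)
                elif tok.startswith("-"):
                    enabled.discard(tok[1:])
                else:
                    enabled.add(tok.lstrip("+"))
        elif directive == "sslciphersuite":
            for suite in parts[-1].split(":"):
                if suite and suite[0] not in "!-+":   # skip exclusions like !DSS
                    issues = classify(suite)
                    if issues:
                        findings[suite] = issues
    return sorted(enabled & LEGACY), findings

if __name__ == "__main__":
    for name, conf in (("intermediate", INTERMEDIATE), ("modern", MODERN)):
        print(name, audit(conf))
```
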