OpenSSL Archives

Here’s a very quick guide on creating ECC 256Bit Self-Signed Certificates with OpenSSL and Ubuntu 12 and 14.

1. Firstly lets create a folder to hold the files..

# mkdir /etc/ssl/ecc

2. Move to that directory…

# cd /etc/ssl/ecc

3. Now lets create the key

# openssl ecparam -genkey -name prime256v1 -out ecc.key

4. Create the request

# openssl req -new -key ecc.key -out ecc.csr

5. Create the certificate

# openssl x509 -req -days 365 -sha256 -in ecc.csr -signkey ecc.key -out ecc.crt

6. While we are here, lets combine the private key and certificate into a .pem file.

# cat ecc.key ecc.crt > ecc.pem

You now have a Self-Signed ECC 256Bit SHA256 certificate for your domain, and a .csr file for use at your favourite CA.

Should you wish to have ECC 384 Bit, simply replace “prime256v1” in step three, with secp384r1,
and “-sha256” in step five with -sha384.

Enjoy!

By default DH Parameters are just 1024bits in Ubuntu 12.04.5 LTS which is considered weak by todays standards.
You will need to create a new one of either 2048Bit or 4096Bit depending on your certificates public key size.

1. Create a folder to hold the dhparams…

# mkdir /etc/ssl/dh

2. Move to that directory

# cd /etc/ssl/dh

3. Create the new DH Parameters, at 2048Bit

# openssl dhparam -out RSA2048.pem -5 2048

And 4096Bit (this will take some time)

# openssl dhparam -out RSA4096.pem -5 4096

5. You can also create DSA versions, at 2048Bit…

# openssl dhparam -dsaparam -out DSA2048.pem 2048

And 4096Bit

# openssl dhparam -dsaparam -out DSA4096.pem 4096

The Directives

Now you can add the directives to your servers, Courier-Imap, Dovecot, Nginx and Postfix.

Courier-Imap

TLS_DHPARAMS=/etc/ssl/dh/RSA2048.pem

Dovecot (creates it’s own)

ssl_dh_parameters_length = 2048

Nginx

ssl_dhparam /etc/ssl/dh/RSA2048.pem;

Postfix

smtpd_tls_dh1024_param_file = /etc/ssl/dh/RSA2048.pem

Enjoy!

My Blog

Tag Archives: OpenSSL

Creating ECC Certificates

Creating DH Parameters

The Directives

Servers and Security