OpenSSL CSR, Self Signed Certificate and How to Start Test TLS/SSL Server/Client

How to use openssl to create a CSR and a self-signed TLS/SSL certificate, view certificate details, and start a TLS/SSL test server and client.

Create TLS/SSL Certificate

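Use the openssl req command to create a self-signed SSL certificate, or a Certificate Signing Request (CSR) that can be sent to a Certificate Authority (CA), which will then return a signed SSL certificate. The -nodes option used below writes the private key to disk unencrypted, so restrict access to privkey.pem.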

$ openssl req -new -newkey rsa:2048 -keyout privkey.pem -nodes -out pubcert.csr
Generating a RSA private key
...................................................................+++++
........................................................................+++++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:FL
Locality Name (eg, city) []:Orlando
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Foo LLC
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:email@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

$ file privkey.pem pubcert.csr
privkey.pem: ASCII text
pubcert.csr: PEM certificate request

The certificate subject can also be passed with the -subj parameter:

$ openssl req -new \
    -newkey rsa:2048 -nodes -keyout privkey.pem \
    -out pubcert.csr \
    -subj "/C=US/ST=FL/L=Orlando/O=Foo LLC/OU=IT/CN=www.example.com"

Verify CSR

Use openssl req -verify to view a CSR. The -verify option checks the signature on the CSR to confirm that the request has not been modified.

openssl req -verify example:

$ openssl req -verify -in pubcert.csr -text -noout
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = US, ST = FL, L = Orlando, O = Foo LLC, OU = IT, CN = www.example.com, emailAddress = email@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:96:1b:ec:3b:8c:8d:80:d9:f6:bc:e3:92:82:06:
                    6c:f6:97:15:56:5f:57:2e:de:7d:9c:7b:dd:a7:a4:
                    9f:dd:3b:b7:3d:fa:4b:20:5b:91:76:df:5c:d0:31:
                    fb:7c:47:c2:29:63:7b:f1:b6:92:49:72:ca:e6:4d:
                    d2:3e:e1:11:57:a6:a4:49:89:22:49:92:b9:76:a3:
                    17:a8:45:64:e7:1b:a0:f9:a8:0f:69:7e:b6:d3:ee:
                    42:f8:cd:b6:a2:79:fa:72:c3:5d:62:46:ed:db:29:
                    df:63:46:a1:c3:3b:17:7d:a7:be:f7:09:cb:6d:e6:
                    70:06:9f:cd:95:d8:b5:bf:d1:c0:26:88:66:57:af:
                    84:f2:00:49:89:c8:db:8c:7c:81:3d:0e:2e:f4:77:
                    d9:1c:9a:e2:78:43:98:4e:fa:b3:bf:2d:f2:2e:97:
                    11:17:6a:6d:ca:94:8e:2f:54:92:e7:16:25:ce:52:
                    46:bc:9d:98:89:d4:64:bd:ae:0a:97:72:a0:c5:73:
                    39:c9:87:d8:f5:97:e4:b8:3e:8d:73:d2:29:b3:4c:
                    fb:7e:20:5b:45:c6:83:6d:a6:53:1c:6e:5c:4a:ef:
                    20:08:84:59:09:f4:9c:16:79:37:27:70:b5:c1:21:
                    5e:5e:94:0e:59:54:ce:4f:3e:5d:34:fc:f0:e0:ce:
                    b4:a1
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         7f:47:70:5c:1c:72:e4:c5:a4:7b:07:7c:3f:f5:ef:62:a1:c9:
         8f:ae:52:35:ee:13:85:f7:ce:06:4a:b8:a1:ee:08:a2:39:f4:
         90:6a:c6:4f:04:78:c3:67:22:98:97:b8:9c:c1:e6:c6:af:94:
         1a:fd:f0:4c:67:34:3f:8d:05:3a:1a:8f:46:6f:0a:37:45:45:
         44:7a:f9:51:1d:28:bf:53:f1:47:2c:01:73:03:42:08:0a:c3:
         1f:5d:50:8a:b1:81:db:a0:df:4b:79:a1:86:2d:b1:3d:f7:2a:
         4b:e2:ff:bc:0f:fc:cd:08:a7:b8:07:5d:fe:d7:b7:39:6f:7a:
         f0:9c:cc:1b:e9:5d:8e:d5:0b:00:9c:81:a6:c3:f2:33:87:52:
         3c:b5:4a:14:3b:7d:2a:b8:53:86:da:b0:b3:3d:6a:2d:a7:c3:
         fa:1d:5f:fc:ea:37:6f:d2:44:ac:5d:a8:e5:73:43:69:a4:02:
         5d:a0:08:dd:0a:59:40:fa:c9:38:00:d9:60:41:40:56:32:c0:
         53:0d:97:8e:59:33:44:90:8b:48:a8:8c:c1:12:b2:60:bc:59:
         0a:e8:ca:29:87:95:7f:40:fd:86:bd:f8:aa:92:c9:f0:12:cb:
         82:cd:d8:5a:af:d2:3e:9a:dc:6b:f2:db:92:2d:a7:fc:6a:98:
         a8:04:5e:9e

verify OK indicates that the signature verified and the CSR has not been tampered with. The Subject is the most important part of the CSR.

Create Self Signed Certificate

pubcert.csr can be sent to a public CA for signing, or you can create a self-signed certificate from it.

$ openssl req -x509 -days 365 -in pubcert.csr -key privkey.pem -out pubcert.pem

$ file pubcert.pem
pubcert.pem: PEM certificate

Command line options explained:

-x509
output a self-signed certificate rather than a CSR.
-days 365
make the self-signed certificate valid for one year.
-in pubcert.csr
read in the CSR from the file pubcert.csr.
-key privkey.pem
read in the private key from the file privkey.pem.
-out pubcert.pem
write out the self-signed certificate to the file pubcert.pem.

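You can also generate a new key and a self-signed certificate in a single command. The output files are named privkey2.pem and pubcert2.pem here so that they do not overwrite the key and certificate created above:

$ openssl req -x509 \
    -days 365 \
    -newkey rsa:2048 \
    -subj "/C=US/ST=FL/L=Orlando/O=Foo LLC/OU=IT/CN=www.example.com" \
    -keyout privkey2.pem \
    -nodes \
    -out pubcert2.pem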

Generating a RSA private key
..+++++
.+++++
writing new private key to 'privkey2.pem'
-----

View Certificate

View Certificate Detail

$ openssl x509 -text -noout -in pubcert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            53:20:19:3d:0f:f2:3b:b9:b0:9b:17:5e:b6:12:bd:ae:cf:31:e5:c0
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = FL, L = Orlando, O = Foo LLC, OU = IT, CN = www.example.com, emailAddress = email@example.com
        Validity
            Not Before: Feb 25 01:13:20 2022 GMT
            Not After : Feb 25 01:13:20 2023 GMT
        Subject: C = US, ST = FL, L = Orlando, O = Foo LLC, OU = IT, CN = www.example.com, emailAddress = email@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:96:1b:ec:3b:8c:8d:80:d9:f6:bc:e3:92:82:06:
                    6c:f6:97:15:56:5f:57:2e:de:7d:9c:7b:dd:a7:a4:
                    9f:dd:3b:b7:3d:fa:4b:20:5b:91:76:df:5c:d0:31:
                    fb:7c:47:c2:29:63:7b:f1:b6:92:49:72:ca:e6:4d:
                    d2:3e:e1:11:57:a6:a4:49:89:22:49:92:b9:76:a3:
                    17:a8:45:64:e7:1b:a0:f9:a8:0f:69:7e:b6:d3:ee:
                    42:f8:cd:b6:a2:79:fa:72:c3:5d:62:46:ed:db:29:
                    df:63:46:a1:c3:3b:17:7d:a7:be:f7:09:cb:6d:e6:
                    70:06:9f:cd:95:d8:b5:bf:d1:c0:26:88:66:57:af:
                    84:f2:00:49:89:c8:db:8c:7c:81:3d:0e:2e:f4:77:
                    d9:1c:9a:e2:78:43:98:4e:fa:b3:bf:2d:f2:2e:97:
                    11:17:6a:6d:ca:94:8e:2f:54:92:e7:16:25:ce:52:
                    46:bc:9d:98:89:d4:64:bd:ae:0a:97:72:a0:c5:73:
                    39:c9:87:d8:f5:97:e4:b8:3e:8d:73:d2:29:b3:4c:
                    fb:7e:20:5b:45:c6:83:6d:a6:53:1c:6e:5c:4a:ef:
                    20:08:84:59:09:f4:9c:16:79:37:27:70:b5:c1:21:
                    5e:5e:94:0e:59:54:ce:4f:3e:5d:34:fc:f0:e0:ce:
                    b4:a1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                FA:AD:07:CD:B2:96:2A:D5:EF:92:EF:95:29:B7:3E:83:F7:CB:BC:AB
            X509v3 Authority Key Identifier:
                keyid:FA:AD:07:CD:B2:96:2A:D5:EF:92:EF:95:29:B7:3E:83:F7:CB:BC:AB

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         8d:75:b7:a1:fb:e2:76:62:24:82:83:f7:f3:dc:fc:25:de:63:
         90:56:38:f3:89:c8:f0:c2:fa:e8:fc:57:7e:61:a3:ca:9e:e5:
         7f:9b:f0:a9:82:44:b6:e1:09:7e:f1:b5:48:28:cf:07:fd:18:
         d1:a2:b3:ad:96:2b:ac:f1:89:c2:20:ee:b6:16:54:1f:6e:32:
         ca:07:9c:3b:21:01:61:48:dc:13:03:fd:d4:68:d2:da:1f:92:
         d9:6d:f5:ae:08:ff:94:24:ba:e1:20:8d:fe:21:70:bd:f5:f8:
         06:5a:08:69:5f:14:71:8a:84:38:e3:09:80:ec:dc:fe:78:56:
         bd:e6:d3:00:7c:88:14:eb:2b:49:ae:ea:42:c5:61:4d:19:2f:
         65:37:c6:33:c1:c5:0e:90:eb:43:cf:16:97:58:a7:d1:1e:37:
         cb:6d:3a:34:4a:2f:93:a9:2f:fe:c2:11:d1:41:f4:d4:f8:e6:
         b8:c7:bd:4f:c3:8d:fb:3d:df:5e:4c:c8:d3:69:e0:b5:71:ca:
         2c:23:d3:b4:79:c7:28:8b:9e:d9:76:4c:ac:db:6d:87:02:bf:
         16:a0:35:7c:74:f3:b3:ca:0a:cf:5b:cf:5c:c2:f3:1c:77:84:
         a9:8f:dd:3c:76:83:6a:79:15:a4:66:9b:7f:bd:2e:94:68:96:
         3c:ad:23:f0

Verify A Certificate Matches A Private Key

To verify that a certificate matches a private key, compare the modulus of the certificate with the modulus of the key. The two values must be identical.

$ openssl x509 -in pubcert2.pem -noout -modulus
Modulus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

$ openssl rsa -in privkey2.pem -noout -modulus
Modulus=C4A33C0DD76C10B2B49DFD48727D6B55B1FB4730CD9398D2ED9BA54209403AF61815119A08EB60CD134B43487F5D3E994DBB0E47688113893F2D892EEB27F23E3A9B45F206466FC47CCC753D30A35546E372D297FB947C99C67C315CF7E89F818900FA1F4532747DA7B2FE01FE59E13BC07FF0A0E6A9C7B132271F52FDE0E11C41AB7B9E07E92CBA2A8962AC0A4CCF1D0A58091FA819311752A5281A514F7AD0BD47F4710B712193311AC3A94839A3B917E71A633D26B1870C1D7EA74220AD33E2876D7B6394961B00CB307CB2C37416DC9E017C28BBAF8D9B795C47565FC2FFD8E9C2FC9B377C67F5BB8660E833E5148DE5D0E5EBF131D1CC56CBD32BC9EFE7
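
The modulus comparison above only applies to RSA keys. The script below is an added example, not part of the original page: it generalizes the check by hashing the public key itself, so it also covers EC keys and CSRs. The function names pubkey_fp and same_keypair are hypothetical, the keys are throwaway files generated in a temp directory, and private keys are assumed to be unencrypted (as written by -nodes).

```sh
#!/bin/sh
# Added example, not from the original page. Assumes unencrypted private
# keys (as written by -nodes); pubkey_fp and same_keypair are made-up names.

# pubkey_fp KIND FILE: print the SHA-256 of the DER-encoded public key.
# KIND is cert, csr or key.
pubkey_fp() {
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey) ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey) ;;
        key)  pem=$(openssl pkey -in "$2" -pubout) ;;
        *)    echo "unknown kind: $1" >&2; return 2 ;;
    esac
    # An unreadable input must be an error, never an empty value that "matches".
    [ -n "$pem" ] || { echo "cannot read $1 from $2" >&2; return 2; }
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# same_keypair KIND FILE KEYFILE: exit 0 = match, 1 = mismatch, 2 = error.
same_keypair() {
    fp_a=$(pubkey_fp "$1" "$2") || return 2
    fp_b=$(pubkey_fp key "$3") || return 2
    [ "$fp_a" = "$fp_b" ]
}

# Constructed sample input: throwaway files in a temp dir. One RSA pair like
# the page's, plus an EC pair, which has no modulus to compare.
demo_dir=$(mktemp -d)
subj="/C=US/ST=FL/L=Orlando/O=Foo LLC/OU=IT/CN=www.example.com"
openssl req -x509 -days 1 -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$demo_dir/rsa.key" -out "$demo_dir/rsa.crt" 2>/dev/null
openssl req -new -key "$demo_dir/rsa.key" -subj "$subj" -out "$demo_dir/rsa.csr"
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
    -out "$demo_dir/ec.key" 2>/dev/null
openssl req -x509 -new -days 1 -key "$demo_dir/ec.key" -subj "$subj" \
    -out "$demo_dir/ec.crt"

same_keypair cert "$demo_dir/rsa.crt" "$demo_dir/rsa.key" && echo "RSA cert/key: match"
same_keypair csr  "$demo_dir/rsa.csr" "$demo_dir/rsa.key" && echo "RSA CSR/key: match"
same_keypair cert "$demo_dir/ec.crt"  "$demo_dir/ec.key"  && echo "EC cert/key: match"
same_keypair cert "$demo_dir/rsa.crt" "$demo_dir/ec.key"  || echo "RSA cert vs EC key: no match"
```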

View The Signer/Issuer of a Certificate

$ openssl x509 -in pubcert.pem -noout -issuer -issuer_hash
issuer=C = US, ST = FL, L = Orlando, O = Foo LLC, OU = IT, CN = www.example.com
a20a408a

Find The Hash Value Of A Certificate

$ openssl x509 -hash -in pubcert.pem -noout
a20a408a

Run TLS/SSL Server / Client with OpenSSL

First use openssl s_server to start a TLS/SSL test server on port 8443:

$ openssl s_server -accept 8443 -cert pubcert.pem -key privkey.pem
Using default temp DH parameters
ACCEPT

Then use openssl s_client to connect to the test server on port 8443:

$ openssl s_client -connect localhost:8443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, ST = FL, L = Orlando, O = Foo LLC, OU = IT, CN = www.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = FL, L = Orlando, O = Foo LLC, OU = IT, CN = www.example.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = FL, L = Orlando, O = Foo LLC, OU = IT, CN = www.example.com
   i:C = US, ST = FL, L = Orlando, O = Foo LLC, OU = IT, CN = www.example.com
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=C = US, ST = FL, L = Orlando, O = Foo LLC, OU = IT, CN = www.example.com

issuer=C = US, ST = FL, L = Orlando, O = Foo LLC, OU = IT, CN = www.example.com

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1499 bytes and written 363 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 00B02A982394BB49CBB59489D250360FEB4CB7698FA063E79FFFE2D149E71B86
    Session-ID-ctx:
    Resumption PSK: 729D19E3DFA1C40143098ABE55DB1FEB2DA023C4344385D0871D5A52F61AD960A9DB482D5DCA1248B4607C81EF4E5415
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - f5 fe f2 bf 29 29 3b ec-1b c3 7b 2c f5 33 85 ee   ....));...{,.3..
    0010 - 4b 10 30 ae c3 2f df a1-79 d0 55 32 95 fc cb 1d   K.0../..y.U2....
    0020 - d6 5d 89 74 c8 9b 59 dc-95 5c e8 3e cf 04 7d b4   .].t..Y..\.>..}.
    0030 - 39 63 be 3c 15 67 81 a9-b8 77 6a dd 1c 35 13 6d   9c.<.g...wj..5.m
    0040 - b7 d6 36 e3 d6 c6 2b 47-e5 3e 8b 22 10 06 49 f0   ..6...+G.>."..I.
    0050 - b8 f3 2f b1 60 25 e5 31-94 f1 bf dd ed 67 85 ce   ../.`%.1.....g..
    0060 - d9 34 6e 7c d9 6a 40 a1-67 b7 d6 73 f6 cf a3 2d   .4n|.j@.g..s...-
    0070 - 3e 86 9b d6 a4 ff 5d 6a-a1 f9 3d 1b 74 97 14 b5   >.....]j..=.t...
    0080 - c4 82 fe 75 0f 29 28 7d-d1 23 72 90 3b 87 2e 97   ...u.)(}.#r.;...
    0090 - cb 97 bf 79 99 20 fc d9-e4 7f 2e 82 0a d6 34 b3   ...y. ........4.
    00a0 - 4e 81 92 9d 72 be 20 87-d2 dd 98 25 f2 6e fb b7   N...r. ....%.n..
    00b0 - 7f 37 fd 8b e1 5a e1 f6-d1 62 39 70 70 ed ba 79   .7...Z...b9pp..y

    Start Time: 1645755764
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: DAB883D6FFE06E83CCB3730949EFEC34EF2F30B84168FA7233B7B9B002DE6BDD
    Session-ID-ctx:
    Resumption PSK: A73F9311186AB1C0EA89C810775ACCD18B46B9CA3E93B3D3C4C077A646B5C95CE703ED39E4CC40725C0A8BEB1973BC86
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - f5 fe f2 bf 29 29 3b ec-1b c3 7b 2c f5 33 85 ee   ....));...{,.3..
    0010 - e8 18 b7 f7 b5 65 05 d4-05 9c 88 99 97 75 23 91   .....e.......u#.
    0020 - 38 3e 83 65 0d 86 43 08-3d 8f fb b4 69 0f a4 e4   8>.e..C.=...i...
    0030 - d8 0d 56 70 c4 ed 71 3b-25 0e 71 f7 db bd f3 14   ..Vp..q;%.q.....
    0040 - 7b 26 07 c5 9e ef be 76-2c 40 2a a4 d5 19 a6 a7   {&.....v,@*.....
    0050 - 23 bf 3f 88 d2 41 4d 70-c6 7a c8 ad 28 7c 4b 55   #.?..AMp.z..(|KU
    0060 - 74 a9 30 f8 9e b1 a4 36-38 a1 69 a8 11 44 ce a8   t.0....68.i..D..
    0070 - 06 7f ad 06 e6 32 1b 1e-d5 a8 8a f4 9a b2 be 3d   .....2.........=
    0080 - 06 71 56 c6 fa 31 cd c6-9e 74 a4 de 74 ae 02 c6   .qV..1...t..t...
    0090 - 9e b8 c6 85 80 7c ae 28-ad d0 26 22 95 92 61 79   .....|.(..&"..ay
    00a0 - 96 e4 e7 e7 39 4e 55 3b-31 f9 cd 36 ac ed 5c 8a   ....9NU;1..6..\.
    00b0 - c0 b6 2c 7b 0d 67 0d ba-01 2c a4 50 a0 62 84 f5   ..,{.g...,.P.b..
    00c0 - 27 a6 73 74 e1 5b 31 02-f9 81 d9 cf 04 09 de e4   '.st.[1.........

    Start Time: 1645755764
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
Hello

After the TLS/SSL connection is established, send Hello to the server.

The server side also prints the TLS/SSL handshake details, and then shows the Hello received from the client.

$ openssl s_server -accept 8443 -cert pubcert.pem -key privkey.pem
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MH4CAQECAgMEBAITAgQgRNcxBBZoIQo4mQbsQRv7DwAadeE3rHqXOftKcd2u8mME
MKc/kxEYarHA6onIEHdazNGLRrnKPpOz08TAd6ZGtclc5wPtOeTMQHJcCovrGXO8
hqEGAgRiGD10ogQCAhwgpAYEBAEAAACuBwIFANB6X1w=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Groups: X25519:P-256:X448:P-521:P-384
Shared Elliptic groups: X25519:P-256:X448:P-521:P-384
CIPHER is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS supported
Hello
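
The client output above reports verify error 18 (self signed certificate) and the session is still established. The script below is an added example, not part of the original page: it shows how the verification result changes once the test certificate is pinned as the trust anchor and the expected host name is checked. The function name verify_code is hypothetical and the certificate is a throwaway generated in a temp directory.

```sh
#!/bin/sh
# Added example, not from the original page. verify_code is a made-up name.

# verify_code CERT [TRUST_ANCHOR] [HOSTNAME]
# Prints the OpenSSL verify error number for CERT (0 = ok).
verify_code() {
    cert=$1 anchor=${2:-} host=${3:-}
    set -- verify
    if [ -n "$anchor" ]; then set -- "$@" -CAfile "$anchor"; fi
    if [ -n "$host" ]; then set -- "$@" -verify_hostname "$host"; fi
    if out=$(openssl "$@" "$cert" 2>&1); then
        echo 0
        return 0
    fi
    # Failure lines look like: "error 18 at 0 depth lookup: ..."
    code=$(printf '%s\n' "$out" |
        sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    # No error number means openssl could not even load the input.
    [ -n "$code" ] || { printf '%s\n' "$out" >&2; return 2; }
    echo "$code"
}

# Constructed sample input: a throwaway certificate made the same way as the
# page's single-command example.
work=$(mktemp -d)
openssl req -x509 -days 1 -newkey rsa:2048 -nodes \
    -subj "/C=US/ST=FL/L=Orlando/O=Foo LLC/OU=IT/CN=www.example.com" \
    -keyout "$work/privkey.pem" -out "$work/pubcert.pem" 2>/dev/null

echo "no trust anchor:     $(verify_code "$work/pubcert.pem")"
echo "pinned as anchor:    $(verify_code "$work/pubcert.pem" "$work/pubcert.pem")"
echo "pinned + right name: $(verify_code "$work/pubcert.pem" "$work/pubcert.pem" www.example.com)"
echo "pinned + wrong name: $(verify_code "$work/pubcert.pem" "$work/pubcert.pem" test.example.net)"

# Same policy against the live test server from the page:
#   openssl s_client -connect localhost:8443 -CAfile pubcert.pem \
#       -verify_return_error -verify_hostname www.example.com
```

With -verify_return_error, s_client aborts the handshake on a verification failure instead of only logging it.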

openssl req help

$ openssl req -help
Usage: req [options]
Valid options are:
 -help               Display this summary
 -inform PEM|DER     Input format - DER or PEM
 -outform PEM|DER    Output format - DER or PEM
 -in infile          Input file
 -out outfile        Output file
 -key val            Private key to use
 -keyform format     Key file format
 -pubkey             Output public key
 -new                New request
 -config infile      Request template file
 -keyout outfile     File to send the key to
 -passin val         Private key password source
 -passout val        Output file pass phrase source
 -rand val           Load the file(s) into the random number generator
 -writerand outfile  Write random data to the specified file
 -newkey val         Specify as type:bits
 -pkeyopt val        Public key options as opt:value
 -sigopt val         Signature parameter in n:v form
 -batch              Do not ask anything during request generation
 -newhdr             Output "NEW" in the header lines
 -modulus            RSA modulus
 -verify             Verify signature on REQ
 -nodes              Don't encrypt the output key
 -noout              Do not output REQ
 -verbose            Verbose output
 -utf8               Input characters are UTF8 (default ASCII)
 -nameopt val        Various certificate name options
 -reqopt val         Various request text options
 -text               Text form of request
 -x509               Output a x509 structure instead of a cert request
                     (Required by some CA's)
 -subj val           Set or modify request subject
 -subject            Output the request's subject
 -multivalue-rdn     Enable support for multivalued RDNs
 -days +int          Number of days cert is valid for
 -set_serial val     Serial number to use
 -addext val         Additional cert extension key=value pair (may be given more than once)
 -extensions val     Cert extension section (override value in config file)
 -reqexts val        Request extension section (override value in config file)
 -precert            Add a poison extension (implies -new)
 -*                  Any supported digest
 -engine val         Use engine, possibly a hardware device
 -keygen_engine val  Specify engine to be used for key generation operations
