Self-signed Certificate with OpenSSL
Generate a self-signed SSL certificate (2048-bit RSA key, SHA-256 signature):
$ DOMAIN=www.example.com
$ openssl genrsa -out "$DOMAIN".key 2048 && chmod 0600 "$DOMAIN".key
$ openssl req -new -sha256 -key "$DOMAIN".key -out "$DOMAIN".csr
$ openssl x509 -req -days 1825 -sha256 -in "$DOMAIN".csr -signkey "$DOMAIN".key \
    -out "$DOMAIN".crt
Differences Between “BEGIN RSA PRIVATE KEY” and “BEGIN PRIVATE KEY”
BEGIN RSA PRIVATE KEY is PKCS#1 and is just an RSA key.
BEGIN PRIVATE KEY is PKCS#8 and indicates that the key type is included in the key data itself.
To convert a private key from traditional format to PKCS#8 format:
$ openssl pkcs8 -topk8 -inform pem -in "$DOMAIN".key \
    -outform pem -nocrypt -out "$DOMAIN".pem
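The structural difference between the two formats, as an added Python example that is not part of the original page: an unencrypted PKCS#8 key is the PKCS#1 RSAPrivateKey wrapped in a PrivateKeyInfo that names the algorithm by OID. The helper names and the toy key are constructed for illustration.

```python
import base64

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_OID = bytes.fromhex("2a864886f70d010101")

def tlv(tag, body):
    """Encode one DER element (definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def der_int(v):
    """Encode a non-negative INTEGER."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def read_tlv(buf, pos=0):
    """Decode the element at pos; return (tag, body, next_pos)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def pkcs1_to_pkcs8(pkcs1_der):
    """Wrap an RSAPrivateKey in an unencrypted PKCS#8 PrivateKeyInfo."""
    alg = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
    return tlv(0x30, der_int(0) + alg + tlv(0x04, pkcs1_der))

def pkcs8_unwrap(pkcs8_der):
    """Return (algorithm OID, inner key DER) from a PrivateKeyInfo."""
    _, seq, _ = read_tlv(pkcs8_der)
    _, _, pos = read_tlv(seq)            # version
    _, alg, pos = read_tlv(seq, pos)     # AlgorithmIdentifier
    _, oid, _ = read_tlv(alg)
    _, inner, _ = read_tlv(seq, pos)     # OCTET STRING holding the key
    return oid, inner

def pem(label, der):
    """PEM-armor DER bytes under the given label."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *rows, f"-----END {label}-----"])

# Constructed toy key (n = 61 * 53), far too small for real use:
# version, n, e, d, p, q, d mod (p-1), d mod (q-1), q^-1 mod p
TOY_PKCS1 = tlv(0x30, b"".join(map(der_int, [0, 3233, 17, 2753, 61, 53, 53, 49, 38])))

if __name__ == "__main__":
    print(pem("RSA PRIVATE KEY", TOY_PKCS1))
    print(pem("PRIVATE KEY", pkcs1_to_pkcs8(TOY_PKCS1)))
```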
SSL/TLS and Ciphers
Check what ciphers are in use for standard HTTPS, SMTPS, IMAPS and POP3S:
$ nmap -Pn -p T:443,465,993,995 --script ssl-cert,ssl-enum-ciphers localhost
Check if SSLv3 is in use for standard HTTPS. This also shows which SSL certificate is in place. The -ssl3 option is only available when the local OpenSSL build includes SSLv3 support.
$ openssl s_client -connect localhost:443 -ssl3
Connect to IMAPS mailbox with curl and force it to use TLSv1 when negotiating with a remote TLS server:
$ curl -v --tlsv1 -u 'username:password' imaps://localhost:993