¶ OpenSSL - Commandes de Base
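# RSA 4096-bit private key, PEM, stored unencrypted: keep the file readable
# only by root / the service account.
openssl genrsa -out private.key 4096
# RSA key encrypted with AES-256 (passphrase prompted). A server using this
# key needs the passphrase at every start unless the key is decrypted first.
openssl genrsa -aes256 -out private.key 4096
# ECC key on P-384. -noout keeps the "EC PARAMETERS" block out of the file so
# it contains only the private key (some consumers reject the extra block).
openssl ecparam -genkey -name secp384r1 -noout -out ecc.key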
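# CSR from an existing key (subject fields are prompted interactively)
openssl req -new -key private.key -out request.csr
# CSR with the subject given on the command line (non-interactive)
openssl req -new -key private.key -out request.csr \
  -subj "/C=FR/ST=IDF/L=Paris/O=Company/CN=example.com"
# CSR carrying a subjectAltName (-addext needs OpenSSL 1.1.1+). Browsers
# ignore the CN and require a SAN, so request it in the CSR instead of
# relying on the CA to add it.
openssl req -new -key private.key -out request.csr \
  -subj "/C=FR/ST=IDF/L=Paris/O=Company/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com"
# Inspect the CSR and verify its self-signature (-verify proves the
# requester holds the private key matching the public key in the CSR)
openssl req -text -noout -verify -in request.csr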
# Self-signed certificate in one command: generates a fresh 4096-bit RSA key
# (-nodes = key written unencrypted so the server can start unattended) and
# a certificate valid 365 days. A CN-only certificate is rejected by modern
# browsers, which require a subjectAltName — prefer the SAN variant below.
openssl req -x509 -newkey rsa:4096 \
-keyout private.key \
-out certificate.crt \
-days 365 \
-nodes \
-subj "/CN=example.com"
# Same, with subjectAltName (-addext needs OpenSSL 1.1.1+). List every
# hostname the certificate must cover; the CN is not consulted by browsers.
openssl req -x509 -newkey rsa:4096 \
-keyout private.key \
-out certificate.crt \
-days 365 \
-nodes \
-subj "/CN=example.com" \
-addext "subjectAltName=DNS:example.com,DNS:www.example.com"
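# CA private key, AES-256 encrypted: the passphrase is requested at every
# signing operation. Keep this key off the web servers (ideally offline).
openssl genrsa -aes256 -out ca.key 4096
# Self-signed CA certificate, 10-year lifetime. -nodes has no effect here
# (the key already exists and stays encrypted); kept for compatibility.
openssl req -x509 -new -nodes \
  -key ca.key \
  -days 3650 \
  -out ca.crt \
  -subj "/CN=Root CA"
# Extensions for the leaf certificate. `openssl x509 -req` does not copy
# extensions from the CSR, so without -extfile the issued certificate has no
# SAN (browsers reject it) and no basicConstraints. Declare them explicitly
# and mark the certificate as non-CA so it cannot issue further certificates.
cat > server-ext.cnf <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.com, DNS:www.example.com
EOF
# Sign the CSR with the CA. -CAcreateserial creates ca.srl on first use and
# reuses it afterwards so serial numbers stay unique across issued certs.
openssl x509 -req \
  -in request.csr \
  -CA ca.crt \
  -CAkey ca.key \
  -CAcreateserial \
  -extfile server-ext.cnf \
  -sha256 \
  -out certificate.crt \
  -days 365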
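<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html
    SSLEngine on
    # Leaf certificate and its private key (key file readable by root only)
    SSLCertificateFile /etc/ssl/certs/certificate.crt
    SSLCertificateKeyFile /etc/ssl/private/private.key
    # Intermediate chain. SSLCertificateChainFile is deprecated since
    # Apache 2.4.8: on current versions append the intermediates after the
    # leaf in SSLCertificateFile instead (the directive is still accepted).
    SSLCertificateChainFile /etc/ssl/certs/chain.crt
    # Modern TLS: 1.2 and 1.3 only. The TLS 1.3 suites are negotiated
    # separately and are not covered by the SSLCipherSuite string below.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # Forward-secret AEAD suites only; CHACHA20 added for clients without
    # AES hardware acceleration (mobile devices).
    SSLCipherSuite EECDH+AESGCM:EECDH+CHACHA20:EDH+AESGCM
    SSLHonorCipherOrder on
    # TLS compression enables CRIME-style attacks
    SSLCompression off
    # Session tickets are protected by a key that is not rotated unless
    # managed; disabling them (Apache 2.4.11+) matches the nginx/HAProxy
    # configurations on this page.
    SSLSessionTickets off
    # HSTS, two years. "always" also sets it on error responses. Add
    # "; includeSubDomains; preload" only once every subdomain serves HTTPS.
    Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>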
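server {
    # nginx >= 1.25.1 deprecates the http2 listen parameter in favour of
    # "http2 on;" (still accepted with a warning)
    listen 443 ssl http2;
    server_name example.com;
    # ssl_certificate must hold the leaf FOLLOWED BY the intermediates: this
    # file is what nginx sends to clients. ssl_trusted_certificate is never
    # sent to clients (used only to verify OCSP responses / client certs), so
    # a leaf-only file here results in an incomplete chain.
    ssl_certificate /etc/ssl/certs/certificate.crt;
    ssl_certificate_key /etc/ssl/private/private.key;
    ssl_trusted_certificate /etc/ssl/certs/chain.crt;
    # Modern TLS: 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites; CHACHA20 for clients without AES hardware.
    # TLS 1.3 suites are not affected by ssl_ciphers.
    ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20:EDH+AESGCM;
    ssl_prefer_server_ciphers on;
    # Server-side session cache instead of tickets: ticket keys are static
    # unless ssl_session_ticket_key is rotated, which weakens forward secrecy
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
    # OCSP stapling; ssl_stapling_verify checks the response against the
    # issuer chain given in ssl_trusted_certificate
    ssl_stapling on;
    ssl_stapling_verify on;
    # Resolver used to fetch OCSP responses. Prefer an internal resolver over
    # a public one so OCSP lookups do not leave the network in clear text.
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # HSTS, two years. Note: add_header is NOT inherited by a location block
    # that defines its own add_header — repeat it there or use an include.
    add_header Strict-Transport-Security "max-age=63072000" always;
}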
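frontend https-in
    # The .pem holds the private key, certificate and chain in one file, so it
    # must be readable only by the haproxy user.
    # TLS hardening is given on the bind line: ssl-default-bind-options and
    # ssl-default-bind-ciphers are "global" section keywords and are rejected
    # inside a frontend. Newer versions also take "ciphersuites" for TLS 1.3.
    bind *:443 ssl crt /etc/ssl/example.com.pem no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers EECDH+AESGCM:EECDH+CHACHA20:EDH+AESGCM
    mode http
    # Pass the client IP to the backend in X-Forwarded-For
    option forwardfor
    # HSTS, two years
    http-response set-header Strict-Transport-Security max-age=63072000
    default_backend web-backend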
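# Dump the certificate (subject, SAN, issuer, validity, key usage, ...)
openssl x509 -text -noout -in certificate.crt
# Verify the chain against the CA. If intermediates sit between the CA and
# the leaf, pass them with -untrusted:
#   openssl verify -CAfile ca.crt -untrusted chain.crt certificate.crt
openssl verify -CAfile ca.crt certificate.crt
# Validity period
openssl x509 -noout -dates -in certificate.crt
# Check that the private key matches the certificate. Comparing the public
# key (rather than the RSA modulus) works for RSA and ECC keys alike; an
# empty diff (exit status 0) means they match.
diff <(openssl x509 -noout -pubkey -in certificate.crt) \
  <(openssl pkey -in private.key -pubout)
# Interactive handshake test (type a request or Ctrl-D to quit). In scripts
# add </dev/null so s_client exits right after the handshake.
openssl s_client -connect example.com:443 -servername example.com
# Check that a given protocol version is accepted (-tls1_2, -tls1_3, ...)
openssl s_client -connect example.com:443 -servername example.com -tls1_2
# Show the full chain the server sends; -servername selects the right
# virtual host through SNI
openssl s_client -connect example.com:443 \
  -servername example.com \
  -showcerts
# External tests
curl -vI https://example.com
wget --debug https://example.com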
# Outils en ligne recommandés
- SSL Labs Server Test
- SSL Labs Client Test
- HTTP Security Headers
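#!/usr/bin/env bash
# renew_cert.sh — warn (and renew) when the local certificate is close to
# expiry. Environment overrides: CERT_PATH, DAYS_THRESHOLD.
# Requires GNU date (date -d). Exits 1 if the certificate cannot be read or
# parsed instead of silently computing a day count from an empty date.
set -euo pipefail

CERT_PATH="${CERT_PATH:-/etc/ssl/certs/certificate.crt}"
DAYS_THRESHOLD="${DAYS_THRESHOLD:-30}"

#######################################
# Print the number of whole days until the certificate expires
# (negative once it has expired).
# Arguments: $1 - path to a PEM certificate
# Outputs:   integer day count on stdout
# Returns:   non-zero if openssl or date cannot parse the certificate
#######################################
days_until_expiry() {
  local cert_file=$1
  local not_after expiry_epoch now_epoch
  not_after=$(openssl x509 -enddate -noout -in "$cert_file") || return 1
  not_after=${not_after#notAfter=}
  expiry_epoch=$(date -d "$not_after" +%s) || return 1
  now_epoch=$(date +%s)
  printf '%d\n' $(( (expiry_epoch - now_epoch) / 86400 ))
}

[[ -r "$CERT_PATH" ]] || { printf 'renew_cert: cannot read %s\n' "$CERT_PATH" >&2; exit 1; }
days_left=$(days_until_expiry "$CERT_PATH") \
  || { printf 'renew_cert: cannot parse %s\n' "$CERT_PATH" >&2; exit 1; }

if (( days_left <= DAYS_THRESHOLD )); then
  echo "Certificate expires in $days_left days. Renewing..."
  # Renewal commands go here (re-sign the CSR / ACME client), then reload
  # the web server so the new certificate is actually served.
fi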
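#!/usr/bin/env bash
# monitor_certs.sh — print the expiry date of the certificate served by each
# host. A failed connection is reported on stderr and does not stop the
# remaining checks.
set -euo pipefail

#######################################
# Print the notAfter date of the certificate presented by a TLS endpoint.
# Arguments: $1 - hostname (also sent as the SNI server name)
#            $2 - port, default 443
# Outputs:   the notAfter date on stdout; progress message on stderr so it
#            is not captured by callers using $(check_cert ...)
# Returns:   non-zero if the connection or the certificate parsing fails
#######################################
check_cert() {
  local host=$1
  local port=${2:-443}
  local not_after
  echo "Checking $host:$port" >&2
  # </dev/null makes s_client exit right after the handshake instead of
  # waiting on stdin until the timeout kills it (5 s per host otherwise).
  not_after=$(timeout 5 openssl s_client -connect "$host:$port" \
      -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate) || return 1
  printf '%s\n' "${not_after#notAfter=}"
}

for host in example.com www.example.com; do
  if expiry=$(check_cert "$host"); then
    echo "$host expires: $expiry"
  else
    echo "$host: certificate check failed" >&2
  fi
done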
- Utiliser uniquement TLS 1.2/1.3
- Désactiver les anciennes versions SSL/TLS
- Utiliser des chiffrements forts
- Activer HSTS
- Implémenter OCSP Stapling
¶ Maintenance
- Surveiller dates d'expiration
- Automatiser renouvellements
- Sauvegarder clés privées
- Documenter procédures
- Tester configuration
- Valider chaîne de certification
- Vérifier révocation
- Optimiser performances
- Procédures de renouvellement
- Contacts d'urgence
- Emplacements clés/certificats
- Procédures de récupération