Latest revision as of 08:00, 8 June 2026

Links

Tools

openssl
sslscan
sclient
gnutls-cli

Documentation and HOWTOs

Check SSL Certificate Chain with OpenSSL Examples

Dovecot and ssl

Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)

cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.pem

In dovecot.conf:

ssl_cert_file = /usr/local/etc/IMAP.EXAMPLE.COM.crt
ssl_key_file = /usr/local/etc/myserver.key
#optional, only if you want to require client to provide cert
#ssl_ca_file = /usr/local/etc/intermediate.pem

Courier-imap and ssl

Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)

cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt > intermediate.pem
cat myserver.key >> IMAP.EXAMPLE.COM.crt

In imapd-ssl:

TLS_CERTFILE=/usr/local/etc/courier-certs/IMAP.EXAMPLE.COM.crt
TLS_TRUSTCERTS=/usr/local/etc/courier-certs/intermediate.pem

Network Solutions certificates bundle

See http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/

cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.txt

Comodo bundle order

COMODORSAOrganizationValidationSecureServerCA. + COMODO rsa add trust ca ( + addtrustexternalcaroot )

Generate a signing request (CSR)

N=my.domain
openssl req -nodes -newkey rsa:2048 -keyout $N.key -out $N.csr

openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout server.key -out server.csr

The resulting csr is the signing request, my.domain.key is the private key you save not readable for anyone but root!

HOWTO

Add custom Root CA to your system

On Ubuntu

Copy to /usr/local/share/ca-certificates

update-ca-certificates --fresh

Generate PSK

openssl rand -hex 32

Converting certificates

https://stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key

Create private key (using config file)

openssl req (-config /etc/pki/tls/www.example.com.cnf) -newkey rsa:2048 -nodes -keyout domain.key

Create CSR using config file

openssl req -config /etc/pki/tls/www.example.com.cnf -new -newkey rsa:2048 -noenc -keyout example.com.key -out www.example.com.csr

Create .p12

openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in myCert.cer

Convert der to pem

openssl x509 -inform der -in certificate.cer -out certificate.pem

Creating CSR for multiple hosts

For example http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html

Remove password from private key

https://wiki.apache.org/httpd/RemoveSSLCertPassPhrase

Examining certificates

http://www.madboa.com/geek/openssl/#verify-standard

openssl verify cert.pem

openssl x509 -in cacert.pem -noout -text
openssl x509 -in foo.pem  -inform pem -noout -text

openssl rsa -noout -text -in server.key

Read contents of crt

openssl x509 -noout -text -in ca.crt

Read contents of csr

openssl req -noout -text -in server.csr

openssl rsa -noout -text -in ca.key

with expiration date:

openssl x509 -noout -text -enddate -in ca.crt

to check CN

openssl x509 -in server.crt -noout -subject

openssl pkcs12 -info -in keyStore.p12
openssl pkcs12 -info -in keyStore.pfx

Checking a service

Note -CApath should point to your local collection of public CA certs

openssl s_client -connect -CApath /etc/ssl/certs host:pop3 -starttls pop3
openssl s_client -port 443 -CApath /etc/ssl/certs -host webmail.example.com -prexit
openssl s_client -connect imap.example.com:143 -starttls imap
openssl s_client -connect web.server:443 -showcerts
openssl s_client -connect webmail.example.com:443 -servername vhost.example.com

Just check expiration date:

 openssl s_client -connect imap.example.com:143 -starttls imap 2>/dev/null | openssl x509 -noout -dates

Check your site

gnutls-cli

echo quit | gnutls-cli --starttls-proto smtp --port 25 servac.skk | grep Status
echo quit | gnutls-cli --port 465 servac.skk | grep Status

check if certs match

TODO: -clr_check too

openssl pkey -in privateKey.key -pubout -outform pem | sha256sum 
openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum 
openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum

These values show match Also:

openssl verify -CAfile ca-bundle foo_bar.crt

A script to do these checks: [sslcheck]

Creating your own CA and signing with it

(based on http://www.eclectica.ca/howto/ssl-cert-howto.php#rootc)

cd /etc/ssl
mkdir newcerts
(perform secret rituals)

Check which ciphers and tls versions your openssl supports

openssl ciphers -v

Check if site supports TLS v1.2

openssl s_client -connect google.com:443 -servername google.com -tls1_2

Create client key for authentication

https://docs.devolutions.net/workspace/kb/general-knowledge/secure-self-signed-certificates/

Create key

openssl -genkey -noout -out my.key

Create cert

openssl  req -new -x509 -sha256 -days 180 -key my.key -out my.crt

Convert to p12

Get issuer

openssl s_client -showcerts -connect <YOURHOST>:443 < /dev/null 2>/dev/null |grep -i issuer

or better:

openssl s_client -showcerts -connect YOURHOST:443 -servername YOURHOST -showcerts </dev/null | openssl x509 -nouout -issuer

and even

openssl s_client -servername $H -host $H -port 443 -showcerts </dev/null 2>/dev/null| openssl x509 -noout -issuer | sed 's/.* O = \(.*\), CN.*/\1/'

FAQ

Should i include the Root CA?

Only if server software demands it.

Error messages

SSL CTX certificate file error: error:0906D06C:PEM routines:PEM_read_bio:no start line

??

139814102202256:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE

i've seen this happen when someone deleted the BEGIN/END CERTIFICATE lines

or a file is in DER format

error 20 at 0 depth lookup: unable to get local issuer certificate

you probably need to provide the right -CAfile maybe self signed?

self-signed certificate in certificate chain

OpenSSL: error:0A000102:SSL routines::unsupported protocol

This could becaure you're trying to an older version of TLS, check openssl.cnf for

CipherString = DEFAULT:@SECLEVEL=2

which means it enforces minimum of TLSv1.2

You might now get

OpenSSL: error:0A000152:SSL routines::unsafe legacy renegotiation disabled

which means add below the CipherString line:

Options = UnsafeLegacyRenegotiation

SSL: error:13800076:OCSP routines::signer certificate not found

?

Order of certificates in bundle

Root CA comes last

using s_client

no client certificate sent

try adding -cert

Secure Renegotiation IS NOT supported

Probably using wrong TLS version

Can't use SSL_get_servername

Try using hostname instead of IP address

write:errno=104

server reset the connection

no peer certificate available

Could be trying to talk tls to ssl, also check tls version used/enforced.

socket: Bad file descriptor

Most likely you just can't connect

unable to load client certificate private key file

Verification error: unable to verify the first certificate

problem missing CA cert

Verify return code: 21 (unable to verify the first certificate)

Probably requires bundle including the first cert'

Bad certificate (code 42)

Means the server demands you authenticate with a certificate, and you did not do so, and that caused the handshake failure.

How to check certificate chain?

openssl s_client -connect www.example.com:443 -showcerts

Some of the output

Certificate chain

0 s:CN = foo.local
  i:CN = foo.local-CA

0: first in chain

s: subject ( openssl x509 -noout -in foo.crt -subject )

i: issuer ( openssl x509 -noout -in foo.crt -issuer )

OR

openssl s_client -showcerts -verify 5 -connect ldap.example.com:636  < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/)    {a++}; out="bluePage-cert"a".pem"; print >out}'

or

openssl s_client -showcerts -verify 5 -connect ldap.example.com:389 starttls ldap  < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/)    {a++}; out="bluePage-cert"a".pem"; print >out}'

check expiration date

echo | openssl s_client -servername NAME -connect HOST:PORT 2>/dev/null | openssl x509 -noout -dates

openssl x509 -enddate -noout -in file.pem

check if webserver supports old tls

openssl s_client -connect www.example.com:443 -tls1
openssl s_client -connect www.example.com:443 -tls1_1

or when vhost:

 openssl s_client -servername vhost.example.com -connect www.example.com:443 -tls1_1

ERROR: Certificate verification: Not trusted

seems to be an lftp issue

unsupported certificate purpose

??

ssllabs checks

Chain issues: Incorrect order, Contains anchor

Could be the topmost cert in the bundle provided, try removing it

Chain issues: Contains anchor

Seems to mean there's a root ca in the bundle

check smtp submission

echo -n "username" | base64
echo -n "password" | base64

openssl s_client -connect mail.host.com:587 -starttls smtp -crlf

EHLO foo.bar
AUTH LOGIN

base64username

base64password

OR

echo -ne '\0username\0password'| base64
AUTH LOGIN output_of_that_echo

Peer's Certificate issuer is not recognized.

p12 / pkcs12

Show info about p12 file

openssl pkcs12 -info -in INFILE.p12 -nodes

Extract keys from p12

Extract private key

openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pem

Extract client certificate

openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pem

server certificate does NOT include an ID which matches the server name

todo

@@ Line 4: / Line 4: @@
 *[http://www.openssl.org/ openssl homepage]
 *[http://gagravarr.org/writing/openssl-certs/index.shtml http://gagravarr.org/writing/openssl-certs/index.shtml]
+*[https://whatsmychaincert.com/ What's My Chain Cert?]
 = Tools =
@@ Line 14: / Line 13: @@
 = Documentation and HOWTOs =
+*[https://docs.openssl.org/1.1.1/man1/pkcs12/ pkcs12]
 *[http://sial.org/howto/openssl/ca/ OpenSSL Certificate Authority Setup]
 *[http://www.herongyang.com/Cryptography/OpenSSL-Certificate-Path-Validation-Tests.html Validating a Certificate Path with OpenSSL]
@@ Line 71: / Line 70: @@
 COMODORSAOrganizationValidationSecureServerCA. + COMODO rsa add trust ca ( + addtrustexternalcaroot )
-=== Generate a signing request ===
+=== Generate a signing request (CSR)===
+ N=my.domain
-  openssl req -nodes -newkey rsa:2048 -keyout my.domain.key -out my.domain.csr
+  openssl req -nodes -newkey rsa:2048 -keyout $N.key -out $N.csr
+ openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout server.key -out server.csr
 The resulting csr is the signing request, my.domain.key is the private key you save not readable for anyone but root!
@@ Line 95: / Line 95: @@
 == Create CSR using config file ==
-  openssl req -config /etc/pki/tls/www.example.com.cnf -new -newkey rsa:2048 -nodes -keyout example.com.key -out www.example.com.csr
+  openssl req -config /etc/pki/tls/www.example.com.cnf -new -newkey rsa:2048 -noenc -keyout example.com.key -out www.example.com.csr
 ==Create .p12==
   openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in myCert.cer
@@ Line 119: / Line 120: @@
   openssl x509 -in cacert.pem -noout -text
   openssl x509 -in foo.pem  -inform pem -noout -text
   openssl rsa -noout -text -in server.key
+===Read contents of crt===
+ openssl x509 -noout -text -in ca.crt
+===Read contents of csr===
   openssl req -noout -text -in server.csr
   openssl rsa -noout -text -in ca.key
- openssl x509 -noout -text -in ca.crt
 with expiration date:
@@ Line 135: / Line 141: @@
   openssl pkcs12 -info -in keyStore.p12
   openssl pkcs12 -info -in keyStore.pfx
 == Checking a service ==
@@ Line 203: / Line 207: @@
 Convert to p12
+==Get issuer==
+ openssl s_client -showcerts -connect <YOURHOST>:443 < /dev/null 2>/dev/null |grep -i issuer
+or better:
+ openssl s_client -showcerts -connect YOURHOST:443 -servername YOURHOST -showcerts </dev/null | openssl x509 -nouout -issuer
+and even
+ openssl s_client -servername $H -host $H -port 443 -showcerts </dev/null 2>/dev/null| openssl x509 -noout -issuer | sed 's/.* O = \(.*\), CN.*/\1/'
 = FAQ =
+==Should i include the Root CA?==
+Only if server software demands it.
 ==Error messages==
+=== SSL CTX certificate file error: error:0906D06C:PEM routines:PEM_read_bio:no start line ===
+??
+=== 139814102202256:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE ===
+i've seen this happen when someone deleted the BEGIN/END CERTIFICATE lines
+or a file is in DER format
+=== error 20 at 0 depth lookup: unable to get local issuer certificate ===
+you probably need to provide the right -CAfile maybe self signed?
 ===self-signed certificate in certificate chain===
@@ Line 223: / Line 250: @@
 ?
-==Get issuer==
- openssl s_client -showcerts -connect <YOURHOST>:443 < /dev/null 2>/dev/null |grep -i issuer
 == Order of certificates in bundle==
 Root CA comes last
@@ Line 262: / Line 287: @@
 problem missing CA cert
-== error 20 at 0 depth lookup: unable to get local issuer certificate ==
-you probably need to provide the right -CAfile maybe self signed?
 &nbsp;
@@ Line 276: / Line 298: @@
 Means the server demands you authenticate with a certificate, and you did not do so, and that caused the handshake failure.
-&nbsp;
+== How to check certificate chain? ==
-== check certificate chain ==
   openssl s_client -connect www.example.com:443 -showcerts
-&nbsp;
 === Some of the output ===
@@ Line 312: / Line 330: @@
   openssl x509 -enddate -noout -in file.pem
-== 139814102202256:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE ==
-i've seen this happen when someone deleted the BEGIN/END CERTIFICATE lines
-or a file is in DER format
-== SSL CTX certificate file error: error:0906D06C:PEM routines:PEM_read_bio:no start line ==
-??
-&nbsp;
-&nbsp;
 == check if webserver supports old tls ==

Anonymous

Search

Openssl: Difference between revisions