Openssl

From DWIKI
Revision as of 20:07, 31 March 2021

Links


Tools

  • sslscan


Documentation and HOWTOs

Dovecot and ssl

Network Solutions certs: after creating myserver.key and myserver.csr and obtaining the certificates, build the intermediate bundle. Make sure every file ends with a newline before concatenating, otherwise the END line of one block runs straight into the BEGIN line of the next and the bundle will not parse:

cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.pem

In dovecot.conf:

ssl_cert_file = /usr/local/etc/IMAP.EXAMPLE.COM.crt
ssl_key_file = /usr/local/etc/myserver.key
# optional: only needed if you want to require the client to present a certificate
#ssl_ca_file = /usr/local/etc/intermediate.pem

Courier-imap and ssl


Network Solutions certs: after creating myserver.key and myserver.csr and obtaining the certificates (again, make sure every file ends with a newline before concatenating):

cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt > intermediate.pem

Courier expects the private key and the certificate in a single file, so append the key to it; that file must not be world-readable:

cat myserver.key >> IMAP.EXAMPLE.COM.crt

In imapd-ssl:

TLS_CERTFILE=/usr/local/etc/courier-certs/IMAP.EXAMPLE.COM.crt
TLS_TRUSTCERTS=/usr/local/etc/courier-certs/intermediate.pem

Network Solutions certificates bundle

See http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/

cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.txt


Comodo bundle order

COMODORSAOrganizationValidationSecureServerCA + COMODORSAAddTrustCA (+ AddTrustExternalCARoot)
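The Dovecot, Courier, Network Solutions and Comodo steps above all boil down to concatenating CA files into a bundle, and all share the same trap: a file without a trailing newline (or with CRLF line endings, common for files downloaded from a CA portal) glues two PEM blocks together and the bundle fails to load. The following is an added example, not code from the wiki page; it concatenates safely and then checks the result. The two input files are constructed stand-ins for real CA certificates (only the PEM framing matters here), and the file names are made up.

```shell
#!/bin/sh
# Added example: build a PEM bundle without the "missing newline" trap.
set -eu

# Append each input file to stdout, stripping carriage returns and
# guaranteeing a newline after the last line of every file, so the END line
# of one block never runs into the BEGIN line of the next.
pem_cat() {
    for f in "$@"; do
        awk '{ sub(/\r$/, ""); print }' "$f"
    done
}

# Count complete PEM certificate blocks; fail when BEGIN/END lines are
# missing or glued together (the usual cause of "no start line" errors).
pem_check() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "bad bundle: $begins BEGIN vs $ends END lines" >&2
        return 1
    fi
    echo "$begins"
}

# Demonstration on constructed inputs: one file lacks the trailing newline,
# the other has CRLF endings. Plain cat produces a broken bundle, pem_cat
# a usable one.
demo_bundle() {
    d=$(mktemp -d)
    printf '%s\n%s\n%s' "-----BEGIN CERTIFICATE-----" "AAAA" \
        "-----END CERTIFICATE-----" > "$d/intermediate.crt"          # no final newline
    printf '%s\r\n%s\r\n%s\r\n' "-----BEGIN CERTIFICATE-----" "BBBB" \
        "-----END CERTIFICATE-----" > "$d/root.crt"                  # CRLF endings
    cat "$d/intermediate.crt" "$d/root.crt" > "$d/naive.pem"
    pem_cat "$d/intermediate.crt" "$d/root.crt" > "$d/bundle.pem"
    naive=$(pem_check "$d/naive.pem" 2>/dev/null || echo fail)
    good=$(pem_check "$d/bundle.pem")
    rm -rf "$d"
    echo "naive=$naive good=$good"
}

if [ "${RUN_DEMO:-}" = 1 ]; then demo_bundle; fi
```

Run with `RUN_DEMO=1 sh bundle.sh`; for real use, `pem_cat leaf.crt intermediate.crt > chain.pem` followed by `pem_check chain.pem` is the whole recipe.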

Generate a signing request

openssl req -nodes -newkey rsa:2048 -keyout my.domain.key -out my.domain.csr

The resulting .csr is the signing request; my.domain.key is the private key. Keep it readable by root only (mode 0600), since -nodes writes it unencrypted.


Tips&Tricks

Create private key (using config file)

openssl req [-config /etc/pki/tls/www.example.com.cnf] -newkey rsa:2048 -nodes -keyout domain.key

(-config is optional; without -out the CSR that belongs to the new key is printed to stdout)

Create CSR using config file

openssl req -config /etc/pki/tls/www.example.com.cnf -new -newkey rsa:2048 -nodes -keyout example.com.key -out www.example.com.csr

Convert der to pem

openssl x509 -inform der -in certificate.cer -out certificate.pem

Creating CSR for multiple hosts

For example http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html

Remove password from private key

https://wiki.apache.org/httpd/RemoveSSLCertPassPhrase

Examining certificates

openssl verify cert.pem
openssl x509 -in cacert.pem -noout -text
openssl x509 -in foo.pem  -inform pem -noout -text 
openssl rsa -noout -text -in server.key
openssl req -noout -text -in server.csr
openssl rsa -noout -text -in ca.key
openssl x509 -noout -text -in ca.crt

with expiration date:

openssl x509 -noout -text -enddate -in ca.crt
to check the CN (subject):

openssl x509 -in server.crt -noout -subject

PKCS#12 stores (.p12/.pfx):

openssl pkcs12 -info -in keyStore.p12
openssl pkcs12 -info -in keyStore.pfx

Checking a service

Note: -CApath should point to your local collection of public CA certs

openssl s_client -CApath /etc/ssl/certs -connect host:pop3 -starttls pop3
openssl s_client -port 443 -CApath /etc/ssl/certs -host webmail.example.com -prexit
openssl s_client -connect imap.example.com:143 -starttls imap
openssl s_client -connect web.server:443 -showcerts


Check your site

  • https://www.ssllabs.com/ssltest
  • https://www.sslcheck.nl/
  • gnutls-cli

gnutls-cli

echo quit | gnutls-cli --starttls-proto smtp --port 25 servac.skk | grep Status
echo quit | gnutls-cli --port 465 servac.skk | grep Status

check if certs match

TODO: -crl_check too

openssl pkey -in privateKey.key -pubout -outform pem | sha256sum 
openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum 
openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum

These three hashes must be identical; if they differ, the key, CSR and certificate do not belong together. Also:

openssl verify -CAfile ca-bundle foo_bar.crt

A script to do these checks: [sslcheck]
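The following is an added example, not the wiki's own script: it ties together the CSR generation above (key created with restrictive permissions, SANs for multiple hosts supplied through a config file) with the key/CSR/certificate match check of this section. Hostnames (www.example.com and friends), the generated config file and the temporary directory are assumptions of the example.

```shell
#!/bin/sh
# Added example: private key + SAN CSR from a config file, then sanity checks.
set -eu

# $1 = working directory, $2 = CN, remaining args = SAN hostnames
make_csr_with_sans() {
    dir=$1; cn=$2; shift 2
    san=""
    for h in "$@"; do                      # build "DNS:a,DNS:b,..."
        san="${san:+$san,}DNS:$h"
    done
    cat > "$dir/req.cnf" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = $cn

[ v3_req ]
subjectAltName = $san
EOF
    # umask 077 makes the key file 0600 from the moment it is created,
    # so there is no window in which it is readable by anyone else.
    ( umask 077 && openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/req.cnf" -keyout "$dir/$cn.key" -out "$dir/$cn.csr" 2>/dev/null )
}

# Print the SAN list of a CSR: check every name before sending it to the CA
csr_sans() {
    openssl req -noout -text -in "$1" \
        | awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print; exit }'
}

# Permission string of a file, e.g. "-rw-------"
key_mode() {
    ls -l "$1" | cut -c1-10
}

# Public key (PEM) from a private key, a CSR or a certificate
pubkey_pem() {
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -pubkey -noout ;;
        cert) openssl x509 -in "$2" -pubkey -noout ;;
        *)    echo "unknown kind: $1" >&2; return 1 ;;
    esac
}

# SHA-256 over the public key; identical values mean the objects belong together
pubkey_fingerprint() {
    pubkey_pem "$1" "$2" | openssl dgst -sha256 | awk '{ print $NF }'
}

# keys_match key a.key csr a.csr   (or cert a.crt) -> exit 0 when they match
keys_match() {
    [ "$(pubkey_fingerprint "$1" "$2")" = "$(pubkey_fingerprint "$3" "$4")" ]
}

demo() {
    d=$(mktemp -d)
    make_csr_with_sans "$d" www.example.com www.example.com example.com mail.example.com
    echo "SANs: $(csr_sans "$d/www.example.com.csr")"
    echo "key mode: $(key_mode "$d/www.example.com.key")"
    if keys_match key "$d/www.example.com.key" csr "$d/www.example.com.csr"; then
        echo "key and CSR match"
    else
        echo "key and CSR DO NOT match"
    fi
    rm -rf "$d"
}

if [ "${RUN_DEMO:-}" = 1 ]; then demo; fi
```

`keys_match cert server.crt key server.key` is the check to run after the CA returns the certificate, before touching the mail or web server configuration.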

Creating your own CA and signing with it

(based on http://www.eclectica.ca/howto/ssl-cert-howto.php#rootc)

cd /etc/ssl
mkdir newcerts
(perform secret rituals)


FAQ

error 20 at 0 depth lookup: unable to get local issuer certificate

The issuer of the certificate is not in the trust store you are using: pass the right -CAfile/-CApath, or the certificate is self-signed (or signed by a private CA) and that CA has to be added.

 

Verify return code: 21 (unable to verify the first certificate)

The server sent only its own certificate, so the chain cannot be built up to a trusted root. It probably needs the intermediate bundle installed alongside the certificate.


Bad certificate (code 42)

The server requires client certificate authentication and none was presented, which made the handshake fail.

check certificate chain

openssl s_client -connect www.example.com:443 -showcerts

check expiration date

echo | openssl s_client -servername NAME -connect HOST:PORT 2>/dev/null | openssl x509 -noout -dates

139814102202256:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE

I've seen this happen when someone deleted the BEGIN/END CERTIFICATE lines.

SSL CTX certificate file error: error:0906D06C:PEM routines:PEM_read_bio:no start line

??

 

check if server supports old tls

openssl s_client -connect www.example.com:443 -tls1
openssl s_client -connect www.example.com:443 -tls1_1

or when vhost:

 openssl s_client -servername vhost.example.com -connect www.example.com:443 -tls1_1
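The s_client checks of "Checking a service", "check certificate chain", "check expiration date", "check if server supports old tls" and the return codes discussed in the FAQ can be exercised offline. The following is an added example, not code from the wiki page: it builds a throw-away root CA and a server certificate (a minimal version of the "Creating your own CA and signing with it" section), starts `openssl s_server` on 127.0.0.1 with the leaf only, like a host that forgot its intermediate bundle, and then runs each check against it. The CA name, the hostname web.example.test and port 44330 are assumptions of the example.

```shell
#!/bin/sh
# Added example: local TLS server plus the s_client checks run against it.
set -eu

make_test_pki() {
    d=$1
    # Self-signed root CA (req -x509 marks it CA:TRUE via the default config)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3 -subj "/CN=Example Test Root" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    # Server key + CSR, signed by the CA; the SAN is supplied with -extfile
    # because x509 -req does not copy extensions out of the CSR by default
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=web.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:web.example.test\n' > "$d/ext.cnf"
    openssl x509 -req -days 3 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/ext.cnf" -out "$d/server.crt" 2>/dev/null
}

# Numeric "Verify return code" of a connection. $1 = host:port, the remaining
# arguments go straight to s_client (-CAfile, -verify_hostname, -tls1_2, ...).
# Prints nothing when the handshake itself fails.
verify_code() {
    target=$1; shift
    echo | openssl s_client -connect "$target" "$@" 2>/dev/null \
        | sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# How many certificates the server sends (1 = leaf only, no bundle installed)
chain_length() {
    echo | openssl s_client -connect "$1" -showcerts 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# "yes" when the served leaf certificate expires within $2 seconds
expires_within() {
    if echo | openssl s_client -connect "$1" 2>/dev/null \
        | openssl x509 -noout -checkend "$2" >/dev/null 2>&1; then
        echo no
    else
        echo yes
    fi
}

# "yes" when a handshake with the given protocol flag succeeds (-tls1, -tls1_2, ...)
supports_protocol() {
    code=$(verify_code "$1" "$2")
    [ -n "$code" ] && echo yes || echo no
}

run_checks() {
    port=${1:-44330}; d=$(mktemp -d)
    make_test_pki "$d"
    openssl s_server -accept "$port" -cert "$d/server.crt" -key "$d/server.key" -www \
        >/dev/null 2>&1 </dev/null &
    pid=$!
    trap 'kill $pid 2>/dev/null; rm -rf "$d"' EXIT
    for i in 1 2 3 4 5 6 7 8 9 10; do              # wait for the listener to come up
        echo | openssl s_client -connect "127.0.0.1:$port" >/dev/null 2>&1 && break
        sleep 1
    done
    t="127.0.0.1:$port"
    echo "trusted=$(verify_code "$t" -CAfile "$d/ca.crt" -verify_hostname web.example.test)"
    echo "untrusted=$(verify_code "$t")"            # unknown CA, leaf only -> 21
    echo "mismatch=$(verify_code "$t" -CAfile "$d/ca.crt" -verify_hostname wrong.example.test)"
    echo "chain=$(chain_length "$t")"
    echo "expires_in_a_day=$(expires_within "$t" 86400)"
    echo "tls1_2=$(supports_protocol "$t" -tls1_2)"
    echo "tls1_0=$(supports_protocol "$t" -tls1)"  # depends on the local OpenSSL build
}

if [ "${RUN_DEMO:-}" = 1 ]; then run_checks; fi
```

Against a real host replace 127.0.0.1:44330 with host:port and add -servername for name-based virtual hosts; `verify_code` returning 21 together with `chain_length` returning 1 is exactly the "Probably requires bundle" case from the FAQ, and `-verify_hostname` catches the case where the chain is fine but the certificate was issued for a different name.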

 

ERROR: Certificate verification: Not trusted

seems to be an lftp issue

ssllabs checks

Chain issues: Contains anchor

The server sends the root (trust anchor) certificate as part of its chain. Clients already hold the root in their own store and ignore the sent copy, so drop it from the bundle and send only the intermediates.

TODO

 

check smtp submission

openssl s_client -connect mail.host.com:587 -starttls smtp -tls1_