Revision as of 14:52, 21 October 2021

Links

Tools

sslscan
sclient

Documentation and HOWTOs

Dovecot and ssl

Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)

cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.pem

In dovecot.conf:

ssl_cert_file = /usr/local/etc/IMAP.EXAMPLE.COM.crt
ssl_key_file = /usr/local/etc/myserver.key
#optional, only if you want to require client to provide cert
#ssl_ca_file = /usr/local/etc/intermediate.pem

Courier-imap and ssl

Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)

cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt > intermediate.pem
cat myserver.key >> IMAP.EXAMPLE.COM.crt

In imapd-ssl:

TLS_CERTFILE=/usr/local/etc/courier-certs/IMAP.EXAMPLE.COM.crt
TLS_TRUSTCERTS=/usr/local/etc/courier-certs/intermediate.pem

Network Solutions certificates bundle

See http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/

cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.txt

Comodo bundle order

COMODORSAOrganizationValidationSecureServerCA. + COMODO rsa add trust ca ( + addtrustexternalcaroot )

Generate a signing request

openssl req -nodes -newkey rsa:2048 -keyout my.domain.key -out my.domain.csr

The resulting csr is the signing request, my.domain.key is the private key you save not readable for anyone but root!

Tips&Tricks

Create private key (using config file)

openssl req (-config /etc/pki/tls/www.example.com.cnf) -newkey rsa:2048 -nodes -keyout domain.key

Create CSR using config file

openssl req -config /etc/pki/tls/www.example.com.cnf -new -newkey rsa:2048 -nodes -keyout example.com.key -out www.example.com.csr

Convert der to pem

openssl x509 -inform der -in certificate.cer -out certificate.pem

openssl verify cert.pem

openssl x509 -in cacert.pem -noout -text
openssl x509 -in foo.pem  -inform pem -noout -text

openssl rsa -noout -text -in server.key
openssl req -noout -text -in server.csr
openssl rsa -noout -text -in ca.key
openssl x509 -noout -text -in ca.crt

with expiration date:

openssl x509 -noout -text -enddate -in ca.crt

to check CN

openssl x509 -in server.crt -noout -subject

openssl pkcs12 -info -in keyStore.p12
openssl pkcs12 -info -in keyStore.pfx

Checking a service

Note -CApath should point to your local collection of public CA certs

openssl s_client -connect -CApath /etc/ssl/certs host:pop3 -starttls pop3
openssl s_client -port 443 -CApath /etc/ssl/certs -host webmail.example.com -prexit
openssl s_client -connect imap.example.com:143 -starttls imap
openssl s_client -connect web.server:443 -showcerts
openssl s_client -connect webmail.example.com:443 -servername vhost.example.com

Just check expiration date:

 openssl s_client -connect imap.example.com:143 -starttls imap 2>/dev/null | openssl x509 -noout -dates

Check your site

gnutls-cli

echo quit | gnutls-cli --starttls-proto smtp --port 25 servac.skk | grep Status
echo quit | gnutls-cli --port 465 servac.skk | grep Status

check if certs match

TODO: -clr_check too

openssl pkey -in privateKey.key -pubout -outform pem | sha256sum 
openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum 
openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum

These values show match Also:

openssl verify -CAfile ca-bundle foo_bar.crt

A script to do these checks: [sslcheck]

Creating your own CA and signing with it

(based on http://www.eclectica.ca/howto/ssl-cert-howto.php#rootc)

cd /etc/ssl
mkdir newcerts
(perform secret rituals)

FAQ

using s_client

no client certificate sent

try adding -cert

Can't use SSL_get_servername

Try using hostname instead of IP address

write:errno=104

server reset the connection

unable to load client certificate private key file

Verification error: unable to verify the first certificate

problem missing CA cert

error 20 at 0 depth lookup: unable to get local issuer certificate

you probably need to provide the right -CAfile maybe self signed?

Verify return code: 21 (unable to verify the first certificate)

Probably requires bundle

Bad certificate (code 42)

Means the server demands you authenticate with a certificate, and you did not do so, and that caused the handshake failure.

check certificate chain

openssl s_client -connect www.example.com:443 -showcerts

Some of the output

Certificate chain

0 s:CN = foo.local
  i:CN = foo.local-CA

0: first in chain

s: subject ( openssl x509 -noout -in foo.crt -subject )

i: issuer ( openssl x509 -noout -in foo.crt -issuer )

check expiration date

echo | openssl s_client -servername NAME -connect HOST:PORT 2>/dev/null | openssl x509 -noout -dates

139814102202256:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE

i've seen this happen when someone deleted the BEGIN/END CERTIFICATE lines

or a file is in DER format

SSL CTX certificate file error: error:0906D06C:PEM routines:PEM_read_bio:no start line

??

check if webserver supports old tls

openssl s_client -connect www.example.com:443 -tls1
openssl s_client -connect www.example.com:443 -tls1_1

or when vhost:

 openssl s_client -servername vhost.example.com -connect www.example.com:443 -tls1_1

ERROR: Certificate verification: Not trusted

seems to be an lftp issue

unsupported certificate purpose

??

ssllabs checks

Chain issues Contains anchor

TODO

check smtp submission

openssl s_client -connect mail.host.com:587 -starttls smtp -tls1_

@@ Line 12: / Line 12: @@
 *sclient
-==Documentation and HOWTOs==
-*[http://sial.org/howto/openssl/ca/ OpenSSL Certificate Authority Setup]
-*[http://www.herongyang.com/Cryptography/OpenSSL-Certificate-Path-Validation-Tests.html Validating a Certificate Path with OpenSSL]
-*[http://www.techradar.com/news/software/how-ssl-and-tls-works-1047412 How SSL and TLS work]
-*[https://jamielinux.com/docs/openssl-certificate-authority/index.html OpenSSL Certificate Authority]
-*http://dataslinger.com/index.php?/archives/5-Configuring-SSL-certificates-for-Apache,-Dovecot,-Sendmail,-and-IIS.html
-*[http://www.eclectica.ca/howto/ssl-cert-howto.php ssl cert HOWTO]
-*[http://www.madboa.com/geek/openssl/ OpenSSL Command-Line HOWTO]
-*[http://wiki.cacert.org/wiki/VhostTaskForce#head-f7f4c7599aef8b22de373b0922b39f4e75e95db4 1. Way: SubjectAltName Only]
-*[http://www.madboa.com/geek/openssl/ OpenSSL Command-Line HOWTO]
-*[http://www.digicert.com/ssl-support/pem-ssl-creation.htm How to Create a .PEM file for SSL Certificate Installation]
-*http://www.tc.umn.edu/~brams006/selfsign.html
-*[https://kb.wisc.edu/middleware/page.php?id=4064 Verifying that a Private Key Matches a Certificate]
-*[https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce Getting your certificate chain right]
-*[https://stackoverflow.com/questions/25482199/verify-a-certificate-chain-using-openssl-verify Verify certificate chain]
-===Dovecot and ssl===
+== Documentation and HOWTOs ==
+*[http://sial.org/howto/openssl/ca/ OpenSSL Certificate Authority Setup]
+*[http://www.herongyang.com/Cryptography/OpenSSL-Certificate-Path-Validation-Tests.html Validating a Certificate Path with OpenSSL]
+*[http://www.techradar.com/news/software/how-ssl-and-tls-works-1047412 How SSL and TLS work]
+*[https://jamielinux.com/docs/openssl-certificate-authority/index.html OpenSSL Certificate Authority]
+*[http://dataslinger.com/index.php?/archives/5-Configuring-SSL-certificates-for-Apache,-Dovecot,-Sendmail,-and-IIS.html http://dataslinger.com/index.php?/archives/5-Configuring-SSL-certificates-for-Apache,-Dovecot,-Sendmail,-and-IIS.html]
+*[http://www.eclectica.ca/howto/ssl-cert-howto.php ssl cert HOWTO]
+*[http://www.madboa.com/geek/openssl/ OpenSSL Command-Line HOWTO]
+*[http://wiki.cacert.org/wiki/VhostTaskForce#head-f7f4c7599aef8b22de373b0922b39f4e75e95db4 1. Way: SubjectAltName Only]
+*[http://www.madboa.com/geek/openssl/ OpenSSL Command-Line HOWTO]
+*[http://www.digicert.com/ssl-support/pem-ssl-creation.htm How to Create a .PEM file for SSL Certificate Installation]
+*[http://www.tc.umn.edu/~brams006/selfsign.html http://www.tc.umn.edu/~brams006/selfsign.html]
+*[https://kb.wisc.edu/middleware/page.php?id=4064 Verifying that a Private Key Matches a Certificate]
+*[https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce Getting your certificate chain right]
+*[https://stackoverflow.com/questions/25482199/verify-a-certificate-chain-using-openssl-verify Verify certificate chain]
+*[https://langui.sh/2009/03/14/checking-a-remote-certificate-chain-with-openssl/ Checking A Remote Certificate Chain With OpenSSL]
+=== Dovecot and ssl ===
+Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)
-Networksolutions certs:
-After creating myserver.key and myserver.csr and obtaining certs:
-(don't forget to insert newlines between the blocks!)
   cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.pem
 In dovecot.conf:
   ssl_cert_file = /usr/local/etc/IMAP.EXAMPLE.COM.crt
   ssl_key_file = /usr/local/etc/myserver.key
@@ Line 41: / Line 46: @@
   #ssl_ca_file = /usr/local/etc/intermediate.pem
-===Courier-imap and ssl===
+=== Courier-imap and ssl ===
-*http://linsec.ca/Using_Courier-IMAP_and_SSL
-*http://linux.seindal.dk/2005/12/04/making-a-courier-imap-ssl-sertificate/
+*[http://linsec.ca/Using_Courier-IMAP_and_SSL http://linsec.ca/Using_Courier-IMAP_and_SSL]
+*[http://linux.seindal.dk/2005/12/04/making-a-courier-imap-ssl-sertificate/ http://linux.seindal.dk/2005/12/04/making-a-courier-imap-ssl-sertificate/]
+Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)
-Networksolutions certs:
-After creating myserver.key and myserver.csr and obtaining certs:
-(don't forget to insert newlines between the blocks!)
   cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt > intermediate.pem
   cat myserver.key >> IMAP.EXAMPLE.COM.crt
 In imapd-ssl:
   TLS_CERTFILE=/usr/local/etc/courier-certs/IMAP.EXAMPLE.COM.crt
   TLS_TRUSTCERTS=/usr/local/etc/courier-certs/intermediate.pem
-===Network Solutions certificates bundle===
+=== Network Solutions certificates bundle ===
-See http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/
+See [http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/ http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/]
   cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.txt
+&nbsp;
+=== Comodo bundle order ===
-===Comodo bundle order===
 COMODORSAOrganizationValidationSecureServerCA. + COMODO rsa add trust ca ( + addtrustexternalcaroot )
-===Generate a signing request===
+=== Generate a signing request ===
   openssl req -nodes -newkey rsa:2048 -keyout my.domain.key -out my.domain.csr
 The resulting csr is the signing request, my.domain.key is the private key you save not readable for anyone but root!
 == Tips&Tricks ==

Anonymous

Search

Openssl: Difference between revisions