Latest revision as of 10:56, 17 June 2024

Links

Tools

openssl
sslscan
sclient
gnutls-cli

Documentation and HOWTOs

Check SSL Certificate Chain with OpenSSL Examples

Dovecot and ssl

Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)

cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.pem

In dovecot.conf:

ssl_cert_file = /usr/local/etc/IMAP.EXAMPLE.COM.crt
ssl_key_file = /usr/local/etc/myserver.key
#optional, only if you want to require client to provide cert
#ssl_ca_file = /usr/local/etc/intermediate.pem

Courier-imap and ssl

Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)

cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt > intermediate.pem
cat myserver.key >> IMAP.EXAMPLE.COM.crt

In imapd-ssl:

TLS_CERTFILE=/usr/local/etc/courier-certs/IMAP.EXAMPLE.COM.crt
TLS_TRUSTCERTS=/usr/local/etc/courier-certs/intermediate.pem

Network Solutions certificates bundle

See http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/

cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.txt

Comodo bundle order

COMODORSAOrganizationValidationSecureServerCA. + COMODO rsa add trust ca ( + addtrustexternalcaroot )

Generate a signing request

openssl req -nodes -newkey rsa:2048 -keyout my.domain.key -out my.domain.csr

The resulting csr is the signing request, my.domain.key is the private key you save not readable for anyone but root!

HOWTO

Generate PSK

openssl rand -hex 32

Converting certificates

https://stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key

Create private key (using config file)

openssl req (-config /etc/pki/tls/www.example.com.cnf) -newkey rsa:2048 -nodes -keyout domain.key

Create CSR using config file

openssl req -config /etc/pki/tls/www.example.com.cnf -new -newkey rsa:2048 -nodes -keyout example.com.key -out www.example.com.csr

Convert der to pem

openssl x509 -inform der -in certificate.cer -out certificate.pem

Creating CSR for multiple hosts

For example http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html

Remove password from private key

https://wiki.apache.org/httpd/RemoveSSLCertPassPhrase

Examining certificates

http://www.madboa.com/geek/openssl/#verify-standard

openssl verify cert.pem

openssl x509 -in cacert.pem -noout -text
openssl x509 -in foo.pem  -inform pem -noout -text

openssl rsa -noout -text -in server.key
openssl req -noout -text -in server.csr
openssl rsa -noout -text -in ca.key
openssl x509 -noout -text -in ca.crt

with expiration date:

openssl x509 -noout -text -enddate -in ca.crt

to check CN

openssl x509 -in server.crt -noout -subject

openssl pkcs12 -info -in keyStore.p12
openssl pkcs12 -info -in keyStore.pfx

Checking a service

Note -CApath should point to your local collection of public CA certs

openssl s_client -connect -CApath /etc/ssl/certs host:pop3 -starttls pop3
openssl s_client -port 443 -CApath /etc/ssl/certs -host webmail.example.com -prexit
openssl s_client -connect imap.example.com:143 -starttls imap
openssl s_client -connect web.server:443 -showcerts
openssl s_client -connect webmail.example.com:443 -servername vhost.example.com

Just check expiration date:

 openssl s_client -connect imap.example.com:143 -starttls imap 2>/dev/null | openssl x509 -noout -dates

Check your site

gnutls-cli

echo quit | gnutls-cli --starttls-proto smtp --port 25 servac.skk | grep Status
echo quit | gnutls-cli --port 465 servac.skk | grep Status

check if certs match

TODO: -clr_check too

openssl pkey -in privateKey.key -pubout -outform pem | sha256sum 
openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum 
openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum

These values show match Also:

openssl verify -CAfile ca-bundle foo_bar.crt

A script to do these checks: [sslcheck]

Creating your own CA and signing with it

(based on http://www.eclectica.ca/howto/ssl-cert-howto.php#rootc)

cd /etc/ssl
mkdir newcerts
(perform secret rituals)

Check which ciphers and tls versions your openssl supports

openssl ciphers -v

Check if site supports TLS v1.2

openssl s_client -connect google.com:443 -servername google.com -tls1_2

FAQ

Error messages

OpenSSL: error:0A000102:SSL routines::unsupported protocol

This could becaure you're trying to an older version of TLS, check openssl.cnf for

CipherString = DEFAULT:@SECLEVEL=2

which means it enforces minimum of TLSv1.2

You might now get

OpenSSL: error:0A000152:SSL routines::unsafe legacy renegotiation disabled

which means add below the CipherString line:

Options = UnsafeLegacyRenegotiation

Get issuer

openssl s_client -showcerts -connect <YOURHOST>:443 < /dev/null 2>/dev/null |grep -i issuer

Order of certificates in bundle

Root CA comes last

using s_client

no client certificate sent

try adding -cert

Secure Renegotiation IS NOT supported

Probably using wrong TLS version

Can't use SSL_get_servername

Try using hostname instead of IP address

write:errno=104

server reset the connection

no peer certificate available

Could be trying to talk tls to ssl?

unable to load client certificate private key file

Verification error: unable to verify the first certificate

problem missing CA cert

error 20 at 0 depth lookup: unable to get local issuer certificate

you probably need to provide the right -CAfile maybe self signed?

Verify return code: 21 (unable to verify the first certificate)

Probably requires bundle

Bad certificate (code 42)

Means the server demands you authenticate with a certificate, and you did not do so, and that caused the handshake failure.

check certificate chain

openssl s_client -connect www.example.com:443 -showcerts

Some of the output

Certificate chain

0 s:CN = foo.local
  i:CN = foo.local-CA

0: first in chain

s: subject ( openssl x509 -noout -in foo.crt -subject )

i: issuer ( openssl x509 -noout -in foo.crt -issuer )

OR

openssl s_client -showcerts -verify 5 -connect ldap.example.com:636  < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/)    {a++}; out="bluePage-cert"a".pem"; print >out}'

or

openssl s_client -showcerts -verify 5 -connect ldap.example.com:389 starttls ldap  < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/)    {a++}; out="bluePage-cert"a".pem"; print >out}'

check expiration date

echo | openssl s_client -servername NAME -connect HOST:PORT 2>/dev/null | openssl x509 -noout -dates

openssl x509 -enddate -noout -in file.pem

139814102202256:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE

i've seen this happen when someone deleted the BEGIN/END CERTIFICATE lines

or a file is in DER format

SSL CTX certificate file error: error:0906D06C:PEM routines:PEM_read_bio:no start line

??

check if webserver supports old tls

openssl s_client -connect www.example.com:443 -tls1
openssl s_client -connect www.example.com:443 -tls1_1

or when vhost:

 openssl s_client -servername vhost.example.com -connect www.example.com:443 -tls1_1

ERROR: Certificate verification: Not trusted

seems to be an lftp issue

unsupported certificate purpose

??

ssllabs checks

Chain issues: Incorrect order, Contains anchor

Could be the topmost cert in the bundle provided, try removing it

Chain issues: Contains anchor

Seems to mean there's a root ca in the bundle

check smtp submission

echo -n "username" | base64
echo -n "password" | base64

openssl s_client -connect mail.host.com:587 -starttls smtp -crlf

EHLO foo.bar
AUTH LOGIN

base64username

base64password

OR

echo -ne '\0username\0password'| base64
AUTH LOGIN output_of_that_echo

Peer's Certificate issuer is not recognized.

p12 / pkcs12

https://fileinfo.com/extension/p12

openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pem
openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pem

server certificate does NOT include an ID which matches the server name

todo

@@ Line 1: / Line 1: @@
-==Links==
+=Links=
 *[https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/ Why you don't want EV certificate]
 *[https://mozilla.github.io/server-side-tls/ssl-config-generator/ SSL confg generator]
@@ Line 7: / Line 7: @@
-== Tools ==
+= Tools =
+*openssl
 *sslscan
 *sclient
+*[[gnutls-cli]]
+= Documentation and HOWTOs =
-== Documentation and HOWTOs ==
 *[http://sial.org/howto/openssl/ca/ OpenSSL Certificate Authority Setup]
@@ Line 26: / Line 26: @@
 *[http://www.digicert.com/ssl-support/pem-ssl-creation.htm How to Create a .PEM file for SSL Certificate Installation]
 *[http://www.tc.umn.edu/~brams006/selfsign.html http://www.tc.umn.edu/~brams006/selfsign.html]
-*[https://kb.wisc.edu/middleware/page.php?id=4064 Verifying that a Private Key Matches a Certificate]
 *[https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce Getting your certificate chain right]
 *[https://stackoverflow.com/questions/25482199/verify-a-certificate-chain-using-openssl-verify Verify certificate chain]
+*[https://whatsmychaincert.com What is my certificate chain?]
 *[https://langui.sh/2009/03/14/checking-a-remote-certificate-chain-with-openssl/ Checking A Remote Certificate Chain With OpenSSL]
+*[https://www.howtouselinux.com/post/certificate-chain Check SSL Certificate Chain with OpenSSL Examples]
 === Dovecot and ssl ===
@@ Line 46: / Line 46: @@
   #ssl_ca_file = /usr/local/etc/intermediate.pem
-=== Courier-imap and ssl ===
+== Courier-imap and ssl ==
 *[http://linsec.ca/Using_Courier-IMAP_and_SSL http://linsec.ca/Using_Courier-IMAP_and_SSL]
@@ Line 61: / Line 61: @@
   TLS_TRUSTCERTS=/usr/local/etc/courier-certs/intermediate.pem
-=== Network Solutions certificates bundle ===
+== Network Solutions certificates bundle ==
 See [http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/ http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/]
   cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.txt
-&nbsp;
 === Comodo bundle order ===
@@ Line 79: / Line 77: @@
 The resulting csr is the signing request, my.domain.key is the private key you save not readable for anyone but root!
-== Tips&Tricks ==
+= HOWTO =
+==Generate PSK ==
+ openssl rand -hex 32
+==Converting certificates==
+https://stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key
 === Create private key (using config file) ===
@@ Line 85: / Line 89: @@
   openssl req (-config /etc/pki/tls/www.example.com.cnf) -newkey rsa:2048 -nodes -keyout domain.key
-=== Create CSR using config file ===
+== Create CSR using config file ==
   openssl req -config /etc/pki/tls/www.example.com.cnf -new -newkey rsa:2048 -nodes -keyout example.com.key -out www.example.com.csr
-=== Convert der to pem ===
+== Convert der to pem ==
   openssl x509 -inform der -in certificate.cer -out certificate.pem
-=== Creating CSR for multiple hosts ===
+== Creating CSR for multiple hosts ==
 For example [http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html]
@@ Line 101: / Line 105: @@
 [https://wiki.apache.org/httpd/RemoveSSLCertPassPhrase https://wiki.apache.org/httpd/RemoveSSLCertPassPhrase]
-=== Examining certificates ===
+== Examining certificates ==
 *[http://www.madboa.com/geek/openssl/#verify-standard http://www.madboa.com/geek/openssl/#verify-standard]
@@ Line 128: / Line 132: @@
-=== Checking a service ===
+== Checking a service ==
 #Note -CApath should point to your local collection of public CA certs
@@ Line 144: / Line 148: @@
 &nbsp;
-=== Check your site ===
+== Check your site ==
 *[https://www.ssllabs.com/ssltest https://www.ssllabs.com/ssltest]
 *[https://www.sslcheck.nl/ https://www.sslcheck.nl/]
+*[https://internet.nl Internet.nl]
-===gnutls-cli ===
+==gnutls-cli ==
   echo quit | gnutls-cli --starttls-proto smtp --port 25 servac.skk | grep Status
   echo quit | gnutls-cli --port 465 servac.skk | grep Status
@@ Line 168: / Line 172: @@
 A script to do these checks: [[https://www.tuxick.net/sslcheck sslcheck]]
-=Creating your own CA and signing with it=
+== Creating your own CA and signing with it==
 (based on http://www.eclectica.ca/howto/ssl-cert-howto.php#rootc)
@@ Line 176: / Line 180: @@
+== Check which ciphers and tls versions your openssl supports==
+ openssl ciphers -v
+==Check if site supports TLS v1.2==
+openssl s_client -connect google.com:443 -servername google.com -tls1_2
+= FAQ =
+==Error messages==
+===OpenSSL: error:0A000102:SSL routines::unsupported protocol===
+This could becaure you're trying to an older version of TLS, check '''openssl.cnf''' for
+ CipherString = DEFAULT:@SECLEVEL=2
+which means it enforces minimum of TLSv1.2
+You might now get
+===OpenSSL: error:0A000152:SSL routines::unsafe legacy renegotiation disabled===
+which means add below the CipherString line:
+ Options = UnsafeLegacyRenegotiation
+==Get issuer==
+ openssl s_client -showcerts -connect <YOURHOST>:443 < /dev/null 2>/dev/null |grep -i issuer
+== Order of certificates in bundle==
+Root CA comes last
-= FAQ =
 == using s_client ==
@@ Line 202: / Line 223: @@
 server reset the connection
+===no peer certificate available===
+Could be trying to talk tls to ssl?
 == unable to load client certificate private key file ==
@@ Line 246: / Line 270: @@
 i: issuer ( openssl x509 -noout -in foo.crt -issuer )
+OR
+ openssl s_client -showcerts -verify 5 -connect ldap.example.com:636  < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/)    {a++}; out="bluePage-cert"a".pem"; print >out}'
+or
+ openssl s_client -showcerts -verify 5 -connect ldap.example.com:389 starttls ldap  < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/)    {a++}; out="bluePage-cert"a".pem"; print >out}'
 == check expiration date ==
@@ Line 251: / Line 281: @@
   echo | openssl s_client -servername NAME -connect HOST:PORT 2>/dev/null | openssl x509 -noout -dates
-&nbsp;
+ openssl x509 -enddate -noout -in file.pem
 == 139814102202256:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE ==
@@ Line 285: / Line 317: @@
 ??
+&nbsp;
 == ssllabs checks ==
+=== Chain issues: Incorrect order, Contains anchor ===
-===Chain issues: Incorrect order, Contains anchor
+Could be the topmost cert in the bundle provided, try removing it
-TODO
+&nbsp;
-&nbsp;
+=== Chain issues: Contains anchor ===
-&nbsp;
+Seems to mean there's a root ca in the bundle
-=== check smtp submission ===
+== check smtp submission ==
   echo -n "username" | base64
@@ Line 314: / Line 349: @@
   echo -ne '\0username\0password'| base64
-  AUTH LOGING output_of_that_echo
+  AUTH LOGIN output_of_that_echo
+===Peer's Certificate issuer is not recognized.===
+=p12 / pkcs12=
+https://fileinfo.com/extension/p12
+ openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pem
+ openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pem
+===server certificate does NOT include an ID which matches the server name===
+todo

Anonymous

Search

Openssl: Difference between revisions