Openssl: Difference between revisions
From DWIKI
| (146 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
=Links= | |||
*[https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/ Why you don't want EV certificate] | |||
*[https://mozilla.github.io/server-side-tls/ssl-config-generator/ SSL confg generator] | |||
*[http://www.openssl.org/ openssl homepage] | *[http://www.openssl.org/ openssl homepage] | ||
*[http://gagravarr.org/writing/openssl-certs/index.shtml http://gagravarr.org/writing/openssl-certs/index.shtml] | *[http://gagravarr.org/writing/openssl-certs/index.shtml http://gagravarr.org/writing/openssl-certs/index.shtml] | ||
*[https://whatsmychaincert.com/ What's My Chain Cert?] | |||
==Documentation and HOWTOs= | = Tools = | ||
*[http://sial.org/howto/openssl/ca/ OpenSSL Certificate Authority Setup] | *openssl | ||
*[http://www.eclectica.ca/howto/ssl-cert-howto.php ssl cert HOWTO] | *sslscan | ||
*sclient | |||
*[[gnutls-cli]] | |||
= Documentation and HOWTOs = | |||
*[https://docs.openssl.org/1.1.1/man1/pkcs12/ pkcs12] | |||
*[http://sial.org/howto/openssl/ca/ OpenSSL Certificate Authority Setup] | |||
*[http://www.herongyang.com/Cryptography/OpenSSL-Certificate-Path-Validation-Tests.html Validating a Certificate Path with OpenSSL] | |||
*[http://www.techradar.com/news/software/how-ssl-and-tls-works-1047412 How SSL and TLS work] | |||
*[https://jamielinux.com/docs/openssl-certificate-authority/index.html OpenSSL Certificate Authority] | |||
*[http://dataslinger.com/index.php?/archives/5-Configuring-SSL-certificates-for-Apache,-Dovecot,-Sendmail,-and-IIS.html http://dataslinger.com/index.php?/archives/5-Configuring-SSL-certificates-for-Apache,-Dovecot,-Sendmail,-and-IIS.html] | |||
*[http://www.eclectica.ca/howto/ssl-cert-howto.php ssl cert HOWTO] | |||
*[http://www.madboa.com/geek/openssl/ OpenSSL Command-Line HOWTO] | |||
*[http://wiki.cacert.org/wiki/VhostTaskForce#head-f7f4c7599aef8b22de373b0922b39f4e75e95db4 1. Way: SubjectAltName Only] | |||
*[http://www.madboa.com/geek/openssl/ OpenSSL Command-Line HOWTO] | |||
*[http://www.digicert.com/ssl-support/pem-ssl-creation.htm How to Create a .PEM file for SSL Certificate Installation] | |||
*[http://www.tc.umn.edu/~brams006/selfsign.html http://www.tc.umn.edu/~brams006/selfsign.html] | |||
*[https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce Getting your certificate chain right] | |||
*[https://stackoverflow.com/questions/25482199/verify-a-certificate-chain-using-openssl-verify Verify certificate chain] | |||
*[https://whatsmychaincert.com What is my certificate chain?] | |||
*[https://langui.sh/2009/03/14/checking-a-remote-certificate-chain-with-openssl/ Checking A Remote Certificate Chain With OpenSSL] | |||
*[https://www.howtouselinux.com/post/certificate-chain Check SSL Certificate Chain with OpenSSL Examples] | |||
=== Dovecot and ssl === | |||
Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!) | |||
cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.pem | |||
In dovecot.conf: | |||
ssl_cert_file = /usr/local/etc/IMAP.EXAMPLE.COM.crt | |||
ssl_key_file = /usr/local/etc/myserver.key | |||
#optional, only if you want to require client to provide cert | |||
#ssl_ca_file = /usr/local/etc/intermediate.pem | |||
== Courier-imap and ssl == | |||
*[http://linsec.ca/Using_Courier-IMAP_and_SSL http://linsec.ca/Using_Courier-IMAP_and_SSL] | |||
*[http://linux.seindal.dk/2005/12/04/making-a-courier-imap-ssl-sertificate/ http://linux.seindal.dk/2005/12/04/making-a-courier-imap-ssl-sertificate/] | |||
Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!) | |||
cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt > intermediate.pem | |||
cat myserver.key >> IMAP.EXAMPLE.COM.crt | |||
In imapd-ssl: | |||
TLS_CERTFILE=/usr/local/etc/courier-certs/IMAP.EXAMPLE.COM.crt | |||
TLS_TRUSTCERTS=/usr/local/etc/courier-certs/intermediate.pem | |||
== Network Solutions certificates bundle == | |||
See [http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/ http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/] | |||
cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.txt | |||
=== Comodo bundle order === | |||
COMODORSAOrganizationValidationSecureServerCA. + COMODO rsa add trust ca ( + addtrustexternalcaroot ) | |||
=== Generate a signing request (CSR)=== | |||
N=my.domain | |||
openssl req -nodes -newkey rsa:2048 -keyout $N.key -out $N.csr | |||
openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout server.key -out server.csr | |||
The resulting csr is the signing request, my.domain.key is the private key you save not readable for anyone but root! | |||
= HOWTO = | |||
==Add custom Root CA to your system== | |||
===On Ubuntu=== | |||
Copy to /usr/local/share/ca-certificates | |||
update-ca-certificates --fresh | |||
==Generate PSK == | |||
openssl rand -hex 32 | |||
==Converting certificates== | |||
https://stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key | |||
=== Create private key (using config file) === | |||
openssl req (-config /etc/pki/tls/www.example.com.cnf) -newkey rsa:2048 -nodes -keyout domain.key | |||
== Create CSR using config file == | |||
openssl req -config /etc/pki/tls/www.example.com.cnf -new -newkey rsa:2048 -noenc -keyout example.com.key -out www.example.com.csr | |||
==Create .p12== | |||
openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in myCert.cer | |||
== Convert der to pem == | |||
openssl x509 -inform der -in certificate.cer -out certificate.pem | |||
== Creating CSR for multiple hosts == | |||
For example [http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html] | |||
=== Remove password from private key === | |||
[https://wiki.apache.org/httpd/RemoveSSLCertPassPhrase https://wiki.apache.org/httpd/RemoveSSLCertPassPhrase] | |||
== Examining certificates == | |||
*[http://www.madboa.com/geek/openssl/#verify-standard http://www.madboa.com/geek/openssl/#verify-standard] | |||
openssl verify cert.pem | |||
openssl x509 -in cacert.pem -noout -text | |||
openssl x509 -in foo.pem -inform pem -noout -text | |||
openssl rsa -noout -text -in server.key | |||
===Read contents of crt=== | |||
openssl x509 -noout -text -in ca.crt | |||
===Read contents of csr=== | |||
openssl req -noout -text -in server.csr | |||
openssl rsa -noout -text -in ca.key | |||
with expiration date: | |||
openssl x509 -noout -text -enddate -in ca.crt | |||
#to check CN | |||
openssl x509 -in server.crt -noout -subject | |||
openssl pkcs12 -info -in keyStore.p12 | |||
openssl pkcs12 -info -in keyStore.pfx | |||
== Checking a service == | |||
#Note -CApath should point to your local collection of public CA certs | |||
openssl s_client -connect -CApath /etc/ssl/certs host:pop3 -starttls pop3 | |||
openssl s_client -port 443 -CApath /etc/ssl/certs -host webmail.example.com -prexit | |||
openssl s_client -connect imap.example.com:143 -starttls imap | |||
openssl s_client -connect web.server:443 -showcerts | |||
openssl s_client -connect webmail.example.com:443 -servername vhost.example.com | |||
Just check expiration date: | |||
openssl s_client -connect imap.example.com:143 -starttls imap 2>/dev/null | openssl x509 -noout -dates | |||
| |||
== Check your site == | |||
*[https://www.ssllabs.com/ssltest https://www.ssllabs.com/ssltest] | |||
*[https://www.sslcheck.nl/ https://www.sslcheck.nl/] | |||
*[https://internet.nl Internet.nl] | |||
==gnutls-cli == | |||
echo quit | gnutls-cli --starttls-proto smtp --port 25 servac.skk | grep Status | |||
echo quit | gnutls-cli --port 465 servac.skk | grep Status | |||
== check if certs match == | |||
TODO: -clr_check too | |||
openssl pkey -in privateKey.key -pubout -outform pem | sha256sum | |||
openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum | |||
openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum | |||
These values show match Also: | |||
openssl verify -CAfile ca-bundle foo_bar.crt | |||
A script to do these checks: [[https://www.tuxick.net/sslcheck sslcheck]] | |||
== Creating your own CA and signing with it== | |||
(based on http://www.eclectica.ca/howto/ssl-cert-howto.php#rootc) | |||
cd /etc/ssl | |||
mkdir newcerts | |||
(perform secret rituals) | |||
== Check which ciphers and tls versions your openssl supports== | |||
openssl ciphers -v | |||
==Check if site supports TLS v1.2== | |||
openssl s_client -connect google.com:443 -servername google.com -tls1_2 | |||
==Create client key for authentication== | |||
* https://docs.devolutions.net/workspace/kb/general-knowledge/secure-self-signed-certificates/ | |||
Create key | |||
openssl -genkey -noout -out my.key | |||
Create cert | |||
openssl req -new -x509 -sha256 -days 180 -key my.key -out my.crt | |||
Convert to p12 | |||
==Get issuer== | |||
openssl s_client -showcerts -connect <YOURHOST>:443 < /dev/null 2>/dev/null |grep -i issuer | |||
or better: | |||
openssl s_client -showcerts -connect YOURHOST:443 -servername YOURHOST -showcerts </dev/null | openssl x509 -nouout -issuer | |||
and even | |||
openssl s_client -servername $H -host $H -port 443 -showcerts </dev/null 2>/dev/null| openssl x509 -noout -issuer | sed 's/.* O = \(.*\), CN.*/\1/' | |||
= FAQ = | |||
==Should i include the Root CA?== | |||
Only if server software demands it. | |||
==Error messages== | |||
=== SSL CTX certificate file error: error:0906D06C:PEM routines:PEM_read_bio:no start line === | |||
?? | |||
=== 139814102202256:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE === | |||
i've seen this happen when someone deleted the BEGIN/END CERTIFICATE lines | |||
or a file is in DER format | |||
=== error 20 at 0 depth lookup: unable to get local issuer certificate === | |||
you probably need to provide the right -CAfile maybe self signed? | |||
===self-signed certificate in certificate chain=== | |||
===OpenSSL: error:0A000102:SSL routines::unsupported protocol=== | |||
This could becaure you're trying to an older version of TLS, check '''openssl.cnf''' for | |||
CipherString = DEFAULT:@SECLEVEL=2 | |||
which means it enforces minimum of TLSv1.2 | |||
You might now get | |||
===OpenSSL: error:0A000152:SSL routines::unsafe legacy renegotiation disabled=== | |||
which means add below the CipherString line: | |||
Options = UnsafeLegacyRenegotiation | |||
===SSL: error:13800076:OCSP routines::signer certificate not found=== | |||
? | |||
== Order of certificates in bundle== | |||
Root CA comes last | |||
== using s_client == | |||
=== no client certificate sent === | |||
try adding -cert | |||
| |||
=== Secure Renegotiation IS NOT supported === | |||
Probably using wrong TLS version | |||
=== Can't use SSL_get_servername === | |||
Try using hostname instead of IP address | |||
=== write:errno=104 === | |||
server reset the connection | |||
===no peer certificate available=== | |||
Could be trying to talk tls to ssl, also check tls version used/enforced. | |||
===socket: Bad file descriptor=== | |||
Most likely you just can't connect | |||
== unable to load client certificate private key file == | |||
== Verification error: unable to verify the first certificate == | |||
problem missing CA cert | |||
| |||
== Verify return code: 21 (unable to verify the first certificate) == | |||
Probably requires bundle ''including the first cert''' | |||
== Bad certificate (code 42) == | |||
Means the server demands you authenticate with a certificate, and you did not do so, and that caused the handshake failure. | |||
== How to check certificate chain? == | |||
openssl s_client -connect www.example.com:443 -showcerts | |||
=== Some of the output === | |||
Certificate chain | |||
0 s:CN = foo.local | |||
i:CN = foo.local-CA | |||
0: first in chain | |||
s: subject ( openssl x509 -noout -in foo.crt -subject ) | |||
i: issuer ( openssl x509 -noout -in foo.crt -issuer ) | |||
OR | |||
openssl s_client -showcerts -verify 5 -connect ldap.example.com:636 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/) {a++}; out="bluePage-cert"a".pem"; print >out}' | |||
or | |||
openssl s_client -showcerts -verify 5 -connect ldap.example.com:389 starttls ldap < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/) {a++}; out="bluePage-cert"a".pem"; print >out}' | |||
== check expiration date == | |||
echo | openssl s_client -servername NAME -connect HOST:PORT 2>/dev/null | openssl x509 -noout -dates | |||
openssl x509 -enddate -noout -in file.pem | |||
== check if webserver supports old tls == | |||
openssl s_client -connect www.example.com:443 -tls1 | |||
openssl s_client -connect www.example.com:443 -tls1_1 | |||
or when vhost: | |||
openssl s_client -servername vhost.example.com -connect www.example.com:443 -tls1_1 | |||
| |||
== ERROR: Certificate verification: Not trusted == | |||
seems to be an lftp issue | |||
== unsupported certificate purpose == | |||
?? | |||
| |||
== ssllabs checks == | |||
=== Chain issues: Incorrect order, Contains anchor === | |||
Could be the topmost cert in the bundle provided, try removing it | |||
| |||
=== Chain issues: Contains anchor === | |||
Seems to mean there's a root ca in the bundle | |||
== check smtp submission == | |||
echo -n "username" | base64 | |||
echo -n "password" | base64 | |||
openssl s_client -connect mail.host.com:587 -starttls smtp -crlf | |||
EHLO foo.bar | |||
AUTH LOGIN | |||
base64username | |||
base64password | |||
OR | |||
echo -ne '\0username\0password'| base64 | |||
AUTH LOGIN output_of_that_echo | |||
===Peer's Certificate issuer is not recognized.=== | |||
=p12 / pkcs12= | |||
* https://fileinfo.com/extension/p12 | |||
* [https://www.ssl.com/how-to/export-certificates-private-key-from-pkcs12-file-with-openssl/ Export Certificates and Private Key from a PKCS#12 File with OpenSSL] | |||
== Show info about p12 file== | |||
openssl pkcs12 -info -in INFILE.p12 -nodes | |||
== Extract keys from p12 == | |||
=== Extract private key === | |||
openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pem | |||
=== Extract client certificate === | |||
openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pem | |||
===server certificate does NOT include an ID which matches the server name=== | |||
todo | |||
Latest revision as of 08:00, 8 June 2026
Links
- Why you don't want EV certificate
- SSL confg generator
- openssl homepage
- http://gagravarr.org/writing/openssl-certs/index.shtml
- What's My Chain Cert?
Tools
- openssl
- sslscan
- sclient
- gnutls-cli
Documentation and HOWTOs
- pkcs12
- OpenSSL Certificate Authority Setup
- Validating a Certificate Path with OpenSSL
- How SSL and TLS work
- OpenSSL Certificate Authority
- http://dataslinger.com/index.php?/archives/5-Configuring-SSL-certificates-for-Apache,-Dovecot,-Sendmail,-and-IIS.html
- ssl cert HOWTO
- OpenSSL Command-Line HOWTO
- 1. Way: SubjectAltName Only
- OpenSSL Command-Line HOWTO
- How to Create a .PEM file for SSL Certificate Installation
- http://www.tc.umn.edu/~brams006/selfsign.html
- Getting your certificate chain right
- Verify certificate chain
- What is my certificate chain?
- Checking A Remote Certificate Chain With OpenSSL
Dovecot and ssl
Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)
cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.pem
In dovecot.conf:
ssl_cert_file = /usr/local/etc/IMAP.EXAMPLE.COM.crt ssl_key_file = /usr/local/etc/myserver.key #optional, only if you want to require client to provide cert #ssl_ca_file = /usr/local/etc/intermediate.pem
Courier-imap and ssl
- http://linsec.ca/Using_Courier-IMAP_and_SSL
- http://linux.seindal.dk/2005/12/04/making-a-courier-imap-ssl-sertificate/
Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)
cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt > intermediate.pem cat myserver.key >> IMAP.EXAMPLE.COM.crt
In imapd-ssl:
TLS_CERTFILE=/usr/local/etc/courier-certs/IMAP.EXAMPLE.COM.crt TLS_TRUSTCERTS=/usr/local/etc/courier-certs/intermediate.pem
Network Solutions certificates bundle
See http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/
cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.txt
Comodo bundle order
COMODORSAOrganizationValidationSecureServerCA. + COMODO rsa add trust ca ( + addtrustexternalcaroot )
Generate a signing request (CSR)
N=my.domain openssl req -nodes -newkey rsa:2048 -keyout $N.key -out $N.csr
openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout server.key -out server.csr
The resulting csr is the signing request, my.domain.key is the private key you save not readable for anyone but root!
HOWTO
Add custom Root CA to your system
On Ubuntu
Copy to /usr/local/share/ca-certificates
update-ca-certificates --fresh
Generate PSK
openssl rand -hex 32
Converting certificates
https://stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key
Create private key (using config file)
openssl req (-config /etc/pki/tls/www.example.com.cnf) -newkey rsa:2048 -nodes -keyout domain.key
Create CSR using config file
openssl req -config /etc/pki/tls/www.example.com.cnf -new -newkey rsa:2048 -noenc -keyout example.com.key -out www.example.com.csr
Create .p12
openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in myCert.cer
Convert der to pem
openssl x509 -inform der -in certificate.cer -out certificate.pem
Creating CSR for multiple hosts
For example http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html
Remove password from private key
https://wiki.apache.org/httpd/RemoveSSLCertPassPhrase
Examining certificates
openssl verify cert.pem
openssl x509 -in cacert.pem -noout -text openssl x509 -in foo.pem -inform pem -noout -text
openssl rsa -noout -text -in server.key
Read contents of crt
openssl x509 -noout -text -in ca.crt
Read contents of csr
openssl req -noout -text -in server.csr
openssl rsa -noout -text -in ca.key
with expiration date:
openssl x509 -noout -text -enddate -in ca.crt
- to check CN
openssl x509 -in server.crt -noout -subject
openssl pkcs12 -info -in keyStore.p12 openssl pkcs12 -info -in keyStore.pfx
Checking a service
- Note -CApath should point to your local collection of public CA certs
openssl s_client -connect -CApath /etc/ssl/certs host:pop3 -starttls pop3 openssl s_client -port 443 -CApath /etc/ssl/certs -host webmail.example.com -prexit openssl s_client -connect imap.example.com:143 -starttls imap openssl s_client -connect web.server:443 -showcerts openssl s_client -connect webmail.example.com:443 -servername vhost.example.com
Just check expiration date:
openssl s_client -connect imap.example.com:143 -starttls imap 2>/dev/null | openssl x509 -noout -dates
Check your site
gnutls-cli
echo quit | gnutls-cli --starttls-proto smtp --port 25 servac.skk | grep Status echo quit | gnutls-cli --port 465 servac.skk | grep Status
check if certs match
TODO: -clr_check too
openssl pkey -in privateKey.key -pubout -outform pem | sha256sum openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum
These values show match Also:
openssl verify -CAfile ca-bundle foo_bar.crt
A script to do these checks: [sslcheck]
Creating your own CA and signing with it
(based on http://www.eclectica.ca/howto/ssl-cert-howto.php#rootc)
cd /etc/ssl mkdir newcerts (perform secret rituals)
Check which ciphers and tls versions your openssl supports
openssl ciphers -v
Check if site supports TLS v1.2
openssl s_client -connect google.com:443 -servername google.com -tls1_2
Create client key for authentication
Create key
openssl -genkey -noout -out my.key
Create cert
openssl req -new -x509 -sha256 -days 180 -key my.key -out my.crt
Convert to p12
Get issuer
openssl s_client -showcerts -connect <YOURHOST>:443 < /dev/null 2>/dev/null |grep -i issuer
or better:
openssl s_client -showcerts -connect YOURHOST:443 -servername YOURHOST -showcerts </dev/null | openssl x509 -nouout -issuer
and even
openssl s_client -servername $H -host $H -port 443 -showcerts </dev/null 2>/dev/null| openssl x509 -noout -issuer | sed 's/.* O = \(.*\), CN.*/\1/'
FAQ
Should i include the Root CA?
Only if server software demands it.
Error messages
SSL CTX certificate file error: error:0906D06C:PEM routines:PEM_read_bio:no start line
??
139814102202256:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
i've seen this happen when someone deleted the BEGIN/END CERTIFICATE lines
or a file is in DER format
error 20 at 0 depth lookup: unable to get local issuer certificate
you probably need to provide the right -CAfile maybe self signed?
self-signed certificate in certificate chain
OpenSSL: error:0A000102:SSL routines::unsupported protocol
This could becaure you're trying to an older version of TLS, check openssl.cnf for
CipherString = DEFAULT:@SECLEVEL=2
which means it enforces minimum of TLSv1.2
You might now get
OpenSSL: error:0A000152:SSL routines::unsafe legacy renegotiation disabled
which means add below the CipherString line:
Options = UnsafeLegacyRenegotiation
SSL: error:13800076:OCSP routines::signer certificate not found
?
Order of certificates in bundle
Root CA comes last
using s_client
no client certificate sent
try adding -cert
Secure Renegotiation IS NOT supported
Probably using wrong TLS version
Can't use SSL_get_servername
Try using hostname instead of IP address
write:errno=104
server reset the connection
no peer certificate available
Could be trying to talk tls to ssl, also check tls version used/enforced.
socket: Bad file descriptor
Most likely you just can't connect
unable to load client certificate private key file
Verification error: unable to verify the first certificate
problem missing CA cert
Verify return code: 21 (unable to verify the first certificate)
Probably requires bundle including the first cert'
Bad certificate (code 42)
Means the server demands you authenticate with a certificate, and you did not do so, and that caused the handshake failure.
How to check certificate chain?
openssl s_client -connect www.example.com:443 -showcerts
Some of the output
Certificate chain
0 s:CN = foo.local i:CN = foo.local-CA
0: first in chain
s: subject ( openssl x509 -noout -in foo.crt -subject )
i: issuer ( openssl x509 -noout -in foo.crt -issuer )
OR
openssl s_client -showcerts -verify 5 -connect ldap.example.com:636 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/) {a++}; out="bluePage-cert"a".pem"; print >out}'
or
openssl s_client -showcerts -verify 5 -connect ldap.example.com:389 starttls ldap < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/) {a++}; out="bluePage-cert"a".pem"; print >out}'
check expiration date
echo | openssl s_client -servername NAME -connect HOST:PORT 2>/dev/null | openssl x509 -noout -dates
openssl x509 -enddate -noout -in file.pem
check if webserver supports old tls
openssl s_client -connect www.example.com:443 -tls1 openssl s_client -connect www.example.com:443 -tls1_1
or when vhost:
openssl s_client -servername vhost.example.com -connect www.example.com:443 -tls1_1
ERROR: Certificate verification: Not trusted
seems to be an lftp issue
unsupported certificate purpose
??
ssllabs checks
Chain issues: Incorrect order, Contains anchor
Could be the topmost cert in the bundle provided, try removing it
Chain issues: Contains anchor
Seems to mean there's a root ca in the bundle
check smtp submission
echo -n "username" | base64 echo -n "password" | base64
openssl s_client -connect mail.host.com:587 -starttls smtp -crlf
EHLO foo.bar AUTH LOGIN
base64username
base64password
OR
echo -ne '\0username\0password'| base64 AUTH LOGIN output_of_that_echo
Peer's Certificate issuer is not recognized.
p12 / pkcs12
- https://fileinfo.com/extension/p12
- Export Certificates and Private Key from a PKCS#12 File with OpenSSL
Show info about p12 file
openssl pkcs12 -info -in INFILE.p12 -nodes
Extract keys from p12
Extract private key
openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pem
Extract client certificate
openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pem
server certificate does NOT include an ID which matches the server name
todo
