Openssl: Difference between revisions
m (→HOWTO) |
|||
(108 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
=Links= | |||
*[https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/ Why you don't want EV certificate] | |||
*[https://mozilla.github.io/server-side-tls/ssl-config-generator/ SSL confg generator] | |||
*[http://www.openssl.org/ openssl homepage] | *[http://www.openssl.org/ openssl homepage] | ||
*[http://gagravarr.org/writing/openssl-certs/index.shtml http://gagravarr.org/writing/openssl-certs/index.shtml] | *[http://gagravarr.org/writing/openssl-certs/index.shtml http://gagravarr.org/writing/openssl-certs/index.shtml] | ||
== | = Tools = | ||
*openssl | |||
*sslscan | |||
*sclient | |||
*[[gnutls-cli]] | |||
= Documentation and HOWTOs = | |||
*[http://sial.org/howto/openssl/ca/ OpenSSL Certificate Authority Setup] | |||
*[http://www.herongyang.com/Cryptography/OpenSSL-Certificate-Path-Validation-Tests.html Validating a Certificate Path with OpenSSL] | |||
*[http://www.techradar.com/news/software/how-ssl-and-tls-works-1047412 How SSL and TLS work] | |||
*[https://jamielinux.com/docs/openssl-certificate-authority/index.html OpenSSL Certificate Authority] | |||
*[http://dataslinger.com/index.php?/archives/5-Configuring-SSL-certificates-for-Apache,-Dovecot,-Sendmail,-and-IIS.html http://dataslinger.com/index.php?/archives/5-Configuring-SSL-certificates-for-Apache,-Dovecot,-Sendmail,-and-IIS.html] | |||
*[http://www.eclectica.ca/howto/ssl-cert-howto.php ssl cert HOWTO] | |||
*[http://www.madboa.com/geek/openssl/ OpenSSL Command-Line HOWTO] | |||
*[http://wiki.cacert.org/wiki/VhostTaskForce#head-f7f4c7599aef8b22de373b0922b39f4e75e95db4 1. Way: SubjectAltName Only] | |||
*[http://www.madboa.com/geek/openssl/ OpenSSL Command-Line HOWTO] | |||
*[http://www.digicert.com/ssl-support/pem-ssl-creation.htm How to Create a .PEM file for SSL Certificate Installation] | |||
*[http://www.tc.umn.edu/~brams006/selfsign.html http://www.tc.umn.edu/~brams006/selfsign.html] | |||
*[https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce Getting your certificate chain right] | |||
*[https://stackoverflow.com/questions/25482199/verify-a-certificate-chain-using-openssl-verify Verify certificate chain] | |||
*[https://whatsmychaincert.com What is my certificate chain?] | |||
*[https://langui.sh/2009/03/14/checking-a-remote-certificate-chain-with-openssl/ Checking A Remote Certificate Chain With OpenSSL] | |||
*[https://www.howtouselinux.com/post/certificate-chain Check SSL Certificate Chain with OpenSSL Examples] | |||
=== Dovecot and ssl === | |||
Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!) | |||
cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.pem | |||
In dovecot.conf: | |||
ssl_cert_file = /usr/local/etc/IMAP.EXAMPLE.COM.crt | |||
ssl_key_file = /usr/local/etc/myserver.key | |||
#optional, only if you want to require client to provide cert | |||
#ssl_ca_file = /usr/local/etc/intermediate.pem | |||
== Courier-imap and ssl == | |||
*[http://linsec.ca/Using_Courier-IMAP_and_SSL http://linsec.ca/Using_Courier-IMAP_and_SSL] | |||
*[http://linux.seindal.dk/2005/12/04/making-a-courier-imap-ssl-sertificate/ http://linux.seindal.dk/2005/12/04/making-a-courier-imap-ssl-sertificate/] | |||
Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!) | |||
cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt > intermediate.pem | |||
cat myserver.key >> IMAP.EXAMPLE.COM.crt | |||
In imapd-ssl: | |||
TLS_CERTFILE=/usr/local/etc/courier-certs/IMAP.EXAMPLE.COM.crt | |||
TLS_TRUSTCERTS=/usr/local/etc/courier-certs/intermediate.pem | |||
== Network Solutions certificates bundle == | |||
See [http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/ http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/] | |||
cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.txt | |||
=== Comodo bundle order === | |||
COMODORSAOrganizationValidationSecureServerCA. + COMODO rsa add trust ca ( + addtrustexternalcaroot ) | |||
=== Generate a signing request === | |||
openssl req -nodes -newkey rsa:2048 -keyout my.domain.key -out my.domain.csr | openssl req -nodes -newkey rsa:2048 -keyout my.domain.key -out my.domain.csr | ||
The resulting csr is the signing request, my.domain.key is the private key you save not readable for anyone but root! | The resulting csr is the signing request, my.domain.key is the private key you save not readable for anyone but root! | ||
== | = HOWTO = | ||
===Examining certificates== | |||
*http://www.madboa.com/geek/openssl/#verify-standard | ==Generate PSK == | ||
openssl rand -hex 32 | |||
==Converting certificates== | |||
https://stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key | |||
=== Create private key (using config file) === | |||
openssl req (-config /etc/pki/tls/www.example.com.cnf) -newkey rsa:2048 -nodes -keyout domain.key | |||
== Create CSR using config file == | |||
openssl req -config /etc/pki/tls/www.example.com.cnf -new -newkey rsa:2048 -nodes -keyout example.com.key -out www.example.com.csr | |||
== Convert der to pem == | |||
openssl x509 -inform der -in certificate.cer -out certificate.pem | |||
== Creating CSR for multiple hosts == | |||
For example [http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html] | |||
=== Remove password from private key === | |||
[https://wiki.apache.org/httpd/RemoveSSLCertPassPhrase https://wiki.apache.org/httpd/RemoveSSLCertPassPhrase] | |||
== Examining certificates == | |||
*[http://www.madboa.com/geek/openssl/#verify-standard http://www.madboa.com/geek/openssl/#verify-standard] | |||
openssl verify cert.pem | openssl verify cert.pem | ||
openssl x509 -in cacert.pem -noout -text | openssl x509 -in cacert.pem -noout -text | ||
openssl x509 -in foo.pem -inform pem -noout -text | |||
openssl rsa -noout -text -in server.key | |||
openssl req -noout -text -in server.csr | |||
openssl rsa -noout -text -in ca.key | |||
openssl x509 -noout -text -in ca.crt | |||
with expiration date: | |||
openssl x509 -noout -text -enddate -in ca.crt | |||
=Creating your own CA and signing with it= | #to check CN | ||
openssl x509 -in server.crt -noout -subject | |||
openssl pkcs12 -info -in keyStore.p12 | |||
openssl pkcs12 -info -in keyStore.pfx | |||
== Checking a service == | |||
#Note -CApath should point to your local collection of public CA certs | |||
openssl s_client -connect -CApath /etc/ssl/certs host:pop3 -starttls pop3 | |||
openssl s_client -port 443 -CApath /etc/ssl/certs -host webmail.example.com -prexit | |||
openssl s_client -connect imap.example.com:143 -starttls imap | |||
openssl s_client -connect web.server:443 -showcerts | |||
openssl s_client -connect webmail.example.com:443 -servername vhost.example.com | |||
Just check expiration date: | |||
openssl s_client -connect imap.example.com:143 -starttls imap 2>/dev/null | openssl x509 -noout -dates | |||
| |||
== Check your site == | |||
*[https://www.ssllabs.com/ssltest https://www.ssllabs.com/ssltest] | |||
*[https://www.sslcheck.nl/ https://www.sslcheck.nl/] | |||
*[https://internet.nl Internet.nl] | |||
==gnutls-cli == | |||
echo quit | gnutls-cli --starttls-proto smtp --port 25 servac.skk | grep Status | |||
echo quit | gnutls-cli --port 465 servac.skk | grep Status | |||
== check if certs match == | |||
TODO: -clr_check too | |||
openssl pkey -in privateKey.key -pubout -outform pem | sha256sum | |||
openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum | |||
openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum | |||
These values show match Also: | |||
openssl verify -CAfile ca-bundle foo_bar.crt | |||
A script to do these checks: [[https://www.tuxick.net/sslcheck sslcheck]] | |||
== Creating your own CA and signing with it== | |||
(based on http://www.eclectica.ca/howto/ssl-cert-howto.php#rootc) | (based on http://www.eclectica.ca/howto/ssl-cert-howto.php#rootc) | ||
Line 39: | Line 178: | ||
mkdir newcerts | mkdir newcerts | ||
(perform secret rituals) | (perform secret rituals) | ||
== Check which ciphers and tls versions your openssl supports== | |||
openssl ciphers -v | |||
==Check if site supports TLS v1.2== | |||
openssl s_client -connect google.com:443 -servername google.com -tls1_2 | |||
= FAQ = | |||
==Error messages== | |||
===OpenSSL: error:0A000102:SSL routines::unsupported protocol=== | |||
This could becaure you're trying to an older version of TLS, check '''openssl.cnf''' for | |||
CipherString = DEFAULT:@SECLEVEL=2 | |||
which means it enforces minimum of TLSv1.2 | |||
You might now get | |||
===OpenSSL: error:0A000152:SSL routines::unsafe legacy renegotiation disabled=== | |||
which means add below the CipherString line: | |||
Options = UnsafeLegacyRenegotiation | |||
==Get issuer== | |||
openssl s_client -showcerts -connect <YOURHOST>:443 < /dev/null 2>/dev/null |grep -i issuer | |||
== Order of certificates in bundle== | |||
Root CA comes last | |||
== using s_client == | |||
=== no client certificate sent === | |||
try adding -cert | |||
| |||
=== Secure Renegotiation IS NOT supported === | |||
Probably using wrong TLS version | |||
=== Can't use SSL_get_servername === | |||
Try using hostname instead of IP address | |||
=== write:errno=104 === | |||
server reset the connection | |||
===no peer certificate available=== | |||
Could be trying to talk tls to ssl? | |||
== unable to load client certificate private key file == | |||
== Verification error: unable to verify the first certificate == | |||
problem missing CA cert | |||
== error 20 at 0 depth lookup: unable to get local issuer certificate == | |||
you probably need to provide the right -CAfile maybe self signed? | |||
| |||
== Verify return code: 21 (unable to verify the first certificate) == | |||
Probably requires bundle | |||
| |||
== Bad certificate (code 42) == | |||
Means the server demands you authenticate with a certificate, and you did not do so, and that caused the handshake failure. | |||
| |||
== check certificate chain == | |||
openssl s_client -connect www.example.com:443 -showcerts | |||
| |||
=== Some of the output === | |||
Certificate chain | |||
0 s:CN = foo.local | |||
i:CN = foo.local-CA | |||
0: first in chain | |||
s: subject ( openssl x509 -noout -in foo.crt -subject ) | |||
i: issuer ( openssl x509 -noout -in foo.crt -issuer ) | |||
OR | |||
openssl s_client -showcerts -verify 5 -connect ldap.example.com:636 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/) {a++}; out="bluePage-cert"a".pem"; print >out}' | |||
or | |||
openssl s_client -showcerts -verify 5 -connect ldap.example.com:389 starttls ldap < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/) {a++}; out="bluePage-cert"a".pem"; print >out}' | |||
== check expiration date == | |||
echo | openssl s_client -servername NAME -connect HOST:PORT 2>/dev/null | openssl x509 -noout -dates | |||
openssl x509 -enddate -noout -in file.pem | |||
== 139814102202256:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE == | |||
i've seen this happen when someone deleted the BEGIN/END CERTIFICATE lines | |||
or a file is in DER format | |||
== SSL CTX certificate file error: error:0906D06C:PEM routines:PEM_read_bio:no start line == | |||
?? | |||
| |||
| |||
== check if webserver supports old tls == | |||
openssl s_client -connect www.example.com:443 -tls1 | |||
openssl s_client -connect www.example.com:443 -tls1_1 | |||
or when vhost: | |||
openssl s_client -servername vhost.example.com -connect www.example.com:443 -tls1_1 | |||
| |||
== ERROR: Certificate verification: Not trusted == | |||
seems to be an lftp issue | |||
== unsupported certificate purpose == | |||
?? | |||
| |||
== ssllabs checks == | |||
=== Chain issues: Incorrect order, Contains anchor === | |||
Could be the topmost cert in the bundle provided, try removing it | |||
| |||
=== Chain issues: Contains anchor === | |||
Seems to mean there's a root ca in the bundle | |||
== check smtp submission == | |||
echo -n "username" | base64 | |||
echo -n "password" | base64 | |||
openssl s_client -connect mail.host.com:587 -starttls smtp -crlf | |||
EHLO foo.bar | |||
AUTH LOGIN | |||
base64username | |||
base64password | |||
OR | |||
echo -ne '\0username\0password'| base64 | |||
AUTH LOGIN output_of_that_echo | |||
===Peer's Certificate issuer is not recognized.=== | |||
=p12 / pkcs12= | |||
https://fileinfo.com/extension/p12 | |||
openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pem | |||
openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pem | |||
===server certificate does NOT include an ID which matches the server name=== | |||
todo |
Latest revision as of 10:56, 17 June 2024
Links
- Why you don't want EV certificate
- SSL confg generator
- openssl homepage
- http://gagravarr.org/writing/openssl-certs/index.shtml
Tools
- openssl
- sslscan
- sclient
- gnutls-cli
Documentation and HOWTOs
- OpenSSL Certificate Authority Setup
- Validating a Certificate Path with OpenSSL
- How SSL and TLS work
- OpenSSL Certificate Authority
- http://dataslinger.com/index.php?/archives/5-Configuring-SSL-certificates-for-Apache,-Dovecot,-Sendmail,-and-IIS.html
- ssl cert HOWTO
- OpenSSL Command-Line HOWTO
- 1. Way: SubjectAltName Only
- OpenSSL Command-Line HOWTO
- How to Create a .PEM file for SSL Certificate Installation
- http://www.tc.umn.edu/~brams006/selfsign.html
- Getting your certificate chain right
- Verify certificate chain
- What is my certificate chain?
- Checking A Remote Certificate Chain With OpenSSL
Dovecot and ssl
Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)
cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.pem
In dovecot.conf:
ssl_cert_file = /usr/local/etc/IMAP.EXAMPLE.COM.crt ssl_key_file = /usr/local/etc/myserver.key #optional, only if you want to require client to provide cert #ssl_ca_file = /usr/local/etc/intermediate.pem
Courier-imap and ssl
- http://linsec.ca/Using_Courier-IMAP_and_SSL
- http://linux.seindal.dk/2005/12/04/making-a-courier-imap-ssl-sertificate/
Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)
cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt > intermediate.pem cat myserver.key >> IMAP.EXAMPLE.COM.crt
In imapd-ssl:
TLS_CERTFILE=/usr/local/etc/courier-certs/IMAP.EXAMPLE.COM.crt TLS_TRUSTCERTS=/usr/local/etc/courier-certs/intermediate.pem
Network Solutions certificates bundle
See http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/
cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.txt
Comodo bundle order
COMODORSAOrganizationValidationSecureServerCA. + COMODO rsa add trust ca ( + addtrustexternalcaroot )
Generate a signing request
openssl req -nodes -newkey rsa:2048 -keyout my.domain.key -out my.domain.csr
The resulting csr is the signing request, my.domain.key is the private key you save not readable for anyone but root!
HOWTO
Generate PSK
openssl rand -hex 32
Converting certificates
https://stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key
Create private key (using config file)
openssl req (-config /etc/pki/tls/www.example.com.cnf) -newkey rsa:2048 -nodes -keyout domain.key
Create CSR using config file
openssl req -config /etc/pki/tls/www.example.com.cnf -new -newkey rsa:2048 -nodes -keyout example.com.key -out www.example.com.csr
Convert der to pem
openssl x509 -inform der -in certificate.cer -out certificate.pem
Creating CSR for multiple hosts
For example http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html
Remove password from private key
https://wiki.apache.org/httpd/RemoveSSLCertPassPhrase
Examining certificates
openssl verify cert.pem
openssl x509 -in cacert.pem -noout -text openssl x509 -in foo.pem -inform pem -noout -text
openssl rsa -noout -text -in server.key openssl req -noout -text -in server.csr openssl rsa -noout -text -in ca.key openssl x509 -noout -text -in ca.crt
with expiration date:
openssl x509 -noout -text -enddate -in ca.crt
- to check CN
openssl x509 -in server.crt -noout -subject
openssl pkcs12 -info -in keyStore.p12 openssl pkcs12 -info -in keyStore.pfx
Checking a service
- Note -CApath should point to your local collection of public CA certs
openssl s_client -connect -CApath /etc/ssl/certs host:pop3 -starttls pop3 openssl s_client -port 443 -CApath /etc/ssl/certs -host webmail.example.com -prexit openssl s_client -connect imap.example.com:143 -starttls imap openssl s_client -connect web.server:443 -showcerts openssl s_client -connect webmail.example.com:443 -servername vhost.example.com
Just check expiration date:
openssl s_client -connect imap.example.com:143 -starttls imap 2>/dev/null | openssl x509 -noout -dates
Check your site
gnutls-cli
echo quit | gnutls-cli --starttls-proto smtp --port 25 servac.skk | grep Status echo quit | gnutls-cli --port 465 servac.skk | grep Status
check if certs match
TODO: -clr_check too
openssl pkey -in privateKey.key -pubout -outform pem | sha256sum openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum
These values show match Also:
openssl verify -CAfile ca-bundle foo_bar.crt
A script to do these checks: [sslcheck]
Creating your own CA and signing with it
(based on http://www.eclectica.ca/howto/ssl-cert-howto.php#rootc)
cd /etc/ssl mkdir newcerts (perform secret rituals)
Check which ciphers and tls versions your openssl supports
openssl ciphers -v
Check if site supports TLS v1.2
openssl s_client -connect google.com:443 -servername google.com -tls1_2
FAQ
Error messages
OpenSSL: error:0A000102:SSL routines::unsupported protocol
This could becaure you're trying to an older version of TLS, check openssl.cnf for
CipherString = DEFAULT:@SECLEVEL=2
which means it enforces minimum of TLSv1.2
You might now get
OpenSSL: error:0A000152:SSL routines::unsafe legacy renegotiation disabled
which means add below the CipherString line:
Options = UnsafeLegacyRenegotiation
Get issuer
openssl s_client -showcerts -connect <YOURHOST>:443 < /dev/null 2>/dev/null |grep -i issuer
Order of certificates in bundle
Root CA comes last
using s_client
no client certificate sent
try adding -cert
Secure Renegotiation IS NOT supported
Probably using wrong TLS version
Can't use SSL_get_servername
Try using hostname instead of IP address
write:errno=104
server reset the connection
no peer certificate available
Could be trying to talk tls to ssl?
unable to load client certificate private key file
Verification error: unable to verify the first certificate
problem missing CA cert
error 20 at 0 depth lookup: unable to get local issuer certificate
you probably need to provide the right -CAfile maybe self signed?
Verify return code: 21 (unable to verify the first certificate)
Probably requires bundle
Bad certificate (code 42)
Means the server demands you authenticate with a certificate, and you did not do so, and that caused the handshake failure.
check certificate chain
openssl s_client -connect www.example.com:443 -showcerts
Some of the output
Certificate chain
0 s:CN = foo.local i:CN = foo.local-CA
0: first in chain
s: subject ( openssl x509 -noout -in foo.crt -subject )
i: issuer ( openssl x509 -noout -in foo.crt -issuer )
OR
openssl s_client -showcerts -verify 5 -connect ldap.example.com:636 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/) {a++}; out="bluePage-cert"a".pem"; print >out}'
or
openssl s_client -showcerts -verify 5 -connect ldap.example.com:389 starttls ldap < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/) {a++}; out="bluePage-cert"a".pem"; print >out}'
check expiration date
echo | openssl s_client -servername NAME -connect HOST:PORT 2>/dev/null | openssl x509 -noout -dates
openssl x509 -enddate -noout -in file.pem
139814102202256:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
i've seen this happen when someone deleted the BEGIN/END CERTIFICATE lines
or a file is in DER format
SSL CTX certificate file error: error:0906D06C:PEM routines:PEM_read_bio:no start line
??
check if webserver supports old tls
openssl s_client -connect www.example.com:443 -tls1 openssl s_client -connect www.example.com:443 -tls1_1
or when vhost:
openssl s_client -servername vhost.example.com -connect www.example.com:443 -tls1_1
ERROR: Certificate verification: Not trusted
seems to be an lftp issue
unsupported certificate purpose
??
ssllabs checks
Chain issues: Incorrect order, Contains anchor
Could be the topmost cert in the bundle provided, try removing it
Chain issues: Contains anchor
Seems to mean there's a root ca in the bundle
check smtp submission
echo -n "username" | base64 echo -n "password" | base64
openssl s_client -connect mail.host.com:587 -starttls smtp -crlf
EHLO foo.bar AUTH LOGIN
base64username
base64password
OR
echo -ne '\0username\0password'| base64 AUTH LOGIN output_of_that_echo
Peer's Certificate issuer is not recognized.
p12 / pkcs12
https://fileinfo.com/extension/p12
openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pem openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pem
server certificate does NOT include an ID which matches the server name
todo