Openssl
Links
- Why you don't want EV certificate
- SSL confg generator
- openssl homepage
- http://gagravarr.org/writing/openssl-certs/index.shtml
Tools
- sslscan
- sclient
Documentation and HOWTOs
- OpenSSL Certificate Authority Setup
- Validating a Certificate Path with OpenSSL
- How SSL and TLS work
- OpenSSL Certificate Authority
- http://dataslinger.com/index.php?/archives/5-Configuring-SSL-certificates-for-Apache,-Dovecot,-Sendmail,-and-IIS.html
- ssl cert HOWTO
- OpenSSL Command-Line HOWTO
- 1. Way: SubjectAltName Only
- OpenSSL Command-Line HOWTO
- How to Create a .PEM file for SSL Certificate Installation
- http://www.tc.umn.edu/~brams006/selfsign.html
- Verifying that a Private Key Matches a Certificate
- Getting your certificate chain right
- Verify certificate chain
Dovecot and ssl
Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)
cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.pem
In dovecot.conf:
ssl_cert_file = /usr/local/etc/IMAP.EXAMPLE.COM.crt ssl_key_file = /usr/local/etc/myserver.key #optional, only if you want to require client to provide cert #ssl_ca_file = /usr/local/etc/intermediate.pem
Courier-imap and ssl
- http://linsec.ca/Using_Courier-IMAP_and_SSL
- http://linux.seindal.dk/2005/12/04/making-a-courier-imap-ssl-sertificate/
Networksolutions certs:
After creating myserver.key and myserver.csr and obtaining certs:
(don't forget to insert newlines between the blocks!)
cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt > intermediate.pem cat myserver.key >> IMAP.EXAMPLE.COM.crt
In imapd-ssl:
TLS_CERTFILE=/usr/local/etc/courier-certs/IMAP.EXAMPLE.COM.crt TLS_TRUSTCERTS=/usr/local/etc/courier-certs/intermediate.pem
Network Solutions certificates bundle
See http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/
cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.txt
Comodo bundle order
COMODORSAOrganizationValidationSecureServerCA. + COMODO rsa add trust ca ( + addtrustexternalcaroot )
Generate a signing request
openssl req -nodes -newkey rsa:2048 -keyout my.domain.key -out my.domain.csr
The resulting csr is the signing request, my.domain.key is the private key you save not readable for anyone but root!
Tips&Tricks
Create private key (using config file)
openssl req (-config /etc/pki/tls/www.example.com.cnf) -newkey rsa:2048 -nodes -keyout domain.key
Create CSR using config file
openssl req -config /etc/pki/tls/www.example.com.cnf -new -newkey rsa:2048 -nodes -keyout example.com.key -out www.example.com.csr
Convert der to pem
openssl x509 -inform der -in certificate.cer -out certificate.pem
Creating CSR for multiple hosts
For example http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html
Remove password from private key
https://wiki.apache.org/httpd/RemoveSSLCertPassPhrase
Examining certificates
openssl verify cert.pem
openssl x509 -in cacert.pem -noout -text openssl x509 -in foo.pem -inform pem -noout -text
openssl rsa -noout -text -in server.key openssl req -noout -text -in server.csr openssl rsa -noout -text -in ca.key openssl x509 -noout -text -in ca.crt
with expiration date:
openssl x509 -noout -text -enddate -in ca.crt
- to check CN
openssl x509 -in server.crt -noout -subject
openssl pkcs12 -info -in keyStore.p12 openssl pkcs12 -info -in keyStore.pfx
Checking a service
- Note -CApath should point to your local collection of public CA certs
openssl s_client -connect -CApath /etc/ssl/certs host:pop3 -starttls pop3 openssl s_client -port 443 -CApath /etc/ssl/certs -host webmail.example.com -prexit openssl s_client -connect imap.example.com:143 -starttls imap openssl s_client -connect web.server:443 -showcerts openssl s_client -connect webmail.example.com:443 -servername vhost.example.com
Just check expiration date:
openssl s_client -connect imap.example.com:143 -starttls imap 2>/dev/null | openssl x509 -noout -dates
Check your site
gnutls-cli
echo quit | gnutls-cli --starttls-proto smtp --port 25 servac.skk | grep Status echo quit | gnutls-cli --port 465 servac.skk | grep Status
check if certs match
TODO: -clr_check too
openssl pkey -in privateKey.key -pubout -outform pem | sha256sum openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum
These values show match Also:
openssl verify -CAfile ca-bundle foo_bar.crt
A script to do these checks: [sslcheck]
Creating your own CA and signing with it
(based on http://www.eclectica.ca/howto/ssl-cert-howto.php#rootc)
cd /etc/ssl mkdir newcerts (perform secret rituals)
FAQ
using s_client
no client certificate sent
try adding -cert
Can't use SSL_get_servername
Try using hostname instead of IP address
write:errno=104
server reset the connection
unable to load client certificate private key file
Verification error: unable to verify the first certificate
problem missing CA cert
error 20 at 0 depth lookup: unable to get local issuer certificate
you probably need to provide the right -CAfile maybe self signed?
Verify return code: 21 (unable to verify the first certificate)
Probably requires bundle
Bad certificate (code 42)
Means the server demands you authenticate with a certificate, and you did not do so, and that caused the handshake failure.
check certificate chain
openssl s_client -connect www.example.com:443 -showcerts
check expiration date
echo | openssl s_client -servername NAME -connect HOST:PORT 2>/dev/null | openssl x509 -noout -dates
139814102202256:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
i've seen this happen when someone deleted the BEGIN/END CERTIFICATE lines
or a file is in DER format
SSL CTX certificate file error: error:0906D06C:PEM routines:PEM_read_bio:no start line
??
check if webserver supports old tls
openssl s_client -connect www.example.com:443 -tls1 openssl s_client -connect www.example.com:443 -tls1_1
or when vhost:
openssl s_client -servername vhost.example.com -connect www.example.com:443 -tls1_1
ERROR: Certificate verification: Not trusted
seems to be an lftp issue
unsupported certificate purpose
??
ssllabs checks
Chain issues Contains anchor
TODO
check smtp submission
openssl s_client -connect mail.host.com:587 -starttls smtp -tls1_