====== SSL certificates ======
===== Get free SSL certs =====
* [[https://letsencrypt.org|Let'sEncrypt]]
* [[https://www.cacert.org/|CACert.org]]
* Root certificates: https://www.cacert.org/index.php?id=3
===== Process =====
use [[.:linux:cli:easy-rsa|easy-rsa]] if you want to self-sign certificates with your own CA[(Certificate Authority)] infrastructure. This is then called a PKI[(Private Key Infrastructure)].
- generate key:\\ ''openssl genrsa -out private.key 4096''
- generate CSR:\\ ''openssl req -new -sha256 -key private.key -out request.csr''
- upload CSR to CA
- configure server to use certificate
===== generate CSR with SAN =====
a Subject Alternate Name tells you for which domain names or IPs this certificate should be valid.
openssl req -new -nodes -subj "/C=DE/ST=Testcity/L=Exampleland/O=Contoso Ltd/OU=IT/CN=main.address.example.com" -addext "subjectAltName = DNS:main.address.example.com" -newkey rsa:4096 -keyout key.pem -out req.pem
see also:
* [[http://wiki.cacert.org/FAQ/subjectAltName|CACert FAQ: subjectAltName]]
* [[https://security.stackexchange.com/questions/160787/ip-address-in-subjectaltname|IP Address in SAN (Security StackExchange)]]
===== Software =====
==== Metronome ====
[[http://prosody.im/doc/certificates|Certificates - Prosody IM]]
Folder for certificates: ''/var/lib/metronome/'' (probably manually created: ''/etc/metronome/certs/'')
===== Tests =====
==== Check a certificate ====
Check a certificate and return information about it (signing authority, expiration date, etc.):
openssl x509 -in server.crt -text -noout
==== Check certificate of remote server ====
echo | openssl s_client -servername mail.example.com -connect mail.example.com:993 2>/dev/null | openssl x509 -noout -issuer -subject -dates
==== Check a key ====
Check the SSL key and verify the consistency:
openssl rsa -in server.key -check
==== Check a CSR ====
Verify the CSR and print CSR data filled in when generating the CSR:
openssl req -text -noout -verify -in server.csr
==== Verify a certificate and key matches ====
These two commands print out md5 checksums of the certificate and key; the checksums can be compared to verify that the certificate and key match.
openssl x509 -noout -modulus -in server.crt| openssl md5
openssl rsa -noout -modulus -in server.key| openssl md5
===== Conversion =====
DER encoded files look like garbage when opened in a text editor. They also usually have the file extension ''.cer'' while base64 encoded certificates often have the extension ''.crt''. You can convert ''.cer'' to ''.crt'' and vice versa.
Windows certificate authorities often like DER certificate files more, while Linux usually uses base64 encoded ''.crt'' files.
==== DER to base64 ====
openssl x509 -inform der -in infile.cer -out outfile.crt
or with ''certutil'':
certutil -encode filename.cer newfilename.cer
==== base64 to DER ====
openssl x509 -outform der -in infile.crt -out outfile.cer
==== tools ====
* [[https://testssl.sh/|TestSSL.sh]] – command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols and cryptographic flaws.
=== online tools ===
* [[https://ssl-config.mozilla.org|Mozilla SSL Config generator]] – builds configuration files to help you follow the [[https://wiki.mozilla.org/Security/Server_Side_TLS|Mozilla Server Side TLS]] configuration guidelines.
==== SSL/TLS checkers ====
* [[https://www.ssllabs.com/ssltest/|SSLLabs]]
* [[https://testssl.sh/|TestSSL.sh]]
* [[https://cryptcheck.fr|CryptCheck.fr]]
* [[https://www.sslchecker.com/sslchecker|SSLChecker.com]]
===== Troubleshooting =====
==== TLS 1.0 or 1.1 can't be verified ====
Debian 10 and other distributions begin phasing out TLS 1.0 and TLS 1.1 because of security concerns. That means that servers using older ciphers can't be verified.
The solution is to temporarily add support for TLS 1.1 (or 1.0) in the OpenSSL config file and to notify the server administrator to fix the issue by supporting TLS 1.2 and 1.3.
[system_default_sect]
MinProtocol = TLSv1.1