Get free SSL certs
Process
generate CSR with SAN
Software
- Metronome
Tests
Conversion
Troubleshooting
- TLS 1.0 or 1.1 can't be verified

SSL certificates

Get free SSL certs

Let'sEncrypt
CACert.org
- Root certificates: https://www.cacert.org/index.php?id=3

Process

use easy-rsa if you want to self-sign certificates with your own CA¹ infrastructure. This is then called a PKI².

generate key:
openssl genrsa -out private.key 4096
generate CSR:
openssl req -new -sha256 -key private.key -out request.csr
upload CSR to CA
configure server to use certificate

generate CSR with SAN

a Subject Alternate Name tells you for which domain names or IPs this certificate should be valid.

openssl req -new -nodes -subj "/C=DE/ST=Testcity/L=Exampleland/O=Contoso Ltd/OU=IT/CN=main.address.example.com" -addext "subjectAltName = DNS:main.address.example.com" -newkey rsa:4096 -keyout key.pem -out req.pem

Software

Metronome

Certificates - Prosody IM

Folder for certificates: /var/lib/metronome/ (probably manually created: /etc/metronome/certs/)

Tests

Check a certificate

Check a certificate and return information about it (signing authority, expiration date, etc.):

openssl x509 -in server.crt -text -noout

Check certificate of remote server

echo | openssl s_client -servername mail.example.com -connect mail.example.com:993 2>/dev/null | openssl x509 -noout -issuer -subject -dates

Check a key

Check the SSL key and verify the consistency:

openssl rsa -in server.key -check

Check a CSR

Verify the CSR and print CSR data filled in when generating the CSR:

openssl req -text -noout -verify -in server.csr

Verify a certificate and key matches

These two commands print out md5 checksums of the certificate and key; the checksums can be compared to verify that the certificate and key match.

openssl x509 -noout -modulus -in server.crt| openssl md5
openssl rsa -noout -modulus -in server.key| openssl md5

Conversion

DER encoded files look like garbage when opened in a text editor. They also usually have the file extension .cer while base64 encoded certificates often have the extension .crt. You can convert .cer to .crt and vice versa.

Windows certificate authorities often like DER certificate files more, while Linux usually uses base64 encoded .crt files.

DER to base64

openssl x509 -inform der -in infile.cer -out outfile.crt

or with certutil:

certutil -encode filename.cer newfilename.cer

base64 to DER

openssl x509 -outform der -in infile.crt -out outfile.cer

tools

TestSSL.sh – command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols and cryptographic flaws.

online tools

Mozilla SSL Config generator – builds configuration files to help you follow the Mozilla Server Side TLS configuration guidelines.

SSL/TLS checkers

Troubleshooting

TLS 1.0 or 1.1 can't be verified

Debian 10 and other distributions begin phasing out TLS 1.0 and TLS 1.1 because of security concerns. That means that servers using older ciphers can't be verified.

The solution is to temporarily add support for TLS 1.1 (or 1.0) in the OpenSSL config file and to notify the server administrator to fix the issue by supporting TLS 1.2 and 1.3.

/etc/ssl/openssl.cnf

[system_default_sect]
MinProtocol = TLSv1.1

^[1] Certificate Authority

^[2] Private Key Infrastructure

Table of Contents