admin:ssl

SSL certificates

use easy-rsa if you want to self-sign certificates with your own CA1 infrastructure. This is then called a PKI2.

  1. generate key:
    openssl genrsa -out private.key 4096
  2. generate CSR:
    openssl req -new -sha256 -key private.key -out request.csr
  3. upload CSR to CA
  4. configure server to use certificate

a Subject Alternate Name tells you for which domain names or IPs this certificate should be valid.

openssl req -new -nodes -subj "/C=DE/ST=Testcity/L=Exampleland/O=Contoso Ltd/OU=IT/CN=main.address.example.com" -addext "subjectAltName = DNS:main.address.example.com" -newkey rsa:4096 -keyout key.pem -out req.pem

see also:

Certificates - Prosody IM

Folder for certificates: /var/lib/metronome/ (probably manually created: /etc/metronome/certs/)

Check a certificate and return information about it (signing authority, expiration date, etc.):

openssl x509 -in server.crt -text -noout
echo | openssl s_client -servername mail.example.com -connect mail.example.com:993 2>/dev/null | openssl x509 -noout -issuer -subject -dates

Check the SSL key and verify the consistency:

openssl rsa -in server.key -check

Verify the CSR and print CSR data filled in when generating the CSR:

openssl req -text -noout -verify -in server.csr

These two commands print out md5 checksums of the certificate and key; the checksums can be compared to verify that the certificate and key match.

openssl x509 -noout -modulus -in server.crt| openssl md5
openssl rsa -noout -modulus -in server.key| openssl md5

DER encoded files look like garbage when opened in a text editor. They also usually have the file extension .cer while base64 encoded certificates often have the extension .crt. You can convert .cer to .crt and vice versa.

Windows certificate authorities often like DER certificate files more, while Linux usually uses base64 encoded .crt files.

openssl x509 -inform der -in infile.cer -out outfile.crt

or with certutil:

certutil -encode filename.cer newfilename.cer
openssl x509 -outform der -in infile.crt -out outfile.cer
  • TestSSL.sh – command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols and cryptographic flaws.

online tools

Debian 10 and other distributions begin phasing out TLS 1.0 and TLS 1.1 because of security concerns. That means that servers using older ciphers can't be verified.

The solution is to temporarily add support for TLS 1.1 (or 1.0) in the OpenSSL config file and to notify the server administrator to fix the issue by supporting TLS 1.2 and 1.3.

/etc/ssl/openssl.cnf
[system_default_sect]
MinProtocol = TLSv1.1

[1] Certificate Authority
[2] Private Key Infrastructure
  • Last modified: 2023-12-11 13:00