# SSL certificates

## Get free SSL certs

- Let's Encrypt
- CACert.org (root certificates: https://www.cacert.org/index.php?id=3)

## Process

Use easy-rsa if you want to sign certificates with your own CA[1] infrastructure; a CA together with the keys and certificates it manages is called a PKI[2].

1. Generate a key: `openssl genrsa -out private.key 4096`
2. Generate a CSR: `openssl req -new -sha256 -key private.key -out request.csr`
3. Upload the CSR to the CA.
4. Configure the server to use the certificate.

### Generate a CSR with SAN

A Subject Alternative Name (SAN) lists the domain names or IP addresses for which the certificate should be valid. Clients match the host name against the SAN, not the CN, so every name the server answers to must be listed there.
```
openssl req -new -nodes -subj "/C=DE/ST=Testcity/L=Exampleland/O=Contoso Ltd/OU=IT/CN=main.address.example.com" -addext "subjectAltName = DNS:main.address.example.com" -newkey rsa:4096 -keyout key.pem -out req.pem
```

`-addext` requires OpenSSL 1.1.1 or newer; `-nodes` writes the private key unencrypted, so protect the file accordingly.

See also:

- CACert FAQ: subjectAltName
- IP Address in SAN (Security StackExchange)

## Software

### Metronome

Certificates - Prosody IM

Folder for certificates: /var/lib/metronome/ (probably manually created: /etc/metronome/certs/)

## Tests

### Check a certificate

Check a certificate and return information about it (signing authority, expiration date, etc.):

```
openssl x509 -in server.crt -text -noout
```

### Check certificate of remote server

```
echo | openssl s_client -servername mail.example.com -connect mail.example.com:993 2>/dev/null | openssl x509 -noout -issuer -subject -dates
```

### Check a key

Check the SSL key and verify its consistency:

```
openssl rsa -in server.key -check
```

### Check a CSR

Verify the CSR and print the data filled in when generating it:

```
openssl req -text -noout -verify -in server.csr
```

### Verify that a certificate and key match

These two commands print the md5 checksum of the RSA modulus of the certificate and of the key; if the checksums are identical, the certificate and key belong together. Because they rely on `-modulus`, they only work for RSA keys.

```
openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
```

## Conversion

DER encoded files look like garbage when opened in a text editor. They usually have the file extension .cer, while base64 (PEM) encoded certificates often have the extension .crt. You can convert .cer to .crt and vice versa. Windows certificate authorities often prefer DER certificate files, while Linux usually uses base64 encoded .crt files.
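The certificate/key match check and the DER-or-PEM handling above, as an added shell example that is not part of the original page. It assumes an `openssl` binary on PATH (1.1.1 or newer for `-ext`); the file names are placeholders. Unlike the md5-of-modulus trick it compares the public key itself, so it also works for EC keys, and it accepts DER certificates directly.

```shell
#!/bin/sh
# Added example (not from the original page): the page's checks as reusable
# shell functions. Certificates may be PEM (base64) or DER; the key match
# compares the SHA-256 of the public key, which works for RSA and EC keys.

# Print a certificate as PEM, converting from DER when it is not already PEM.
cert_to_pem() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
        cat "$1"
    else
        openssl x509 -inform der -in "$1"
    fi
}

# SHA-256 of the public key found in certificate $1 (empty on failure).
cert_pubkey_fp() {
    pem=$(cert_to_pem "$1" | openssl x509 -pubkey -noout 2>/dev/null)
    [ -n "$pem" ] && printf '%s\n' "$pem" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from private key $1 (RSA or EC).
key_pubkey_fp() {
    pem=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    [ -n "$pem" ] && printf '%s\n' "$pem" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when certificate $1 belongs to private key $2, 1 otherwise.
cert_matches_key() {
    c=$(cert_pubkey_fp "$1"); k=$(key_pubkey_fp "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Exit status 0 when certificate $1 stays valid for at least $2 more days.
cert_valid_for_days() {
    cert_to_pem "$1" | openssl x509 -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Subject Alternative Names of certificate $1, one per line.
cert_sans() {
    cert_to_pem "$1" | openssl x509 -noout -ext subjectAltName 2>/dev/null \
        | tail -n +2 | tr ',' '\n' | sed 's/^ *//'
}

# Usage: ./certcheck.sh server.crt server.key
if [ $# -eq 2 ]; then
    cert_matches_key "$1" "$2" && echo "key matches certificate" || echo "MISMATCH"
    cert_valid_for_days "$1" 30 && echo "valid for 30+ days" || echo "expires within 30 days"
    echo "SANs:"; cert_sans "$1"
fi
```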
### DER to base64

```
openssl x509 -inform der -in infile.cer -out outfile.crt
```

or with certutil:

```
certutil -encode filename.cer newfilename.cer
```

### base64 to DER

```
openssl x509 -outform der -in infile.crt -out outfile.cer
```

## tools

- TestSSL.sh – command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols and cryptographic flaws.

### online tools

- Mozilla SSL Config generator – builds configuration files to help you follow the Mozilla Server Side TLS configuration guidelines.

### SSL/TLS checkers

- SSLLabs
- TestSSL.sh
- CryptCheck.fr
- SSLChecker.com

## Troubleshooting

### TLS 1.0 or 1.1 can't be verified

Debian 10 and other distributions have begun phasing out TLS 1.0 and TLS 1.1 because of security concerns. As a result, servers that only offer these older protocol versions can no longer be checked with the system's OpenSSL. The workaround is to temporarily lower the minimum protocol version to TLS 1.1 (or 1.0) in the OpenSSL config file, and to ask the server administrator to fix the issue by enabling TLS 1.2 and 1.3. Revert the change once the check is done.

/etc/ssl/openssl.cnf:

```
[system_default_sect]
MinProtocol = TLSv1.1
```

[1] Certificate Authority
[2] Public Key Infrastructure

Last modified: 2023-12-11 13:00