SSL certificates
Get free SSL certs
-
- Root certificates: https://www.cacert.org/index.php?id=3
Process
use easy-rsa if you want to self-sign certificates with your own CA1 infrastructure. This is then called a PKI2.
- generate key:
openssl genrsa -out private.key 4096 - generate CSR:
openssl req -new -sha256 -key private.key -out request.csr - upload CSR to CA
- configure server to use certificate
generate CSR with SAN
a Subject Alternate Name tells you for which domain names or IPs this certificate should be valid.
openssl req -new -nodes -subj "/C=DE/ST=Testcity/L=Exampleland/O=Contoso Ltd/OU=IT/CN=main.address.example.com" -addext "subjectAltName = DNS:main.address.example.com" -newkey rsa:4096 -keyout key.pem -out req.pem
see also:
Software
Metronome
Folder for certificates: /var/lib/metronome/ (probably manually created: /etc/metronome/certs/)
Tests
Check a certificate
Check a certificate and return information about it (signing authority, expiration date, etc.):
openssl x509 -in server.crt -text -noout
Check certificate of remote server
echo | openssl s_client -servername mail.example.com -connect mail.example.com:993 2>/dev/null | openssl x509 -noout -issuer -subject -dates
Check a key
Check the SSL key and verify the consistency:
openssl rsa -in server.key -check
Check a CSR
Verify the CSR and print CSR data filled in when generating the CSR:
openssl req -text -noout -verify -in server.csr
Verify a certificate and key matches
These two commands print out md5 checksums of the certificate and key; the checksums can be compared to verify that the certificate and key match.
openssl x509 -noout -modulus -in server.crt| openssl md5 openssl rsa -noout -modulus -in server.key| openssl md5
Conversion
DER encoded files look like garbage when opened in a text editor. They also usually have the file extension .cer while base64 encoded certificates often have the extension .crt. You can convert .cer to .crt and vice versa.
Windows certificate authorities often like DER certificate files more, while Linux usually uses base64 encoded .crt files.
DER to base64
openssl x509 -inform der -in infile.cer -out outfile.crt
or with certutil:
certutil -encode filename.cer newfilename.cer
base64 to DER
openssl x509 -outform der -in infile.crt -out outfile.cer
tools
- TestSSL.sh – command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols and cryptographic flaws.
online tools
- Mozilla SSL Config generator – builds configuration files to help you follow the Mozilla Server Side TLS configuration guidelines.
SSL/TLS checkers
Troubleshooting
TLS 1.0 or 1.1 can't be verified
Debian 10 and other distributions begin phasing out TLS 1.0 and TLS 1.1 because of security concerns. That means that servers using older ciphers can't be verified.
The solution is to temporarily add support for TLS 1.1 (or 1.0) in the OpenSSL config file and to notify the server administrator to fix the issue by supporting TLS 1.2 and 1.3.
- /etc/ssl/openssl.cnf
[system_default_sect] MinProtocol = TLSv1.1