Verifying the validity of an SSL certificate



Issue

I would like to confirm my SSL certificate includes the correct information and validate it is in the right order.

Resolution

SSL (Secure Sockets Layer) is a critical component of sites that need to handle sensitive or personal information. You can use SSL with Acquia Cloud by adding HTTPS/SSL support to your site.
Before you set up your certificates, it's a good idea to test them to ensure that they are correct and will work together. Here's how you can test the validity of an SSL certificate; also see below for additional checks, especially if your key or certificate is in a format other than the usual .key or .crt PEM files:
  1. Open a command prompt window and cd to the location of your existing certificate, and then verify the certificate chain by using the following command:
    openssl verify -CAfile certificate-chain.crt certificate.crt
    
    If the response is `certificate.crt: OK`, the chain verifies. Any other output (for example "unable to get local issuer certificate") names the certificate that could not be linked to the chain file.
  2. Verify that the public keys contained in the private key file and the certificate are the same:
    openssl x509 -in certificate.crt -noout -pubkey
    openssl rsa -in certificate.key -pubout
    The output of these two commands (a PEM "PUBLIC KEY" block each) should be exactly the same.
  3. Verify that the private key and the certificate form a matching key pair by comparing a digest of their RSA modulus:
    openssl rsa -noout -modulus -in certificate.key | openssl md5
    openssl x509 -noout -modulus -in certificate.crt | openssl md5
    
    The output of these two commands must be exactly the same.
  4. Check the dates that the certificate is valid:
    openssl x509 -noout -in certificate.crt -dates
    Ensure that the current date is between the certificate's start and end dates.
  5. Check the order of your certificates.
    The most common reason for a certificate deployment to fail is that the intermediate/chain certificates are not in the correct order. One way to check the order from the command line is:
    openssl crl2pkcs7 -nocrl -certfile $BUNDLED_CERT | openssl pkcs7 -print_certs -noout
    Your output should look similar to this:
    openssl crl2pkcs7 -nocrl -certfile $BUNDLED_CERT | openssl pkcs7 -print_certs -noout
    subject=/C=US/ST=Massachusetts/L=Boston/O=Acquia Inc/OU=Acquia Hosting/CN=acquia-sites.com
    issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
     
    subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
    issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
     
    subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
    issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
    The list must start with your server (leaf) certificate and end with the root certificate, or with the certificate closest to the root if the root is not included; as in the output above, each certificate's issuer must be the subject of the certificate that follows it.
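
The five checks above, wrapped in shell functions so they can be run as a script; this is an added example, not part of the original article. It assumes openssl is on PATH and that all files are PEM; the file names are hypothetical, and the key check uses `openssl pkey` so it also works for EC keys, which the RSA-only commands above do not cover.

```shell
#!/bin/sh
# Added example, not part of the original article: the checks above wrapped in
# functions that return 0 (pass) or 1 (fail). Assumes openssl is on PATH and all
# files are PEM; the file names used are hypothetical.

# Step 1 (also covers step 4): verify the leaf against the chain file. openssl
# verify rejects certificates outside their validity period.
verify_chain() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Steps 2/3: the private key belongs to the certificate when both yield the
# same public key. `openssl pkey` generalises the page's `rsa` command to EC keys.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ "$key_pub" = "$crt_pub" ]
}

# Step 4 on its own: fails if notAfter is already in the past.
cert_not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }

# Step 5: split the bundle into its certificates (leaf first) and check that
# each certificate's issuer equals the subject of the one following it.
chain_in_order() {
  d=$(mktemp -d)
  n=$(awk -v d="$d" '/-----BEGIN CERTIFICATE-----/ { n++ }
                      n > 0 { print > (d "/" n ".pem") }
                      END { print n + 0 }' "$1")
  [ "$n" -ge 1 ] || { rm -rf "$d"; return 1; }
  i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(openssl x509 -in "$d/$i.pem" -noout -issuer)
    sub=$(openssl x509 -in "$d/$((i + 1)).pem" -noout -subject)
    if [ "${iss#issuer=}" != "${sub#subject=}" ]; then
      echo "chain break after certificate $i: issuer '${iss#issuer=}'" \
           "does not match next subject '${sub#subject=}'"
      rm -rf "$d"; return 1
    fi
    i=$((i + 1))
  done
  rm -rf "$d"
}

# Usage: sh check-cert.sh certificate.key certificate.crt certificate-chain.crt
if [ "$#" -eq 3 ]; then
  key_matches_cert "$1" "$2" && echo "key/cert: match"   || echo "key/cert: MISMATCH"
  cert_not_expired "$2"      && echo "dates: ok"         || echo "dates: EXPIRED"
  chain_in_order "$3"        && echo "chain order: ok"   || echo "chain order: WRONG"
  verify_chain "$2" "$3"     && echo "verify: OK"        || echo "verify: FAILED"
fi
```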

Other checks and format conversions

You may have a key or a certificate in a format other than the standard PEM encoding. You can read What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats? for more information on different key formats. Here are some checks you can use:
  • Check whether your key is in PEM format (the command errors out if it is not):
    openssl rsa -inform PEM -in /tmp/certificate.key
  • Check whether your certificate is in PEM format:
    openssl x509 -inform PEM -in /tmp/certificate.crt
  • View the entire contents of the certificate:
    openssl x509 -in certificate.crt -noout -text
  • Check whether your certificate is in DER (binary) format:
    openssl x509 -in certificate.crt -inform DER -text -noout
  • Re-emit a .crt certificate as PEM (.crt is only a file extension; the file is often PEM already):
    openssl x509 -in certificate.crt -out certificate.pem -outform PEM
  • Convert a DER format to PEM:
    openssl x509 -in certificate.der -inform DER -out certificate.pem -outform PEM
