Verifying the validity of an SSL certificate

By OK -


Issue

I would like to confirm my SSL certificate includes the correct information and validate it is in the right order.

Resolution

SSL (Secure Socket Layer) is a critical component of sites that need to handle sensitive or personal information. You can use SSL with Acquia Cloud by adding HTTPS/SSL support to your site.
Before you set up your certificates, it's a good idea to test them to ensure that they are correct and will work together. Here's how you can test the validity of an SSL certificate - also see below for additional checks, especially if your key or certificate is in a different format than .key or .crt:
  1. Open a command prompt window and cd to the location of your existing certificate, and then verify the certificate chain by using the following command:
    openssl verify -CAfile certificate-chain.crt certificate.crt
    If the response is OK, the check is valid.
  2. Verify that the public keys contained in the private key file and the certificate are the same:
    openssl x509 -in certificate.crt -noout -pubkey
openssl rsa -in certificate.key -pubout
    The output of these two commands should be exactly the same.
  3. Verify that the private key and public key are a key pair that match:
    openssl rsa -noout -modulus -in certificate.key | openssl md5
openssl x509 -noout -modulus -in certificate.crt | openssl md5
    The output of these two commands must be exactly the same.
  4. Check the dates that the certificate is valid:
    openssl x509 -noout -in certificate.crt -dates
    Ensure that the current date is between the certificate's start and end dates.
  5. Check the order of your certificates.
    The most common reason for a certificate deployment to fail is that the intermediate/chain certificates are not in the correct order. One method of checking the order via the command is:
    openssl crl2pkcs7 -nocrl -certfile $BUNDLED_CERT | openssl pkcs7 -print_certs -noout
    Your output should look similar to this:
    openssl crl2pkcs7 -nocrl -certfile $BUNDLED_CERT | openssl pkcs7 -print_certs -noout
subject=/C=US/ST=Massachusetts/L=Boston/O=Acquia Inc/OU=Acquia Hosting/CN=acquia-sites.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
 
subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
 
subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
    These need to conclude with the root certificate or cert most proximate to the root.

Other checks and format conversions

You may have a key or a certificate in a different format than the standard. You can read What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats? for more information on different key formats. Here are some checks you can use:
  • Check to see if your Test Key is in PEM format:
    openssl rsa -inform PEM -in /tmp/certificate.key
  • Check to see if your Test Certificate is in PEM format:
    openssl x509 -inform PEM -in /tmp/certificate.crt
  • View the entire contents of the certificate:
    openssl x509 -in certificate.crt -noout -text
  • Check to see if your Test Certificate is in DER format:
    openssl x509 -in certificate.crt -inform DER -text -noout
  • Convert a certificate in crt format to PEM:
    openssl x509 -in certificate.crt -out certificate.pem -outform PEM
  • Convert a DER format to PEM:
    openssl x509 -in certificate.der -inform DER -out certificate.pem -outform PEM

Comments

Post a Comment

Popular posts from this blog

HAproxy logging

By OK -
ubuntu@ubuntu:/etc/haproxy$ cat /etc/rsyslog.d/haproxy.conf # Create an additional socket in haproxy's chroot in order to allow logging via # /dev/log to chroot'ed HAProxy processes $ModLoad imudp $UDPServerRun 514 local0.* -/var/log/haproxy-0.log local1.* -/var/log/haproxy-1.log ### keep logs in localhost ## $AddUnixListenSocket /var/lib/haproxy/dev/log ------------------- ubuntu@ubuntu:/etc/haproxy$ cat /etc/haproxy/haproxy.cfg global chroot /var/lib/haproxy user haproxy group haproxy log 127.0.0.1   local0         log 127.0.0.1   local1 notice daemon frontend www     bind 192.168.40.128:8282    # haproxy public IP     default_backend as-backend    # backend used backend as-backend    balance leastconn    mode http  server as1 192.168.40.128:8082 check    # application srv 1 defaults log ...
Read more

15 managing disk - understanding /etc/fstab xfs_admin mount -o rw,remount /

By OK -
the classical way to mount filelsystems automatically is to use fstab there is another method which is based on systemd [root@svn ~]# cat /etc/fstab # # /etc/fstab # Created by anaconda on Wed Apr 26 17:25:59 2017 # # Accessible filesystems, by reference, are maintained under '/dev/disk' # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info # /dev/mapper/cl-root     /                       xfs     defaults        0 0 UUID=6e3708b2-09ea-43f3-b0f0-9b43a157b3b1 /boot                   xfs     defaults        0 0 /dev/mapper/cl-swap     swap                    swap    defaults        0 0 [root@svn ~]#  #description /boot - where you want to mount filesystem xfs - filesystem defaults ...
Read more

teamcity Automatic Agent Start under Linux

By OK -
Automatic Agent Start under Linux To run agent automatically on the machine boot under Linux, configure daemon process with the  agent.sh start  command to start it and  agent.sh stop  command to stop it. Refer to an example procedure below: 1. Navigate to the services start/stop services scripts directory: cd /etc/init.d/ 2. Open the build agent service script: sudo vim buildAgent 3. Paste the following into the file : #!/bin/sh ### BEGIN INIT INFO # Provides: TeamCity Build Agent # Required-Start: $remote_fs $syslog # Required-Stop: $remote_fs $syslog # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Start build agent daemon at boot time # Description: Enable service provided by daemon. ### END INIT INFO #Provide the correct user name: USER="agentuser" case "$1" in start) su - $USER -c "cd BuildAgent/bin ; ./agent.sh start" ;; stop) su - $USER -c "cd BuildAgent/bin ; ./agent....
Read more