SSL_
Verify whether a server is sending a verifiable CA chain
Sometimes odd hangs or trust problems are reported on systems that use an incomplete or out-of-date certificate repository. A server that sends an incomplete chain produces the error "verify error:num=20:unable to get local issuer certificate" (see the second output below). The only fix is to provide the full certification chain server-side. To verify that a server is correctly sending all the certificates of its chain you may issue the following command:
$ openssl s_client
e.g. complete chain (the verify error "self signed certificate in certificate chain" may be ignored, since it refers to the root CA AddTrust External CA Root):
$ openssl s_client -CAfile /etc/ssl/certs/DigiCert_Assured_ID_Root_CA.pem -connect gino.units.it:443 | head -15
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=gino.units.it
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFOTCCBCGgAwIBAgIQL5gV6MAGC9mwMq39qSluSDANBgkqhkiG9w0BAQsFADBk
e.g. incomplete chain (mail.dimpo.units.it sends only its own certificate and TERENA SSL CA 2; the USERTrust intermediate that issued TERENA SSL CA 2 is not sent, so verification stops at depth 1):
depth=1 C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL CA 2
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=mail.dimpo.units.it
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
---
The result of a complete chain verification should be:
Verify return code: 0 (ok)
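As an added illustration (not part of this how-to), the following Python script applies the same completeness check offline to the "Certificate chain" listings shown above, embedded as constructed sample input: each certificate's issuer must be either the next certificate the server sent or a trusted root. TRUSTED_ROOTS is an assumed stand-in for the CA bundle you would pass with -CAfile, and name matching stands in for the signature checks openssl performs on the real certificates.

```python
import re

# Sample input constructed from the chain listings shown above, in the
# format of the "Certificate chain" section that openssl s_client prints.
COMPLETE_CHAIN = """\
Certificate chain
 0 s:/OU=Domain Control Validated/CN=gino.units.it
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
"""
INCOMPLETE_CHAIN = """\
Certificate chain
 0 s:/OU=Domain Control Validated/CN=mail.dimpo.units.it
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
---
"""
# Assumed local trust store (stands in for the bundle given with -CAfile).
TRUSTED_ROOTS = {"/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root"}

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    pairs = re.findall(r"^\s*\d+ s:(.+)\n\s*i:(.+)$", text, re.MULTILINE)
    return [(s.strip(), i.strip()) for s, i in pairs]

def check_chain(text, trusted=TRUSTED_ROOTS):
    """Walk the chain the way openssl's verifier does; return 'ok' or the first
    problem found (name matching replaces the real signature checks)."""
    chain = parse_chain(text)
    if not chain:
        return "no certificate chain found"
    for depth, (subject, issuer) in enumerate(chain):
        if subject == issuer:  # self-signed: we reached a root
            return "ok" if subject in trusted else "self signed certificate in certificate chain"
        if issuer in trusted:  # issuer is a trusted root: chain is complete
            return "ok"
        # otherwise the next certificate sent must be the issuer of this one
        if depth + 1 >= len(chain) or chain[depth + 1][0] != issuer:
            return f"depth={depth}: unable to get local issuer certificate ({issuer})"
    return "ok"
```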
Redirect all http to https in Apache
Inside the VirtualHost section of your port 80 webserver, put these lines:
RewriteEngine on
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,L]
Then enable the module and restart Apache:
a2enmod rewrite
service apache2 restart
all done. Note that R without a status code sends a 302 (temporary) redirect; use [R=301,L] if you want clients to treat the redirect as permanent.
How to view and download and verify server SSL/TLS certificate and connection
$ openssl s_client -connect host:port
Famous "over SSL" protocols table
To verify the connection parameters you need at least to specify a CA certificate, and at most also a client private key and public certificate:
$ openssl s_client -CAfile /etc/ssl/certs/AddTrust_External_Root.pem -connect host:443
$ openssl s_client -CAfile /etc/ssl/certs/AddTrust_External_Root.pem -cert /my/cert.pub -key /my/key.priv -connect host:443
A successful connection ends with:
Verify return code: 0 (ok)
Compute the fingerprint of an ssh public key
$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
2048 d4:55:b1:gf:f4:94:22:e4:2c:5d:dd:90:43:cd:32:11 /etc/ssh/ssh_host_rsa_key.pub
On OpenSSH 6.8 and later, ssh-keygen -l prints a SHA256 fingerprint by default; add -E md5 to get the colon-separated MD5 form shown above.
Verify that the public key, the certificate signing request and the private key match
You actually need to verify that the keys have the same modulus. For ease of comparison, we compute its MD5 hash:
$ openssl x509 -noout -modulus -in server.pem | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5
$ openssl req -noout -modulus -in server.csr | openssl md5