This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
ssl [2010/10/31 03:20] k2patel |
ssl [2011/12/23 17:04] k2patel |
||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== SSL / Openssl great way to secure it ====== | ||
+ | |||
==== SSL Issue and Resolution ==== | ==== SSL Issue and Resolution ==== | ||
Line 11: | Line 13: | ||
**To check if certificate and key is matching "Match the MODULUS" in out of following command** | **To check if certificate and key is matching "Match the MODULUS" in out of following command** | ||
<code bash> | <code bash> | ||
- | openssl rsa -modulus -in <*.key> | + | openssl rsa -noout -modulus -in <*.key> |
- | openssl x509 -modulus -in <*.crt> | + | openssl x509 -noout -modulus -in <*.crt> |
</code> | </code> | ||
Line 42: | Line 44: | ||
SSLCipherSuite SSLv3:+HIGH:+MEDIUM:!SSLv2:!ADH:!LOW:!EXP:!aNULL:!eNULL:@STRENGTH | SSLCipherSuite SSLv3:+HIGH:+MEDIUM:!SSLv2:!ADH:!LOW:!EXP:!aNULL:!eNULL:@STRENGTH | ||
</code> | </code> | ||
+ | |||
+ | **Print all available high ciphers.** | ||
+ | |||
+ | <code bash> | ||
+ | openssl ciphers HIGH | ||
+ | </code> | ||
+ | |||
[[https://www.ssllabs.com/ssldb/index.html | Test SSL Server]] | [[https://www.ssllabs.com/ssldb/index.html | Test SSL Server]] | ||
== Thawte CA Bundle == | == Thawte CA Bundle == | ||
- | [[https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL123_CA_Bundle.pem | SSL123 CA Bundle (1024)]] | + | <code txt> |
- | [[https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=SO13881 | SSL123 CA Bundle (2048)]] | + | Root: thawte Primary Root CA |
+ | -----BEGIN CERTIFICATE----- | ||
+ | MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCB | ||
+ | qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf | ||
+ | Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw | ||
+ | MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV | ||
+ | BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYxMTE3MDAwMDAwWhcNMzYw | ||
+ | NzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5j | ||
+ | LjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYG | ||
+ | A1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl | ||
+ | IG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqG | ||
+ | SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsoPD7gFnUnMekz52hWXMJEEUMDSxuaPFs | ||
+ | W0hoSVk3/AszGcJ3f8wQLZU0HObrTQmnHNK4yZc2AreJ1CRfBsDMRJSUjQJib+ta | ||
+ | 3RGNKJpchJAQeg29dGYvajig4tVUROsdB58Hum/u6f1OCyn1PoSgAfGcq/gcfomk | ||
+ | 6KHYcWUNo1F77rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6 | ||
+ | Sk/KaAcdHJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/U30rCfSMnZEfl2pSy94J | ||
+ | NqR32HuHUETVPm4pafs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBA | ||
+ | MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR7W0XP | ||
+ | r87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAeRHAS7ORtvzw6WfU | ||
+ | DW5FvlXok9LOAz/t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeEuzLlQRHAd9mz | ||
+ | YJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQaEfZYGDm/Ac9IiAX | ||
+ | xPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqdE8hhuvU5HIe6uL17In/2 | ||
+ | /qxAeeWsEG89jxt5dovEN7MhGITlNgDrYyCZuen+MwS7QcjBAvlEYyCegc5C09Y/ | ||
+ | LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/P2C2F+fpErgUfCJzDupxBdN49cOSvkBPB7 | ||
+ | jVaMaA== | ||
+ | -----END CERTIFICATE----- | ||
+ | |||
+ | |||
+ | |||
+ | Intermediate: Thawte DV SSL CA | ||
+ | -----BEGIN CERTIFICATE----- | ||
+ | MIIEjzCCA3egAwIBAgIQdhASihe2grs6H50amjXAkjANBgkqhkiG9w0BAQUFADCB | ||
+ | qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf | ||
+ | Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw | ||
+ | MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV | ||
+ | BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMTAwMjE4MDAwMDAwWhcNMjAw | ||
+ | MjE3MjM1OTU5WjBeMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMu | ||
+ | MR0wGwYDVQQLExREb21haW4gVmFsaWRhdGVkIFNTTDEZMBcGA1UEAxMQVGhhd3Rl | ||
+ | IERWIFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMuYyTY/ | ||
+ | 0pzYFgfUSWP5g7DoAi3MXFp0l6YT7xMT3gV8p+bKACPaOfnvE89Sxa+a48q+84LZ | ||
+ | iz2q4cyuiFBmoy3sYRR1SasOJPGsRFsLKKIzIHYeBmBqZwVxi7pmYhZ6s20Nx9CU | ||
+ | QMaMPR6SDGI0DUSJ1feJ/intGI/2mysI92qr2EiXWvSf7Qx1UiL31V6EAJ/ASg0x | ||
+ | d0xk0BLmDzrwocDVXB3nXy3C99Y2GNmVbkROyVgUTbaOu83eYh76W7W9GCuYrKyT | ||
+ | P1Ba9RQLos+2855PWs1awzYj2hqvsE3WSiIDj0MCGb3qrN3EejUyFPFyLghVQAz0 | ||
+ | B0FBrzg3hClCslUCAwEAAaOB/DCB+TAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUH | ||
+ | MAGGFmh0dHA6Ly9vY3NwLnRoYXd0ZS5jb20wEgYDVR0TAQH/BAgwBgEB/wIBADA0 | ||
+ | BgNVHR8ELTArMCmgJ6AlhiNodHRwOi8vY3JsLnRoYXd0ZS5jb20vVGhhd3RlUENB | ||
+ | LmNybDAOBgNVHQ8BAf8EBAMCAQYwKQYDVR0RBCIwIKQeMBwxGjAYBgNVBAMTEVZl | ||
+ | cmlTaWduTVBLSS0yLTExMB0GA1UdDgQWBBSrRORd7IPH2cCFn/fhxpeQsIw/mDAf | ||
+ | BgNVHSMEGDAWgBR7W0XPr87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOC | ||
+ | AQEABLr7rLv8S1QRoy2Iszy9AG2KGraNxMGD+MdTKsEybjqBoVR92ho/OkVPNudC | ||
+ | sApChZegrPvlh6eDT+ixt5tYZW4mgAuSTUdVuWEWUWXpK/Fo2Vi4A4HRt2Yc07zF | ||
+ | pntfPsU4RnbndbSgDEvOosKpwcw2c3v7uSQkoF6n9vq7DChDnh3wTvA/2CSwIdxt | ||
+ | Le6/Wjv6iJx0bK8h3ZLswxXvlHUmRtamP79mSKod790n5rdRiTh9E4QMQPzQtfHg | ||
+ | 2/lPL0ActI5HImG4TJbe8F8Rfk8R2exQRyIOxR3iZEnnaGNFOorZcfRe8W63FE0+ | ||
+ | bxQe3FL+vN8MvSk/dvsRX2hoFQ== | ||
+ | -----END CERTIFICATE----- | ||
+ | </code> | ||
+ | |||
+ | == Thawte == | ||
+ | |||
+ | [[https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL123_CA_Bundle.pem | SSL123 CA Bundle (1024)]]\\ | ||
+ | [[https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=SO13881 | SSL123 CA Bundle (2048)]]\\ | ||
+ | [[https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO1498 | Instruction for other Certificates ]] | ||
+ | |||
+ | == GoDaddy == | ||
+ | [[ https://certs.godaddy.com/anonymous/repository.seam | Server Certificates ]] | ||
+ | |||
+ | == Verisign == | ||
+ | [[ https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR1409&TID=retailssl | CA Bundle ]] | ||
+ | ==== Self Signed SSL ==== | ||
+ | |||
+ | == Generating Private Key == | ||
+ | <code bash> | ||
+ | openssl genrsa -des3 -out www.k2patel.com.key 2048 | ||
+ | </code> | ||
+ | |||
+ | == Generate CSR == | ||
+ | |||
+ | <code bash> | ||
+ | openssl req -new -key www.k2patel.com.key -out www.k2patel.com.csr | ||
+ | </code> | ||
+ | |||
+ | == Removing password == | ||
+ | This is optional only require if you provide password during CSR Generation. | ||
+ | |||
+ | <code bash> | ||
+ | mv www.k2patel.com.key www.k2patel.com.key.pass | ||
+ | openssl rsa -in www.k2patel.com.key.pass -out www.k2patel.com.csr | ||
+ | </code> | ||
+ | |||
+ | == Signing Certificate == | ||
+ | |||
+ | <code bash> | ||
+ | openssl x509 -req -days 365 -in www.k2patel.com.csr -signkey www.k2patel.com.key -out www.k2patel.com.crt | ||
+ | </code> | ||
+ | |||
+ | |||
+ | ==== Wilcard Certificate ==== | ||
+ | Wildcard Certificate is nothing diff. in mechanism except how much you pay.\\ | ||
+ | Please read following information before you dive in. | ||
+ | * While creating wildcard certificate you need to use "*" as Common Name: | ||
+ | * e.g. *.k2patel.in | ||
+ | * You can place wildcard certificate on any server simply you always need KEY / CRT combination moved / copied. | ||
+ | * so you can have multiple server with multiple sub-domain without issue. | ||
+ | * You do not need any special way to install / use it simply use as described above. |