This shows you the differences between two versions of the page.

ssl [2010/12/14 15:58] k2patel
ssl [2020/08/10 02:35]
==== SSL Issue and Resolution ====

**Generate 2048 Bit CSR for godaddy.**
<code bash>
openssl req -nodes -newkey rsa:2048 -keyout www.xyz.com.key -out www.xyz.com.csr
</code>

The above command will not ask you for a passphrase. A passphrase-protected key is not advisable for Apache, because someone must be present to type it at every startup.\\
If you do want a passphrase on the key, simply remove "-nodes" from the command.\\

**To check that a certificate and key match, compare the MODULUS in the output of the following commands**
<code bash>
openssl rsa -modulus -in <*.key>
openssl x509 -modulus -in <*.crt>
</code>

**Read a CSR using the following command**
<code bash>
openssl req -text -in <*.csr>
</code>

**Find the issue and expiry dates of a certificate**
<code bash>
openssl x509 -noout -in <*.crt> -dates
</code>

**How to enable strong SSL in apache.**
This also helps to pass PCI Compliance. Note that these settings date from 2010; SSLv3 and RC4 have since been deprecated and should not be enabled on a current server.
<code http httpd.conf>
SSLEngine On

SSLCertificateFile /srv/www/conf/<*.crt>
SSLCertificateKeyFile /srv/www/conf/<*.key>
SSLCertificateChainFile /srv/www/conf/gd_intermediate_bundle.crt
SSLCACertificateFile /srv/www/conf/*.ca-bundle

SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite SSLv3:+HIGH:+MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH
--OR--
SSLCipherSuite +HIGH:+MEDIUM:!SSLv2:RC4+RSA:!ADH:!LOW:!EXP:!aNULL:!cNULL:@STRENGTH
--OR--
SSLCipherSuite SSLv3:+HIGH:+MEDIUM:!SSLv2:!ADH:!LOW:!EXP:!aNULL:!eNULL:@STRENGTH
</code>
[[https://www.ssllabs.com/ssldb/index.html | Test SSL Server]]

== Thawte CA Bundle ==

[[https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL123_CA_Bundle.pem | SSL123 CA Bundle (1024)]]\\
[[https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=SO13881 | SSL123 CA Bundle (2048)]]\\
[[https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO1498 | Instructions for other Certificates]]

==== Self Signed SSL ====

== Generating Private Key ==
<code bash>
openssl genrsa -des3 -out www.k2patel.com.key 2048
</code>

== Generate CSR ==

<code bash>
openssl req -new -key www.k2patel.com.key -out www.k2patel.com.csr
</code>

== Removing password ==
This step is optional and only required if you set a passphrase when generating the private key.

<code bash>
mv www.k2patel.com.key www.k2patel.com.key.pass
# Write the unencrypted key back to the .key file (not to the .csr)
openssl rsa -in www.k2patel.com.key.pass -out www.k2patel.com.key
</code>

- | |||
- | == Signing Certificate == | ||
- | |||
- | <code bash> | ||
- | openssl x509 -req -days 365 -in www.k2patel.com.csr -signkey www.k2patel.com.csr -out www.k2patel.com.crt | ||
- | </code> | ||
- | |||
- | |||
- | |||
- | |||
- | |||
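As an added example (not code from the original page): a POSIX shell script that walks the self-signed procedure above (encrypted key, CSR, passphrase removal, self-signing) and then applies the modulus check and date query from the first section. The temporary file names and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original wiki page. Generates a passphrase-
# protected key, strips the passphrase, self-signs the CSR, then verifies the
# key and certificate share one modulus and prints the validity dates.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS="demo-passphrase"   # constructed for the demo; not a real secret

# Step 1: private key encrypted with DES3 (as on the page) -> *.key.pass
gen_key() {
  openssl genrsa -des3 -passout pass:"$PASS" -out "$WORK/test.key.pass" 2048 2>/dev/null
}

# Step 2: CSR from the encrypted key; -subj avoids the interactive prompts
gen_csr() {
  openssl req -new -key "$WORK/test.key.pass" -passin pass:"$PASS" \
    -subj "/CN=www.test.example" -out "$WORK/test.csr" 2>/dev/null
}

# Step 3: remove the passphrase; the output is a .key file, never the .csr
strip_pass() {
  openssl rsa -in "$WORK/test.key.pass" -passin pass:"$PASS" -out "$WORK/test.key" 2>/dev/null
}

# Step 4: self-sign; -signkey must name the private key, not the CSR
self_sign() {
  openssl x509 -req -days 365 -in "$WORK/test.csr" -signkey "$WORK/test.key" \
    -out "$WORK/test.crt" 2>/dev/null
}

# "Match the MODULUS": hash both moduli and compare; returns 0 only on a match
modulus_match() {
  k=$(openssl rsa -noout -modulus -in "$1" | openssl md5)
  c=$(openssl x509 -noout -modulus -in "$2" | openssl md5)
  [ "$k" = "$c" ]
}

# Issue and expiry dates of a certificate (notBefore / notAfter lines)
cert_dates() {
  openssl x509 -noout -in "$1" -dates
}

run_demo() {
  gen_key && gen_csr && strip_pass && self_sign
  modulus_match "$WORK/test.key" "$WORK/test.crt"
  cert_dates "$WORK/test.crt"
}

run_demo
```

The modulus check is the same one the page describes; a key from a different CSR makes it return non-zero, which is how a wrong SSLCertificateKeyFile is caught before Apache refuses to start.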