This shows you the differences between two versions of the page.
ssl [2018/08/30 14:45] k2patel
ssl [2020/08/10 02:35]
====== SSL / OpenSSL: a great way to secure it ======
==== SSL Issues and Resolutions ====

**Generate 2048 Bit CSR for godaddy.**
<code bash>
openssl req -nodes -newkey rsa:4096 -sha512 -keyout www.xyz.com.key -out www.xyz.com.csr
</code>

The command above will not ask you for a passphrase, because of "-nodes". A passphrase-protected key is not advisable for Apache, since someone has to be present to type the passphrase at every startup.\\
If you do want a passphrase, simply remove "-nodes" from the command.\\

**To check that a certificate and key belong together, compare the MODULUS in the output of the following two commands; the two values must be identical.**
<code bash>
openssl rsa -noout -modulus -in <*.key>
openssl x509 -noout -modulus -in <*.crt>
</code>

**Read a CSR with the following command**
<code bash>
openssl req -text -in <*.csr>
</code>

**Find the issue and expiry dates of a certificate**
<code bash>
openssl x509 -noout -in <*.crt> -dates
</code>

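The three checks above, scripted so that the modulus comparison and the expiry check no longer depend on reading long hex strings or dates by eye. This is an added example and not part of the original wiki page: the key, certificate, CSR and the unrelated second key it works on are generated on the fly as constructed test data for the hostname www.example.test, and the function names (key_matches_cert, cert_valid_for_days, csr_subject, cert_dates) are chosen here.

```shell
#!/bin/sh
# Added example, not from the original page: scripted certificate sanity checks.
# All inputs are constructed on the fly in a temp dir; no real key is touched.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed material: one key/cert pair (self-signed, valid 30 days), a CSR
# made from the same key, and a second key that belongs to nothing.
make_sample_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=www.example.test" \
        -keyout "$WORK/www.example.test.key" \
        -out "$WORK/www.example.test.crt" 2>/dev/null
    openssl req -new -key "$WORK/www.example.test.key" \
        -subj "/CN=www.example.test" -out "$WORK/www.example.test.csr" 2>/dev/null
    openssl genrsa -out "$WORK/unrelated.key" 2048 2>/dev/null
}

# Hash the "Modulus=..." line from each side and compare the digests: a
# 512-hex-digit modulus is easy to mis-read, two short digests are not.
# Returns 0 when key $1 and certificate $2 belong together.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$key_mod" ] && [ -n "$crt_mod" ] &&
        [ "$(printf '%s' "$key_mod" | openssl dgst -sha256)" = \
          "$(printf '%s' "$crt_mod" | openssl dgst -sha256)" ]
}

# Same as `openssl x509 -noout -dates`: prints the notBefore= and notAfter= lines.
cert_dates() {
    openssl x509 -noout -in "$1" -dates
}

# Returns 0 if certificate $1 is still valid $2 days from now, 1 if it will
# have expired by then (or already has). -checkend does the date arithmetic,
# so nothing has to parse the notAfter string.
cert_valid_for_days() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null
}

# The subject a CSR asks for; worth reading before the CSR goes to the CA.
csr_subject() {
    openssl req -noout -subject -in "$1"
}

make_sample_material
cert_dates "$WORK/www.example.test.crt"
csr_subject "$WORK/www.example.test.csr"
key_matches_cert "$WORK/www.example.test.key" "$WORK/www.example.test.crt" && echo "key and cert match"
key_matches_cert "$WORK/unrelated.key" "$WORK/www.example.test.crt" || echo "unrelated key does not match"
cert_valid_for_days "$WORK/www.example.test.crt" 7 && echo "valid for at least 7 more days"
cert_valid_for_days "$WORK/www.example.test.crt" 60 || echo "will not last another 60 days"
```

Run the script as-is to see the checks against the constructed material; to use the functions on real files, call them with the paths of your own key, certificate and CSR. The `-checkend` form is what a monitoring cron job wants: feed it the renewal window in days and alert on a non-zero exit.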
**How to enable strong SSL in Apache.**
This also helps to pass PCI compliance.
<code http | httpd.conf>
SSLEngine On

SSLCertificateFile /srv/www/conf/<*.crt>
SSLCertificateKeyFile /srv/www/conf/<*.key>
SSLCertificateChainFile /srv/www/conf/gd_intermediate_bundle.crt
SSLCACertificateFile /srv/www/conf/*.ca-bundle

SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite SSLv3:+HIGH:+MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH
--OR--
SSLCipherSuite +HIGH:+MEDIUM:!SSLv2:RC4+RSA:!ADH:!LOW:!EXP:!aNULL:!eNULL:@STRENGTH
--OR--
SSLCipherSuite SSLv3:+HIGH:+MEDIUM:!SSLv2:!ADH:!LOW:!EXP:!aNULL:!eNULL:@STRENGTH
</code>

**Print all ciphers in the HIGH set.**

<code bash>
openssl ciphers HIGH
</code>

[[https://www.ssllabs.com/ssldb/index.html | Test SSL Server]]

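The same `openssl ciphers` command can audit a whole SSLCipherSuite string rather than only list HIGH. The following is an added example, not from the original page: it expands a cipher string with `openssl ciphers -v` and flags the suites that current guidance rejects (RSA key exchange without forward secrecy, RC4, 3DES, MD5 MACs, NULL encryption). The two sample strings and the function names are choices made here; the PERMISSIVE string is in the style of the +HIGH:+MEDIUM lines above, and the STRICT one is the kind of value current Apache hardening guides pair with `SSLProtocol -all +TLSv1.2 +TLSv1.3`, since SSLv3 and TLS 1.0 are no longer accepted by PCI DSS or by modern browsers.

```shell
#!/bin/sh
# Added example, not from the original page: audit an Apache-style cipher
# string by expanding it with `openssl ciphers -v` and flagging weak suites.

# Print every suite the string enables, one per line, in preference order.
# Output columns: name, protocol, Kx=, Au=, Enc=, Mac=.
expand_ciphers() {
    openssl ciphers -v "$1" 2>/dev/null
}

# Print the suites that fail current guidance: RSA key exchange (no forward
# secrecy), RC4, 3DES, MD5 MACs, or no encryption at all. Always exits 0 so
# it is safe inside command substitution under `set -e`.
weak_ciphers() {
    expand_ciphers "$1" | grep -E 'Kx=RSA[[:space:]]|Enc=RC4|Enc=3DES|Mac=MD5|Enc=None' || true
}

# Number of weak suites the string enables (0 when it is clean).
count_weak() {
    weak_ciphers "$1" | grep -c . || true
}

# Returns 0 when the string enables at least one suite and none of them is weak.
cipher_string_is_strong() {
    [ "$(expand_ciphers "$1" | grep -c .)" -gt 0 ] && [ "$(count_weak "$1")" -eq 0 ]
}

# Constructed sample strings: a permissive one in the style of the wiki's
# +HIGH:+MEDIUM lines, and a strict forward-secrecy-only one.
PERMISSIVE='HIGH:MEDIUM:!aNULL:!eNULL:@STRENGTH'
STRICT='ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5'

echo "weak suites enabled by PERMISSIVE: $(count_weak "$PERMISSIVE")"
weak_ciphers "$PERMISSIVE"
echo "weak suites enabled by STRICT: $(count_weak "$STRICT")"
cipher_string_is_strong "$STRICT" && echo "STRICT passes the audit"
```

Paste the value of your own SSLCipherSuite directive in place of PERMISSIVE to see exactly which suites it enables on the OpenSSL build Apache links against; the list differs between OpenSSL versions, which is why auditing on the actual server matters more than reading the string.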
== Thawte CA Bundle ==

<code txt>
Root: thawte Primary Root CA
-----BEGIN CERTIFICATE-----
MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYxMTE3MDAwMDAwWhcNMzYw
NzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5j
LjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYG
A1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl
IG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsoPD7gFnUnMekz52hWXMJEEUMDSxuaPFs
W0hoSVk3/AszGcJ3f8wQLZU0HObrTQmnHNK4yZc2AreJ1CRfBsDMRJSUjQJib+ta
3RGNKJpchJAQeg29dGYvajig4tVUROsdB58Hum/u6f1OCyn1PoSgAfGcq/gcfomk
6KHYcWUNo1F77rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6
Sk/KaAcdHJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/U30rCfSMnZEfl2pSy94J
NqR32HuHUETVPm4pafs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBA
MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR7W0XP
r87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAeRHAS7ORtvzw6WfU
DW5FvlXok9LOAz/t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeEuzLlQRHAd9mz
YJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQaEfZYGDm/Ac9IiAX
xPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqdE8hhuvU5HIe6uL17In/2
/qxAeeWsEG89jxt5dovEN7MhGITlNgDrYyCZuen+MwS7QcjBAvlEYyCegc5C09Y/
LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/P2C2F+fpErgUfCJzDupxBdN49cOSvkBPB7
jVaMaA==
-----END CERTIFICATE-----

Intermediate: Thawte DV SSL CA
-----BEGIN CERTIFICATE-----
MIIEjzCCA3egAwIBAgIQdhASihe2grs6H50amjXAkjANBgkqhkiG9w0BAQUFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMTAwMjE4MDAwMDAwWhcNMjAw
MjE3MjM1OTU5WjBeMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMu
MR0wGwYDVQQLExREb21haW4gVmFsaWRhdGVkIFNTTDEZMBcGA1UEAxMQVGhhd3Rl
IERWIFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMuYyTY/
0pzYFgfUSWP5g7DoAi3MXFp0l6YT7xMT3gV8p+bKACPaOfnvE89Sxa+a48q+84LZ
iz2q4cyuiFBmoy3sYRR1SasOJPGsRFsLKKIzIHYeBmBqZwVxi7pmYhZ6s20Nx9CU
QMaMPR6SDGI0DUSJ1feJ/intGI/2mysI92qr2EiXWvSf7Qx1UiL31V6EAJ/ASg0x
d0xk0BLmDzrwocDVXB3nXy3C99Y2GNmVbkROyVgUTbaOu83eYh76W7W9GCuYrKyT
P1Ba9RQLos+2855PWs1awzYj2hqvsE3WSiIDj0MCGb3qrN3EejUyFPFyLghVQAz0
B0FBrzg3hClCslUCAwEAAaOB/DCB+TAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUH
MAGGFmh0dHA6Ly9vY3NwLnRoYXd0ZS5jb20wEgYDVR0TAQH/BAgwBgEB/wIBADA0
BgNVHR8ELTArMCmgJ6AlhiNodHRwOi8vY3JsLnRoYXd0ZS5jb20vVGhhd3RlUENB
LmNybDAOBgNVHQ8BAf8EBAMCAQYwKQYDVR0RBCIwIKQeMBwxGjAYBgNVBAMTEVZl
cmlTaWduTVBLSS0yLTExMB0GA1UdDgQWBBSrRORd7IPH2cCFn/fhxpeQsIw/mDAf
BgNVHSMEGDAWgBR7W0XPr87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOC
AQEABLr7rLv8S1QRoy2Iszy9AG2KGraNxMGD+MdTKsEybjqBoVR92ho/OkVPNudC
sApChZegrPvlh6eDT+ixt5tYZW4mgAuSTUdVuWEWUWXpK/Fo2Vi4A4HRt2Yc07zF
pntfPsU4RnbndbSgDEvOosKpwcw2c3v7uSQkoF6n9vq7DChDnh3wTvA/2CSwIdxt
Le6/Wjv6iJx0bK8h3ZLswxXvlHUmRtamP79mSKod790n5rdRiTh9E4QMQPzQtfHg
2/lPL0ActI5HImG4TJbe8F8Rfk8R2exQRyIOxR3iZEnnaGNFOorZcfRe8W63FE0+
bxQe3FL+vN8MvSk/dvsRX2hoFQ==
-----END CERTIFICATE-----
</code>

== Thawte ==

[[https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL123_CA_Bundle.pem | SSL123 CA Bundle (1024)]]\\
[[https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=SO13881 | SSL123 CA Bundle (2048)]]\\
[[https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO1498 | Instructions for other certificates]]

== GoDaddy ==
[[https://certs.godaddy.com/anonymous/repository.seam | Server Certificates]]

== Verisign ==
[[https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR1409&TID=retailssl | CA Bundle]]

==== Self Signed SSL ====

== Generating Private Key ==
<code bash>
openssl genrsa -des3 -out www.k2patel.com.key 2048
</code>

== Generate CSR ==

<code bash>
openssl req -new -key www.k2patel.com.key -out www.k2patel.com.csr
</code>

== Removing password ==
This step is optional; it is only needed if you set a passphrase on the key (the -des3 option above). The passphrase-free key is written back to the .key file, which the signing step below then uses.

<code bash>
mv www.k2patel.com.key www.k2patel.com.key.pass
openssl rsa -in www.k2patel.com.key.pass -out www.k2patel.com.key
</code>

== Signing Certificate ==

<code bash>
openssl x509 -req -days 365 -in www.k2patel.com.csr -signkey www.k2patel.com.key -out www.k2patel.com.crt
</code>


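The four steps above as one non-interactive script. This is an added example rather than the wiki's own commands: it follows the same genrsa / req / rsa / x509 -req sequence, but supplies the passphrase with -passout/-passin instead of a prompt, writes the passphrase-free key to the .key file, and attaches a subjectAltName through an extension file, because browsers now ignore the Common Name and require a SAN. The hostname www.example.test, the passphrase, the temp directory and the function names are constructed values.

```shell
#!/bin/sh
# Added example, not from the original page: the self-signed certificate flow
# as a script. Hostname and passphrase are constructed values.

HOST=www.example.test
OUT=$(mktemp -d)
trap 'rm -rf "$OUT"' EXIT
PASS='pass:constructed-passphrase'   # real deployments read it from a file or a prompt

# 1. Private key, passphrase-protected (the wiki uses -des3; AES-256 is the
#    modern choice and is what `openssl genrsa -aes256` produces).
make_encrypted_key() {
    openssl genrsa -aes256 -passout "$PASS" -out "$OUT/$HOST.key.pass" 2048 2>/dev/null
}

# 2. Certificate signing request from that key.
make_csr() {
    openssl req -new -key "$OUT/$HOST.key.pass" -passin "$PASS" \
        -subj "/CN=$HOST" -out "$OUT/$HOST.csr" 2>/dev/null
}

# 3. Remove the passphrase so the web server can start unattended.
#    The output file is the key, not the CSR.
strip_passphrase() {
    openssl rsa -in "$OUT/$HOST.key.pass" -passin "$PASS" -out "$OUT/$HOST.key" 2>/dev/null
}

# 4. Self-sign for one year, adding a subjectAltName from an extension file.
sign_cert() {
    printf 'subjectAltName=DNS:%s\n' "$HOST" > "$OUT/san.ext"
    openssl x509 -req -days 365 -sha256 -in "$OUT/$HOST.csr" \
        -signkey "$OUT/$HOST.key" -extfile "$OUT/san.ext" -out "$OUT/$HOST.crt" 2>/dev/null
}

build_self_signed() {
    make_encrypted_key && make_csr && strip_passphrase && sign_cert
}

# Checks on the result.
key_is_encrypted()   { grep -q 'ENCRYPTED' "$1"; }
cert_has_san()       { openssl x509 -noout -text -in "$OUT/$HOST.crt" | grep -q "DNS:$HOST"; }
# A self-signed certificate is its own trust anchor; verify it that way.
verify_self_signed() { openssl verify -CAfile "$OUT/$HOST.crt" "$OUT/$HOST.crt" >/dev/null 2>&1; }

build_self_signed
key_is_encrypted "$OUT/$HOST.key.pass" && echo "original key is passphrase-protected"
key_is_encrypted "$OUT/$HOST.key" || echo "stripped key has no passphrase"
cert_has_san && echo "certificate carries SAN DNS:$HOST"
verify_self_signed && echo "certificate verifies against itself"
```

The stripped .key is the one that goes into SSLCertificateKeyFile, so keep its permissions at 0600 and owned by root; the .key.pass copy can be kept offline as the protected original.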

==== Wildcard Certificate ====

A wildcard certificate is no different in mechanism; the only difference is how much you pay.\\
Please read the following before you dive in.

  * When creating a wildcard certificate, use "*" as the leftmost label of the Common Name:
    * e.g. *.k2patel.in
  * You can place a wildcard certificate on any number of servers; you only need to move or copy the KEY / CRT pair to each one.
    * So you can have multiple servers with multiple sub-domains without issue.
  * No special installation is needed; use it exactly as described above.
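To see exactly which names the "*" covers, the following added example (not from the wiki) builds a constructed self-signed certificate for *.example.test and asks openssl's own hostname matcher, `openssl x509 -checkhost`, which hosts it is valid for: one label under the domain matches, the bare domain and a two-level sub-domain do not. The wildcard is placed in a subjectAltName as well as the CN, since that is where modern clients look. The domain, paths and function names are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: what a wildcard certificate does
# and does not cover, checked with openssl's own hostname matcher.

DOMAIN=example.test           # constructed
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

# Constructed self-signed wildcard certificate for *.example.test, with the
# wildcard in both the CN and a subjectAltName.
make_wildcard_cert() {
    printf 'subjectAltName=DNS:*.%s\n' "$DOMAIN" > "$W/san.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$W/wildcard.key" \
        -subj "/CN=*.$DOMAIN" -out "$W/wildcard.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$W/wildcard.csr" -signkey "$W/wildcard.key" \
        -extfile "$W/san.ext" -out "$W/wildcard.crt" 2>/dev/null
}

# Returns 0 if certificate $1 is valid for hostname $2, as decided by
# X509_check_host(); -checkhost prints "does match" or "does NOT match".
cert_covers_host() {
    openssl x509 -noout -in "$1" -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

make_wildcard_cert
for name in "www.$DOMAIN" "mail.$DOMAIN" "$DOMAIN" "a.b.$DOMAIN"; do
    if cert_covers_host "$W/wildcard.crt" "$name"; then
        echo "$name: covered"
    else
        echo "$name: NOT covered"
    fi
done
```

Run it before relying on a wildcard for a host: if you also serve the bare domain or a deeper sub-domain, those names need their own entries in the certificate's SAN list, because one wildcard only ever matches a single label.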