ssl (page revision 2018/08/30 14:45 by k2patel; the wiki diff against the 2020/08/10 02:35 revision shows every line removed, so the text below is the 2018 content)
====== SSL / OpenSSL: securing a web server ======

==== SSL Issue and Resolution ====

**Generate a 4096-bit CSR (e.g. for GoDaddy).**
<code bash>
# -nodes: write the private key unencrypted (no passphrase prompt, so Apache can start unattended)
# rsa:4096 / -sha512: key size and the digest used to sign the CSR
openssl req -nodes -newkey rsa:4096 -sha512 -keyout www.xyz.com.key -out www.xyz.com.csr
</code>

Because of "-nodes" the command above does not ask for a passphrase and the key file is written in the clear, so restrict it to root (mode 600) and keep it out of world-readable backups.\\
A passphrase-protected key is usually impractical for Apache, since someone has to be present to type the passphrase at every restart. If you want one anyway, simply remove "-nodes" from the command and you will be prompted.\\

**To check that a certificate and key belong together, compare the modulus printed by the following two commands; the values must be identical.** Piping each through "openssl md5" turns the long value into a short digest that is easy to compare by eye.
<code bash>
openssl rsa -noout -modulus -in <*.key>
openssl x509 -noout -modulus -in <*.crt>
</code>

**Read a CSR (subject, key size, requested extensions) with the following command**
<code bash>
openssl req -text -noout -in <*.csr>
</code>

**Find the issue and expiry dates of a certificate**
<code bash>
openssl x509 -noout -in <*.crt> -dates
</code>
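The CSR generation, modulus comparison and date check above, as an added shell example that is not part of the original page. It assumes openssl is on PATH, uses the page's placeholder hostname www.xyz.com, works in a temporary directory, and self-signs the CSR only so that there is a certificate to inspect (a CA-issued one is checked the same way). A 2048-bit key keeps the demo fast; the page's rsa:4096 works identically.

```bash
#!/bin/sh
# Added example, not from the original page: key + CSR generated without
# prompts, self-signed so there is a certificate to inspect, then the
# modulus and expiry checks from the section above. Assumes openssl is on
# PATH; www.xyz.com is the page's placeholder name and the work directory
# is temporary. 2048-bit RSA keeps the demo fast (use rsa:4096 as above).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Key and CSR in one step. -nodes writes the key unencrypted, so rely on
# file permissions, not a passphrase. -subj avoids the interactive prompts.
make_key_and_csr() {            # $1 = hostname
    openssl req -nodes -newkey rsa:2048 -sha256 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    chmod 600 "$WORK/$1.key"
}

# Self-signed stand-in for the CA-issued certificate, valid 365 days.
self_sign() {                   # $1 = hostname
    openssl x509 -req -days 365 -in "$WORK/$1.csr" \
        -signkey "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# md5 of the modulus, so two long values can be compared at a glance.
modulus_digest() {              # $1 = rsa|req|x509 (file type), $2 = file
    openssl "$1" -noout -modulus -in "$2" | openssl md5
}

# 0 when the key's modulus equals that of the certificate (x509) or CSR (req).
key_matches() {                 # $1 = key file, $2 = x509|req, $3 = cert or CSR
    [ "$(modulus_digest rsa "$1")" = "$(modulus_digest "$2" "$3")" ]
}

# 0 when the certificate expires within $1 seconds, 1 when it is valid longer.
expires_within() {              # $1 = seconds, $2 = cert file
    ! openssl x509 -noout -in "$2" -checkend "$1" >/dev/null
}

make_key_and_csr www.xyz.com
self_sign www.xyz.com
openssl req -noout -subject -in "$WORK/www.xyz.com.csr"   # what the CA will see
openssl x509 -noout -dates -in "$WORK/www.xyz.com.crt"    # notBefore / notAfter
key_matches "$WORK/www.xyz.com.key" x509 "$WORK/www.xyz.com.crt" \
    && echo "key and certificate match"
expires_within $((30 * 86400)) "$WORK/www.xyz.com.crt" \
    && echo "renew soon" || echo "more than 30 days left"
```

key_matches also accepts a CSR (pass "req" instead of "x509"), which is the check to run before uploading the CSR to the CA; expires_within wraps "openssl x509 -checkend", which is the scriptable form of the -dates command and is what a renewal cron job should call.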

**How to enable strong SSL in Apache.**
This also helps to pass PCI DSS compliance scans. The original settings here allowed SSLv3 and RC4; both have since been broken (POODLE, RC4 keystream biases), SSLv3 and TLS 1.0 have been prohibited by PCI DSS since June 2018 and TLS 1.1 is deprecated (RFC 8996), so the protocol and cipher lines below allow TLS 1.2 and 1.3 only. The TLSv1.3 keyword needs Apache 2.4.37+ built against OpenSSL 1.1.1+.
<code apache httpd.conf>
SSLEngine On

SSLCertificateFile /srv/www/conf/<*.crt>
SSLCertificateKeyFile /srv/www/conf/<*.key>
# Intermediate chain from the CA (GoDaddy bundle here). Since Apache 2.4.8 the
# chain can instead be appended to the file named in SSLCertificateFile.
SSLCertificateChainFile /srv/www/conf/gd_intermediate_bundle.crt
# Only used to verify client certificates; harmless if you do not do that.
SSLCACertificateFile /srv/www/conf/*.ca-bundle

# Was: SSLProtocol -all +SSLv3 +TLSv1   (SSLv3 broken, TLS 1.0 fails PCI DSS)
SSLProtocol -all +TLSv1.2 +TLSv1.3
# Was: SSLv3:+HIGH:+MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH and variants with
# RC4+RSA. Drop MEDIUM, RC4 and 3DES; keep excluding anonymous/NULL suites.
SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!EXP:!LOW:@STRENGTH
</code>

**Print all available HIGH ciphers.** Add -v to see each suite's protocol, key exchange, authentication, cipher and MAC; feeding your SSLCipherSuite string to the same command shows exactly what Apache will offer.

<code bash>
openssl ciphers HIGH
</code>

[[https://www.ssllabs.com/ssldb/index.html | Test SSL Server]]

== Thawte CA Bundle ==

The Thawte DV SSL CA intermediate below has a notAfter of 2020-02-17 (check with openssl x509 -noout -dates), so this bundle is kept for reference only; fetch the current chain from the CA that issued your certificate.

<code txt>
Root: thawte Primary Root CA
-----BEGIN CERTIFICATE-----
MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYxMTE3MDAwMDAwWhcNMzYw
NzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5j
LjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYG
A1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl
IG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsoPD7gFnUnMekz52hWXMJEEUMDSxuaPFs
W0hoSVk3/AszGcJ3f8wQLZU0HObrTQmnHNK4yZc2AreJ1CRfBsDMRJSUjQJib+ta
3RGNKJpchJAQeg29dGYvajig4tVUROsdB58Hum/u6f1OCyn1PoSgAfGcq/gcfomk
6KHYcWUNo1F77rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6
Sk/KaAcdHJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/U30rCfSMnZEfl2pSy94J
NqR32HuHUETVPm4pafs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBA
MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR7W0XP
r87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAeRHAS7ORtvzw6WfU
DW5FvlXok9LOAz/t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeEuzLlQRHAd9mz
YJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQaEfZYGDm/Ac9IiAX
xPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqdE8hhuvU5HIe6uL17In/2
/qxAeeWsEG89jxt5dovEN7MhGITlNgDrYyCZuen+MwS7QcjBAvlEYyCegc5C09Y/
LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/P2C2F+fpErgUfCJzDupxBdN49cOSvkBPB7
jVaMaA==
-----END CERTIFICATE-----

Intermediate: Thawte DV SSL CA
-----BEGIN CERTIFICATE-----
MIIEjzCCA3egAwIBAgIQdhASihe2grs6H50amjXAkjANBgkqhkiG9w0BAQUFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMTAwMjE4MDAwMDAwWhcNMjAw
MjE3MjM1OTU5WjBeMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMu
MR0wGwYDVQQLExREb21haW4gVmFsaWRhdGVkIFNTTDEZMBcGA1UEAxMQVGhhd3Rl
IERWIFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMuYyTY/
0pzYFgfUSWP5g7DoAi3MXFp0l6YT7xMT3gV8p+bKACPaOfnvE89Sxa+a48q+84LZ
iz2q4cyuiFBmoy3sYRR1SasOJPGsRFsLKKIzIHYeBmBqZwVxi7pmYhZ6s20Nx9CU
QMaMPR6SDGI0DUSJ1feJ/intGI/2mysI92qr2EiXWvSf7Qx1UiL31V6EAJ/ASg0x
d0xk0BLmDzrwocDVXB3nXy3C99Y2GNmVbkROyVgUTbaOu83eYh76W7W9GCuYrKyT
P1Ba9RQLos+2855PWs1awzYj2hqvsE3WSiIDj0MCGb3qrN3EejUyFPFyLghVQAz0
B0FBrzg3hClCslUCAwEAAaOB/DCB+TAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUH
MAGGFmh0dHA6Ly9vY3NwLnRoYXd0ZS5jb20wEgYDVR0TAQH/BAgwBgEB/wIBADA0
BgNVHR8ELTArMCmgJ6AlhiNodHRwOi8vY3JsLnRoYXd0ZS5jb20vVGhhd3RlUENB
LmNybDAOBgNVHQ8BAf8EBAMCAQYwKQYDVR0RBCIwIKQeMBwxGjAYBgNVBAMTEVZl
cmlTaWduTVBLSS0yLTExMB0GA1UdDgQWBBSrRORd7IPH2cCFn/fhxpeQsIw/mDAf
BgNVHSMEGDAWgBR7W0XPr87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOC
AQEABLr7rLv8S1QRoy2Iszy9AG2KGraNxMGD+MdTKsEybjqBoVR92ho/OkVPNudC
sApChZegrPvlh6eDT+ixt5tYZW4mgAuSTUdVuWEWUWXpK/Fo2Vi4A4HRt2Yc07zF
pntfPsU4RnbndbSgDEvOosKpwcw2c3v7uSQkoF6n9vq7DChDnh3wTvA/2CSwIdxt
Le6/Wjv6iJx0bK8h3ZLswxXvlHUmRtamP79mSKod790n5rdRiTh9E4QMQPzQtfHg
2/lPL0ActI5HImG4TJbe8F8Rfk8R2exQRyIOxR3iZEnnaGNFOorZcfRe8W63FE0+
bxQe3FL+vN8MvSk/dvsRX2hoFQ==
-----END CERTIFICATE-----
</code>

== Thawte ==

[[https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL123_CA_Bundle.pem | SSL123 CA Bundle (1024)]]\\
[[https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=SO13881 | SSL123 CA Bundle (2048)]]\\
[[https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO1498 | Instructions for other Certificates ]]

== GoDaddy ==
[[ https://certs.godaddy.com/anonymous/repository.seam | Server Certificates ]]

== Verisign ==
[[ https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR1409&TID=retailssl | CA Bundle ]]
==== Self Signed SSL ====

== Generating Private Key ==
<code bash>
# -des3 encrypts the key with a passphrase (you are prompted for it); -aes256 is the modern choice
openssl genrsa -des3 -out www.k2patel.com.key 2048
</code>

== Generate CSR ==

<code bash>
# Prompts for the key passphrase, then for the subject fields (CN = the host name)
openssl req -new -key www.k2patel.com.key -out www.k2patel.com.csr
</code>

== Removing password ==
This is optional and only needed if you set a passphrase when generating the key (as -des3 above does); Apache cannot start unattended with a passphrase-protected key. Keep the encrypted copy and restrict the unencrypted one to root (mode 600).

<code bash>
mv www.k2patel.com.key www.k2patel.com.key.pass
# Prompts for the passphrase once and writes the same key unencrypted
openssl rsa -in www.k2patel.com.key.pass -out www.k2patel.com.key
</code>

== Signing Certificate ==

<code bash>
# Self-signed certificate valid for 365 days, signed with the (now unencrypted) key
openssl x509 -req -days 365 -in www.k2patel.com.csr -signkey www.k2patel.com.key -out www.k2patel.com.crt
</code>
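The four self-signed steps above run non-interactively, as an added shell example that is not part of the original page. It assumes openssl is on PATH, uses the page's hostname www.k2patel.com, supplies a demo passphrase via -passout/-passin instead of the prompts, encrypts the key with AES-256 rather than -des3, and works in a temporary directory. The checks at the end confirm that stripping the passphrase really produced an unencrypted copy of the same key.

```bash
#!/bin/sh
# Added example, not from the original page: the self-signed procedure above
# (encrypted key, CSR, strip the passphrase, sign) run non-interactively so it
# can be scripted and checked. Hostname and passphrase are demo values and the
# work directory is temporary.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASS='demo-passphrase'   # demo only; real scripts read this from a prompt or a secret store
HOST='www.k2patel.com'

# Encrypted private key (AES-256 instead of the older -des3; same workflow).
make_encrypted_key() {
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/$HOST.key" 2048 2>/dev/null
    chmod 600 "$WORK/$HOST.key"
}

# CSR signed with the encrypted key; the passphrase is needed to unlock it.
make_csr() {
    openssl req -new -key "$WORK/$HOST.key" -passin "pass:$PASS" \
        -subj "/CN=$HOST" -out "$WORK/$HOST.csr"
}

# Keep the encrypted copy as .key.pass and write an unencrypted .key for Apache.
strip_passphrase() {
    mv "$WORK/$HOST.key" "$WORK/$HOST.key.pass"
    openssl rsa -in "$WORK/$HOST.key.pass" -passin "pass:$PASS" \
        -out "$WORK/$HOST.key" 2>/dev/null
    chmod 600 "$WORK/$HOST.key"
}

# Self-signed certificate for one year, signed with the unencrypted key.
self_sign() {
    openssl x509 -req -days 365 -in "$WORK/$HOST.csr" \
        -signkey "$WORK/$HOST.key" -out "$WORK/$HOST.crt" 2>/dev/null
}

# 0 when the PEM file is a passphrase-protected key (legacy or PKCS#8 form).
key_is_encrypted() {     # $1 = key file
    grep -q 'ENCRYPTED' "$1"
}

# 0 when both files hold the same RSA key (same modulus), i.e. stripping the
# passphrase did not swap or corrupt the key.
same_key() {             # $1 = encrypted key, $2 = unencrypted key
    a="$(openssl rsa -noout -modulus -in "$1" -passin "pass:$PASS")"
    b="$(openssl rsa -noout -modulus -in "$2")"
    [ -n "$a" ] && [ "$a" = "$b" ]
}

make_encrypted_key
make_csr
strip_passphrase
self_sign
same_key "$WORK/$HOST.key.pass" "$WORK/$HOST.key" && echo "passphrase removed, same key"
openssl x509 -noout -subject -dates -in "$WORK/$HOST.crt"
```

"pass:" on the command line is visible in the process list, which is acceptable for a throwaway demo key but not for production; use "-passin file:" or "-passin env:" there.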
==== Wildcard Certificate ====

A wildcard certificate is no different in mechanism from a normal one; the difference is how much you pay.\\
Please read the following before you dive in.

  * When creating a wildcard certificate, use "*" as the leftmost label of the Common Name (and of the subjectAltName, which is what browsers actually match on):
    * e.g. *.k2patel.in
  * The wildcard matches exactly one label: *.k2patel.in covers www.k2patel.in and mail.k2patel.in, but not a.b.k2patel.in, and not the bare k2patel.in unless that name is listed separately.
  * You can install a wildcard certificate on any number of servers; you only need to copy the KEY / CRT pair to each of them.
    * So multiple servers with multiple sub-domains work without issue.
    * The same key on many hosts means one compromised host exposes them all, so protect the key file (mode 600) on every copy and plan how you will rotate it.
  * No special installation steps are needed; use it exactly as described above.
ssl.txt · Last modified: 2020/08/10 02:35 (external edit)