This shows you the differences between two versions of the page.
ssl [2010/12/15 04:16] k2patel |
ssl [2020/08/10 02:35] (current) |
||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== SSL / Openssl great way to secure it ====== | ||
+ | |||
==== SSL Issue and Resolution ==== | ==== SSL Issue and Resolution ==== | ||
**Generate 2048 Bit CSR for godaddy.** | **Generate 2048 Bit CSR for godaddy.** | ||
<code bash> | <code bash> | ||
- | openssl req -nodes -newkey rsa:2048 -keyout www.xyz.com.key -out www.xyz.com.csr | + | openssl req -nodes -newkey rsa:4096 -sha512 -keyout www.xyz.com.key -out www.xyz.com.csr |
</code> | </code> | ||
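Review bot: The unchanged heading above the edited command still reads "Generate 2048 Bit CSR for godaddy." while the new line requests `-newkey rsa:4096 -sha512`, so the label and the command now disagree; update the heading to 4096 or drop the bit size from it. The `-nodes` flag is carried over unchanged, so the key file is written without a passphrase; say so next to the command and recommend restrictive file permissions on `www.xyz.com.key`.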
Line 11: | Line 13: | ||
**To check if certificate and key is matching "Match the MODULUS" in out of following command** | **To check if certificate and key is matching "Match the MODULUS" in out of following command** | ||
<code bash> | <code bash> | ||
- | openssl rsa -modulus -in <*.key> | + | openssl rsa -noout -modulus -in <*.key> |
- | openssl x509 -modulus -in <*.crt> | + | openssl x509 -noout -modulus -in <*.crt> |
</code> | </code> | ||
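Review bot: On both new lines the placeholders `<*.key>` and `<*.crt>` sit inside a bash block, where `<` and `>` are parsed as redirections, so the commands fail when pasted as written; use a plain file name such as the `www.xyz.com.key` already used in the CSR example. Adding `-noout` is right. Consider also piping each output through `openssl sha256` so the two values are compared as short digests instead of full moduli, and note in the heading that this check applies to RSA keys only.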
Line 42: | Line 44: | ||
SSLCipherSuite SSLv3:+HIGH:+MEDIUM:!SSLv2:!ADH:!LOW:!EXP:!aNULL:!eNULL:@STRENGTH | SSLCipherSuite SSLv3:+HIGH:+MEDIUM:!SSLv2:!ADH:!LOW:!EXP:!aNULL:!eNULL:@STRENGTH | ||
</code> | </code> | ||
+ | |||
+ | **Print all available high ciphers.** | ||
+ | |||
+ | <code bash> | ||
+ | openssl ciphers HIGH | ||
+ | </code> | ||
+ | |||
[[https://www.ssllabs.com/ssldb/index.html | Test SSL Server]] | [[https://www.ssllabs.com/ssldb/index.html | Test SSL Server]] | ||
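Review bot: The added `openssl ciphers HIGH` prints only the HIGH group, but the `SSLCipherSuite` line directly above it also admits `SSLv3` and `+MEDIUM`, so the printed list is not what that directive enables. Pass the directive's full cipher string to `openssl ciphers -v` instead, so readers see exactly which suites the configuration allows. This revision also leaves the `SSLv3` and `+MEDIUM` entries in the directive untouched; that is worth revisiting in the same edit.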
Line 105: | Line 114: | ||
-----END CERTIFICATE----- | -----END CERTIFICATE----- | ||
</code> | </code> | ||
+ | |||
+ | == Thawte == | ||
[[https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL123_CA_Bundle.pem | SSL123 CA Bundle (1024)]]\\ | [[https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL123_CA_Bundle.pem | SSL123 CA Bundle (1024)]]\\ | ||
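Review bot: The new `== Thawte ==` heading now groups a link labelled "SSL123 CA Bundle (1024)", in a revision that raises key sizes to 4096 elsewhere on the page. State in the text what the 1024 refers to and whether this bundle is still meant to be installed, or remove the link.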
Line 110: | Line 121: | ||
[[https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO1498 | Instruction for other Certificates ]] | [[https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO1498 | Instruction for other Certificates ]] | ||
+ | == GoDaddy == | ||
+ | [[ https://certs.godaddy.com/anonymous/repository.seam | Server Certificates ]] | ||
+ | |||
+ | == Verisign == | ||
+ | [[ https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR1409&TID=retailssl | CA Bundle ]] | ||
==== Self Signed SSL ==== | ==== Self Signed SSL ==== | ||
== Generating Private Key == | == Generating Private Key == | ||
<code bash> | <code bash> | ||
- | openssl genrsa -des3 -out www.k2patel.com.key 2048 | + | openssl genrsa -des3 -out www.k2patel.com.key 4096 |
</code> | </code> | ||
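Review bot: The changed `genrsa` line raises the key size to 4096 but keeps `-des3`, so the passphrase protection on the key file is still Triple DES; switch to `-aes256`. The CSR example at the top of the page uses `-nodes` (no passphrase) while this one encrypts the key, so state which of the two the page recommends and why. The new GoDaddy and Verisign links pad the target with spaces (`[[ https://`), unlike the existing links on the page.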
Line 134: | Line 150: | ||
<code bash> | <code bash> | ||
- | openssl x509 -req -days 365 -in www.k2patel.com.csr -signkey www.k2patel.com.csr -out www.k2patel.com.crt | + | openssl x509 -req -days 365 -in www.k2patel.com.csr -signkey www.k2patel.com.key -out www.k2patel.com.crt |
</code> | </code> | ||
+ | ==== Wilcard Certificate ==== | ||
+ | Wildcard Certificate is nothing diff. in mechanism except how much you pay.\\ | ||
+ | Please read following information before you dive in. | ||
- | + | * While creating wildcard certificate you need to use "*" as Common Name: | |
+ | * e.g. *.k2patel.in | ||
+ | * You can place wildcard certificate on any number of server simply you always need KEY / CRT combination moved / copied. | ||
+ | * so you can have multiple server with multiple sub-domain without issue. | ||
+ | * You do not need any special way to install / use it simply use as described above. |
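Review bot: The new bullet saying the wildcard certificate can be placed on any number of servers by copying the KEY / CRT pair omits that every copy is the same private key, so one compromised server exposes every sub-domain the certificate covers; add that caveat to the list. The heading is misspelled ("Wilcard"), and the first bullet says to use "*" as Common Name while the example shows `*.k2patel.in`; word it as "*." followed by the domain. The `-signkey` correction from `.csr` to `.key` is right; the self-signing line sets no digest, unlike the CSR example that now passes `-sha512`.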