Daily *Nix

User Tools

Site Tools

Trace:
ssl

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
ssl [2009/12/16 23:25]
k2patel 		ssl [2020/08/10 02:35] (current)
Line 1: Line 1:
 +====== SSL / Openssl great way to secure it ======
 +
 ==== SSL Issue and Resolution ==== ==== SSL Issue and Resolution ====
  
-Generate 2048 Bit CSR for godaddy.+**Generate 2048 Bit CSR for godaddy.**
 <code bash> <code bash>
-openssl req -nodes -newkey rsa:2048 -keyout www.xyz.com.key -out www.xyz.com.csr+openssl req -nodes -newkey rsa:4096 -sha512 ​-keyout www.xyz.com.key -out www.xyz.com.csr
 </​code>​ </​code>​
  
Line 9: Line 11:
 If you need to have than simply remove "​-nodes"​ from your command and you have password.\\ If you need to have than simply remove "​-nodes"​ from your command and you have password.\\
  
-To check if certificate and key is matching "Match the MODULUS"​ in out of following command+**To check if certificate and key is matching "Match the MODULUS"​ in out of following command**
 <code bash> <code bash>
-openssl rsa -modulus -in <​*.key>​ +openssl rsa -noout ​-modulus -in <​*.key>​ 
-openssl x509 -modulus -in <​*.crt>​+openssl x509 -noout ​-modulus -in <​*.crt>​
 </​code>​ </​code>​
  
-Read CSR using following command+**Read CSR using following command**
 <code bash> <code bash>
 openssl req -text -in <​*.csr>​ openssl req -text -in <​*.csr>​
 </​code>​ </​code>​
  
-Find Expiring and Issue date for Certificate+**Find Expiring and Issue date for Certificate**
 <code bash> <code bash>
 openssl x509 -noout -in <​*.crt>​ -dates openssl x509 -noout -in <​*.crt>​ -dates
 </​code>​ </​code>​
  
-How to enable strong SSL in apache. +**How to enable strong SSL in apache.** 
 +This also help to pass PCI Compliance.
 <code http | httpd.conf>​ <code http | httpd.conf>​
 SSLEngine On SSLEngine On
Line 42: Line 44:
 SSLCipherSuite SSLv3:​+HIGH:​+MEDIUM:​!SSLv2:​!ADH:​!LOW:​!EXP:​!aNULL:​!eNULL:​@STRENGTH SSLCipherSuite SSLv3:​+HIGH:​+MEDIUM:​!SSLv2:​!ADH:​!LOW:​!EXP:​!aNULL:​!eNULL:​@STRENGTH
 </​code>​ </​code>​
 +
 +**Print all available high ciphers.**
 +
 +<code bash>
 +openssl ciphers HIGH
 +</​code>​
 +
 +[[https://​www.ssllabs.com/​ssldb/​index.html | Test SSL Server]]
 +
 +== Thawte CA Bundle ==
 +
 +<code txt>
 +Root: thawte Primary Root CA
 +-----BEGIN CERTIFICATE-----
 +MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/​ON9srbTANBgkqhkiG9w0BAQUFADCB
 +qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
 +Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
 +MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
 +BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYxMTE3MDAwMDAwWhcNMzYw
 +NzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5j
 +LjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYG
 +A1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl
 +IG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqG
 +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsoPD7gFnUnMekz52hWXMJEEUMDSxuaPFs
 +W0hoSVk3/​AszGcJ3f8wQLZU0HObrTQmnHNK4yZc2AreJ1CRfBsDMRJSUjQJib+ta
 +3RGNKJpchJAQeg29dGYvajig4tVUROsdB58Hum/​u6f1OCyn1PoSgAfGcq/​gcfomk
 +6KHYcWUNo1F77rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6
 +Sk/​KaAcdHJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/​U30rCfSMnZEfl2pSy94J
 +NqR32HuHUETVPm4pafs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBA
 +MA8GA1UdEwEB/​wQFMAMBAf8wDgYDVR0PAQH/​BAQDAgEGMB0GA1UdDgQWBBR7W0XP
 +r87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAeRHAS7ORtvzw6WfU
 +DW5FvlXok9LOAz/​t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeEuzLlQRHAd9mz
 +YJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQaEfZYGDm/​Ac9IiAX
 +xPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqdE8hhuvU5HIe6uL17In/​2
 +/​qxAeeWsEG89jxt5dovEN7MhGITlNgDrYyCZuen+MwS7QcjBAvlEYyCegc5C09Y/​
 +LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/​P2C2F+fpErgUfCJzDupxBdN49cOSvkBPB7
 +jVaMaA==
 +-----END CERTIFICATE-----
 +
 + 
 +
 +Intermediate:​ Thawte DV SSL CA
 +-----BEGIN CERTIFICATE-----
 +MIIEjzCCA3egAwIBAgIQdhASihe2grs6H50amjXAkjANBgkqhkiG9w0BAQUFADCB
 +qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
 +Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
 +MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
 +BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMTAwMjE4MDAwMDAwWhcNMjAw
 +MjE3MjM1OTU5WjBeMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMu
 +MR0wGwYDVQQLExREb21haW4gVmFsaWRhdGVkIFNTTDEZMBcGA1UEAxMQVGhhd3Rl
 +IERWIFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMuYyTY/​
 +0pzYFgfUSWP5g7DoAi3MXFp0l6YT7xMT3gV8p+bKACPaOfnvE89Sxa+a48q+84LZ
 +iz2q4cyuiFBmoy3sYRR1SasOJPGsRFsLKKIzIHYeBmBqZwVxi7pmYhZ6s20Nx9CU
 +QMaMPR6SDGI0DUSJ1feJ/​intGI/​2mysI92qr2EiXWvSf7Qx1UiL31V6EAJ/​ASg0x
 +d0xk0BLmDzrwocDVXB3nXy3C99Y2GNmVbkROyVgUTbaOu83eYh76W7W9GCuYrKyT
 +P1Ba9RQLos+2855PWs1awzYj2hqvsE3WSiIDj0MCGb3qrN3EejUyFPFyLghVQAz0
 +B0FBrzg3hClCslUCAwEAAaOB/​DCB+TAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUH
 +MAGGFmh0dHA6Ly9vY3NwLnRoYXd0ZS5jb20wEgYDVR0TAQH/​BAgwBgEB/​wIBADA0
 +BgNVHR8ELTArMCmgJ6AlhiNodHRwOi8vY3JsLnRoYXd0ZS5jb20vVGhhd3RlUENB
 +LmNybDAOBgNVHQ8BAf8EBAMCAQYwKQYDVR0RBCIwIKQeMBwxGjAYBgNVBAMTEVZl
 +cmlTaWduTVBLSS0yLTExMB0GA1UdDgQWBBSrRORd7IPH2cCFn/​fhxpeQsIw/​mDAf
 +BgNVHSMEGDAWgBR7W0XPr87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOC
 +AQEABLr7rLv8S1QRoy2Iszy9AG2KGraNxMGD+MdTKsEybjqBoVR92ho/​OkVPNudC
 +sApChZegrPvlh6eDT+ixt5tYZW4mgAuSTUdVuWEWUWXpK/​Fo2Vi4A4HRt2Yc07zF
 +pntfPsU4RnbndbSgDEvOosKpwcw2c3v7uSQkoF6n9vq7DChDnh3wTvA/​2CSwIdxt
 +Le6/​Wjv6iJx0bK8h3ZLswxXvlHUmRtamP79mSKod790n5rdRiTh9E4QMQPzQtfHg
 +2/​lPL0ActI5HImG4TJbe8F8Rfk8R2exQRyIOxR3iZEnnaGNFOorZcfRe8W63FE0+
 +bxQe3FL+vN8MvSk/​dvsRX2hoFQ==
 +-----END CERTIFICATE-----
 +</​code>​
 +
 +== Thawte ==
 +
 +[[https://​search.thawte.com/​library/​VERISIGN/​ALL_OTHER/​thawte%20ca/​SSL123_CA_Bundle.pem | SSL123 CA Bundle (1024)]]\\
 +[[https://​search.thawte.com/​support/​ssl-digital-certificates/​index?​page=content&​actp=CROSSLINK&​id=SO13881 | SSL123 CA Bundle (2048)]]\\
 +[[https://​search.thawte.com/​support/​ssl-digital-certificates/​index?​page=content&​id=SO1498 | Instruction for other Certificates ]]
 +
 +== GoDaddy ==
 +[[ https://​certs.godaddy.com/​anonymous/​repository.seam | Server Certificates ]]
 +
 +== Verisign ==
 +[[ https://​knowledge.verisign.com/​support/​ssl-certificates-support/​index?​page=content&​actp=CROSSLINK&​id=AR1409&​TID=retailssl | CA Bundle ]]
 +==== Self Signed SSL ====
 +
 +== Generating Private Key ==
 +<code bash>
 +openssl genrsa -des3 -out www.k2patel.com.key 4096
 +</​code>​
 +
 +== Generate CSR ==
 +
 +<code bash>
 +openssl req -new -key www.k2patel.com.key -out www.k2patel.com.csr
 +</​code>​
 +
 +== Removing password ==
 +This is optional only require if you provide password during CSR Generation.
 +
 +<code bash>
 +mv www.k2patel.com.key www.k2patel.com.key.pass
 +openssl rsa -in www.k2patel.com.key.pass -out www.k2patel.com.csr
 +</​code>​
 +
 +== Signing Certificate ==
 +
 +<code bash>
 +openssl x509 -req -days 365 -in www.k2patel.com.csr -signkey www.k2patel.com.key -out www.k2patel.com.crt
 +</​code>​
 +
 +
 +==== Wilcard Certificate ====
 +
 +Wildcard Certificate is nothing diff. in mechanism except how much you pay.\\
 +Please read following information before you dive in.
 +
 +  * While creating wildcard certificate you need to use "​*"​ as Common Name:
 +     * e.g. *.k2patel.in
 +  * You can place wildcard certificate on any number of server simply you always need KEY / CRT combination moved / copied.
 +    * so you can have multiple server with multiple sub-domain without issue.
 +  * You do not need any special way to install / use it simply use as described above.
ssl.1261005947.txt.gz · Last modified: 2020/08/10 02:29 (external edit)

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Run on Debian Driven by DokuWiki