User Tools

Site Tools


ssl

This is an old revision of the document!


SSL Issue and Resolution

Generate 2048 Bit CSR for godaddy.

openssl req -nodes -newkey rsa:2048 -keyout www.xyz.com.key -out www.xyz.com.csr

Above command will not ask you for password. Which is not advisable on apache startup as you need to be present to supply password.
If you need to have than simply remove “-nodes” from your command and you have password.

To check if certificate and key is matching “Match the MODULUS” in out of following command

openssl rsa -modulus -in <*.key>
openssl x509 -modulus -in <*.crt>

Read CSR using following command

openssl req -text -in <*.csr>

Find Expiring and Issue date for Certificate

openssl x509 -noout -in <*.crt> -dates

How to enable strong SSL in apache. This also help to pass PCI Compliance.

| httpd.conf
SSLEngine On
 
SSLCertificateFile /srv/www/conf/<*.crt>
SSLCertificateKeyFile /srv/www/conf/<*.key>
SSLCertificateChainFile /srv/www/conf/gd_intermediate_bundle.crt
SSLCACertificateFile /srv/www/conf/*.ca-bundle
 
SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite SSLv3:+HIGH:+MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH
--OR--
SSLCipherSuite +HIGH:+MEDIUM:!SSLv2:RC4+RSA:!ADH:!LOW:!EXP:!aNULL:!cNULL:@STRENGTH
--OR--
SSLCipherSuite SSLv3:+HIGH:+MEDIUM:!SSLv2:!ADH:!LOW:!EXP:!aNULL:!eNULL:@STRENGTH

Test SSL Server

Thawte CA Bundle

Self Signed SSL

Generating Private Key
openssl genrsa -des3 -out www.k2patel.com.key 2048
Generate CSR
openssl req -new -key www.k2patel.com.key -out www.k2patel.com.csr
Removing password

This is optional only require if you provide password during CSR Generation.

mv www.k2patel.com.key www.k2patel.com.key.pass
openssl rsa -in www.k2patel.com.key.pass -out www.k2patel.com.csr
Signing Certificate
openssl x509 -req -days 365 -in www.k2patel.com.csr -signkey www.k2patel.com.csr -out www.k2patel.com.crt
ssl.1292342307.txt.gz · Last modified: 2010/12/14 10:58 by k2patel