Tag Archives: ssl

Ubuntu Server: How to Generate a Certificate Signing Request (CSR) Tips, Tricks and Tutorials 07 JUL 2014

Every now and then I need a new SSL certificate for a server, and of course therefore need to produce the relevant certificate signing request (CSR) for processing. So this little note sums up the Ubuntu Server (12.04 LTS) process in a nutshell, i.e. so that I don’t keep having to head out to Google to look it up! (Most of this is taken pretty much directly from the Ubuntu Server Guide just by the way)

Whether you are getting a certificate from a CA or generating your own self-signed certificate, the first step is to generate a key. You have two options when it comes to keys in terms of either running them with a passphrase or without. With a passphrase is obviously more secure because it becomes harder to compromise the key, but without is a heck of a lot more convenient because you don’t need to enter a passphrase every time you start up a secure service – in other words exactly what your Apache, Postfix, Dovecot service daemons require!

To generate the keys for the Certificate Signing Request (CSR) run the following command:

openssl genrsa -des3 -out my.server.co.za.key 2048

During this process you will be asked to enter a passphrase containing at least 8 characters. Also, you’ll notice that I like to name my SSL-related files using the domain that I am securing, so in this example the end result would be an SSL certificate issued for my.server.co.za. (Of course, this is completely personal preference when it comes to a file naming scheme).

Now that we have a secure key, the idea is to generate an insecure version of it, essentially a key without a passphrase. To do this, run:

openssl rsa -in my.server.co.za.key -out my.server.co.za.key.insecure
mv my.server.co.za.key my.server.co.za.key.secure
mv my.server.co.za.key.insecure my.server.co.za.key

As you can see, we shuffled the file names so that the insecure key is now the .key file, whilst we’ve saved the secure version for safekeeping as .key.secure.

Finally, to generate the actual Certificate Signing Request (CSR), we run the following command:

openssl req -new -key my.server.co.za.key -out my.server.co.za.csr

You’ll be asked to fill in a whole lot of information (after being challenged to provide the passphrase that you entered when creating the original key), and once the .csr file has been generated, you can safely submit it to a CA for processing, or use it to create your own self-signed certificate.

Useful hint: one of the questions asked during CSR generation will be “Common Name”. The input here MUST be the fully-qualified domain name (FQDN) for the website you will be using the certificate for (e.g., “www.myserver.co.za”). Do not include the “http://” or “https://” prefixes in your common name. Do NOT enter your personal name in this field. If you are requesting a wildcard certificate, add an asterisk (*) on the left side of the common name (e.g., “*.domainnamegoeshere.com”). This will secure all subdomains of the common name. Finally, if you enter www.myserver.co.za as the common name, then the certificate will secure both “www.myserver.co.za” and “myserver.co.za”.
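The whole procedure above as one script, added here as an example and not part of the original post: OpenSSL’s -passout/-passin and -subj options replace the interactive prompts so it can run unattended, and it finishes with the checks worth running before a CSR leaves the machine (the saved copy really is passphrase-protected, the working key is not, the CSR’s own signature verifies, and the Common Name is a bare FQDN or wildcard as the hint requires). The hostname, subject fields and passphrase are constructed placeholders, and the key is encrypted with -aes256 rather than the post’s -des3; that cipher choice is mine, not the post’s.

```shell
#!/bin/sh
# Added example, not from the original post. Non-interactive version of the
# CSR procedure plus pre-submission checks. All names below are placeholders.
set -eu

# --- Step 1: passphrase-protected ("secure") key ----------------------------
# The post uses -des3; -aes256 is used here as a stronger cipher choice.
gen_secure_key() {                    # $1 key path, $2 passphrase
  openssl genrsa -aes256 -passout "pass:$2" -out "$1" 2048 2>/dev/null
}

# --- Step 2: passphrase-free copy for the daemons ---------------------------
strip_passphrase() {                  # $1 secure key, $2 passphrase, $3 output
  openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
}

# Both the traditional ("Proc-Type: 4,ENCRYPTED") and PKCS#8 ("BEGIN ENCRYPTED
# PRIVATE KEY") PEM headers carry this word; an unencrypted key carries neither.
key_is_encrypted() {                  # $1 key path; true if a passphrase is needed
  grep -q ENCRYPTED "$1"
}

# --- Step 3: the CSR, with the subject given on the command line ------------
make_csr() {                          # $1 key, $2 FQDN for the Common Name, $3 CSR output
  openssl req -new -key "$1" \
    -subj "/C=ZA/ST=Gauteng/L=Johannesburg/O=Example Org/CN=$2" \
    -out "$3" 2>/dev/null
}

# --- Checks before the CSR is submitted -------------------------------------
csr_verifies() {                      # $1 CSR; true if its self-signature is good
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

csr_common_name() {                   # $1 CSR; prints the CN only
  openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# The Common Name rule from the hint: an FQDN or a *.domain wildcard, never a
# URL, a path or a person's name.
valid_common_name() {                 # $1 candidate CN
  case "$1" in
    http://*|https://*|*/*|*" "*) return 1 ;;
    *.*)                          return 0 ;;
    *)                            return 1 ;;
  esac
}

# --- Demo run, mirroring the file names used in the post --------------------
if command -v openssl >/dev/null 2>&1; then
  WORKDIR=$(mktemp -d)
  trap 'rm -rf "$WORKDIR"' EXIT
  HOST=my.server.co.za
  PASS='constructed-demo-passphrase'
  gen_secure_key   "$WORKDIR/$HOST.key.secure" "$PASS"
  strip_passphrase "$WORKDIR/$HOST.key.secure" "$PASS" "$WORKDIR/$HOST.key"
  make_csr         "$WORKDIR/$HOST.key" "$HOST" "$WORKDIR/$HOST.csr"
  key_is_encrypted "$WORKDIR/$HOST.key.secure" && echo "secure copy: passphrase-protected"
  key_is_encrypted "$WORKDIR/$HOST.key" || echo "working key: no passphrase"
  csr_verifies "$WORKDIR/$HOST.csr" && echo "CSR signature: verify OK"
  CN=$(csr_common_name "$WORKDIR/$HOST.csr")
  valid_common_name "$CN" && echo "Common Name: $CN (acceptable)"
  openssl req -in "$WORKDIR/$HOST.csr" -noout -text | sed -n '1,8p'   # decoded CSR header
fi
```

Keep the .key.secure copy off the web server entirely if you can; the daemons only ever need the passphrase-free .key, which is why its file permissions matter more than the passphrase on the other copy.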

Useful to know.


Related Link: Ubuntu Certificates and Security

SSL Shopper’s Useful Online SSL Certificate Debugging Tools Software & Sites 23 JAN 2014

I’ve mentioned SSL Shopper’s useful SSL Checker online utility before, but I don’t think I’ve ever made a full note of the great set of SSL certificate debugging utilities that they currently host on their site.

So, more for my reference than anything else, I’m going to go ahead and do exactly that now:

SSL Checker: The SSL Checker makes it easy to verify your SSL certificates by connecting to your server and displaying the results of the SSL connection including what SSL certificate is installed and whether it gives out the correct intermediate certificates. The SSL Checker even lets you set up a reminder of a certificate’s expiration so you don’t forget to renew your certificate on time and avoid embarrassing error messages.

In other words, it will help you diagnose problems with your SSL certificate installation. You can verify the SSL certificate on your web server to make sure it is correctly installed, valid, trusted and doesn’t give any errors to any of your users.

CSR Decoder: Use this CSR Decoder to decode your Certificate Signing Request and verify that it contains the correct information. A Certificate Signing Request is a block of encoded text that contains information about the company that an SSL certificate will be issued to and the SSL public key. Once a CSR is created it is difficult to verify what information is contained in it because it is encoded. Since certificate authorities use the information in CSRs to create the certificate, you need to decode CSRs to make sure the information is accurate.

Certificate Decoder: Use this Certificate Decoder to decode your PEM encoded SSL certificate and verify that it contains the correct information. A PEM encoded certificate is a block of encoded text that contains all of the certificate information and public key.

Certificate Key Matcher: You can use this Certificate Key Matcher to check whether a private key matches a certificate or whether a certificate matches a certificate signing request (CSR). When you are dealing with lots of different certificates it can be easy to lose track of which certificate goes with which private key or which CSR was used to generate which certificate. The Certificate Key Matcher tool makes it easy to determine whether a private key or a CSR matches a certificate.

The Certificate Key Matcher simply compares an md5 hash of the private key modulus, the certificate modulus, or the CSR modulus and tells you whether they match or not.

SSL Converter: Use this SSL Converter to convert SSL certificates to and from different formats such as pem, der, p7b, and pfx. Different platforms and devices require SSL certificates to be converted to different formats. For example, a Windows server exports and imports .pfx files while an Apache server uses individual PEM (.crt, .cer) files.
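All of these checks can be run locally with OpenSSL, which matters for the Key Matcher in particular: a CSR or certificate is harmless to paste into a website, but a private key should never leave the server. The script below is an added example, not the post’s or SSL Shopper’s code. It builds a constructed key, CSR, self-signed certificate and an unrelated second key, decodes the certificate, compares the MD5 of the modulus exactly as the Key Matcher description above says (refusing to “match” two files it cannot read), and round-trips the certificate through DER and PKCS#12 (.pfx), confirming each conversion by SHA-256 fingerprint. The subject, file names and export password are placeholders; the show_server_chain function mirrors what the SSL Checker does against a live host and is included for reference only, since it needs network access.

```shell
#!/bin/sh
# Added example, not from the original post or from SSL Shopper: local
# openssl equivalents of the Checker, Decoder, Key Matcher and Converter tools.
set -eu

# --- SSL Checker: what the live server hands out (needs network; not run here)
show_server_chain() {                  # $1 hostname
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates   # leaf certificate summary
}

# --- Certificate Decoder -----------------------------------------------------
cert_summary() {                       # $1 PEM certificate
  openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# --- Certificate Key Matcher: MD5 of the RSA modulus, per object type ---------
# $1 is key|cert|csr, $2 the file. Prints only the hex digest, and fails instead
# of hashing an empty string when the file cannot be read (two unreadable files
# would otherwise "match").
modulus_fingerprint() {
  case "$1" in
    key)  cmd=rsa ;;
    cert) cmd=x509 ;;
    csr)  cmd=req ;;
    *)    echo "unknown object type: $1" >&2; return 2 ;;
  esac
  mod=$(openssl "$cmd" -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ -n "$mod" ] || return 1
  printf '%s\n' "$mod" | openssl md5 | awk '{print $NF}'
}

modulus_matches() {                    # $1 type, $2 file, $3 type, $4 file
  a=$(modulus_fingerprint "$1" "$2") && b=$(modulus_fingerprint "$3" "$4") \
    && [ -n "$a" ] && [ "$a" = "$b" ]
}

# --- SSL Converter -----------------------------------------------------------
pem_to_der() { openssl x509 -in "$1" -outform DER -out "$2" 2>/dev/null; }  # $1 PEM, $2 DER out
der_to_pem() { openssl x509 -in "$1" -inform DER -out "$2" 2>/dev/null; }   # $1 DER, $2 PEM out
pem_to_pfx() {                         # $1 key, $2 cert, $3 .pfx out, $4 export password
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4" 2>/dev/null
}
pfx_cert_to_pem() {                    # $1 .pfx, $2 password, $3 PEM cert out
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -out "$3" 2>/dev/null
}
cert_sha256() {                        # $1 cert, $2 PEM|DER; prints the SHA-256 fingerprint
  openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 2>/dev/null | awk -F= '{print $2}'
}

# --- Demo on constructed material --------------------------------------------
if command -v openssl >/dev/null 2>&1; then
  W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
  SUBJ='/C=ZA/O=Example Org/CN=www.myserver.co.za'              # placeholder subject
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$SUBJ" \
    -keyout "$W/server.key" -out "$W/server.crt" 2>/dev/null     # key + self-signed cert
  openssl req -new -key "$W/server.key" -subj "$SUBJ" -out "$W/server.csr" 2>/dev/null
  openssl genrsa -out "$W/other.key" 2048 2>/dev/null           # unrelated key
  cert_summary "$W/server.crt"
  for pair in "key $W/server.key" "csr $W/server.csr" "key $W/other.key"; do
    set -- $pair
    if modulus_matches "$1" "$2" cert "$W/server.crt"; then echo "$2: matches server.crt"
    else echo "$2: does NOT match server.crt"; fi
  done
  pem_to_der "$W/server.crt" "$W/server.der"
  der_to_pem "$W/server.der" "$W/roundtrip.crt"
  pem_to_pfx "$W/server.key" "$W/server.crt" "$W/server.pfx" 'constructed-export-pass'
  echo "PEM fingerprint: $(cert_sha256 "$W/server.crt" PEM)"
  echo "DER fingerprint: $(cert_sha256 "$W/server.der" DER)"
fi
```

The modulus comparison only says the public keys agree; it says nothing about whether the certificate chains to a trusted root or is still valid, which is what the decoder’s dates and issuer fields (or show_server_chain against the live host) are for.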

Related Link: http://www.sslshopper.com/ssl-certificate-tools.html

Ubuntu Server: Apache: Turn off SSL Tips, Tricks and Tutorials 21 JAN 2014

In the event that you’ve traditionally had your Apache webserver serving up SSL-encrypted web traffic on your Ubuntu server and you’ve now gone and changed your mind (or simply don’t want to pay any more for the privilege of someone else saying “you’re perfectly safe and okay, here, have this certificate, now where’s the money”), turning off SSL is pretty simple.

To do this we make use of the special scripts available to us by default when using Apache on an Ubuntu install, first disabling the SSL module, then disabling the default-ssl site, and finally restarting the Apache service itself.

The commands are as follows:

sudo a2dismod ssl
sudo a2dissite default-ssl
sudo service apache2 restart

Obviously if you have any other SSL-enabled site configurations in your /etc/apache2/sites-enabled folder, you’ll want to run the a2dissite against them as well!

Also, if you don’t want to risk restarting your webserver, ‘service apache2 reload’ might also be sufficient for reloading the webserver configuration.
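The sweep through sites-enabled is the step that bites: once mod_ssl is disabled, Apache treats SSLEngine as an unknown directive and refuses to start or reload any virtual host that still contains it, so it pays to find those sites first. The function below is an added example, not part of the post. It scans a sites-enabled directory for an active SSLEngine on line (following the symlinks a2ensite creates and ignoring commented-out lines) and prints the site names in the form a2dissite expects; disable_ssl_everywhere then strings the post’s commands together with a configtest before the reload. The directory it scans in the demo is a constructed sample; point it at /etc/apache2/sites-enabled on a real host.

```shell
#!/bin/sh
# Added example, not from the original post: find enabled Apache sites that
# still turn SSL on, so a2dissite can be run against each before mod_ssl goes.
set -eu

# $1 = a sites-enabled directory. Prints one site name per line (the .conf
# suffix removed, as a2dissite expects). Comment lines are ignored; symlinks
# are followed because a2ensite populates sites-enabled with symlinks.
ssl_enabled_sites() {
  for f in "$1"/*.conf; do
    [ -e "$f" ] || continue              # no .conf files at all
    if grep -qiE '^[[:space:]]*SSLEngine[[:space:]]+on' "$f"; then
      basename "$f" .conf
    fi
  done | sort
}

# The post's procedure with the extra sweep in front. Not run in the demo; it
# needs a real Ubuntu host and root.
disable_ssl_everywhere() {             # $1 = sites-enabled dir (default /etc/apache2/sites-enabled)
  dir=${1:-/etc/apache2/sites-enabled}
  for site in $(ssl_enabled_sites "$dir"); do
    sudo a2dissite "$site"
  done
  sudo a2dismod ssl
  sudo apache2ctl configtest           # syntax check before touching the running server
  sudo service apache2 reload          # graceful; fall back to restart if reload is not enough
}

# --- Constructed sample layout ----------------------------------------------
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
mkdir -p "$W/sites-available" "$W/sites-enabled"
cat > "$W/sites-available/default-ssl.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
</VirtualHost>
EOF
cat > "$W/sites-available/shop.conf" <<'EOF'
<VirtualHost *:443>
  SSLEngine On
</VirtualHost>
EOF
cat > "$W/sites-available/blog.conf" <<'EOF'
<VirtualHost *:80>
    # SSLEngine on   (switched off long ago, only the comment remains)
</VirtualHost>
EOF
for s in default-ssl shop blog; do
  ln -s "$W/sites-available/$s.conf" "$W/sites-enabled/$s.conf"   # what a2ensite does
done

echo "Sites still enabling SSL:"
ssl_enabled_sites "$W/sites-enabled"
```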

Useful Tools: SSL Checker Software & Sites 29 MAR 2013

Worried that your SSL certificate installation process seemed to run a little too smoothly?

Enter SSLShopper’s nifty SSL Checker, an online utility which will help you diagnose problems with your SSL certificate installation. You can verify the SSL certificate on your web server to make sure it is correctly installed, valid, trusted and doesn’t give any errors to any of your users.

To use the SSL Checker, simply enter your server’s hostname (must be public) in the text box and click the Check SSL button!

Basically the SSL Checker makes it easy to verify your SSL certificates by connecting to your server and displaying the results of the SSL connection including what SSL certificate is installed and whether it gives out the correct intermediate certificates. The SSL Checker even lets you set up a reminder of a certificate’s expiration so you don’t forget to renew your certificate on time!

Oh, and it has a code snippet which allows it to be added to your own site, though I’m not entirely sure why one would do that.

Useful little utility then.

Related Link: http://www.sslshopper.com/ssl-checker.html

PHP: Warning: stream_socket_enable_crypto(): this stream does not support SSL/crypto CodeUnit 30 AUG 2012

“Warning: stream_socket_enable_crypto(): this stream does not support SSL/crypto” is a message you will often come across when sending mail from PHP, particularly when your SMTP settings require you to connect using either SSL or TLS mode.

The reason for the PHP warning message is actually not insidious at all – 99% of the time it refers to the fact that the OpenSSL extension hasn’t been enabled in your PHP configuration file – and under XAMPP this is almost always the case.

So a simple fix is to navigate to your php.ini file (for XAMPP it usually sits under xampp\apache\bin\php.ini), open it up and run a search for “extension=php_openssl.dll”.

Uncomment this line by removing the semi-colon at the front of it, save the file and then restart Apache via the Services panel.
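The same php.ini edit as a repeatable script, added here as an example rather than taken from the post: it uncomments the directive only when it is still commented out, reports what it did, and leaves every other line alone, which matters because php.ini carries plenty of other commented extension lines that should stay off. The php.ini content in the demo is constructed; on a real XAMPP install pass the path mentioned above. Newer PHP releases write the same directive as extension=openssl, which the pattern also accepts.

```shell
#!/bin/sh
# Added example, not from the original post: enable the OpenSSL extension in a
# php.ini without touching anything else, then verify it took.
set -eu

# Matches "extension=php_openssl.dll" (XAMPP/Windows) or "extension=openssl"
# (PHP 7.2+ spelling). Whitespace around the directive is tolerated.
DIRECTIVE='extension=(php_openssl\.dll|openssl)'

php_openssl_enabled() {                # $1 php.ini; true if an active (uncommented) line exists
  grep -qE "^[[:space:]]*$DIRECTIVE[[:space:]]*$" "$1"
}

# Prints one of: already-enabled | enabled | not-found. Edits via a temp file
# rather than sed -i, whose syntax differs between GNU and BSD sed.
enable_php_openssl() {                 # $1 php.ini
  if php_openssl_enabled "$1"; then
    echo already-enabled; return 0
  fi
  if ! grep -qE "^[[:space:]]*;[[:space:]]*$DIRECTIVE[[:space:]]*$" "$1"; then
    echo not-found; return 1
  fi
  sed -E "s/^[[:space:]]*;[[:space:]]*($DIRECTIVE[[:space:]]*)$/\1/" "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
  echo enabled
}

# --- Demo on a constructed php.ini excerpt -----------------------------------
INI=$(mktemp); trap 'rm -f "$INI" "$INI.tmp"' EXIT
cat > "$INI" <<'EOF'
; constructed excerpt of an XAMPP php.ini (not a real file)
extension=php_mbstring.dll
;extension=php_openssl.dll
;extension=php_curl.dll
EOF
echo "first run:  $(enable_php_openssl "$INI")"
echo "second run: $(enable_php_openssl "$INI")"
# After editing the real php.ini and restarting Apache, confirm from the CLI
# with:  php -m | grep -i openssl
grep -n openssl "$INI"
```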

Nifty.

Ubuntu: How to Renew Apache’s default SSL Certificate CodeUnit 16 DEC 2010

A lot of the time, in order to quickly enable SSL for Apache in Ubuntu, servers make use of a self-signed certificate. These are pretty useful, though they do have a tendency to expire on you when you least expect it.

To renew this ‘snake oil’ certificate, as Apache dubs it, is actually quite simple.

First, make some backups of the existing certificate and key just in case something goes wrong:

sudo cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/ssl-cert-snakeoil.key-backup

sudo cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/ssl-cert-snakeoil.pem-backup

Next, generate the new key and self-signed certificate (I’m making the certificate valid for 5 years here – a bit excessive, I know):

openssl genrsa -out server.key 1024

openssl req -new -x509 -key server.key -out server.pem -days 1826

Fill out responses to all the questions asked and, once the files have been generated, move them back into their expected locations:

sudo mv server.key /etc/ssl/private/ssl-cert-snakeoil.key
sudo mv server.pem /etc/ssl/certs/ssl-cert-snakeoil.pem

At this point you might want to restart the Apache service as well, which can be done like so:

sudo /etc/init.d/apache2 restart
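Scripting the renewal, as in this added example (not the post’s own code), also deals with the complaint at the top about certificates expiring when you least expect it: openssl x509 -checkend reports whether a certificate expires within a given number of seconds, so the same check can run from cron and warn well ahead of the date. Two deviations from the post’s commands, both my choice: the key is 2048 bits rather than 1024, which current TLS stacks treat as too weak, and key and certificate are produced in one req -x509 -newkey step with the subject given on the command line. The subject and the 30-day warning window are assumptions; the install paths are the ones the post uses.

```shell
#!/bin/sh
# Added example, not from the original post: renew the Ubuntu "snakeoil"
# self-signed certificate, and check how long a certificate has left.
set -eu

# $1 key out, $2 cert out, $3 validity in days, $4 subject (e.g. /CN=host).
# One step instead of the post's genrsa + req; 2048-bit key, SHA-256 signature.
renew_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" -subj "$4" \
    -keyout "$1" -out "$2" 2>/dev/null
}

cert_end_date() {                      # $1 cert; prints the notAfter date
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# True when the certificate expires within the next $2 seconds (or already has).
# -checkend exits 0 for "will not expire", 1 for "will expire", hence the negation.
cert_expires_within() {                # $1 cert, $2 seconds
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# The post's backup-and-install step as a function for a real host; not run in
# the demo below. Paths are the ones the post uses.
install_snakeoil() {                   # $1 new key, $2 new cert
  k=/etc/ssl/private/ssl-cert-snakeoil.key
  c=/etc/ssl/certs/ssl-cert-snakeoil.pem
  [ ! -e "$k" ] || sudo cp "$k" "$k-backup"
  [ ! -e "$c" ] || sudo cp "$c" "$c-backup"
  sudo mv "$1" "$k" && sudo chmod 0640 "$k"   # keep the private key unreadable to others
  sudo mv "$2" "$c"
  sudo apache2ctl configtest && sudo service apache2 restart
}

# --- Demo on constructed material --------------------------------------------
if command -v openssl >/dev/null 2>&1; then
  W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
  DAYS=1826; WARN=$((30*24*60*60))          # 5 years, as in the post; warn 30 days ahead
  renew_self_signed "$W/server.key" "$W/server.pem" "$DAYS" '/CN=my.server.co.za'
  echo "new certificate valid until: $(cert_end_date "$W/server.pem")"
  if cert_expires_within "$W/server.pem" "$WARN"; then
    echo "WARNING: certificate expires within 30 days, renew it"
  else
    echo "OK: more than 30 days of validity left"
  fi
  # A cron job can run the same check against the live file, for example:
  #   cert_expires_within /etc/ssl/certs/ssl-cert-snakeoil.pem "$WARN" && mail -s ... admin
fi
```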

And you’re done! Nifty.