Linux SSL

----- Verifying the validity of an SSL certificate already installed  -----
https://www.ssllabs.com/ssltest/analyze.html?d=mail.wyoming.com

----- Apache: Create CSR & Install SSL Certificate (OpenSSL)
https://www.digicert.com/kb/csr-ssl-installation/apache-openssl.htm#ssl_certificate_install

----------------------------------------

GENERATE/INSTALL SSL

openssl genrsa -out mail.wyoming.com.key 2048

openssl req -new -key mail.wyoming.com.key -out mail.wyoming.com.csr

openssl pkcs8 -in mail.wyoming.com.key -topk8 -nocrypt -out mail.wyoming.com.pkcs8

-- DO NOT SET CHALLENGE PASSWORD.


As you go through the process you will be prompted for a secret (the challenge password); unless things change, this can be left blank. However, make sure the information below is entered.

Domain(name): mail.wyoming.com
Organization: Wyoming.com
Organization Unit: NOC
Email: noc@wyoming.com
Country: US
State: Wyoming
Locality: Riverton
Common Name: mail.wyoming.com

Once you have completed the process it should create mail.wyoming.com.key & mail.wyoming.com.csr
    - Compress: tar -czvf mail_wyoming_com_csr.tar.gz mail.wyoming.com.csr mail.wyoming.com.key

----------------------------------------

----- Verifying the validity of an SSL certificate with CLI openssl  -----

https://support.acquia.com/hc/en-us/articles/360004119234-Verifying-the-validity-of-an-SSL-certificate
https://support.comodo.com/index.php?/Knowledgebase/Article/View/684/17/how-do-i-verify-that-a-private-key-matches-a-certificate-openssl

........................

Verify that the public keys contained in the private key file and the certificate are the same:

openssl x509 -in mail.wyoming.com.crt -noout -pubkey
openssl rsa -in mail.wyoming.com.key -pubout

........................

Verify that the private key and public key are a key pair that match:

openssl rsa -noout -modulus -in mail.wyoming.com.key | openssl md5
openssl x509 -noout -modulus -in mail.wyoming.com.crt | openssl md5

........................

Check the dates that the certificate is valid:

openssl x509 -noout -in mail.wyoming.com.crt -dates

........................

Check for differences in public keys for .crt and .key:

openssl x509 -in mail.wyoming.com.crt -pubkey -noout > from_crt.pub
openssl rsa -in mail.wyoming.com.key -pubout > from_key.pub
diff from_crt.pub from_key.pub

........................

To search for all private keys on your server (quote the pattern so the shell does not expand it before find sees it):
find / -name '*.key'
find / -name 'DigiCert*.pem'
find / -name 'GeoTrust*.pem'

........................

----- Chain of Trust: Verifying TLS Certificate Chain With OpenSSL -----
https://avilpage.com/2019/11/verify-tls-certificate-chain-with-openssl.html

Gather the server and intermediate certificates sent by a server:
openssl s_client -showcerts -connect mail.wyoming.com:443

Decode and view info:
openssl x509 -noout -text -in mail.wyoming.com.crt

Subject and issuer only:
openssl x509 -noout -subject -issuer -in mail.wyoming.com.crt
subject=CN = mail.wyoming.com
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
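The key/cert match, expiry and chain-of-trust checks above, wrapped into POSIX sh functions that return an exit status so they can run from a cron job or a deploy script (added example; not from the original notes or the linked articles). Assumes OpenSSL 1.1 or later on PATH; file names are passed as arguments, and the 30-day renewal window in report is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the original notes): the manual openssl checks
# as functions with exit codes. Assumes OpenSSL 1.1+ and POSIX sh.
# Usage: report mail.wyoming.com.crt mail.wyoming.com.key DigiCertCA.pem

# 0 if the public key inside CERT equals the public key derived from KEY,
# 1 if they differ, 2 if either file cannot be parsed. Compares the whole
# PEM public key, so it also works for EC keys, unlike the RSA modulus trick.
keys_match() {
    from_crt=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$from_crt" = "$from_key" ]
}

# 0 if CERT is still valid DAYS days from now (-checkend takes seconds),
# 1 if it expires before then. Useful as an early renewal alarm.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 if CERT chains to a root in BUNDLE (a PEM file holding the trusted root,
# or the intermediate+root chain the CA supplied), non-zero otherwise.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Human-readable report for one cert/key pair; non-zero if any check fails.
report() {
    cert=$1; key=$2; bundle=$3; rc=0
    if keys_match "$cert" "$key";      then echo "key/cert match: OK"; else echo "key/cert match: FAIL"; rc=1; fi
    if cert_valid_for_days "$cert" 30; then echo "valid >30 days: OK"; else echo "valid >30 days: FAIL"; rc=1; fi
    if chain_ok "$cert" "$bundle";     then echo "chain of trust: OK"; else echo "chain of trust: FAIL"; rc=1; fi
    openssl x509 -in "$cert" -noout -subject -issuer -dates
    return $rc
}
```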
