Channel: Syed Jahanzaib – Personal Blog to Share Knowledge !
SSL Certificates Related Notes

This post contains short notes on SSL-related information. I will keep it updated as time allows.

WHAT IS SSL > Secure Sockets Layer

SSL is standard technology for securing an internet connection by encrypting data sent between a website and a browser (or between server/device/client). It prevents hackers from seeing or stealing any information transferred, including personal or financial data.


OPENSSL tool in Linux

OpenSSL is an open-source command line tool that is commonly used to generate private keys, create CSRs, convert certificate files to other compatible formats, install your SSL/TLS certificate, and identify certificate information.


Generation of CSR for Multi Domain Wild Card SSL

A certificate signing request (CSR) is one of the first steps towards getting your own SSL/TLS certificate (either local or paid). You can generate a CSR on any server (Windows/Linux, or online). The CSR contains the information (e.g. common name, organization, country) the Certificate Authority (CA) will use to create your certificate. It also contains the public key that will be included in your certificate, and it is signed with the corresponding private key. The private key is saved on the same server where you generated the CSR.

If you plan to purchase a commercial certificate like (Positive Multi-Domain Wildcard SSL Certificate – 2 SAN included), you have to first generate a CSR and then share this CSR file with Comodo / your SSL provider, who will issue the SSL certificate files against this CSR. Ensure you keep the private key file, else you will not be able to perform any conversion.

OpenSSL command line to generate a new CSR for Comodo Positive Multi Domain Wild Card SSL (2048 bit / sha256, with common name xyz.com and *.xyz.com + *.sap.xyz.com as SANs):

Note: the following is a single CMD, meaning copy all lines and paste them at once (it uses bash process substitution, so run it in bash) ...

openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/C=PK/ST=Sindh/L=Karachi/O=XYZ Limited/OU=IT/CN=xyz.com/emailAddress=webmaster@xyz.com" -config <(
cat <<-EOF
[req]
default_bits = 2048
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
# one DNS.N entry per name; a comma-separated list on a single DNS.1 line is read as one bogus SAN
DNS.1 = *.xyz.com
DNS.2 = *.sap.xyz.com
EOF
)

Change the information like DNS names and email in the above command. This command is used to create multi-domain/wildcard support for the following Comodo SSL product.

  • Positive Multi-Domain Wildcard SSL Certificate – 2 SAN included

The above command will instantly generate the CSR along with the private key. Ensure you save both in separate files, and most important, keep the private key safe: do not expose it over the internet, else Sectigo or your SSL provider may revoke your SSL certificate and you will have to generate a new CSR and start the process again. Hectic!

You can open the CSR file using a simple text editor; it is a base64 block between a header and footer line. You must include the header and footer (-----BEGIN CERTIFICATE REQUEST----- / -----END CERTIFICATE REQUEST-----; CSRs generated on Windows use -----BEGIN NEW CERTIFICATE REQUEST-----) when pasting the CSR.
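As an added example (not from the original post), the same multi-SAN CSR generation written as a POSIX shell function: it builds the OpenSSL config in a file, writes the key and the CSR to separate files with restrictive permissions, and reads back the SANs the CSR actually carries. It generalises the command above to any number of SAN entries; the subject fields are the post's sample values, and the function names gen_csr and csr_sans are mine.

```shell
#!/bin/sh
# Added example: generate a private key plus a multi-SAN CSR from a temporary
# OpenSSL config, then list the DNS SANs embedded in the resulting CSR.
set -eu

# gen_csr <outdir> <CN> <SAN1> [SAN2 ...]
gen_csr() {
    outdir=$1; cn=$2; shift 2
    cfg="$outdir/req.cnf"
    mkdir -p "$outdir"
    {
        printf '[req]\ndefault_bits = 2048\ndefault_md = sha256\nprompt = no\n'
        printf 'distinguished_name = dn\nreq_extensions = req_ext\n'
        printf '[dn]\nC = PK\nST = Sindh\nL = Karachi\nO = XYZ Limited\nOU = IT\n'
        printf 'CN = %s\nemailAddress = webmaster@xyz.com\n' "$cn"
        printf '[req_ext]\nsubjectAltName = @alt_names\n[alt_names]\n'
        i=1
        for san in "$@"; do          # one DNS.N line per name, never comma-joined
            printf 'DNS.%d = %s\n' "$i" "$san"
            i=$((i + 1))
        done
    } > "$cfg"
    # key and CSR go to separate files instead of scrolling past on the terminal
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
        -keyout "$outdir/private.key" -out "$outdir/request.csr"
    chmod 600 "$outdir/private.key"   # the private key is the secret to protect
}

# csr_sans <csr> : print the DNS names found in the CSR's subjectAltName, one per line
csr_sans() {
    openssl req -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | tail -n1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}
```

Run gen_csr "$PWD/out" xyz.com '*.xyz.com' '*.sap.xyz.com' and paste out/request.csr into the provider's order form; csr_sans out/request.csr confirms every wildcard made it in before you submit.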


Convert SSL Certificate from .CRT to PFX

A Personal Information Exchange (.pfx) file is a password-protected certificate container, also commonly used for code signing your application. It derives from the PKCS #12 archive file format and stores multiple cryptographic objects (private key, certificate and chain) within a single file.

PFX certificate files are commonly accepted by Windows IIS servers, FortiGate (with FortiClient SSL VPN) and cPanel websites to make them securely accessible. But the SSL provider sends files in .crt / .cer format, which is not accepted directly, therefore you have to use either online sites or IIS/Linux for the conversion.

TIP: Avoid using any online tool for CSR generation or for .crt to other format conversion. It is highly unsafe, and chances are that at some point the key will be exposed and the certificate REVOKED! I use Linux-based openssl to generate the CSR/private key and also use the same openssl tool to convert from .crt to .pfx.

Command line to convert .crt + private key to .pfx ...

openssl pkcs12 -export -out Your_SSL_Cert_Name.pfx -inkey YOUR_PRIVATE_KEY_FILE.key -in YOUR_SSL_CERTIFICATE_FILE.crt

Once you enter the above CMD, assuming all syntax / filenames are correct, it will ask you to enter a password twice to protect the PFX file so that it cannot be used by an unauthorized person.

Details of above CMD:

  • Your_SSL_Cert_Name.pfx = Output name of your PFX file, whatever name you like
  • YOUR_PRIVATE_KEY_FILE.key = Your private key file, which you generated earlier when you initiated the CSR generation request. In Linux it will instantly show you both the CSR and the key. I usually save them in two files, one with the csr name and the second with the KEY name. If this file is lost, you have to generate a new CSR and then keep the newly generated KEY file safe.
  • YOUR_SSL_CERTIFICATE_FILE.crt = This is the SSL certificate file sent by SECTIGO (or your SSL provider; generally you receive it at your technical contact email address or via your local vendor/partner)

.zaib


Other CMDs

Check CSR contents via CMD — LINUX OPENSSL CMD

openssl req -text -in YOUR_GENERATED_CSR.csr

Check the MD5 hash of the RSA modulus for the key, CSR and certificate

openssl rsa -noout -modulus -in YOUR_PRIVATE_KEY.key | openssl md5

RESULT: (stdin)= XXXXXXXXXXXXXXX123

openssl req -noout -modulus -in YOUR_GENERATED_CSR.txt | openssl md5

RESULT: (stdin)= XXXXXXXXXXXXXXX123

openssl x509 -noout -modulus -in YOUR_SSL_PROVIDED_CERTIFICATE_FILE_.crt | openssl md5

RESULT: (stdin)= XXXXXXXXXXXXXXX123

How to match the certificate modulus (csr + crt + key)

openssl req -noout -modulus -in YOUR_GENERATED_CSR.txt > csr-mod.txt
openssl x509 -noout -modulus -in YOUR_SSL_PROVIDED_CERTIFICATE_FILE_.crt > cert-mod.txt
openssl rsa -noout -modulus -in YOUR_PRIVATE_KEY.key > privkey-mod.txt
diff3 csr-mod.txt cert-mod.txt privkey-mod.txt

What to check in the above CMD's results ...

If the modulus is the same in all 3 files, diff3 produces NO output, which means all OK, everything matches. Otherwise it will show the difference, meaning something is wrong (the certificate was not issued for this key, or you picked the wrong key file).
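An added example (not the post's own commands) that ties the PFX conversion section and the modulus check together: export_pfx refuses to build a PFX unless the key's modulus hash matches the certificate's, and takes the PFX password from an environment variable rather than the command line. The function names and file names are assumptions.

```shell
#!/bin/sh
# Added example: verify that key, CSR and certificate share one RSA modulus,
# and only then export a password-protected PFX from the key/cert pair.
set -eu

# modulus_md5 <kind> <file> : MD5 of the RSA modulus; kind is key, csr or crt
modulus_md5() {
    mod=$(case $1 in
        key) openssl rsa  -noout -modulus -in "$2" ;;
        csr) openssl req  -noout -modulus -in "$2" ;;
        crt) openssl x509 -noout -modulus -in "$2" ;;
    esac)
    # an unreadable file or a non-RSA key yields no modulus; never compare empties
    [ -n "$mod" ] || { echo "no RSA modulus read from $2 ($1)" >&2; return 1; }
    printf '%s\n' "$mod" | openssl md5 | awk '{print $NF}'
}

# key_matches_cert <key> <crt> : exit 0 when the moduli match, 1 otherwise
key_matches_cert() {
    a=$(modulus_md5 key "$1") || return 1
    b=$(modulus_md5 crt "$2") || return 1
    [ "$a" = "$b" ]
}

# export_pfx <key> <crt> <out.pfx> <password> : build the PFX only for a matching pair
export_pfx() {
    key=$1; crt=$2; out=$3; pass=$4
    if ! key_matches_cert "$key" "$crt"; then
        echo "modulus mismatch: $key does not belong to $crt" >&2
        return 1
    fi
    # password passed via the environment so it is absent from ps output and shell history
    PFX_PASS="$pass" openssl pkcs12 -export -out "$out" -inkey "$key" -in "$crt" \
        -passout env:PFX_PASS
    chmod 600 "$out"   # the PFX contains the private key; treat it like the .key file
}
```

Add -certfile with the provider's CA bundle to the pkcs12 line when IIS or FortiGate must serve the intermediate chain as well.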


Regards
Syed Jahanzaib

