How to check Truststore expiry date - ssl-certificate

How to check truststore validity/expiry date?
Is there any command through which it can be checked?

One method I found is to use this command: openssl x509 -text -in /tmp/truststore
Example output might have the validity details as below:
Validity
Not Before: May 4 15:06:14 2012 GMT
Not After : May 4 15:16:14 2019 GMT
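An added example, not part of the answer above: openssl x509 only prints the first certificate in a file, so a truststore that is a PEM bundle needs every block checked. The function below (POSIX sh, assumes a PEM bundle; a Java JKS store would instead be listed with keytool -list -v -keystore FILE) splits the bundle, prints each certificate's end date and fails when any is expired or expires within a warning window.

```shell
#!/bin/sh
# Report the expiry of every certificate in a PEM bundle (truststore), not just
# the first one, and fail when any is expired or expires within WARN_DAYS.
# check_bundle FILE [WARN_DAYS]  -> 0 all fine, 1 expired/expiring, 2 no certs
check_bundle() {
    file=$1
    warn_days=${2:-30}
    warn_secs=$((warn_days * 86400))
    rc=0
    n=0
    tmpdir=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate (awk is POSIX, no bash needed).
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { i++; out = sprintf("%s/cert%04d.pem", dir, i) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$file"
    for cert in "$tmpdir"/cert*.pem; do
        [ -f "$cert" ] || continue
        n=$((n + 1))
        subject=$(openssl x509 -noout -subject -in "$cert")
        enddate=$(openssl x509 -noout -enddate -in "$cert")
        # -checkend N exits 0 only if the cert is still valid N seconds from now,
        # so no date parsing is needed (GNU and BSD date differ on -d/-j).
        if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null; then
            status=EXPIRED; rc=1
        elif ! openssl x509 -noout -checkend "$warn_secs" -in "$cert" >/dev/null; then
            status="EXPIRES WITHIN ${warn_days}d"; rc=1
        else
            status=OK
        fi
        printf '%s | %s | %s\n' "$status" "$enddate" "$subject"
    done
    rm -rf "$tmpdir"
    [ "$n" -gt 0 ] || { echo "no certificates found in $file" >&2; return 2; }
    return "$rc"
}
```

The exit status makes the function usable directly in a cron job or CI step that should go red before a trust anchor expires.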

Related

Ansible X509 certificate missing Subject Alternative Name

I'm using Vagrant and Ansible roles to generate an SSL/TLS certificate, but no matter what I try, the generated certificate is missing the Subject Alternative Name:
- name: Create an SSL security key & CSR (Certificate Signing Request)
  shell: openssl req -new -newkey rsa:2048 -nodes -keyout /etc/apache2/ssl/{{ item.host }}.key -subj "/subjectAltName=DNS.1={{ item.host }}, DNS.2=www.{{ item.host }}, IP.1=192.168.33.11/C={{params['ssl'].country_name}}/ST={{params['ssl'].state}}/L={{params['ssl'].locality}}/O={{params['ssl'].organization}}/CN={{ item.host }}" -out /etc/apache2/ssl/{{ item.host }}.csr
  args:
    executable: "/bin/bash"
  with_items: "{{params['vhosts']}}"
  when: item.ssl is defined and item.ssl
The certificate files get generated, but Google Chrome always says
Subject Alternative Name Missing
This is the debug of my environment:
$ openssl version
OpenSSL 1.0.2l 25 May 2017
$ openssl x509 -noout -text -in /etc/apache2/ssl/myhost.dev.crt
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
a2:77:35:c7:6a:72:35:22
Signature Algorithm: sha256WithRSAEncryption
Issuer: subjectAltName=DNS.1=myhost.dev, DNS.2=www.myhost.dev, IP.1=192.168.33.11, C=DE, ST=Berlin, L=Berlin, O=Ltd, CN=myhost.dev
Validity
Not Before: Jun 12 15:36:58 2017 GMT
Not After : Jun 10 15:36:58 2027 GMT
Subject: subjectAltName=DNS.1=myhost.dev, DNS.2=www.myhost.dev, IP.1=192.168.33.11, C=DE, ST=Berlin, L=Berlin, O=Ltd, CN=myhost.dev
Your key isn't using X509 extensions. In order to add them to your CSR, you'll need a config file that specifies what extensions to add. The command line interface isn't friendly enough to let you easily specify X509 extensions on the command line.
What you could do is use Bash's process substitution with a command that generates a modified config file on the fly when you invoke openssl to generate your CSR:
openssl req \
-new -newkey rsa:2048 \
-subj "{your existing subject}" \
... \
-x509 \
-reqexts SAN \
-config <(
cat /etc/ssl/openssl.cnf
printf '\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com'
)
Again, process substitution only works in GNU bash, and will not work if your CI runner's default shell is Bourne Shell, as it sometimes is on Ubuntu-based distros.
This answer was adapted from here.
After some research on the openssl library and understanding how it works, I was making the mistake of using -x509: adding -x509 will create a certificate and not a request!
I solved my issue by following these main steps:
1. Set up a certificate authority: an entity that issues digital certificates.
2. Create a server or user certificate request.
3. Sign the server certificate request.
4. Add these keys and certificates to your host.
5. Add the certificates to the browser.
I wrote a step by step long tutorial on how to achieve this on my blog post.
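An added example, not from either answer above and not the asker's Ansible role: the config-file approach in plain sh (no bash process substitution), followed by signing the CSR with a throwaway demo CA, because the signer must be told to carry the SAN into the issued certificate. File names, the "Demo CA" subject and the dn values are assumptions made up for the example.

```shell
#!/bin/sh
# Build a CSR whose SAN comes from a plain config file, sign it with a
# throwaway CA, and check that the SAN survived signing.
# make_san_cert DIR HOST -> DIR/HOST.key, DIR/HOST.csr, DIR/HOST.crt
make_san_cert() {
    dir=$1; host=$2
    # [req] points at the [san] section, so it lands in the CSR's extensions.
    cat > "$dir/$host.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = san
prompt = no
[dn]
C = DE
ST = Berlin
L = Berlin
O = Example Ltd
CN = $host
[san]
subjectAltName = DNS:$host, DNS:www.$host, IP:192.168.33.11
EOF
    # No -x509 here: that flag emits a self-signed certificate, not a CSR.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$host.key" \
        -config "$dir/$host.cnf" -out "$dir/$host.csr" 2>/dev/null || return 1
    # Throwaway CA for the demo (assumption: not the asker's real CA).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # The signer decides what goes into the certificate: without -extfile and
    # -extensions, "x509 -req" silently drops the SAN that was in the CSR.
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/$host.cnf" -extensions san \
        -out "$dir/$host.crt" 2>/dev/null
}

# cert_san FILE -> the certificate's SAN values (empty if the extension is absent)
cert_san() {
    openssl x509 -noout -text -in "$1" \
        | awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print }'
}
```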

Using '-servername' param with openssl s_client

I am installing a new SSL certificate on Centos6/Apache and my web browser keeps picking up the old certificate. To test my setup, I am using "openssl s_client" but I am seeing different results based on the "-servername" parameter. No one seems to use this parameter and it does not appear in the man pages, but I saw it mentioned here: OpenSSL: Check SSL Certificate Expiration Date and More.
If I run this command:
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
I get the correct date for the certificate.
(notBefore=Apr 20 00:00:00 2017 GMT notAfter=Apr 20 23:59:59 2018 GMT)
However, if I introduce the -servername parameter into the command
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
I then get the expired date that my browser is showing -
(notBefore=Apr 20 00:00:00 2016 GMT notAfter=Apr 20 23:59:59 2017 GMT)
Can anyone explain why this is happening, as this must be related to the reason why my SSL certificate shows as expired in my browser.
Thanks
The servername argument to s_client is documented (briefly) on this page:
https://www.openssl.org/docs/man1.0.2/apps/s_client.html
Essentially it works a little like a "Host" header in HTTP, i.e. it causes the requested domain name to be passed as part of the SSL/TLS handshake (in the SNI - Server Name Indication extension). A server can then host multiple domains behind a single IP. It will respond with the appropriate certificate based on the requested domain name.
If you do not request a specific domain name the server does not know which certificate to give you, so you end up with a default one. In your case one of the certificates that the server is serving up for your domain has expired, but the default certificate has not.
You need to make sure you are updating the correct VirtualHost entry for your domain, e.g. see:
https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm
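An added lab example, not part of the answer above: a client function that fetches the leaf certificate with and without SNI, plus a local openssl s_server holding a default certificate and a second one that is selected only by SNI, which reproduces the two-certificate behaviour described above. It assumes OpenSSL 1.1.1 or newer, where s_client sends SNI by default, so -noservername is needed for the no-SNI case (on the 1.0.2 in the question, simply omitting -servername was enough); host names, port and file paths are made up.

```shell
#!/bin/sh
# sni_fingerprint HOST PORT [NAME] -> SHA-256 fingerprint of the leaf certificate
# the server presents. With NAME, it is sent in the SNI extension (-servername,
# much like a Host: header); without it, -noservername suppresses SNI, which
# OpenSSL 1.1.1+ s_client would otherwise send automatically.
sni_fingerprint() {
    host=$1; port=$2; name=$3
    if [ -n "$name" ]; then opt="-servername $name"; else opt=-noservername; fi
    echo | openssl s_client -connect "$host:$port" $opt 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# sni_consistent HOST PORT NAME -> 0 when the default virtual host and the NAME
# virtual host present the same certificate, 1 when they differ (the situation
# in the question: one of the two paths still serves the stale certificate).
sni_consistent() {
    d=$(sni_fingerprint "$1" "$2"); n=$(sni_fingerprint "$1" "$2" "$3")
    printf 'no SNI : %s\nSNI=%s : %s\n' "$d" "$3" "$n"
    [ -n "$d" ] && [ -n "$n" ] && [ "$d" = "$n" ]
}

# start_demo_server DIR PORT -> lab server (constructed for this example): a
# default certificate (CN=default.test) plus a second one (CN=myhost.dev) that
# s_server only selects when the client's SNI says myhost.dev. Prints the PID.
start_demo_server() {
    dir=$1; port=$2
    for cn in default.test myhost.dev; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$cn" \
            -keyout "$dir/$cn.key" -out "$dir/$cn.crt" 2>/dev/null || return 1
    done
    openssl s_server -accept "$port" -www \
        -cert "$dir/default.test.crt" -key "$dir/default.test.key" \
        -servername myhost.dev -cert2 "$dir/myhost.dev.crt" -key2 "$dir/myhost.dev.key" \
        </dev/null >/dev/null 2>&1 &
    echo $!
}
```

Against a real host, running sni_consistent with the site's name shows immediately whether the stale certificate lives in the default virtual host or in the named one.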

2 different certificates seen from 2 different VMs

I am having trouble understanding a problem that I have. I am seeking help to understand what is happening. Hopefully someone can help me.
First let me give you some context:
One of our providers at work gave us 2 urls in order to access his service. These 2 urls are URLs for their primary and secondary site. In our system, we are always sending requests to the primary site. If the primary site is not available, we try to use the secondary site.
A few weeks ago, the certificate of our provider changed. We proceeded with the change. The certificate is a wildcard certificate (it applies to both URLs). Everything seemed to work perfectly in our qualification environment. But we noticed a strange behavior in production.
We performed on our machines the following openssl request:
echo | openssl s_client -connect <PROVIDER_URL_1:443> 2>/dev/null | openssl x509 -noout -dates
For the primary URL, everything is working fine, openssl request shows the certificate is valid:
notBefore=Jun 20 00:00:00 2016 GMT
notAfter=Aug 19 23:59:59 2018 GMT
But when I perform the exact same openssl request with the secondary URL, I find the previous certificate:
echo | openssl s_client -connect <PROVIDER_URL_2:443> 2>/dev/null | openssl x509 -noout -dates
notBefore=May 15 00:00:00 2014 GMT
notAfter=Jul 13 23:59:59 2016 GMT
I don't understand why our production environment sees 2 different certificates for PROVIDER_URL_1 and PROVIDER_URL_2 when in our qualification environment both URLs provide the same wildcard certificate.
Do you guys have any idea what seems to be the problem here?

How to determine SSL cert expire date from the cert file itself(.p12)

If I have the actual file (.p12) and a Bash shell on a Mac, how can I extract the certificate and key file and also the certificate expiration date? Assuming I have the csr (.p12) and key files.
You can use openssl to extract the certificate from the .p12 file to a .pem file using the following command:
openssl pkcs12 -in certificate.p12 -out certificate.pem -nodes
Then, you can extract the expiration date from the certificate in the .pem file using the following command:
cat certificate.pem | openssl x509 -noout -enddate
You can make the first answer a one-liner without using the intermediate file:
openssl pkcs12 -in certificate.p12 -nodes | openssl x509 -noout -enddate
Extract the client certificate from the pkcs12 file and print its end date:
openssl pkcs12 -in certificate.p12 -clcerts -nodes | openssl x509 -noout -enddate
If you do not include the -clcerts option you may get the end date from a CA certificate instead of from your own certificate. Several CA certificates are usually included within the file as part of the chain of trust.
Here's how you do it on Windows:
certutil -dump "file.pfx"
P.S. I know the question specifically mentions Mac, this is just in case Google sends you here (like it sent me).

SSL Certificate: How to display country and state information?

When creating a CSR, since the conf can take country and state info, I assume it will be embedded in the certificate. If so, how do I display it after the certificate is signed? I tried "$ openssl x509 -in foo.crt -noout -text" but it seems the information is not there. I also checked "-help". Any other way to print it? Thanks a lot.
More found: it seems country and state information is removed when CSR is signed, correct?
For example, this is what I observe.
$ openssl req -text -noout -in server.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: Subject: DC=..., DC=..., C=..., ST=..., L=..., O=..., OU=..., CN=...
...
$ openssl x509 -text -noout -in server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=..., DC=..., O=..., OU=..., CN=...
Validity
Not Before: Dec 5 22:05:21 2013 GMT
Not After : Dec 5 22:05:21 2015 GMT
Subject: DC=..., DC=..., O=..., OU=..., CN=...
As seen, the fields of "C", "ST" and "L" in the Subject are missing in certificate.
You would use the same command you are already using (if you only care about subject information, you could use openssl x509 -subject -noout -in server.crt, replacing -text with -subject). The problem in your case is that, as you noted, the city and state information was removed by the signer. What information to place into the certificate is ultimately the prerogative of the issuer.
Country and state information is under Subject, in the C and ST fields respectively.
As far as I know, the issuer does not remove any information present in the CSR.
Display the contents of a SSL certificate:
openssl x509 -in certificate.crt -text -noout