SSL certificate intermediate CA

So I have a private key and an SSL Certificate. Is there a way to find out which CA signed it?
Thanks!

The name of the CA that issued your certificate is in the Issuer Distinguished Name (DN).
You can see all of this with OpenSSL using:
openssl x509 -text -noout -in the-certificate.pem
The name of the certificate's Issuer DN should match the name of the CA cert Subject DN.
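As an added example (not from the answer above), the following shell script builds a small constructed test PKI: a root CA, an impostor CA with the identical Subject DN but its own key, and an unrelated CA. It then does the Issuer DN / Subject DN comparison the answer describes and shows why that name match must be followed by a signature check. It assumes the openssl command line tool is installed.

```shell
#!/bin/sh
# Added example: find which CA issued a certificate by matching its Issuer DN
# against candidate CA Subject DNs, then confirm with 'openssl verify'. A DN
# match alone is not proof: another CA can carry the same name, so only the
# signature check settles who signed the certificate.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

mkca() {  # mkca <prefix> <subject>: self-signed CA (constructed test data)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
    -days 2 -subj "$2" 2>/dev/null
}
mkca root      "/O=Example/CN=Example Root CA"
mkca impostor  "/O=Example/CN=Example Root CA"   # same name, different key
mkca unrelated "/O=Other/CN=Other CA"
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out leaf.pem -days 1 2>/dev/null

dn() {  # dn <subject|issuer> <cert>: print that DN in RFC 2253 form
  openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*=//'
}

# Step 1, name match: every candidate whose Subject DN equals the leaf's Issuer DN.
name_matches() {
  issuer=$(dn issuer leaf.pem)
  for ca in root.pem impostor.pem unrelated.pem; do
    [ "$(dn subject "$ca")" = "$issuer" ] && echo "$ca"
  done
  return 0
}

# Step 2, signature check: only the CA whose key actually signed the leaf survives.
signer() {
  for ca in $(name_matches); do
    openssl verify -CAfile "$ca" leaf.pem >/dev/null 2>&1 && echo "$ca"
  done
  return 0
}

echo "Issuer DN : $(dn issuer leaf.pem)"
echo "Name match: $(name_matches | tr '\n' ' ')"
echo "Signer    : $(signer)"
```

With a real certificate, replace the candidate list with the CA certificates you have on hand (for an intermediate CA, pass it to openssl verify with -untrusted and the root with -CAfile).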

You can check with most browsers. Make sure you've navigated to your site so that the certificate has made a handshake with your browser. With Firefox, go to Tools -> Options and on the dialogue that pops up, you'll see an icon for "Advanced." Click that, then you'll see another tab below for "Encryption." Click that tab as well.
Now you can see a button that says "View Certificates." Clicking that will bring up a dialogue window showing the certificates that your system recognizes. The "servers" tab is where you will find the certificate for your site, and it will show you which CA signed it.


Apache SSL passphrase with p12 file

We have a p12 (PKCS#12) <my_ssl_key_file.p12> file as the SSL certificate key file, which requires a passphrase. However, referencing it in the Apache directive like so does not work:
<VirtualHost *:443>
...
...
SSLCertificateKeyFile /path/to/my_ssl_key_file.p12
...
</VirtualHost>
I can get around this by converting the p12 file using openssl pkcs12 with the passphrase like so:
$ openssl pkcs12 -in my_ssl_key_file.p12 -out my_ssl_key_file.key
and changing the directive to reference the new my_ssl_key_file.key,
but it seems counterintuitive to strip the P12 encryption. Is there a way to directly reference the P12 file instead? Perhaps my approach is the wrong approach?
PKCS12 is not supported by SSLCertificateKeyFile.
From the doc, PEM is the required format. And the private key should be protected by a passphrase.
Note that a PKCS12 file is used to hold the certificate, the certificate chain and the private key as well.

What is different between RSA and rsa -des3?

What is the difference between these 2 commands in the OpenSSL tools?
openssl genrsa -des3 -out privkey.pem 2048 and openssl genrsa -out privkey.pem 2048?
Thanks
The -des3 option specifies how the private key is encrypted with a password. Without a cipher option, the private key is not encrypted, and no password is required.
Password encryption can protect the private key even when file-system–based access control is circumvented.
According to the docs:
-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea
These options encrypt the private key with specified cipher before
outputting it. If none of these options is specified no encryption is
used. If encryption is used a pass phrase is prompted for if it is not
supplied via the -passout argument.
DES is an encryption method and DES3 (also called triple DES) is the same method run 3 times in a row to make the encryption stronger.
DES3 is a standard that is heavily used (-des3); for example, when your browser is redirected to port 443 (SSL), after the RSA key exchange, DES3 is used (with the RSA key) for the rest of the session.
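The two questions above share one concern: keeping the private key passphrase-protected on disk (which is what -des3, or its modern counterpart -aes256, controls) while still giving Apache the PEM files it requires. The following is an added example, not from any of the answers; it assumes the openssl command line tool is installed, builds a constructed PKCS#12 bundle, splits it into PEM files without ever writing the key in clear text, and shows how to tell an encrypted PEM key from a clear-text one.

```shell
#!/bin/sh
# Added example: take a PKCS#12 bundle apart into the PEM files that
# SSLCertificateFile / SSLCertificateKeyFile expect, without ever writing the
# private key to disk in clear text, then show how to tell a passphrase-protected
# PEM key from a clear-text one. Passphrases are passed via environment variables
# (env:NAME) rather than on the command line, so they do not show up in 'ps'.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
export P12_PASS='p12-test-pass' KEY_PASS='key-test-pass'   # constructed test secrets

# Constructed input: a clear-text key (as 'openssl genrsa' without a cipher option
# would make) plus a self-signed certificate, bundled into my_ssl_key_file.p12.
openssl req -x509 -newkey rsa:2048 -nodes -keyout plain.key -out cert-in.pem \
  -days 2 -subj "/CN=www.example.test" 2>/dev/null
openssl pkcs12 -export -inkey plain.key -in cert-in.pem -out my_ssl_key_file.p12 \
  -passout env:P12_PASS

# key_is_encrypted <pem>: exit 0 if the key is passphrase-protected, 1 if clear text.
# Both the PKCS#8 header (BEGIN ENCRYPTED PRIVATE KEY) and the legacy one
# (Proc-Type: 4,ENCRYPTED) carry the word ENCRYPTED; a clear-text key has neither.
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# split_p12 <bundle>: key.pem (AES-256 under $KEY_PASS), cert.pem, chain.pem (CA certs only).
split_p12() {
  openssl pkcs12 -in "$1" -nocerts -aes256 -out key.pem \
    -passin env:P12_PASS -passout env:KEY_PASS
  openssl pkcs12 -in "$1" -nokeys -clcerts -out cert.pem -passin env:P12_PASS
  openssl pkcs12 -in "$1" -nokeys -cacerts -out chain.pem -passin env:P12_PASS
}

split_p12 my_ssl_key_file.p12
key_is_encrypted key.pem   && echo "key.pem: encrypted, Apache will prompt for KEY_PASS at startup"
key_is_encrypted plain.key || echo "plain.key: clear text, readable by anyone who can read the file"
# The protected key must still unlock with its passphrase and be a valid RSA key.
openssl rsa -in key.pem -passin env:KEY_PASS -noout -check
```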

Apache not checking crl for revoked certificates

I'm having an issue I can't really identify the cause of.
For testing purposes I set up a local CA and a web server in a VirtualBox under Ubuntu.
I'm willing to try client certificate authentication.
I got it so far that I can't access the web server without having a valid certificate in my browser.
The problem is that after revoking the certificate, I can still access the server.
In my default-ssl.conf (which is loaded) I have set:
SSLCARevocationFile to /etc/ssl/CA/crl/crl.pem
"crl.pem" was created using "openssl ca -gencrl /etc/ssl/CA/crl/crl.pem"
openssl crl -in /etc/ssl/CA/crl/crl.pem -text generates the following:
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
        Last Update: May 29 13:10:55 2014 GMT
        Next Update: Jun 28 13:10:55 2014 GMT
        CRL extensions:
            X509v3 CRL Number:
                4106
Revoked Certificates:
    Serial Number: 01
        Revocation Date: May 29 10:35:53 2014 GMT
    Serial Number: 02
        Revocation Date: May 29 00:32:33 2014 GMT
    Signature Algorithm: sha256WithRSAEncryption
I tried both certificates with the serials 01 and 02 and I'm able to log in with both of them.
Does anybody have an idea what the problem may be?
Thank you!
Try putting the following Directive in your conf files (i.e. default-ssl.conf)
SSLCARevocationCheck chain
then stop and start your apache2 service and see the result.
Supawat P.
I would try to gracefully reload server configuration after revoking the certificates and generating new CRL because it seems to be a necessary step.
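The check that SSLCARevocationCheck switches on can be reproduced outside Apache with openssl verify -crl_check, which is a quick way to confirm that a CRL really lists a certificate before blaming the web server. The following is an added example, not from any of the answers above; it builds a throwaway CA and client certificate in a temporary directory and assumes the openssl command line tool is installed.

```shell
#!/bin/sh
# Added example: reproduce the revocation check Apache performs once
# SSLCARevocationCheck is set, outside Apache, with 'openssl verify -crl_check'.
# Builds a throwaway CA and client certificate in a temporary directory.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Constructed test PKI: a CA and one client certificate it issued.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 2 \
  -subj "/CN=Test CA" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=client" 2>/dev/null
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out client.pem -days 1 2>/dev/null

# Minimal 'openssl ca' configuration: just what -revoke and -gencrl need.
touch index.txt
cat > ca.cnf <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = index.txt
new_certs_dir    = .
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
EOF

# cert_status <cert> <crl>: "accepted" when the certificate chains to the CA and is
# not listed in the CRL, "rejected" otherwise. This is the decision Apache makes
# per handshake with SSLCARevocationFile + SSLCARevocationCheck in effect.
cert_status() {
  if openssl verify -crl_check -CAfile ca.pem -CRLfile "$2" "$1" >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
}

openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null     # empty CRL
before=$(cert_status client.pem crl.pem)

openssl ca -config ca.cnf -revoke client.pem 2>/dev/null       # revoke ...
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null     # ... and reissue the CRL
after=$(cert_status client.pem crl.pem)

echo "before revocation: $before; after revocation: $after"
```

Apache reads SSLCARevocationFile when it starts, so after regenerating the CRL a reload is needed for the new list to take effect, as the second answer notes.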

OpenSSL generates unknown email address in CSR file?

I use OpenSSL on Ubuntu to generate a CSR file that I will paste to the SSL certificate provider. When I paste the code, I see unknown e-mail addresses to select, but not the e-mail address I entered during CSR creation.
Where does OpenSSL get these e-mail addresses, like postmaster#mydomain.com, admin#mydomain.com?
The command that I use is:
sudo openssl req -out csr.csr -new -newkey rsa:2048 -nodes -keyout private.key
The point is that most Certificate Authorities ("certificate providers") ignore the e-mail address from the CSR itself, since it is user-provided input and thus not trustworthy.
The e-mail addresses presented to you during the application process are:
from the Admin-C WHOIS record of the domain for which you are applying for a certificate
some standard addresses which are assumed to usually exist for most domains (postmaster#, admin#, ..)
This is done by the CA to prevent fraud and ensure that only someone with access to the domain is able to buy a certificate for it.
You can't change that. You can:
either configure one of the presented e-mail addresses on your domain and fetch the confirmation e-mail from there,
or, if possible, change your Admin-C record's e-mail address (which will take a while).

SSL Certificate

I am building a buy-system and I was told to set up an SSL certificate on my web server to work with bank operations.
I am new to this and I don't exactly understand the difference between OpenSSL (which is free and open-sourced) and SSL certificates that need to be bought (thawte.com).
I guess OpenSSL is something like a tool to create keys (I've already done this for firstdata.com), but if I buy an SSL certificate on thawte.com and install it, will I have my website running over https?
Can I use free OpenSSL to work with banks? Or do I have to buy one?
The biggest difference between a self-issued (with OpenSSL) certificate and one you buy from thawte (or somewhere else) is that of trust. If you want your users to access your SSL-enabled website without being prompted with "do you trust the certificate from this issuer?", you need to buy a certificate from a trusted certification authority, such as thawte or one of the others.
Your website will run over https with any old x.509 certificate so if you only have a few people accessing your ssl site you may convince them to trust your self-issued certificate and save the money for the certificate.
OpenSSL is a tool and a library that can be used to generate certificate requests (CSR), self-signed certificates and issue certificates from a CA (if it's a CA you control of course).
There are a number of pre-trusted certification authorities embedded in most browsers. They issue certificates by signing the certificate they give you (coming from your certificate request). In turn, the certificates they issue can be verified by your users' browsers against their (issuing) CA certificate because it's shipped with them by default.
You can generate your own CA and issue certificates yourself, but the problem is that your CA certificate won't be trusted by default in most browsers, so it's worthless unless you make your users import it explicitly (which is fine for corporate CAs for example, but is impractical in general). A self-signed certificate is a special case of this: it's the root CA certificate you generate or a one-off certificate for a given machine; either way, you'd have to import it explicitly.
Some pre-trusted CAs will let you use OpenSSL to generate the certificate request as part of their procedure, but they may also offer other procedures relying on other tools. Which tool you or they use doesn't really matter. What you want is a certificate issued by a CA your remote party will trust.
You can sign up for free and generate free SSL certificate for your web site, at least for the first year, on StartSSL. Their site shows Weekend Maintenance now, but it will be available later. I was able to get free SSL certificate from them. This certificate is signed by Startcom certification authority which is trusted, according to their site.