Check certificate
https://www.ssllabs.com/ssltest/analyze.html
http://www.panticz.de/Check-SSL-TLS-server-encryption-support
Determine SSL certificate expiration date
openssl x509 -enddate -noout -in www.example.com.pem
List certificate domains
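# openssl x509 reads only the first certificate from its input, so loop over the files
for CERT in *.{crt,pem}; do
    openssl x509 -noout -text -in "${CERT}" | grep DNS
done

# </dev/null closes stdin so s_client exits after the handshake instead of waiting for input
openssl s_client -showcerts -connect www.example.com:443 </dev/null | openssl x509 -text | grep DNS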
Remove password from private key
openssl rsa -in www.example.key.pass -out www.example.key
Cat / deploy certificate to remote host
ssh host1.example.com cat /root/certificates/example.com/{fullchain1.pem,privkey1.pem} | ssh ${HOST} "cat > /etc/haproxy/ssl/example.com.pem"
Get certificate information
for CERT in *.pem; do
    openssl x509 -subject -enddate -noout -in ${CERT} | paste - -
done

# show all data
openssl x509 -in cert.pem -text -noout

# show expiration date
openssl x509 -enddate -noout -in cert.pem

# show expiration date from p12 file
openssl pkcs12 -in cert1.p12 -legacy -passout pass: -passin pass: | openssl x509 -noout -enddate

# show start date
openssl x509 -startdate -noout -in cert.pem

# show containing DNS names
openssl x509 -text -noout -in fullchain.pem | grep DNS

# show Issuer
openssl x509 -text -noout -in cert.pem | grep Issuer
Show expiration date for multiple certificates
for DIR in $(find * -maxdepth 0 -type d); do
    echo -n "${DIR}: "
    # glob kept outside the quotes so the shell expands it without eval
    openssl x509 -enddate -noout -in "${DIR}"/cert*.pem
done
Merge certificate
openssl dhparam -out dh_parameters.out 2048

for FILE in __example_com.crt QuoVadis_Global_SSL_ICA_G2.crt QuoVadis_Root_CA_2.crt *.key dh_parameters.out; do
    cat "${FILE}"
    echo
done | sed -e "s/\r//g" | sed '/^$/d' > _.example.com.pem

# deploy certificate
rsync --chmod=400 _.example.com.pem root@www1.example.com:/etc/haproxy/ssl/
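Added example (not from the original page): a check to run before the merge and deploy above, confirming that the private key belongs to the certificate and that the certificate is not about to expire. The function name predeploy_check, its return codes and the 30-day default are assumptions made for this example.

```shell
#!/bin/sh
# Added example: sanity checks on a certificate/key pair before it is merged
# into one PEM and copied to a server. Names and return codes are constructed
# for this example.
#
# Usage: predeploy_check CERT.pem KEY.pem [DAYS]
# Return codes: 0 ok
#               1 certificate or key unreadable (e.g. missing, or key still encrypted)
#               2 private key does not belong to the certificate
#               3 certificate expires within DAYS (default 30)
predeploy_check() {
    cert=$1
    key=$2
    days=${3:-30}

    # Public key embedded in the certificate, as PEM text
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1

    # Public key derived from the private key; "-passin pass:" makes an
    # encrypted key fail immediately instead of prompting for a passphrase
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 1

    # Both commands emit the same SubjectPublicKeyInfo PEM when the pair matches
    [ "$cert_pub" = "$key_pub" ] || return 2

    # -checkend exits non-zero if the certificate expires within N seconds
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null || return 3

    return 0
}

# Run the check when called with arguments, e.g.:
#   sh predeploy_check.sh __example_com.crt example.key 30
[ "$#" -lt 2 ] || predeploy_check "$@"
```

A non-zero exit code means the merged file should not be deployed: code 2 would give a PEM the server cannot load, code 3 one that needs renewal first.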
Letsencrypt
http://www.panticz.de/letsencrypt
Test mailserver SSL
https://ssl-tools.net/mailservers/
Online certificate test
https://www.ssllabs.com/ssltest/analyze.html
# check local certificate
openssl x509 -text -in /etc/ssl/certs/example.com.pem

# check remote certificate (</dev/null closes stdin so s_client exits after the handshake)
openssl s_client -connect example.com:443 </dev/null | openssl x509 -text -noout
openssl s_client -starttls smtp -connect smtp.example.com:25
OpenStack Wildcard
https://blog.sleeplessbeastie.eu/2016/11/14/how-to-generate-self-signed-ssl-certificate/
Links
http://panticz.de/apache2_openssl_certificate
http://www.panticz.de/Install-SSL-CA-Certificate