Preparing SSL Certificates for Installation
Quite a lot has been written about installing SSL certificates on a web server, and for system administrators this usually causes no difficulty. Still, just before installing it is worth running a few checks so that you do not end up staring at the browser's annoying "The site's security certificate is not trusted!" warning. This is especially true when the certificate comes not from the registrar but from a customer, who may, for example, mix up private keys or send the certificate pasted from a text editor with formatting garbage added.
Thus, to get everything working right away, before installing the SSL certificate, it is advisable to do several checks.
So let's get started ...
1. We check the integrity of the certificate:
openssl x509 -noout -modulus -in certificate.crt
If the output is its modulus, the certificate's integrity is intact. Otherwise there will be an error: "unable to load certificate".
2. Similarly, we check the integrity of the private key:
openssl rsa -noout -modulus -in privatekey.key
3. We look at the validity period of the certificate:
openssl x509 -noout -text -in certificate.crt | grep -e "Not Before" -e "Not After"
4. Check the certificate for revocation.
5. We check that the certificate and private key match each other:
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privatekey.key | openssl md5
If the two digests are the same, the certificate and private key match each other (md5 here only shortens the moduli for comparison; it plays no security role). Note that `openssl rsa` reads RSA keys only; an EC key will fail this command even when the file is fine.
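The five checks above, collected into POSIX sh functions with meaningful exit codes so they can run from a deploy hook. This is an added example, not the post's own script or the scripts linked below; it assumes only that `openssl` is on PATH, and the file names are whatever you pass in. It goes one step beyond the RSA-only modulus comparison: the matching check hashes the DER-encoded public key extracted from each side, so it also works for EC keys, and the expiry check takes a warning window rather than only reporting the dates.

```shell
#!/bin/sh
# Added example (not from the original post): pre-installation checks for a
# certificate/key pair. Assumes openssl on PATH; all paths come from the caller.

# 1. Certificate integrity: exit 0 only if openssl can parse the PEM.
cert_is_valid_pem() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1
}

# 2. Private key integrity, for any key type (RSA, EC, Ed25519), unlike `openssl rsa`.
key_is_valid_pem() {
    openssl pkey -noout -in "$1" >/dev/null 2>&1
}

# 3a. Print the validity window (notBefore= / notAfter=) for the operator to read.
cert_validity_dates() {
    openssl x509 -noout -dates -in "$1"
}

# 3b. Exit 0 if the certificate will still be valid $2 seconds from now.
#     0 means "not expired right now"; 2592000 means "not expiring within 30 days".
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# 4. Revocation needs a network round trip to the CA, which is out of scope here;
#    this only extracts the OCSP responder URL embedded in the certificate, which
#    is the input for that check (empty for self-signed certificates).
cert_ocsp_uri() {
    openssl x509 -noout -ocsp_uri -in "$1" 2>/dev/null
}

# 5. Key/certificate match: SHA-256 over the DER SubjectPublicKeyInfo from each side.
#    The integrity checks run first so that two unreadable files cannot "match"
#    by both hashing an empty string.
_pubkey_sha256_of_cert() {
    openssl x509 -noout -pubkey -in "$1" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}
_pubkey_sha256_of_key() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}
cert_matches_key() {
    cert_is_valid_pem "$1" && key_is_valid_pem "$2" &&
        [ "$(_pubkey_sha256_of_cert "$1")" = "$(_pubkey_sha256_of_key "$2")" ]
}

# Runs one check as "$@", prints ok/FAIL, and counts failures without tripping set -e.
check() {
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; failed=$((failed+1)); fi
}

# Runs everything; the return value is the number of failed checks (0 = safe to install).
# $3 is the expiry warning window in seconds (default 30 days).
run_precheck() {
    cert=$1; key=$2; window=${3:-2592000}; failed=0
    check "certificate parses as PEM"               cert_is_valid_pem "$cert"
    check "private key parses as PEM"               key_is_valid_pem "$key"
    check "certificate is not expired"              cert_valid_for "$cert" 0
    check "certificate valid for >= $window s"      cert_valid_for "$cert" "$window"
    check "certificate and private key match"       cert_matches_key "$cert" "$key"
    uri=$(cert_ocsp_uri "$cert" || true)
    [ -z "$uri" ] || echo "info OCSP responder: $uri (query it before installing)"
    return "$failed"
}

# Usage: ./precheck.sh certificate.crt privatekey.key [warning-window-seconds]
if [ "$#" -ge 2 ]; then
    run_precheck "$@"
fi
```

A non-zero exit status from `run_precheck` is the number of failed checks, so a deploy script can simply abort on it; the OCSP line is informational only, because the revocation lookup itself still has to be done against the CA.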
Automation
If you only need to install a couple of SSL certificates a year, the commands above are enough. When you work with certificates regularly, however, ready-made scripts are more convenient. As an example, I would venture to offer my own bash scripts. They perform all of these actions without further manual steps on your part (tested on Ubuntu, but they will most likely work on other Linux distributions).
wget https://raw.githubusercontent.com/o-pod/security/master/ssl-check-matching.sh
chmod a+x ssl-check-matching.sh
wget https://raw.githubusercontent.com/o-pod/security/master/ssl-check-revoc.sh
chmod a+x ssl-check-revoc.sh
Checking the certificate and private key for integrity and consistency:
./ssl-check-matching.sh certificate.crt privatekey.key -v
Checking the validity of the certificate and its absence in the revocation lists:
./ssl-check-revoc.sh -f certificate.crt -v
The checks above cover all the SSL installation problems I have encountered in practice. If you think some other parameters are worth checking, share them in the comments; I will be grateful.