
Tools to check your SSL Installation

I have tried some tools to diagnose my SSL certificate installation.

Some of them check the certificate itself; more of them deal with certificate chain issues.

An SSL certificate is trusted because of its parent: it is issued by a higher-level certificate. This forms a chain, each certificate linking to the next one, all the way up to the CA root.

Say, I have a SSL certificate for domain seo.g2soft.net.

  • The certificate of seo.g2soft.net is issued by Comodo RSA Domain Validation Secure Server CA
  • Comodo RSA Domain Validation Secure Server CA is issued by Comodo RSA Certification Authority
  • Comodo RSA Certification Authority is issued by AddTrust External CA Root.

The last one, AddTrust External CA Root, is one of the root CAs. It is issued by itself (self-signed). Root certificates are already installed in every computer and browser; they are trusted and live in the trust store.

(Screenshot: certificate chain)

The above is a correct installation.

Tool One:

Geocerts SSL Checker

https://www.geocerts.com/ssl_checker

Tool Two:

DigiCert SSL Installation Diagnostics Tool

https://www.digicert.com/help/


Some issues when I use SSL on web server Apache

I purchased an SSL certificate from Gogetssl.com. The Comodo Essential SSL is a good deal on their list. I paid $37.45 for FIVE years.

OK back to the title.

1) The online CSR generator defaults to SHA-1. I used my own openssl command to generate a SHA-256 CSR and key file instead.

There are many articles about SHA-1 vs SHA-256 for SSL.

If you can, use SHA-256 instead of SHA-1. SHA-1 is being retired.

The command I use to generate the private key and the CSR file:

openssl req -new -newkey rsa:2048 -nodes -sha256 -out www.mydomain.com.sha256.csr -keyout www.mydomain.key -subj "/C=FR/ST=Calvados/L=CAEN/O=TBS INTERNET/CN=www.mydomain.com"

Please build your own command with this tool, then add -sha256 to it. The above is for reference only.

2) Chain CA order

The certificate I received from gogetssl is a zip file. After unzipping it I got four certificate files.

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt
  • yourdomain.crt

To make a ca-bundle file, combine the three CA .crt files into one.

When combining them, be careful about the order of the files.

Put the content of COMODORSADomainValidationSecureServerCA.crt at the beginning of the ca-bundle file. Then paste the content of COMODORSAAddTrustCA.crt below it, and finally paste the content of AddTrustExternalCARoot.crt.

3) Chain issues – Contains anchor

This is an issue that showed up when I checked the SSL on ssllabs.com.

AddTrustExternalCARoot.crt is the root CA and is self-issued. Some people say the warning is because of this self-issued root CA.

There are some posts about it. They say it is safe not to include it in the ca-bundle:

  • Comodo support article
  • Qualys forum thread
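An added example, not from the post and not the author's files: it builds a throwaway root / intermediate / server chain with openssl, assembles the ca-bundle in the order described in section 2, and checks each bundle the way ssllabs does: every certificate's issuer must be the subject of the next one, and a self-signed certificate at the end is the "Contains anchor" case from section 3. All names are made up; it needs only a POSIX shell and the openssl command-line tool.

```shell
# Added example: toy Root -> Intermediate -> Leaf chain, then bundle checks.
# Every name and file here is constructed for the demonstration.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed root (stand-in for AddTrustExternalCARoot.crt)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -keyout root.key \
  -out root.crt -subj "/CN=Example Root CA" 2>/dev/null
# Intermediate CA signed by the root (stand-in for the two COMODO*.crt files)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile ca.ext -out inter.crt 2>/dev/null
# Server certificate signed by the intermediate (stand-in for yourdomain.crt)
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout leaf.key -out leaf.csr \
  -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 30 -sha256 -out leaf.crt 2>/dev/null

# Three candidate bundles: leaf's issuer first without the root (what ssllabs
# prefers), the same with the root appended (anchor), and root first (wrong).
cat inter.crt > ca-bundle.crt
cat inter.crt root.crt > ca-bundle-with-root.crt
cat root.crt inter.crt > ca-bundle-wrong-order.crt

# Does the server cert chain up to the trust store (root.crt) via this bundle?
verify_leaf() { openssl verify -CAfile root.crt -untrusted "$1" leaf.crt >/dev/null 2>&1; }

# Walk a bundle in file order; print "ok" or "contains anchor", fail on disorder.
check_bundle() {
  rm -f part*.pem
  awk '/-----BEGIN CERTIFICATE-----/{n++} {print > ("part" n ".pem")}' "$1"
  prev_issuer=""
  for f in part*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject); subj=${subj#subject=}
    iss=$(openssl x509 -in "$f" -noout -issuer);   iss=${iss#issuer=}
    if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
      echo "out of order: $f should be issued by $prev_issuer"; return 1
    fi
    prev_issuer=$iss
  done
  # The bundle's last certificate is self-signed only if a root was included.
  if [ "$subj" = "$iss" ]; then echo "contains anchor"; else echo "ok"; fi
}

verify_leaf ca-bundle.crt && check_bundle ca-bundle.crt
```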

(Screenshot: SSL Labs report)
