The main SSL tools on Linux to manage certificates are

• keytool
• openssl

SSL configuration in httpd.conf

$ grep SSLCertificate /etc/httpd/conf.d
SSLCertificateChainFile "/etc/httpd/conf.d/ssl.pem/example.pem"          #certificate chain
SSLCertificateFile "/etc/httpd/conf.d/ssl.crt/exmple.crt"                #domain certificate (private key signed by 3rd party CA)
SSLCertificateKeyFile "/etc/httpd/conf.d/ssl.key/exmple.key"             #private key file

Usefull OpenSSL commands

Renew a certificate based on the current certificate

openssl x509 -x509toreq -in current_certificate.crt -out new_certificate_request.csr -signkey the_current_certificate_private_key.key

Search installed certificates

Example searches

find -H / -name "*.crt" | while read line ; do echo $line ; openssl x509 -in certificate.crt -text | egrep -i 'Algorithm|Issuer' ; done
find -H / -name "*.crt" | while read line ; do echo $line ; openssl x509 -in $line -text | egrep -i 'Algorithm|Issuer|Not After' ; done
find -H / -name cacerts | while read line ; do echo $line ; /usr/bin/keytool -list -v -keystore $line -storepass changeit -noprompt | egrep -i 'Alias|Owner|algorithm|SHA1' ; done;
find -H / -path /usr/share/doc -prune -o -name "*.pem" | while read line ; do echo $line ; openssl x509 -in $line -text | egrep -i 'Algorithm|Issuer|After' ; done
find -H / -path "/usr/share/doc /proc" -prune -o -name "*.pem" | while read line ; do echo $line ; openssl x509 -in $line -text | egrep -i 'Algorithm|Issuer|After' ; done

-H do not follow symbolic links
-path "pattern" file name matches shell pattern
-prune -o ignores a whole directory tree if the pattern matches a directory path

Verify a certificate from a CLI

Insecure option tells libcurl to not verify the peer.

curl --insecure -v https://www.example.com/mgm-your-account 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'

If your webserver uses SNI scheme is not IP based, specify the vhost server using -servername option, otherwise can be skipped

echo | openssl s_client -connect <web_server_IP>:443 -servername www.example.com 2>/dev/null | openssl x509 -inform pem -noout -text

                                   Apache_server        Hosted_website_in_virtual_host_directive
                                      |                               |
server1# openssl s_client -connect 10.0.0.1:443 -servername www.example.com

OpenSSL test modules

With Server Name Indication (SNI), a web server can have multiple SSL certificates installed on the same IP address. SNI-capable browsers will specify the hostname of the server they’re trying to reach during the initial handshake process. This allows the web server to determine the correct SSL certificate to use for the connection. If you try to connect to Small Sites server with s_client, you’ll find that you receive the default SSL certificate installed on my server and not the one for this site. Therefore we need to use the -servername argument and s_client will do the additional SNI negotiation step.

OpenSSL provides three modules that allow you to test SSL connections: s_client, s_server and s_time. The first two, as the names suggest, are for simulating a client and a server in an SSL connection. The third one is for connection timing tests. I’ll start with a closer look at the s_client module.

S_client is particularly useful for checking which protocols and which ciphers the server agrees to use. This information is useful in security and functionality audits. For example, you could use this protocol information to find servers that don’t accept a legitimate protocol or cipher, thus preventing a legitimate client from connecting. You could also locate servers that accept weak protocols or ciphers and could thus allow a malicious attack.

s_client - output interpretation - https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html

Preview a certificate from CLI

openssl x509 -in /etc/httpd/conf/ssl.crt/certificate.crt -text -noout

Preview CSR request from CLI

openssl req -in certificate.csr -text -noout

Disabling Diffie-Hellman on Apache Servers

On each web server, in the ssl.conf file or, in some cases, the main Apache conf file, add the !DH: identifier to the start of the SSLCipherSuite config option string.

Procedure In Apache's conf directory, locate file: ssl.conf or httpd.conf

Look for the SSLCipherSuite keyword, whose string value must be similar to the following string:

"ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"

Add !DH: after the ALL: list so that the line looks like the following string:

"ALL:!DH:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"

Note: The !ADH: string in the above string is now redundant and can be removed. Repeat this edit in every SSL config section, if you are not using one global section. Save the file. Restart the web server for the changes to take effect.

Control Apache server

ssh apache.server.com "apachectl configtest"
ssh apache.server.com "apachectl graceful"
ssh apache.server.com "service httpd status"

Chain certificate structure

Apache ChainSSL is in PEM format containing all certificates from domain one to Root CA

# cat www_example_com_chain_cert-PEM.crt

-----BEGIN CERTIFICATE-----          #Domain certificate, eg. www_example_com.crt
MIIHkTCCBnmgAwIBAgIUZDLrn0fQy7z62YTRnsd/BsvWI1swDQYJKoZIhvcNAQEL
   < output obmitted >
TlXvxzWXBaAm4YzdMQt0owFUbeItrgn8IcfotEesUU6OMSGOSFi+WTlSC6rJmZM+
eNyDv54nHqqlCpbvZI3umxDx015/
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----          #Intermitennt CA, eg. QuoVadis_EV_SSL_ICA_G1.crt
MIIFeTCCA2GgAwIBAgIUc9pa+iPZP7qELgog9AHJ2G4k/F0wDQYJKoZIhvcNAQEL
   < output obmitted >
OUKBHeWRPmCuv59UkTZXA/LT/tHt2JC6htu2pYislARuJGsnq4Bgrw76c0AS3UF8
wxZChJIYvI+fVDAKwQ==
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----          #Root certificate, eg. QuoVadis_Root_CA_2.crt
MIIFtzCCA5+gAwIBAgICBQkwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0x
   < output obmitted >
ohEUGW6yhhtoPkg3Goi3XZZenMfvJ2II4pEZXNLxId26F0KCl3GBUzGpn/Z9Yr9y
8eOx79+Rj1QqCyXBJhnEUhAFZdWCEOrCMc0u
-----END CERTIFICATE-----

Java Keytool certificate management

Default password

changeit

Types of Java keystores

Terms like keyStore and trustStore are often used interchangeably and the same file can act as keystore as well as trustStore it just matter of pointing javax.net.ssl.keyStore and javax.net.ssl.trustStore properties to that file but there is a slight difference between keystore and trustStore.

• Trustedstore - a keystore containing system wide available Root certificates
• Java keystore - a keystore used by an application

Typical locations of a keystores

• located in server.xml file of Tomcat / Jboss server
• /etc/pki/tls/certs/ca-bundle.crt
• Trustedstore - JAVA_HOME/jre/lib/security/cacerts

Keytool useful commands

List a keystore

keytool -list -v -keystore tomcat.jks

Add a trusted certificate to keystore

keytool -import -trustcacerts -file GoDaddy_rootCA.cer -alias rootCA -keystore cacerts.jks

Remove

keytool -delete -alias godaddy_rootCA -keystore cacerts.jks

Preview a trusted store of different format than JKS. You can also add -storetype parameter for pkms7, 10 or 12 stores listing

keytool --printcert -file /etc/pki/tls/certs/ca-bundle.crt

Resources

• Working with Certificates and SSL Oracle documentation, keytool
• OpenSSL Commands To Keep Handy spin.atomicobject.com, includes SAN .cnf
• Java certs explained Keytool Example
• Difference between trustedStore and keyStore in Java - SSL