easy / certificate generation / testing

Back to overview Newer post: canon / mf8350 / driver hell Older post: setuid / seteuid / uid / euid

easy / certificate generation / testing

  • Written by
    Walter Doekes
  • Published on

If I’m going to be requesting SSL certificates more often, I’d better automate the process a bit.

The result:
easycert.sh (view)

Possible invocation styles:

$ easycert.sh -h
Usage: easycert.sh -c NL -l Groningen -o OSSO\ B.V. -e info@osso.nl osso.nl
Usage: easycert.sh osso.nl "/C=NL/L=Groningen/O=OSSO B.V./CN=osso.nl/"
Usage: easycert.sh -T www.osso.nl 443

Generating a key and certificate:

$ easycert.sh -o "My Company" mycompany.com
Subject: /C=NL/L=Groningen/O=My Company/CN=mycompany.com/emailAddress=info@osso.nl
Enter to proceed...
Generating RSA private key, 4096 bit long modulus
..................................................................................................................................................++
..................++
e is 65537 (0x10001)
mycompany_com-2012.csr

The same, but in a non-interactive fashion:

$ easycert.sh mycompany.com "/C=NL/L=Groningen/O=My Company/CN=mycompany.com/emailAddress=info@osso.nl" </dev/null 2>&0
mycompany_com-2012.csr
$ ls -l mycompany_com-2012.*
-rw-r--r-- 1 walter walter 1704 2012-10-25 12:14 mycompany_com-2012.csr
-rw-r--r-- 1 walter walter 3243 2012-10-25 12:14 mycompany_com-2012.key

Testing SSL configuration on the server:

$ easycert.sh mail.osso.nl 993 -T
The list below should be logically ordered,
and end with a self-signed root certificate:

Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.osso.nl
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---

Now all it needs is a CGI front-end so the customers can generate their own CSRs while leaving the keys privately on the server. No wait.. I added that already. Just run the script as a cgi script and you’ll get the files in /tmp.

Update 2013-05-28

Sending the last self-signed certificate is generally only unnecessary overhead. In the example above, the third and final certificate in the chain may be skipped.

And see the SSL Labs SSL analyzer for a helpful report about the state of your HTTPS server.

Common Apache2 configs you may need to add:

# Fight BEAST attack
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

Common NginX config:

ssl_protocols        SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers          ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!DH:!EDH;
ssl_prefer_server_ciphers on;
Back to overview Newer post: canon / mf8350 / driver hell Older post: setuid / seteuid / uid / euid

Location

Helperpark 282A

9723ZA Groningen

Phone: +31 (0)50 210 3520

E-mail: info@osso.nl

Links

OSSO B.V.

  • IBAN NL45RABO0105881341EUR
  • KvK 02087026
  • BTW NL820103500B01
Copyright © 2024 OSSO B.V.