I believe it is my responsibility to pass on the knowledge I have gathered through my years of experience with SSL.
CSR Online Generator
SSL troubleshooting tools
https://www.sslshopper.com/ssl-certificate-tools.html
SSL Checker
CSR Decoder
Certificate Decoder
Certificate Key Matcher
SSL Converter
Nice text tools
This command retrieves the certificates a server presents during the TLS handshake (server certificate, intermediate certificate and root certificate, as sent by the server); -servername is needed so that a server hosting several names (SNI) returns the right certificate:
openssl s_client -showcerts -servername <HOST> -connect <HOST>:<PORT> </dev/null
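The -showcerts output above mixes handshake chatter with several PEM blocks, and openssl x509 only reads the first block of a file. The following shell helper, added here as an example and not part of the original tips, splits the chain into one file per certificate with awk (no openssl needed for that step) and then prints subject, issuer and validity dates for each file with openssl x509 (assumes openssl is installed). The sample chain embedded in the script is constructed and contains no real certificate data.

```shell
#!/bin/sh
# Added example: split `openssl s_client -showcerts` output into one PEM file
# per certificate, then inspect each one.
# Usage:
#   openssl s_client -showcerts -servername HOST -connect HOST:443 </dev/null 2>/dev/null \
#       | split_chain chain_dir
#   describe_certs chain_dir

# split_chain DIR: read s_client output on stdin, write DIR/cert-1.pem, DIR/cert-2.pem, ...
# in the order the server sent them (cert-1 is the server certificate).
# Prints the number of certificates written.
split_chain() {
    dir="$1"
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    '
}

# describe_certs DIR: for every cert-N.pem show subject, issuer and validity
# (requires the openssl binary). A missing issuer in the chain, or an expired
# intermediate, shows up here before it shows up as a browser error.
describe_certs() {
    for f in "$1"/cert-*.pem; do
        [ -f "$f" ] || continue
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer -dates
    done
}

# Constructed sample input (fake, non-parsable PEM bodies) wrapped in the
# typical s_client chatter, so the splitter can be exercised offline.
SAMPLE_CHAIN='CONNECTED(00000003)
depth=1 C = US, O = Example CA
verify return:1
---
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example CA
-----BEGIN CERTIFICATE-----
MIIBbase64leaf
-----END CERTIFICATE-----
 1 s:C = US, O = Example CA
   i:C = US, O = Example Root
-----BEGIN CERTIFICATE-----
MIIBbase64intermediate
-----END CERTIFICATE-----
---
Server certificate
'

# demo_split: run the splitter on the constructed sample and print the count (2).
demo_split() {
    tmp=$(mktemp -d)
    count=$(printf '%s\n' "$SAMPLE_CHAIN" | split_chain "$tmp")
    rm -rf "$tmp"
    echo "$count"
}

demo_split
```

With a real server the second file (cert-2.pem) is normally the intermediate; if the server sends no intermediate at all, only cert-1.pem appears, which is exactly the misconfiguration that makes some clients fail with an "unknown issuer" error.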
Get Let's Encrypt SSL Cert for free
Install certbot (see the certbot documentation for installation instructions on your platform).
There are many ways to obtain and install the free certificate on your server.
I use this command most often:
certbot -d domain.tld,www.domain.tld --manual --preferred-challenges dns certonly
I use this command when I have a CSR file and access to the domain's DNS:
certbot certonly --csr domain.csr --manual --preferred-challenges dns-01 -d domain.tld,www.domain.tld
Create a PFX from PEM/CRT and KEY using the openssl tool on a Mac
When the .PFX is exported with the openssl tool in a Mac terminal, its export password will not work on a non-Mac system, e.g. Windows Server.
When importing that .PFX file into the Windows certificate store, you will get this error: "The password you entered is incorrect"
For Mac
openssl pkcs12 -inkey <key file>.pem -in <chain file>.pem -export -out <output file name>.pfx
For Windows (non-Mac): force the older PBE-SHA1-3DES encryption that the Windows importer understands
openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -inkey <key file>.pem -in <chain file>.pem -out <output file name>.pfx
Using the openssl command line to generate the CSR file and the private key
openssl req -new -newkey rsa:4096 -nodes -keyout <domain>-key.pem -out <domain>.csr
Once the CA has signed the CSR, you will receive the signed certificate and the CA-Bundle file (chain file).
Using the openssl command to generate the PFX file
openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -inkey <key file>.pem -in <chain file>.pem -out <output file name>.pfx
Get a Let's Encrypt SSL cert for free (multiple sub-domains) using openssl with a san.cnf file and the certbot tool:
Generate the CSR file
openssl req -new -newkey rsa:4096 -nodes -keyout <domain>-key.pem -out <domain>.csr -config san.cnf
san.cnf file template
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = AE
ST = <state>
L = <city>
O = <name of entity>
OU = <department>
CN = <domain>
[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = <domain>
DNS.2 = www.<domain>
DNS.3 = <sub1>.<domain>
DNS.4 = <sub2>.<domain>
Run certbot command:
certbot certonly --csr <domain>.csr --manual --preferred-challenges dns-01 -d <domain> -d www.<domain> -d <sub1>.<domain> -d <sub2>.<domain>
Add all the TXT records as instructed by the certbot tool. Wait for some time after adding the last TXT record so that the records have propagated before you let certbot continue.
The certbot tool will generate the signed certificate files for you to use.
Once the certificate has been signed, you will have the signed certificate and the CA-Bundle file (chain file).
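The san.cnf template and the certbot command above must agree: every name in [alt_names] should also be passed with -d, and the CN should itself appear as a SAN because browsers ignore the CN. The following shell helper, added here as an example and not part of the original tips, writes a san.cnf in the page's template format from a list of host names, numbers the DNS.N entries automatically, and prepends the CN to the SAN list if it was left out. The C/ST/L values come from the optional SAN_C, SAN_ST and SAN_L environment variables (assumed names, defaulting to the page's AE and placeholders); the openssl and certbot invocations in the usage comments assume both tools are installed.

```shell
#!/bin/sh
# Added example: generate san.cnf for `openssl req ... -config san.cnf`.
# Usage:
#   make_san_cnf example.com "Example LLC" IT www.example.com api.example.com > san.cnf
#   openssl req -new -newkey rsa:4096 -nodes -keyout example.com-key.pem \
#       -out example.com.csr -config san.cnf
#   openssl req -in example.com.csr -noout -text | grep DNS   # confirm the SANs
#   certbot certonly --csr example.com.csr --manual --preferred-challenges dns-01 \
#       -d example.com -d www.example.com -d api.example.com

# make_san_cnf CN ORG OU HOST... : print the config to stdout.
# The CN is added as DNS.1 when it is not already in the host list.
make_san_cnf() {
    cn="$1"; org="$2"; ou="$3"; shift 3
    case " $* " in
        *" $cn "*) ;;                 # CN already among the SANs
        *) set -- "$cn" "$@" ;;       # otherwise put it first
    esac
    cat <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = ${SAN_C:-AE}
ST = ${SAN_ST:-<state>}
L = ${SAN_L:-<city>}
O = $org
OU = $ou
CN = $cn

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
EOF
    i=1
    for host in "$@"; do
        echo "DNS.$i = $host"
        i=$((i + 1))
    done
}

# san_count FILE: number of DNS.N entries in a san.cnf, to compare with the
# number of -d arguments you give certbot (they must match, or the CSR and the
# order will disagree).
san_count() {
    grep -c '^DNS\.[0-9][0-9]* = ' "$1"
}
```

Because prompt = no is set, openssl req fills the subject from the file without asking; if a field is left as a placeholder such as <state> it will be embedded literally in the CSR, so edit or export SAN_ST and SAN_L before generating a real request.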
Using the openssl command to generate the PFX file
openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -inkey <key file>.pem -in <chain file>.pem -out <output file name>.pfx