Issue
I would like to confirm my SSL certificate includes the correct information and validate it is in the right order.
Resolution
SSL (Secure Socket Layer) is a critical component of sites that need to handle sensitive or personal information. You can use SSL with Acquia Cloud by adding HTTPS/SSL support to your site.
Before you set up your certificates, it's a good idea to test them to ensure that they are correct and will work together. Here's how you can test the validity of an SSL certificate - also see below for additional checks, especially if your key or certificate is in a different format than .key or .crt:
- Open a command prompt window and
cdto the location of your existing certificate, and then verify the certificate chain by using the following command:openssl verify -CAfile certificate-chain.crt certificate.crtIf the response is
OK, the check is valid. - Verify that the public keys contained in the private key file and the certificate are the same:
openssl x509 -in certificate.crt -noout -pubkey openssl rsa -in certificate.key -puboutThe output of these two commands should be exactly the same.
- Verify that the private key and public key are a key pair that match:
openssl rsa -noout -modulus -in certificate.key | openssl md5 openssl x509 -noout -modulus -in certificate.crt | openssl md5The output of these two commands must be exactly the same.
- Check the dates that the certificate is valid:
openssl x509 -noout -in certificate.crt -datesEnsure that the current date is between the certificate's start and end dates.
-
Check the order of your certificates.
The most common reason for a certificate deployment to fail is that the intermediate/chain certificates are not in the correct order. One method of checking the order via the command is:openssl crl2pkcs7 -nocrl -certfile $MAIN_CERT_FILE.PEM | openssl pkcs7 -print_certs -noout openssl crl2pkcs7 -nocrl -certfile $CHAIN_CERT_FILE.PEM | openssl pkcs7 -print_certs -nooutYour output should look similar to this:
openssl crl2pkcs7 -nocrl -certfile $MAIN_CERT_FILE.PEM | openssl pkcs7 -print_certs -noout subject=/C=US/ST=Massachusetts/L=Boston/O=Acquia Inc/OU=Acquia Hosting/CN=acquia-sites.com issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CAopenssl crl2pkcs7 -nocrl -certfile $CHAIN_CERT_FILE.PEM | openssl pkcs7 -print_certs -noout subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CAThese need to conclude with the root certificate or cert most proximate to the root.
Other checks and format conversions
You may have a key or a certificate in a different format than the standard. You can read What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats? for more information on different key formats. Here are some checks you can use:
-
Check to see if your Test Key is in PEM format:
openssl rsa -inform PEM -in /tmp/certificate.key -
Check to see if your Test Certificate is in PEM format:
openssl x509 -inform PEM -in /tmp/certificate.crt -
View the entire contents of the certificate:
openssl x509 -in certificate.crt -noout -text -
Check to see if your Test Certificate is in DER format:
openssl x509 -in certificate.crt -inform DER -text -noout -
Convert a certificate in crt format to PEM:
openssl x509 -in certificate.crt -out certificate.pem -outform PEM -
Convert a DER format to PEM:
openssl x509 -in certificate.der -inform DER -out certificate.pem -outform PEM