Issue
I would like to confirm my SSL certificate details and verify that my intermediate/chain certificate files are in the correct order.
Resolution
SSL (Secure Sockets Layer) is a critical component of sites that need to handle sensitive or personal information. You can use SSL with Acquia Cloud by adding HTTPS/SSL support to your site.
Before you set up your certificates, it's a good idea to test them to ensure that they are correct and will work together. Here's how you can test the validity of an SSL certificate. Also see the additional checks below, especially if your key or certificate is in a format other than .key or .crt:
Check the order of your certificates:
The most common reason for a certificate deployment to fail is that the intermediate/chain certificates are not in the correct order. Specifically, the intermediate certificate file must be in descending order from the main/server certificate towards the root, and must end with the root certificate or the certificate closest to the root. You can determine the order of the certificates in your intermediate file by running the following command:
openssl crl2pkcs7 -nocrl -certfile $CERT_FILE | openssl pkcs7 -print_certs -noout
Here is an example of that command against an intermediate chain cert that is in the correct order:
openssl crl2pkcs7 -nocrl -certfile certificate-chain.pem | openssl pkcs7 -print_certs -noout
subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
The command prints a condensed summary of each certificate as two lines: its subject and its issuer. Each two-line pair corresponds to one certificate within your chain.
The issuer (second) line of one certificate must match the subject (first) line of the certificate that follows it, as shown by the arrows in the image below:
In addition to the lines matching, the chain must end with the Root certificate or certificate most proximate to the Root.
Certificate files can be re-ordered by copying and pasting them in the appropriate order within the "CA intermediate certificates" field on the installation form in the UI.
If the same subject/issuer pair appears more than once in the chain, a redundant certificate is present, which will result in an installation error. If there is a repeated certificate in the chain, remove it before attempting the installation.
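The order and duplicate checks described above can be automated. The script below is an added example, not part of the original article: it reads the subject=/issuer= line pairs that the openssl pipeline prints (any OpenSSL version's subject formatting works, since it only compares the text after the prefix), reports broken links and repeated certificates, and notes whether the chain ends at a self-signed root. The sample input is the two-certificate chain shown above.

```shell
#!/bin/sh
# check_chain_order: read the subject=/issuer= line pairs printed by
#   openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout
# and confirm the chain is in descending order: the issuer of each certificate
# must be the subject of the next one, no certificate may repeat, and the last
# one should be the root (self-signed) or the certificate closest to it.
# Exit status 0 = order OK; 1 = a problem was reported on stdout.
check_chain_order() {
  awk '
    /^subject=/ { n++; subj[n] = substr($0, 9); next }
    /^issuer=/  { iss[n]  = substr($0, 8);  next }
    END {
      rc = 0
      if (n == 0) { print "no certificates found in input"; exit 1 }
      for (i = 1; i <= n; i++) {
        for (j = 1; j < i; j++)                 # repeated certificate
          if (subj[i] == subj[j]) { printf "cert %d repeats cert %d: %s\n", i, j, subj[i]; rc = 1 }
        if (i < n && iss[i] != subj[i+1]) {     # broken link to the next certificate
          printf "cert %d issuer != cert %d subject:\n  %s\n  %s\n", i, i+1, iss[i], subj[i+1]
          rc = 1
        }
      }
      if (iss[n] != subj[n]) print "note: last cert is not self-signed (chain ends at an intermediate)"
      if (rc == 0) printf "chain order OK (%d certificates)\n", n
      exit rc
    }'
}

# print_chain: the pipeline from this article, wrapped for use with check_chain_order
print_chain() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Constructed sample: the two-certificate DigiCert chain shown in this article.
SAMPLE_CHAIN='subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA'

# On a real file:  print_chain certificate-chain.pem | check_chain_order
printf '%s\n' "$SAMPLE_CHAIN" | check_chain_order
```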
You can identify the main/server certificate by running the same command. An example of the output for the main/server certificate, which should go in the "SSL Certificate" field within the installation form in the UI, is:
openssl crl2pkcs7 -nocrl -certfile certificate.pem | openssl pkcs7 -print_certs -noout
subject=/C=US/ST=Massachusetts/L=Boston/O=Acquia Inc/OU=Acquia Hosting/CN=acquia-sites.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
You can recognize the main/server certificate because, as in the example above, its subject contains the unique organizational information you provided in the CSR used to obtain the certificate.
Verify that the private key and main/server certificate match:
openssl x509 -noout -modulus -in certificate.pem | openssl md5
openssl rsa -noout -modulus -in ssl.key | openssl md5
The output of these two commands must be exactly the same. If you cannot locate a matching private key to your main/server certificate, you will be required to re-key the certificate by generating a new CSR and/or requesting an updated certificate from your SSL vendor.
Check the dates that the certificate is valid:
openssl x509 -noout -in certificate.pem -dates
Ensure that the current date is between the certificate's start and end dates.
Check the validity of the certificate chain:
openssl verify -CAfile certificate-chain.pem certificate.pem
If the response is OK, the check is valid.
Verify that the public keys contained in the private key file and the certificate are the same:
openssl x509 -in certificate.pem -noout -pubkey
openssl rsa -in ssl.key -pubout
The output of these two commands should be the same.
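The two key/certificate comparisons above can be folded into one check. This is an added example, not from the original article: it hashes the DER-encoded public key taken from the certificate and from the private key and compares the digests, which gives the same answer as the modulus/md5 comparison for RSA keys and also works for EC keys, which have no RSA modulus. The demo generates its own throwaway certificate and keys in a temporary directory.

```shell
#!/bin/sh
# cert_matches_key CERT KEY: return 0 if the private key belongs to the
# certificate, 1 otherwise. Compares SHA-256 digests of the DER-encoded public
# key extracted from each file, so it is independent of key type (RSA, EC).
cert_matches_key() {
  cert="$1"; key="$2"
  cert_fp=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
            | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256) || return 1
  # -passin pass: makes an encrypted key fail immediately instead of prompting;
  # the platform requires unencrypted keys anyway (see below).
  key_fp=$(openssl pkey -in "$key" -passin pass: -pubout -outform DER 2>/dev/null \
            | openssl sha256) || return 1
  # An unreadable file yields an empty DER stream on both sides; never call that a match.
  empty_fp=$(printf '' | openssl sha256)
  [ "$cert_fp" != "$empty_fp" ] && [ "$cert_fp" = "$key_fp" ]
}

# Constructed demo: a self-signed certificate with its key, plus an unrelated key.
demo() {
  tmp=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo.example' \
      -keyout "$tmp/ssl.key" -out "$tmp/certificate.pem" >/dev/null 2>&1 || return 1
  openssl genpkey -algorithm RSA -out "$tmp/other.key" >/dev/null 2>&1 || return 1
  cert_matches_key "$tmp/certificate.pem" "$tmp/ssl.key"   && echo "ssl.key matches certificate.pem"
  cert_matches_key "$tmp/certificate.pem" "$tmp/other.key" || echo "other.key does NOT match certificate.pem"
  rm -rf "$tmp"
}

# Real files:  cert_matches_key certificate.pem ssl.key && echo match
if command -v openssl >/dev/null 2>&1; then demo; fi
```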
Other checks and format conversions:
SSL files must be in PEM format in order to be installed on our platform. Common file extensions for PEM-encoded files include .pem, .crt, .cer, and .cert. You can read more about the PEM format here: What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?
If you need to convert the format of your SSL files to PEM, please use the following commands:
- Convert PFX to PEM:
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
- Convert P7B to PEM:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
- Convert DER to PEM:
openssl x509 -inform der -in certificate.cer -out certificate.pem
You can also run the following commands to check if your files are already in the required format:
- Check to see if your key is in PEM format:
openssl rsa -inform PEM -in /tmp/ssl.key
- Check to see if your certificate is in PEM format:
openssl x509 -inform PEM -in /tmp/certificate.crt
SSL private keys must be unencrypted and not password protected on our platform. You can use the following OpenSSL command to remove a private key password (you will be prompted for the current passphrase):
openssl rsa -in [file1.key] -out [file2.key]
The output file is an unencrypted copy of your private key.