I have tried to find the answer to this but I couldn't find an answer...
How do I check if my SSL Certificate is using SHA1 or SHA2?
Reason I ask is because it might have to do with the certificate not loading on Mozilla Browers....
Any ideas? Can I check through cPanel?
Use the Linux Command Line
Use the command line, as described in this related question: How do I check if my SSL Certificate is SHA1 or SHA2 on the commandline.
Command
Here's the command. Replace www.yoursite.com:443 to fit your needs. Default SSL port is 443:
openssl s_client -connect www.yoursite.com:443 < /dev/null 2>/dev/null \
| openssl x509 -text -in /dev/stdin | grep "Signature Algorithm"
Results
This should return something like this for the sha1:
Signature Algorithm: sha1WithRSAEncryption
or this for the newer version:
Signature Algorithm: sha256WithRSAEncryption
References
The article Why Google is Hurrying the Web to Kill SHA-1 describes exactly what you would expect and has a pretty graphic, too.
Update: The site below is no longer running because, as they say on the site:
As of January 1, 2016, no publicly trusted CA is allowed to issue a SHA-1 certificate. In addition, SHA-1 support was removed by most modern browsers and operating systems in early 2017. Any new certificate you get should automatically use a SHA-2 algorithm for its signature.
Legacy clients will continue to accept SHA-1 certificates, and it is possible to have requested a certificate on December 31, 2015 that is valid for 39 months. So, it is possible to see SHA-1 certificates in the wild that expire in early 2019.
Original answer:
You can also use https://shaaaaaaaaaaaaa.com/ - set up to make this particular task easy. The site has a text box - you type in your site domain name, click the Go button and it then tells you whether the site is using SHA1 or SHA2.
Background
You can check by visiting the site in your browser and viewing the certificate that the browser received. The details of how to do that can vary from browser to browser, but generally if you click or right-click on the lock icon, there should be an option to view the certificate details.
In the list of certificate fields, look for one called "Certificate Signature Algorithm". (For StackOverflow's certificate, its value is "PKCS #1 SHA-1 With RSA Encryption".)
openssl s_client -connect api.cscglobal.com:443 < /dev/null 2>/dev/null | openssl x509 -text -in /dev/stdin | grep "Signature Algorithm" | cut -d ":" -f2 | uniq | sed '/^$/d' | sed -e 's/^[ \t]*//'
I had to modify this slightly to be used on a Windows System. Here's the one-liner version for a windows box.
openssl.exe s_client -connect yoursitename.com:443 > CertInfo.txt && openssl x509 -text -in CertInfo.txt | find "Signature Algorithm" && del CertInfo.txt /F
Tested on Server 2012 R2 using http://iweb.dl.sourceforge.net/project/gnuwin32/openssl/0.9.8h-1/openssl-0.9.8h-1-bin.zip
Related
I did a protection for my Web Service calls with Man-in-the-Middle Attacks in iOS with SSL Pinning tuto
I would like to renew my certificate on the iOS each two month because this the time my server has to renew his certificate.
For now I do it manually by taping on my mac command line:
openssl s_client -connect <server>:443 </dev/nullsl x509 -outform DER -out <name.der> with OpenSSL under Swift ?
The problem is that I have to send to my customer a new app for install, with a new certificate in the bundle each month.
For this, I would like to use the OpenSSL GitHub for iOS to generate it locally on the ipad/iphone.
I cannot find the way to use it, do you know what is the code I must write to execute that command in Swift by using this github?
Thanks in advance.
I've been using self-signed certificates in the intranet of my small office and after upgrading to iOS 11, the certificates does not work for me. (Chrome and other browsers are happy with them.)
I've got my self-signed root ca file and converted it to .der file, and installed it onto my iPad via web.
But unlike this Answer, I can't see my root ca certificate on the Settings > General > About > Certificate Trust settings.
Is there any limitations for the certificates to be trusted in iOS? Both my iPhone and iPad has this problem. Is there anything wrong in my procedure?
I used these codes to make my ca certificate.
openssl genrsa -des3 -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
openssl x509 -in rootCA.crt -out cert.der -outform DER
If you are not seeing the certificate under General->About->Certificate Trust Settings, then you probably do not have the ROOT CA installed. Very important -- needs to be a ROOT CA, not an intermediary CA.
This is very easy to determine by using openssl:
$ openssl s_client -showcerts -connect myserver.com:443 </dev/null
This will show you output for certificates in the cert chain, something like this:
Certificate chain
0 s:/C=US/ST=California/L=SAN FRANCISCO/O=mycompany.com, inc./OU=InfraSec/CN=myserver.com
i:/C=US/O=mycompany.com, inc./CN=mycompany.com Internal CA 1A
-----BEGIN CERTIFICATE-----
....encoded cert in PEM format....
-----END CERTIFICATE-----
And it should show a chain of certs all the way to the ROOT CA. Keep following the output, paying attention to the "i:" value which indicates the ISSUER. Finally, you should get to the ROOT CA and can just copy-paste it to a .pem file (be sure to include the BEGIN CERTIFICATE and END CERTIFICATE lines!). Now you will be able to install it on your simulator by dragging-dropping onto simulator window.
If your ROOT CA is not listed, then find the top level in the output, then export it from Keychain Access.app. This assumes you are able to hit the website via Safari/Chrome, so you will have had to manually trust the website first.
My 'openssl s_client' output ended with the last cert shown with an issuer like this:
i:/C=US/O=mycompany.com, inc./CN=mycompany.com Internal Root CA 1
I am able to hit the target website successfully via Safari/Chrome, so that means Keychain has it stored and trusts it. So, I just launched Keychain Access.app via Spotlight and typed "mycompany" in the search bar. It showed my certificate (Kind=certificate) for "mycompany.com Internal Root CA 1". I just right clicked and selected "Export" and saved it to a .cer file.
Voila! Now I can drag-n-drop it onto my simulator and the ROOT CA will show up under General->About... and I can enable it.
If, for some reason you need to convert PEM file to DER/CER, just use this command:
$ openssl x509 -in myfile.pem -out myfile.der -outform DER
Hope this helps, I've had to do this dozens of times and figured it's about time I jot down some notes so I don't keep forgetting.
Apparently ios does not like certificates without Common Name, so just regenerate it with non empty CN and it will appear in root certificates list
Just use following command then airdrop or send yourself that cert via email.
Make sure to answer all the questions when you see prompts
openssl genrsa -out privatekey.pem 1024
openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 1825
openssl pkcs12 -export -out public_privatekey.pfx -inkey privatekey.pem -in publickey.cer
I had same issue until I used this command. I don't know why this happens but the command works.
Cheers!
I have been trying to get this to work for days, but can anyone point me in the right direction (tutorial ect.) for how to get LetsEncypt certs to run in Solr?
I have a Rails site running on 443 with LetsEncrypt and have added solr on the same machine, on a different port. The Solr is running SSL with self-signed certs.
Can i use the same Certs for the main site as both the site and the solr can be accessed on the same URL?
Obviously the solr instance is secured via IP tables as it seemed an easyier setup than reverse proxying while trying to use the same cert.
Any pointers or hints greatly appreciated!
Thanks
Sometimes i overlook the obvious!
As i have a key for the Domain already, and Solr responds on mydomain.com:8983 all that is needed is to create a Java Key Store (jks) from the existing keys on the system.
So all that was needed is
openssl pkcs12 -export -in /etc/letsencrypt/live/mydomain.com/fullchain.pem -inkey /etc/letsencrypt/live/mydomain.com/privkey.pem -out pkcs.p12 -name NAME
specifing the location of the Lets-Encrypt Cert (on my system /etc/letsencrypt/live/mydomain.com/)
Then convert the PKCS12 key to a jks...
keytool -importkeystore -deststorepass PASSWORD_STORE -destkeypass PASSWORD_KEYPASS -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass STORE_PASS -alias NAME
replacing password where needed.
I would have thought the best practace here would be to Automate this in a bash script to be run when the Lets-encrypt certs are renewed.
I'm trying to set up a Rails application using the Rapns library to send push notifications. The project already has this gem configured, I am working toward upgrading it to Rpush. However, I'm having a lot of trouble setting up my certificates.
I've generated all the key pairs and certificates I need with much help from the following articles:
Apple Push Notifications, how do I properly export my cert?
http://quickblox.com/developers/How_to_create_APNS_certificates
http://www.raywenderlich.com/32960/apple-push-notification-services-in-ios-6-tutorial-part-1
Running the following command
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert /path/to/my/sandbox.pem -debug -showcerts
returns the following
Verify return code: 20 (unable to get local issuer certificate)
So with help from Apple's docs I downloaded a CA certificate and ran the following
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert /path/to/my/sandbox.pem -debug -showcerts -CAfile /path/to/my/entrust_2048_ca.cer
and got
Verify return code: 0 (ok)
Success! However, my call to run the notifying application
bundle exec rapns development
Outputs 2 lines initially
[2014-08-04 14:29:42] [my app ID] Started, 1 handler.
[2014-08-04 14:29:43] [my app ID] Connected to feedback.sandbox.push.apple.com:2196
but then does nothing as I attempt to trigger notifications. Additionally it will re-prompt me for my PEM pass phrase periodically, making me think it's not really authenticating (which may be a symptom of the return code 20 from before).
I didn't actually fix the certificate itself (I don't think) by downloading the CA certificate. How do I incorporate that into the PEM so this works, or otherwise configure Rapns such that I don't need the CA cert?
using this link i try to make push notification apps .
but, this used old apple panel for generate ssl and provision certificate.
any one generate ssl and provision using new apple panel?
below step for generate ck.pem
1) $ openssl x509 -in aps_developer_identity.cer -inform der -out
PushChatCert.pem
2) $ openssl pkcs12 -nocerts -out PushChatKey.pem -in PushChatKey.p12
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
3) $ cat PushChatCert.pem PushChatKey.pem > ck.pem
4) $ telnet gateway.sandbox.push.apple.com 2195
Trying 17.172.232.226...
Connected to gateway.sandbox.push-apple.com.akadns.net.
Escape character is '^]'.
is this correct step?
please help me......
thanks
You can still use the Provisioning and Development guide. They haven't modified it for the new Certificates, Identifiers & Profiles page (which replaced the iOS Provisioning Portal) yet, but it doesn't make much difference.
In the following screen click on Identifiers :
Then click on the relevant App ID (or create a new one if it doesn't exist).
Then click Edit.
Then make sure the check box next to Push Notifications is enabled (check it if it's not).
Then click Create Certificate... for either Development or Production.
The rest of the process should be identical to the way it was before the portal change, so you can either use the instructions in the link I provided, or instructions from other tutorials (such as the one in the link you provided).