Sun, Mar 12, 2017 10:57 pm

Let's Encrypt certificate expired

A couple of days ago, a user showed me a message she saw on her system about a security certificate issue. When I looked at the message, I realized it was due to the expiration of the Let's Encrypt certificate on the email server used by her system. I logged into that system and queried the server with the openssl command to check the expiration date. I saw it had expired that day, March 10.

# echo "quit" | openssl s_client -connect pop3.moonpoint.com:995 -quiet
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = imap.moonpoint.com
verify error:num=10:certificate has expired
notAfter=Mar 10 19:53:00 2017 GMT
verify return:1
depth=0 CN = imap.moonpoint.com
notAfter=Mar 10 19:53:00 2017 GMT
verify return:1
+OK Dovecot ready.
#

From the root account, I renewed the certificate using the command letsencrypt renew.


[/security/encryption/openssl] permanent link

Mon, Jan 30, 2017 10:49 pm

Checking a website's security certificate with OpenSSL

You can use OpenSSL, which is commonly installed on Mac OS X and Linux systems and is also available for other operating systems (the source code can be downloaded from OpenSSL Downloads and a Windows build is available at OpenSSL for Windows), to check the certificate of a website with a command of the form openssl s_client -showcerts -connect fqdn:port, where fqdn is the fully qualified domain name (FQDN) of the website and port is the port on which it listens for HTTPS connections. That is usually well-known port 443, though it may sometimes be another port, such as the registered port 8443. The -showcerts option instructs openssl to show every certificate in the chain the server sends, not just the server's own certificate, which is how you spot a missing intermediate certificate. When one server hosts several names on the same address, add -servername fqdn as well so that the server selects the certificate for that name (Server Name Indication); otherwise you may be shown a default certificate that is not the one a browser would see.


Wed, Jan 25, 2017 11:08 pm

Extracting information from a pem file

X.509 is the standard that defines the format of the public key certificates used for TLS and other public key applications. One of the filename extensions used for X.509 certificates is .pem, which stands for "Privacy Enhanced Mail", the format the encoding was borrowed from. A .pem file holds the certificate's DER (binary ASN.1) encoding, Base64 encoded between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, which is why it can be pasted into configuration files and e-mail. If you have a .pem certificate and want to view information about its contents, you can do so with OpenSSL software, which is commonly found on Linux and Mac OS X systems but is available for other operating systems as well. If you just want to view the expiration date for a certificate, you can use an openssl command like the one below:

$ openssl x509 -enddate -noout -in cacert.pem
notAfter=Aug 13 23:59:00 2018 GMT
$


Sun, Sep 11, 2016 5:05 pm

Let's Encrypt certificate for email server expired

A user sent me a screen shot she took with her phone of a message she saw while checking her email with Microsoft Outlook 2016 which stated:

Internet Security Warning

The server you are connected to is using a security certificate
that cannot be verified.

A required certificate is not within its validity period when
verifying against the current system clock or the timestamp in
the signed file.

Do you want to continue using this server?

Mon, Jun 13, 2016 10:37 pm

Using OpenSSL to verify a security certificate for an email server

You can use an OpenSSL s_client -connect command to check a certificate on a remote server by specifying the remote system in the form x.x.x.x:port where x.x.x.x is the IP address of the remote system and port is the relevant port or you can use the fully qualified domain name (FQDN) in place of the IP address. E.g., I used the command below to check the status of a certificate I obtained from Let's Encrypt, a "certificate authority that launched on April 12, 2016 that provides free X.509 certificates for Transport Layer Security (TLS) encryption via an automated process designed to eliminate the current complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites." The server I checked functions as a POP3S server using port 995, so that was the port I specified.


Sun, Oct 13, 2013 10:10 pm

Verifying an SSL Certificate

If you have a certificate file on a Linux or Unix system, you can check whether it chains to a trusted certificate authority using the openssl command with openssl verify /path_to_certificate/certificate, which validates the certificate against the system's default trust store unless you name another with -CAfile, e.g., as below:
# openssl verify /etc/ssl/certs/example.crt
/etc/ssl/certs/example.crt: /C=US/CN=example.com
error 18 at 0 depth lookup:self signed certificate
OK

In the case above, the country specified with the domain is the United States as shown by /C=US and the common name specified for the domain when the certificate was created and for which the certificate should be valid is example.com as shown by /CN=example.com.

The certificate is self-signed, which results in the error 18 message: its issuer is itself, and since it is not in the trust store, openssl cannot build a chain to a trusted certificate. The OpenSSL release used here still printed OK after reporting the error; current releases report a verification failure and exit non-zero instead, and if you want to treat such a certificate as a trust anchor you pass it explicitly with -CAfile.

The dates between which the certificate is valid can be displayed with openssl x509 -in /path_to_certificate/certificate -noout -text | grep Not, as shown below (openssl x509 -noout -dates prints just those two lines without the rest of the decoded certificate):

# openssl x509 -in /etc/ssl/certs/example.crt -text | grep Not
            Not Before: Oct 11 21:06:30 2013 GMT
            Not After : Oct 11 21:06:30 2014 GMT

In the case above, the certificate is valid from October 11, 2013 through October 11, 2014. After October 11, 2014, anyone visiting the website that uses the certificate for HTTPS connections will be warned by their browser that there is a problem with the certificate because it will have expired. To get ahead of that, openssl x509 -checkend seconds -noout -in certificate exits with a non-zero status when the certificate expires within the given number of seconds, which makes it convenient for a scheduled renewal check.

X.509 specifies standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.
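As an added example (not code from the MoonPoint posts), the following script builds a throwaway CA and a leaf certificate it signs, and then applies the x509 and verify commands from this post and from the "Extracting information from a pem file" post above to them, so you can see error 18 and error 20 produced and cleared without touching a real server. The CA name, the example.com subject, the validity periods and the temporary working directory are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not code from the MoonPoint posts): build a throwaway
# CA-signed certificate with openssl, then inspect and verify it with the
# same x509 and verify commands the posts use. Everything lives in a
# temporary directory that is deleted on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a self-signed test CA valid for 2 days and a
# leaf certificate for example.com that it signs, valid for 1 day. Neither
# is a real trust anchor; the names are placeholders.
make_test_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca.pem" -subj "/C=US/CN=Example Test CA" -days 2 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
        -out "$WORK/leaf.csr" -subj "/C=US/CN=example.com" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -out "$WORK/leaf.pem" -days 1 2>/dev/null
}

# Subject, issuer and both validity boundaries, without dumping the whole
# certificate the way "x509 -text | grep Not" does.
cert_summary() {
    openssl x509 -noout -subject -issuer -dates -in "$1"
}

# Just the notAfter line, as in the posts above.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1"
}

# Exit 0 if the certificate is still valid $2 seconds from now, 1 if it will
# have expired by then. -checkend does the date arithmetic, which makes it
# the right primitive for a renewal check run from cron.
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}

# Chain validation. With no second argument the system trust store is used,
# so a private CA or a self-signed certificate fails with error 20 (issuer
# not found) or 18 (self-signed). Current OpenSSL exits non-zero on failure;
# the 2013 output above came from a release that still printed OK.
cert_verify() {
    if [ $# -ge 2 ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

make_test_chain
cert_summary "$WORK/leaf.pem"
cert_not_after "$WORK/leaf.pem"
cert_valid_for "$WORK/leaf.pem" 3600 && echo "leaf is good for at least another hour"
cert_valid_for "$WORK/leaf.pem" 172800 || echo "leaf expires within 2 days: renew it"
cert_verify "$WORK/leaf.pem" "$WORK/ca.pem" && echo "leaf chains to the test CA"
cert_verify "$WORK/leaf.pem" || echo "leaf alone: issuer is not in the trust store (error 20)"
cert_verify "$WORK/ca.pem" || echo "CA alone: self-signed, not trusted by default (error 18)"
```

cert_valid_for is the function to wire into monitoring: call it with the number of seconds of notice you want (for a Let's Encrypt certificate that lives 90 days, something like 30 days, 2592000 seconds) and alert on a non-zero exit, rather than parsing the notAfter date by hand.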

References:

  1. OpenSSL: The Open Source toolkit for SSL/TLS
  2. Troubleshooting with openssl
    Date: February 11, 2010
    MoonPoint Support


Fri, Feb 12, 2010 3:57 pm

Using OpenSSL to calculate Message Digest

The md5sum command can be used to calculate an MD5 message digest (MD5 is an abbreviation for "Message-Digest algorithm 5"), which is a cryptographic hash function. The md5sum program is commonly found on Linux systems, and programs that provide the same functionality are also available for Microsoft Windows systems, e.g., digestIT 2004. But if such a program isn't present on a system, e.g., an OS X system, and OpenSSL is present, you can use the openssl command to obtain message digests. Comparing a digest against the one the originator published lets you verify that a file, such as an executable file, was not changed since it was released. Two caveats apply: the published digest has to come from a source you trust independently of the download, since whoever could replace the file could replace a digest sitting next to it, and MD5 is no longer collision resistant, so for anything beyond detecting accidental corruption compare a SHA-256 or stronger digest.

If you issue the command openssl dgst filename, the OpenSSL releases of 2010 provide the MD5 checksum for the file by default; since OpenSSL 1.1.0 the default digest is SHA-256, so name the algorithm explicitly in anything scripted. You can also use other cryptographic hash functions, such as SHA, SHA1, or MD2, or you can specify MD5. Note that sha here is SHA-0, which, like md2, is not available in current OpenSSL builds.

$ openssl dgst images.zip
MD5(images.zip)= 796faa884fb0125eda60cd5e8aa8daa1
$ openssl md5 images.zip
MD5(images.zip)= 796faa884fb0125eda60cd5e8aa8daa1
$ openssl sha1 images.zip
SHA1(images.zip)= 3070ac89b7a4327e217045b1cac790c1dc048d8f
$ openssl sha images.zip
SHA(images.zip)= 021e35f63c55e22355bea99f73df885659a46d15
$ openssl md2 images.zip
MD2(images.zip)= 47bd3f0cc33710997f2fe57b1f7cc2c5

The available message digest options include the following:

MESSAGE DIGEST COMMANDS

       md2       MD2 Digest
       md5       MD5 Digest
       mdc2      MDC2 Digest
       rmd160    RMD-160 Digest
       sha       SHA Digest
       sha1      SHA-1 Digest
       sha224    SHA-224 Digest
       sha256    SHA-256 Digest
       sha384    SHA-384 Digest
       sha512    SHA-512 Digest
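As an added example (not code from the MoonPoint post), the script below computes digests with openssl dgst, compares a file against a published digest, and then goes one step further than the post: it signs the SHA-256 digest with a key and verifies the signature, which is what actually ties a file to its originator. The "release" file, the tampered copy and the signing key pair are all constructed for the example; the SHA-256 of the three bytes "abc" is the published test vector.

```shell
#!/bin/sh
# Added example (not code from the MoonPoint post): integrity and origin checks
# with openssl dgst, run on a constructed file in a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed "release" file: the three bytes "abc", chosen because its
# digests are the published test vectors for MD5, SHA-1 and SHA-256.
printf 'abc' > "$WORK/release.bin"
PUBLISHED_SHA256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

# Hex digest of a file with the algorithm named explicitly ($1 = md5, sha1,
# sha256, ...). The default changed from MD5 to SHA-256 in OpenSSL 1.1.0, so
# a script that relies on a bare "openssl dgst file" silently changes meaning
# across versions. The hex string is the last field of "NAME(file)= hex".
file_digest() {
    openssl dgst "-$1" "$2" | awk '{ print $NF }'
}

# 0 if the file matches the digest the originator published, 1 otherwise.
# The digest must come from a channel you trust (a signed release note, the
# project's HTTPS page, a checksum file with its own signature); a digest
# fetched next to the file proves only that the download was not corrupted.
verify_digest() {
    [ "$(file_digest "$1" "$2")" = "$3" ]
}

# Origin, not just integrity: a signature over the SHA-256 digest made with a
# key only the originator holds. This key pair is constructed for the example.
make_signing_key() {
    openssl genrsa -out "$WORK/signer.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/signer.key" -pubout -out "$WORK/signer.pub" 2>/dev/null
}
sign_file() {          # $1 file, $2 signature file to write
    openssl dgst -sha256 -sign "$WORK/signer.key" -out "$2" "$1"
}
verify_signature() {   # $1 file, $2 signature file; exit 0 only if it verifies
    openssl dgst -sha256 -verify "$WORK/signer.pub" -signature "$2" "$1" >/dev/null 2>&1
}

# A tampered copy: one extra byte appended.
cp "$WORK/release.bin" "$WORK/tampered.bin"
printf 'd' >> "$WORK/tampered.bin"

make_signing_key
sign_file "$WORK/release.bin" "$WORK/release.sig"

echo "md5:    $(file_digest md5 "$WORK/release.bin")"
echo "sha256: $(file_digest sha256 "$WORK/release.bin")"
verify_digest sha256 "$WORK/release.bin" "$PUBLISHED_SHA256" && echo "release.bin matches the published SHA-256"
verify_digest sha256 "$WORK/tampered.bin" "$PUBLISHED_SHA256" || echo "tampered.bin does not match"
verify_signature "$WORK/release.bin" "$WORK/release.sig" && echo "release.bin: signature valid"
verify_signature "$WORK/tampered.bin" "$WORK/release.sig" || echo "tampered.bin: signature invalid"
```

If you want output that sha256sum -c can consume directly, add -r to the dgst command; it prints the coreutils-style "hex *file" line instead of "NAME(file)= hex".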


Thu, Feb 11, 2010 6:02 pm

Troubleshooting with openssl

You can use the command openssl s_client -connect xxx.xxx.xxx.xxx:yyyyy, where xxx.xxx.xxx.xxx is the IP address of the server and yyyyy is the port number the server uses for HTTPS. The port is usually 443, but does not have to be that port. You can, of course, also use a fully qualified domain name (FQDN), such as paypal.com, instead of an IP address. When a server hosts more than one name on the same address, add -servername fqdn so that it selects the certificate for that name (Server Name Indication); otherwise you may be shown a default certificate that is not the one a browser would see.

By using the command, you can determine whether a system responds correctly over HTTPS; the output shows the certificate chain the server sent, the result of verifying it against the local trust store, and the protocol version and cipher that were negotiated. E.g., below is an example of a query issued against paypal.com:

$ openssl s_client -connect paypal.com:443
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
verify return:1
depth=0 /C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=Information Systems/CN=paypal.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=Information Systems/CN=paypal.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=Information Systems/CN=paypal.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 3029 bytes and written 308 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: E24FE41E08BCBB5246EE5EAC08E7E4ACBB4708F0CD0089E9EF602E4F3C435922
    Session-ID-ctx:
    Master-Key: FFF8BF97F79796457EE44860212C5F887FFE8F62F4A6FC908DB1A382489BE5C2963C2D5F84BC526911FA5EB096634603
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1262641575
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

You can check the expiration date of a certificate by first retrieving it with a command such as the first one below, which redirects everything s_client prints to a file; openssl x509 -in then reads the first PEM-encoded certificate it finds in that file and ignores the handshake output around it (you can equally pipe s_client's output straight into openssl x509 -noout -enddate). The second command shows that the certificate PayPal was using at the time expired at the end of June 11, 2010 (23:59:59 GMT). The 3DES cipher (DES-CBC3-SHA) and 1024-bit RSA key in the handshake above were ordinary in 2010 but are considered inadequate today, so the same s_client output is also a quick way to spot an obsolete server configuration.

$ echo "" | openssl s_client -connect paypal.com:443 > certificate
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
verify return:1
depth=0 /C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=Information Systems/CN=paypal.com
verify return:1
DONE
$ openssl x509 -in certificate -noout -enddate
notAfter=Jun 11 23:59:59 2010 GMT

Another example below shows the results returned for a self-signed certificate:

# echo "" | /usr/local/ssl/bin/openssl s_client -connect 10.10.0.108:443 > certificate
depth=0 /C=EU/ST=SomeState/L=SomeCity/O=SomeOranization/OU=SomeOrganizationUnit/CN=localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=EU/ST=SomeState/L=SomeCity/O=SomeOranization/OU=SomeOrganizationUnit/CN=localhost
verify return:1
DONE
# /usr/local/ssl/bin/openssl x509 -in certificate -noout -enddate
notAfter=Feb 12 11:44:04 2018 GMT
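The s_client checks described in this post, and in the 2016 and 2017 posts above on the POP3S server and on -showcerts, as an added example that is not code from the MoonPoint posts: it starts a throwaway openssl s_server on 127.0.0.1 port 14433 with a constructed self-signed certificate so that every command can be run offline. The host, the port and the certificate are assumptions for the example; the functions take a real name, address and port when you use them against a live server.

```shell
#!/bin/sh
# Added example (not code from the MoonPoint posts): the s_client checks from
# the posts, run against a throwaway openssl s_server on localhost so they
# work offline. Replace 127.0.0.1 and the port with a real server to use them.
set -eu

WORK=$(mktemp -d)
PORT=14433            # constructed: any free local port will do
SERVER_PID=
trap 'kill "${SERVER_PID:-}" 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Constructed self-signed certificate for the test server, valid for one day.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" \
    -out "$WORK/srv.pem" -subj "/CN=localhost" -days 1 2>/dev/null

# -www makes s_server answer like a minimal HTTPS server and not read stdin;
# -4 pins it to IPv4 so that 127.0.0.1 is certain to reach it.
openssl s_server -4 -accept "$PORT" -cert "$WORK/srv.pem" -key "$WORK/srv.key" -www \
    >/dev/null 2>&1 &
SERVER_PID=$!

# Poll until the listener is up. A handshake that completes exits 0 even
# with a verify error, unless -verify_return_error is given.
wait_for_server() {
    tries=0
    until echo | openssl s_client -connect "127.0.0.1:$PORT" >/dev/null 2>&1; do
        tries=$((tries + 1))
        [ "$tries" -lt 15 ] || { echo "test server did not start" >&2; return 1; }
        sleep 1
    done
}

# The certificate the server presents, reduced to its notAfter line. openssl
# x509 reads the first PEM block on stdin and ignores the handshake chatter.
# $1 is the name to send as SNI (and to expect in the certificate), $2 the
# address or host to connect to, $3 the port. For STARTTLS services add
# "-starttls imap", pop3 or smtp after the port; POP3S on 995 needs nothing.
remote_cert_not_after() {
    name=$1; addr=$2; port=$3; shift 3
    echo | openssl s_client -servername "$name" -connect "$addr:$port" "$@" 2>/dev/null \
        | openssl x509 -noout -enddate
}

# Number of certificates the server sends (-showcerts); a missing intermediate
# shows up here as a chain that is shorter than expected.
remote_chain_length() {
    name=$1; addr=$2; port=$3; shift 3
    echo | openssl s_client -servername "$name" -connect "$addr:$port" -showcerts "$@" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Full client-side validation: chain against a trust store (pass -CAfile file
# to use one other than the system store) plus hostname match. Exit 0 only if
# both hold; -verify_return_error turns a verify error into a failed handshake.
remote_cert_verify() {
    name=$1; addr=$2; port=$3; shift 3
    echo | openssl s_client -servername "$name" -verify_hostname "$name" \
        -connect "$addr:$port" -verify_return_error "$@" >/dev/null 2>&1
}

wait_for_server
remote_cert_not_after localhost 127.0.0.1 "$PORT"
echo "certificates sent: $(remote_chain_length localhost 127.0.0.1 "$PORT")"
remote_cert_verify localhost 127.0.0.1 "$PORT" -CAfile "$WORK/srv.pem" && echo "trusted with its own certificate as anchor"
remote_cert_verify localhost 127.0.0.1 "$PORT" || echo "system trust store: self-signed, verify fails"
remote_cert_verify other.example 127.0.0.1 "$PORT" -CAfile "$WORK/srv.pem" || echo "wrong name: hostname mismatch"
```

The functions take the name first and the address second so that a new server can be checked by IP before DNS is switched over. remote_cert_verify is the one that answers the question behind the 2016 and 2017 posts: it fails, as Outlook did, when the certificate is expired, not trusted or issued for another name, whereas a bare s_client command prints the verify error and still exits 0.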

References:

  1. OpenSSL: Documents, s_client(1)
OpenSSL: The Open Source toolkit for SSL/TLS
  2. When does my certificate expire?
    barndonhutchinson.com -- Linux, Solaris, and general UNIX notes.

