Questions tagged [openssl]

OpenSSL: The Open Source Toolkit for SSL and TLS

OpenSSL is an open source project which develops software for Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1), as well as being a full-strength general purpose cryptography library.

OpenSSL provides both a library (for use within your own program), and a series of command line tools for common tasks.

1601 questions
15 votes, 1 answer

How to configure nginx + ssl with an encrypted key in .pem format

I would like to set up ssl for an existing nginx server. I got handed both a certificate and the corresponding (encrypted) private key. Both are in .pem format (each in its own file). About all tutorials (e.g. 1) I found assume a key in the .key…
Zappl (151 • 1 • 1 • 3)
15 votes, 1 answer

How can I create a PKCS12 File using OpenSSL (self signed certs)

I have a bit9 server, and I'm fairly new to the environment, as well as certs. The area to upload the cert says "Import Server Certificate From PKCS12 File" I'm going to just use a self signed cert (I'm hoping it's ok with that), and I'm running…
trueCamelType (1,086 • 5 • 20 • 42)
15 votes, 3 answers

Protecting against POODLE SSL on stunnel

How can I mitigate POODLE SSL vulnerability when using stunnel as HTTPS reverse proxy?
Sergey (948 • 5 • 10 • 22)
15 votes, 2 answers

OpenSSL returns different SSL certificate to that shown by Chrome

When querying Sparkfun's CDN url using OpenSSL with the following command: openssl s_client -showcerts -connect dlnmh9ip6v2uc.cloudfront.net:443 The common name returned in the certificate is *.sparkfun.com, which fails to verify, but if you load…
Geoffrey (63 • 2 • 14)
15 votes, 4 answers

How to set up my own full-featured certificate authority?

I'd like to set up a certificate authority, which I can then import to all the company's browsers and systems to get rid of all those nasty client warnings when using HTTPS or SSL.
Ivan (3,398 • 19 • 50 • 71)
14 votes, 1 answer

Re-issuing self-signed root CA without invalidating certificates signed by it

I created a self-signed root Certificate Authority for a few internal services in our company, which I configured myself (mostly served over HTTPS). Then I created certificates for those services, signed with this CA. Now I want to add an x509…
14 votes, 6 answers

Debian jessie nginx with openssl 1.0.2 to use ALPN rather than NPN

I am running debian jessie on my server and recently upgraded to new nginx web server with http/2 support (nginx 1.10). As today, it works great and webserver is delivering content with http2 protocol. I have read, that chrome is dropping NPN…
Juraj Nemec (263 • 1 • 3 • 11)
14 votes, 3 answers

How to manually create Puppet CA and certificates?

I am wondering how to manually (using openssl instead of puppet ca command) create CA that would be usable by Puppet? The goal would be to script creation of such CA's to deploy them on multiple puppetmasters, instead of certificates being created…
SpankMe (251 • 1 • 2 • 4)
14 votes, 4 answers

OpenSSL: how to generate a CSR with interactively solicited Subject Alternative Names (SANs)?

I wish to configure OpenSSL such that when running openssl req -new to generate a new certificate signing request, I am prompted for any alternative subject names to include on the CSR. I have added this line to the [req_attributes] section of my…
Maxy-B (243 • 1 • 2 • 7)
13 votes, 5 answers

convert .p7b key to a .pfx

I have an SSL certificate in .p7b format that I need to convert to .pfx. If I try this through the windows certificate management the option to export as a .pfx is disabled. Trying with openssl I have found the following two commands to do the…
DrStalker (6,946 • 24 • 79 • 107)
13 votes, 1 answer

OCSP responder not present?

Am trying to set up OCSP validation routines, and so want to be comfortable with the environment first. Found excellent tutorials at for example OpenSSL: Manually verify a certificate against an OCSP. Multiple questions arise, so please bear with…
Robert Weaver (231 • 2 • 3)
13 votes, 4 answers

How to disable TLS 1.1 & 1.2 in Apache?

I have an Ubuntu 12.04.2 LTS server running Apache 2.2.22 with mod_ssl and OpenSSL v1.0.1. In my vhosts config (everything else within which behaves as I would expect), I have the SSLProtocol line with -all +SSLv3. With that configuration, TLS 1.1 &…
Kyle Lowry (279 • 1 • 2 • 9)
13 votes, 5 answers

CentOS openLDAP cert trust issues

# LDAPTLS_CACERTDIR=/etc/ssl/certs/ ldapwhoami -x -ZZ -H ldaps://ldap.domain.tld ldap_start_tls: Can't contact LDAP server (-1) additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user. # openssl…
84104 (12,905 • 6 • 45 • 76)
13 votes, 3 answers

SSL Certificate error: verify error:num=20:unable to get local issuer certificate

I've been trying to get an SSL connection to an LDAPS server (Active Directory) to work, but keep having problems. I tried using this: openssl s_client -connect the.server.edu:3269 With the following result: verify error:num=20:unable to get local…
Brian
12 votes, 2 answers

Cannot decrypt private key even though I know passphrase

I think my problem comes down to the fact something is wrong with the key but I cannot just decrypt it, for further investigation, without parsing it. But I am not sure. I am trying to use standard method: openssl rsa -in ./id_rsa -out…
luk32 (243 • 1 • 3 • 7)