2023/07/04

Check SSL Certificates Using Openssl

I downloaded a server certificate from GoDaddy for a mail server running Postfix and Dovecot.
Here are some notes on checking it with openssl before installing it.

The downloaded zip file contained three files:
a) d29733cc9c571769.crt
b) d29733cc9c571769.pem
c) gd_bundle-g2-g1.crt

You can check that the certificate is paired with your private key by comparing the modulus of each.
$ openssl rsa -noout -modulus -in your_private.key | openssl md5
$ openssl x509 -noout -modulus -in d29733cc9c571769.crt | openssl md5
The outputs of the above two commands should be identical.

You can also check that the public key in the purchased certificate is the same as the one derived from your private key.
$ openssl rsa -in your_private.key -pubout
$ openssl x509 -in d29733cc9c571769.crt -noout -pubkey

You might also want to verify the chain from the server certificate to the intermediate certificates.
$ openssl verify -CAfile gd_bundle-g2-g1.crt d29733cc9c571769.crt

You should also check the validity dates.
$ openssl x509 -noout -in d29733cc9c571769.crt -dates

Then create a PEM file from d29733cc9c571769.crt and gd_bundle-g2-g1.crt, with the server certificate first.
$ cat d29733cc9c571769.crt gd_bundle-g2-g1.crt > tmp.pem

You can check the order of the certificates in the PEM file.
$ openssl crl2pkcs7 -nocrl -certfile tmp.pem | openssl pkcs7 -print_certs -noout
The output shows a subject/issuer pair for each certificate.
Each issuer must match the subject of the certificate that follows it.
The last certificate should be the root CA.
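The same check, done programmatically over the output of the pkcs7 command above. This is an added example, not part of the original post; the sample output and the CA names in it are constructed, and it accepts both the "C = US, O = ..." and the older "/C=US/O=..." subject formats that different openssl versions print.

```python
import re

# Constructed sample of what `openssl pkcs7 -print_certs -noout` prints for a
# bundle holding leaf, intermediate and root in that order (hypothetical names).
SAMPLE_OUTPUT = """\
subject=CN = mail.example.com
issuer=C = US, O = Example CA Inc., CN = Example Intermediate CA G2

subject=C = US, O = Example CA Inc., CN = Example Intermediate CA G2
issuer=C = US, O = Example CA Inc., CN = Example Root CA G2

subject=C = US, O = Example CA Inc., CN = Example Root CA G2
issuer=C = US, O = Example CA Inc., CN = Example Root CA G2
"""


def normalize(dn):
    """Canonicalise a DN so the two openssl output styles compare equal."""
    dn = dn.strip()
    if dn.startswith("/"):  # older builds print "/C=US/O=X"
        dn = ", ".join(part for part in dn.split("/") if part)
    dn = re.sub(r"\s*,\s*", ", ", dn)
    return re.sub(r"\s*=\s*", "=", dn)


def parse_print_certs(text):
    """Return [(subject, issuer), ...] in the order the certs appear in the file."""
    certs, subject = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("subject="):
            subject = normalize(line[len("subject="):])
        elif line.startswith("issuer="):
            if subject is None:
                raise ValueError("issuer line without a preceding subject line")
            certs.append((subject, normalize(line[len("issuer="):])))
            subject = None
    return certs


def check_chain_order(certs):
    """Return a list of problems; an empty list means the order is correct."""
    problems = []
    for i in range(len(certs) - 1):
        if certs[i][1] != certs[i + 1][0]:  # issuer must equal next subject
            problems.append(f"cert {i} issuer does not match cert {i + 1} subject")
    if certs and certs[-1][0] != certs[-1][1]:  # root CA is self-signed
        problems.append("last cert is not self-signed (root CA missing)")
    return problems
```

Pipe the real output into the script instead of SAMPLE_OUTPUT to check tmp.pem.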

You can also check that the PEM file parses correctly (note that openssl x509 only reads and prints the first certificate in the file).
$ openssl x509 -inform PEM -in tmp.pem -text

After installing the new certificates on the server and restarting the services, you can confirm from a client that each service now presents the updated validity dates.

% echo -n Q | openssl s_client -servername my_mailserver.com -connect my_mailserver.com:587 -starttls smtp | openssl x509 -noout -dates

% echo -n Q | openssl s_client -servername my_mailserver.com -connect my_mailserver.com:25 -starttls smtp | openssl x509 -noout -dates

% openssl s_client -showcerts -servername my_mailserver.com -connect my_mailserver.com:995 | openssl x509 -noout -dates

% openssl s_client -showcerts -servername my_mailserver.com -connect my_mailserver.com:993 | openssl x509 -noout -dates

% echo -n Q | openssl s_client -servername my_webserver.com -connect my_webserver.com:443 | openssl x509 -noout -dates
