easy / certificate generation / testing
If I’m going to be requesting SSL certificates more often, I’d better automate the process a bit.
The result:
easycert.sh
Possible invocation styles:
$ easycert.sh -h
Usage: easycert.sh -c NL -l Groningen -o OSSO\ B.V. -e info@osso.nl osso.nl
Usage: easycert.sh osso.nl "/C=NL/L=Groningen/O=OSSO B.V./CN=osso.nl/"
Usage: easycert.sh -T www.osso.nl 443
Generating a key and certificate:
$ easycert.sh -o "My Company" mycompany.com
Subject: /C=NL/L=Groningen/O=My Company/CN=mycompany.com/emailAddress=info@osso.nl
Enter to proceed...
Generating RSA private key, 4096 bit long modulus
..................................................................................................................................................++
..................++
e is 65537 (0x10001)
mycompany_com-2012.csr
The same, but in a non-interactive fashion:
$ easycert.sh mycompany.com "/C=NL/L=Groningen/O=My Company/CN=mycompany.com/emailAddress=info@osso.nl" </dev/null 2>&0
mycompany_com-2012.csr
$ ls -l mycompany_com-2012.*
-rw-r--r-- 1 walter walter 1704 2012-10-25 12:14 mycompany_com-2012.csr
-rw-r--r-- 1 walter walter 3243 2012-10-25 12:14 mycompany_com-2012.key
Testing SSL configuration on the server:
$ easycert.sh mail.osso.nl 993 -T
The list below should be logically ordered,
and end with a self-signed root certificate:
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.osso.nl
i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
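Two of the script's jobs, as an added example in plain sh and awk that is not part of easycert.sh: building the OpenSSL subject string from -c/-l/-o/-e style values (the same string the second usage form takes verbatim), deriving the mycompany_com-2012 file prefix, and checking a saved Certificate chain listing for the ordering that the -T mode asks you to eyeball. The function names are this example's own; of the two sample chains, one is transcribed from the mail.osso.nl output above and the other is constructed with the intermediate left out. The check works on captured s_client output, so it needs no network.

```shell
#!/bin/sh
# Added example, not part of easycert.sh. Function and variable names are
# this example's own assumptions.
#  - build_subject: turn the -c/-l/-o/-e option values into the subject
#    string that "easycert.sh mycompany.com <subject>" also accepts
#  - cert_basename: derive the "mycompany_com-2012" file prefix
#  - check_chain:   read the "Certificate chain" block that
#    "openssl s_client -showcerts" prints and verify that every issuer
#    equals the subject of the next certificate, then report whether the
#    last certificate is a self-signed root

# build_subject COUNTRY LOCALITY ORGANISATION EMAIL COMMON_NAME
build_subject() {
    printf '/C=%s/L=%s/O=%s/CN=%s/emailAddress=%s\n' "$1" "$2" "$3" "$5" "$4"
}

# cert_basename DOMAIN YEAR: dots become underscores, the year is appended
cert_basename() {
    printf '%s-%s\n' "$(printf '%s' "$1" | tr . _)" "$2"
}

# check_chain < s_client-output
# Exit status 0 when the chain is logically ordered, 1 when an issuer does
# not match the next subject (out of order or missing intermediate),
# 2 when no chain was found in the input.
check_chain() {
    awk '
    BEGIN { cnt = 0; bad = 0 }
    /^ *[0-9]+ s:/ {                      # " 0 s:/C=.../CN=..." subject line
        n = $1 + 0
        sub(/^ *[0-9]+ s:/, "")
        subj[n] = $0
        if (n + 1 > cnt) cnt = n + 1
        next
    }
    /^ *i:/ {                             # "   i:/C=.../CN=..." issuer line
        sub(/^ *i:/, "")
        iss[n] = $0
    }
    END {
        if (cnt == 0) { print "no certificate chain found"; exit 2 }
        for (k = 0; k < cnt - 1; k++) {
            if (iss[k] != subj[k + 1]) {
                printf "chain broken: issuer of #%d is not the subject of #%d\n", k, k + 1
                bad = 1
            }
        }
        last = cnt - 1
        if (subj[last] == iss[last])
            print "last certificate is a self-signed root (clients must already trust it; it can be left out)"
        else
            print "last certificate is not self-signed; the chain does not end at a root"
        if (!bad) print "chain is logically ordered"
        exit bad
    }'
}

# Sample input transcribed from the mail.osso.nl listing above.
SAMPLE_CHAIN='Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.osso.nl
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---'

# Constructed misconfiguration: the PositiveSSL intermediate was not
# installed, so the leaf issuer does not match the next subject.
MISSING_INTERMEDIATE='Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.osso.nl
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
 1 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---'

build_subject NL Groningen "My Company" info@osso.nl mycompany.com
cert_basename mycompany.com 2012
printf '%s\n' "$SAMPLE_CHAIN" | check_chain
printf '%s\n' "$MISSING_INTERMEDIATE" | check_chain || echo "exit status $?"
```

Against a live server, pipe the output of `openssl s_client -showcerts -connect host:port </dev/null` into check_chain; the -T mode of the script shows the same Certificate chain block. A missing or misordered intermediate gives a non-zero status, and the final certificate is flagged when it is a self-signed root, which is exactly the one a client must already hold in its trust store.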
Now all it needs is a CGI front-end so the customers can generate their own CSRs while leaving the keys privately on the server. No wait.. I added that already. Just run the script as a CGI script and you’ll get the files in /tmp.
Update 2013-05-28
Sending the final, self-signed root certificate is generally just unnecessary overhead: a client can only validate the chain if it already has that root in its trust store, so it gains nothing from receiving it again. In the example above, the third and final certificate in the chain may be skipped.
And see the SSL Labs SSL analyzer for a helpful report on the state of your HTTPS server.
Common Apache2 configs you may need to add:
# Fight BEAST attack
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
Common NginX config:
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!DH:!EDH;
ssl_prefer_server_ciphers on;