Application
The certificate is currently purchased from GoDaddy for CN=*.test.com.
After the documents are received, a copy is sent to the Legal Group of the Administrative department and deposited in the safe.
Document composition
gd_bundle.crt: the certificate chain file provided by GoDaddy
test.com.crt: the certificate itself
test.com.csr: the certificate signing request (needed only for the first issuance)
test.com.key: the private key file
Configuring HTTPS on Nginx requires two parameters:
The ssl_certificate directive takes the file generated by cat test.com.crt gd_bundle.crt > test_chained.crt; that file contains three certificates in order: test.com, the GoDaddy intermediate, and the GoDaddy root.
The ssl_certificate_key directive takes the test.com.key file.
New Certificate Validation
We received two new files, gd_bundle.crt and test.com.crt, which in theory should still match the old test.com.key. To verify this assumption, use the following steps:
Generate a text file named infile.
With the old test.com.key file, run
openssl rsautl -sign -in infile -inkey test.com.key -out sig
This signs infile and writes the signature to the file sig.
With the new test.com.crt file, run
openssl rsautl -verify -in sig -certin -inkey test.com.crt
If the recovered content is identical to the original infile, the CRT and the key match.
Certificate monitoring: refer to my other article,
Zabbix to monitor whether an SSL certificate expires
After receiving the alarm, pay close attention and prepare to update the certificate. The update procedure is as follows:
1. Get the new certificate: find the SSL certificate owner and obtain the certificate. It mainly consists of files such as 278e42c55249ed.crt and gd_bundle-g2-g1.crt, which are the test.com certificate and the GoDaddy intermediate certificate respectively.
2. Combine the certificates: cat 278e42c55249ed.crt gd_bundle-g2-g1.crt > test.crt (note the order: the test.com certificate must come first, otherwise Nginx reports an error that the key cannot be matched).
3. Delete the GoDaddy root certificate: gd_bundle-g2-g1.crt includes the root certificate after the intermediate certificate, and common browsers already ship the GoDaddy root, so the root should be removed from the chain file. Edit the certificate file directly and delete the last certificate block. To confirm that the block you delete really is the root certificate, download the root certificate from the GoDaddy repository at https://certs.godaddy.com/repository and compare.
4. Confirm that the signature algorithm is SHA-2 rather than SHA-1; note that SHA-2 is currently not supported by Windows versions before XP SP3.
# openssl x509 -noout -text -in test.com.crt | grep 'Signature Algorithm: '
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha1WithRSAEncryption
5. Upload with git and update online via puppet.
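The chain-file handling in steps 2 and 3 and the key/certificate match from the validation section, as added example shell functions (not part of the original notes). The PEM blocks written by write_sample_files are constructed placeholders, not real certificates; key_matches_cert and sig_algorithm assume the openssl CLI is installed and use modulus comparison as an alternative to the rsautl sign/verify check above.

```shell
# Write a placeholder leaf certificate and a two-block bundle (intermediate, then root)
# into a directory. Constructed sample input only, not real certificates.
write_sample_files() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF-PLACEHOLDER' '-----END CERTIFICATE-----' > "$1/leaf.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-PLACEHOLDER' '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' 'ROOT-PLACEHOLDER' '-----END CERTIFICATE-----' > "$1/bundle.crt"
}

# Count PEM certificate blocks in a file.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Step 2: leaf certificate first, then the GoDaddy bundle, in the order nginx expects.
build_chain() {
    cat "$1" "$2" > "$3"
}

# Step 3: drop the last certificate block (the GoDaddy root at the end of the bundle),
# leaving every block before it untouched.
strip_last_cert() {
    keep=$(( $(count_certs "$1") - 1 ))
    awk -v keep="$keep" '/^-----BEGIN CERTIFICATE-----/ { n++ } n <= keep { print }' "$1" > "$2"
}

# True when the chain file starts with the leaf certificate byte for byte;
# a bundle-first file is what triggers nginx's "cannot be matched" error.
leaf_is_first() {
    head -n "$(wc -l < "$1" | tr -d ' ')" "$2" | cmp -s - "$1"
}

# Key/certificate match by comparing RSA moduli (needs the openssl CLI); an
# alternative to the rsautl sign/verify check described in the validation section.
key_matches_cert() {
    [ "$(openssl rsa -noout -modulus -in "$1")" = "$(openssl x509 -noout -modulus -in "$2")" ]
}

# Step 4: show the signature algorithm of the first certificate in a file (needs openssl).
sig_algorithm() {
    openssl x509 -noout -text -in "$1" | grep 'Signature Algorithm:'
}
```

Typical use: build_chain leaf.crt gd_bundle-g2-g1.crt chained.crt, then strip_last_cert chained.crt served.crt and leaf_is_first leaf.crt served.crt before deploying served.crt as ssl_certificate.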
HTTPS Certificate validation