View the contents of an SSL cert.

September 14, 2011 at 1:45 pm (Uncategorized)

Did you just find a thisserver.crt file on your machine and want to check the details of what it’s for? In other words, you have an SSL certificate that you want to decode.

You need to be on Linux and have OpenSSL installed. Then use the x509 subcommand:

openssl x509 -text -in thisserver.crt




No security exception for SSL EV certificates in Firefox 3.6.17

May 18, 2011 at 10:05 am (Technology)

Today I learned something new about Firefox 3.6.17. I was migrating an SSL EV certificate from an IIS server onto a Virtual Server that is located on a KEMP LoadMaster. This test server on the LM is running a prototype/test site. Therefore, the domain name doesn’t match the domain name that the SSL cert was created for. This normally will create an SSL name mismatch error in the web browser. This error can normally then be bypassed by the user; this process is called a “Security Exception” in Firefox. I went to add this exception and found that Firefox wouldn’t allow me to add it. What’s interesting is that the exception window tells you that the identification of the certificate is so positive that there is no reason for you to add an exception.

This site provides valid, verified identification. There is no need to add an exception.

I think this is a good thing. It really helps make the EV certificates stronger and adds value to them. I guess I’ll go back to using a self-signed certificate for testing.

No security exception.


Useful OpenSSL commands.

March 8, 2010 at 11:44 am (linux, Technology, TechTips)

Oftentimes I’ll find myself needing to do tasks with SSL certificates using OpenSSL. I always need to look up the commands again and this takes time. I became determined to not allow that to happen again. This time I decided to write this quick cheat sheet of OpenSSL commands that I use often enough. If you happen to see a command here that you know a better way to do, please post a comment with that information for me.

Generate a private RSA key:

openssl genrsa -out host.key 2048

Generate CSR:

openssl req -new -nodes -key host.key -out host.csr

Note: Make sure that the CN (Common Name) is the FQDN of the site that this certificate is for.

Self Signed Certificate:

openssl x509 -req -days 30 -in host.csr -signkey host.key -out host.cert

View Certificate:

openssl x509 -in filename.cert -noout -text
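
The commands above combined into one script, as an added example that is not from the original posts: it builds a throwaway 2048-bit key, CSR and 30-day self-signed certificate, then checks which private key and host name the certificate fits and whether it is close to expiry. The function names, file names and the host names test.example.com and prototype.example.net are assumptions made for the demo; -checkhost needs OpenSSL 1.0.2 or later.

```shell
#!/bin/sh
# Added example; file names and host names below are constructed for the demo.

# Subject, issuer, validity window and SHA-256 fingerprint, without the full -text dump.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# SHA-256 digest of the public key held in a certificate or in a private key.
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# True when certificate $1 was issued for private key $2.
cert_matches_key() {
    [ "$(cert_pubkey_hash "$1")" = "$(key_pubkey_hash "$2")" ]
}

# True when host name $2 is covered by certificate $1.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# True when certificate $1 is still valid $2 days from now.
cert_valid_in_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Build a throwaway key, CSR and 30-day self-signed cert in directory $1.
make_test_cert() {
    openssl genrsa -out "$1/host.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/host.key" -subj "/CN=test.example.com" -out "$1/host.csr" &&
    openssl x509 -req -days 30 -in "$1/host.csr" -signkey "$1/host.key" \
        -out "$1/host.cert" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) && make_test_cert "$dir" || return 1
    cert_summary "$dir/host.cert"
    cert_matches_key "$dir/host.cert" "$dir/host.key" && echo "key: matches"
    cert_matches_host "$dir/host.cert" prototype.example.net || echo "host: name mismatch"
    cert_valid_in_days "$dir/host.cert" 60 || echo "expiry: within 60 days"
    rm -rf "$dir"
}
demo
```

The host check against prototype.example.net reproduces the name mismatch described in the Firefox post: the certificate was issued for a different name than the one the test site is served under.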
