Practical SSL
Various SSL related information and tools
Conversion
This section lists the most frequently used certificate conversions performed with openssl.
OpenSSL Convert PFX to PEM
openssl pkcs12 -in cert.pfx -out cert.crt -nodes
OpenSSL Convert PEM to PFX
openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.crt -certfile ca.crt
Chaining
Often you will need to chain two certificates into what is known as a certificate list.
[RFC4346 snippet]
certificate_list
This is a sequence (chain) of X.509v3 certificates. The sender's
certificate must come first in the list. Each following
certificate must directly certify the one preceding it. Because
certificate validation requires that root keys be distributed
independently, the self-signed certificate that specifies the root
certificate authority may optionally be omitted from the chain,
under the assumption that the remote end must already possess it
in order to validate it in any case.
Important Note: Order matters!
For public certificates, e.g. for web servers, avoid putting the root CA certificate in the certificate list. You only need the server certificate and any intermediates.
With all this out of the way, combining the files is as easy as:
cat server.pem intermediate.pem > fullchain.pem
And that’s it. Once deployed, you can always test using SSL Labs.
Service configuration
When it comes to implementing services with a decent SSL/TLS configuration, a good place to start is Mozilla’s SSL Configuration Generator website. There you can easily generate a working and up-to-date config for a range of services and security levels.