An SSL certificate is a data file that binds a cryptographic public key to the identity of an organization or an individual. Installed on a web server, it is what lets browsers show the padlock and speak "https" (over port 443 by default), providing an authenticated, encrypted connection between the browser and the web server.

SSL is commonly used to protect banking transactions, data transfers and login credentials such as user names and passwords. More recently TLS, the successor to SSL, has become the norm for everyday sites such as social networks as well; SSL 2.0 and 3.0 themselves are deprecated and should be disabled, and "SSL certificate" survives as the everyday name for the X.509 server certificate used by TLS. Such a certificate binds together:
- a domain name, server name or hostname (listed in the Subject Alternative Name extension, which is the field browsers actually match against);
- for organization-validated (OV) or extended-validation (EV) certificates, the organization's identity (company name) and location. A domain-validated (DV) certificate, like the one in the s_client output further down, only asserts control of the domain.
To check its validity period:

openssl x509 -in certificat.rsa.crt -noout -text | grep Not
            Not Before: Jun 14 11:22:15 2019 GMT
            Not After : Jun 13 11:22:15 2020 GMT

Not Before: the certificate is valid from 14 June 2019. The timestamps are in UTC; a server or client whose clock is wrong will see a perfectly good certificate as "not yet valid" or "expired".
Not After: it expires on 13 June 2020. Renew well before this date: browsers reject an expired certificate outright, and so do most API clients.
To see which domain names the certificate covers (its Subject Alternative Names):

openssl x509 -in certificat.crt -noout -text | grep DNS
                DNS:*.certificat.fr, DNS:certificat.fr

Every hostname the server will be reached under must appear here. Modern browsers ignore the Common Name, so a name that is only in the CN and not in this list is rejected as a mismatch. Note that the wildcard covers exactly one label: *.certificat.fr matches www.certificat.fr but neither certificat.fr (hence the second entry) nor a.b.certificat.fr.
Check that the private key matches the certificate:

openssl x509 -noout -modulus -in certificat.crt | openssl md5 && \
openssl rsa -noout -modulus -in certificat.key | openssl md5
(stdin)= 7835ec3b7f61346018f92ec16bccf4ef
(stdin)= 7835ec3b7f61346018f92ec16bccf4ef

If the two digests are identical, the key and the certificate belong together: the RSA modulus in the certificate's public key is the same as the one in the private key, which is what the web server needs in order to use the pair. It does not mean the certificate is valid; expiry, trust chain and hostname are separate checks. MD5 is used here only as a short fingerprint for comparing two outputs by eye, not for any security property, so any digest would do. The comparison applies to RSA keys only: an EC key has no modulus, and the key pair has to be compared on the full public key instead.
Display the full contents of a certificate:

openssl x509 -in certificat.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8c:05:8a:7c:23:d9:a8:cd
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = FR, ST = Bouche Du Rhone, L = Marseille, O = Jaguar Network, OU = CsC, CN = jaguarnetwork.jn-hebergement.com, emailAddress = test@test.com
        Validity
            Not Before: Jun 14 11:34:54 2019 GMT
            Not After : Jun 13 11:34:54 2020 GMT
        Subject: C = FR, ST = Bouche Du Rhone, L = Marseille, O = Jaguar Network, OU = CsC, CN = jaguarnetwork.jn-hebergement.com, emailAddress = teest@test.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:ae:34:69:a4:60:7d:d3:73:a9:7b:e0:1c:8f:4d:
                    8d:ef:db:bd:c1:62:c9:f9:37:fa:14:c3:96:41:8d:
                    dc:35:a9:9b:6d:a5:ab:bf:27:ab:92:8c:65:60:bd:
                    bb:96:d4:2c:20:03:2c:c4:a1:56:0d:c9:1c:29:cd:
                    35:30:84:2f:9a:49:3c:fc:b2:92:d0:7d:02:33:af:
                    00:5d:bc:a0:f7:a8:bf:62:37:2c:b2:23:eb:04:73:
                    8d:5f:04:07:ee:84:23:33:41:fc:cc:3b:04:c4:4e:
                    3d:81:3d:71:03:e1:48:10:f9:ec:44:25:61:9d:8f:
                    e6:4d:5c:02:b4:5e:a9:2c:bb:cf:15:5b:99:48:6f:
                    63:ee:71:70:3f:39:fa:bb:cc:59:00:e8:78:1a:fc:
                    4b:85:5a:ee:da:10:3b:27:04:8c:aa:8c:f2:33:f3:
                    0e:10:7a:2c:0c:83:9b:b2:2c:49:a1:4d:b9:27:42:
                    8a:41:52:0f:1b:4b:34:4d:b8:5e:50:ec:f2:6b:d6:
                    10:05:c2:2b:14:92:24:17:45:5b:0e:2c:4e:6b:4a:
                    7c:fa:13:29:ee:3e:42:a9:f6:b4:d6:0a:fc:b9:84:
                    81:d7:b9:ca:a7:fe:24:8e:b9:bf:d5:48:e9:9c:08:
                    af:b7:d1:e8:60:fc:33:a2:4d:5d:41:87:06:ac:e4:
                    72:59:a1:ea:bc:55:ab:93:6e:ec:48:08:d8:f0:49:
                    c1:c8:ea:7c:e8:ca:ac:24:78:48:b7:ee:f0:d1:06:
                    53:c5:a7:6f:c6:f2:ab:da:9e:ac:a2:73:84:05:b5:
                    b1:f7:28:ff:fb:38:12:b3:2a:15:78:c8:b7:74:a7:
                    09:70:ef:8a:18:1d:ea:94:d4:23:25:b6:b5:e4:0d:
                    df:d9:83:d7:76:b1:64:fe:c7:bd:47:69:b1:6b:8a:
                    6a:f5:59:da:80:9b:0e:6d:2f:86:5c:d5:af:4f:7f:
                    89:35:6f:a2:47:4d:ef:a9:74:6d:a4:e4:df:95:84:
                    e6:88:f5:b4:ab:47:c3:59:88:06:99:60:fb:2e:f0:
                    9c:c7:70:7f:5f:23:47:3a:49:c6:d7:aa:24:f8:44:
                    58:cb:69:8b:f8:ae:63:69:36:b5:c5:36:c0:31:b1:
                    43:89:ad:67:7d:39:48:42:05:51:72:2b:0a:48:80:
                    c2:e5:1f:c6:63:4f:9e:93:b4:d0:ae:c6:89:08:e0:
                    c9:a2:ad:2f:fc:18:68:30:ff:9e:ff:5a:35:4b:68:
                    f7:83:87:7a:36:1f:2e:d6:0f:13:40:27:9a:c2:01:
                    91:78:c2:8f:56:51:36:01:e6:27:47:f8:7a:31:fa:
                    42:8b:89:88:64:e0:d6:24:53:0f:ce:37:4b:91:8d:
                    82:98:21
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                4F:C0:95:F3:B6:5E:0F:EC:71:02:28:BE:C9:1E:47:25:DE:40:3D:66
            X509v3 Authority Key Identifier:
                keyid:4F:C0:95:F3:B6:5E:0F:EC:71:02:28:BE:C9:1E:47:25:DE:40:3D:66
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         67:5c:d2:6b:a4:8d:67:cb:93:df:ae:bc:ef:33:b8:3e:7d:8b:
         a1:94:31:fc:cf:58:b3:29:43:87:9a:a5:98:2b:e5:15:d5:ff:
         89:50:45:40:5c:40:32:e3:b8:96:a2:11:17:e3:c8:15:7e:3c:
         73:88:11:da:f9:c2:bc:22:17:41:69:19:33:d2:5e:9a:55:a0:
         32:25:35:9a:06:2e:25:33:57:08:0d:7a:92:51:3f:3c:7e:20:
         a4:b2:a0:bb:67:4d:16:fc:48:df:84:53:92:41:6e:56:91:20:
         d7:0c:26:f0:4f:b7:38:d2:c8:17:39:b3:49:27:aa:29:cf:79:
         5b:f5:df:0c:2d:68:9a:ea:be:bb:68:50:57:c0:b8:7a:e4:dd:
         3e:ec:24:45:2b:1f:b4:c8:40:c7:12:f5:63:e1:27:c5:61:dd:
         5c:b4:ed:6a:28:e2:d3:75:87:76:6c:10:14:71:7b:dd:58:60:
         87:50:b7:6b:d3:4f:27:df:1d:0a:a3:6a:1d:1a:9d:ae:f5:aa:
         0f:61:b6:2c:8f:d6:29:2f:41:8d:fd:a8:97:8c:34:15:75:52:
         5b:b5:ea:76:5c:27:64:13:ff:fa:0c:39:c7:14:31:fa:46:a0:
         f6:9c:1a:48:a5:ec:74:d8:3b:85:8a:42:ac:6e:d2:03:24:21:
         f4:f4:a9:dd:a5:7c:a5:e2:a6:a0:d1:21:86:41:30:5f:8a:96:
         0b:6a:47:12:60:0b:2e:a6:ad:b1:89:c2:4f:37:f1:4e:93:1d:
         e8:79:87:24:11:5c:28:c4:bb:42:78:12:2a:3a:44:e6:62:e8:
         7c:d1:d5:f7:a6:13:dc:e2:70:aa:11:bc:44:cf:d8:b4:c4:50:
         af:c5:2f:ab:d2:e2:b4:e4:5d:74:7b:01:98:85:fa:33:62:ad:
         6d:17:f5:d8:2e:a0:2f:60:b0:ac:5e:17:96:cd:35:42:42:c2:
         96:f5:4a:b3:d7:70:17:3d:b4:83:a5:7c:cd:e2:6c:10:6d:cb:
         d1:dd:d8:ac:85:74:c2:0c:a7:8d:f8:12:b4:79:09:fe:15:bd:
         38:ba:f9:21:fe:fb:2d:4d:29:a0:54:2f:b9:f4:ce:38:45:52:
         a0:3d:63:2e:06:27:4f:11:0b:ea:d1:81:80:38:26:d4:b5:2d:
         34:3b:21:69:df:e3:8a:15:16:87:7e:f6:4d:d5:ab:b5:b8:54:
         fc:a2:85:b6:39:87:e7:7e:33:37:4d:3a:71:27:d3:95:06:2b:
         9b:12:51:a3:29:cc:8d:f2:8e:3b:1e:3d:ac:b9:f7:e2:a9:60:
         10:b9:93:9f:fb:e4:d4:22:a6:f7:3e:aa:a6:a9:e1:13:d4:c6:
         34:b9:52:42:16:f4:53:05

Worth reading in this dump: the Authority Key Identifier is identical to the Subject Key Identifier, the Issuer names the same entity as the Subject, and Basic Constraints says CA:TRUE. This is a self-signed test certificate; a browser will not trust it unless it has been added to the client's trust store, however correct the rest of the fields look. Also note that the 4096-bit modulus shown here is exactly the value the key-match check above compares.
Check a private key:

openssl rsa -in server.key -check

-check verifies the internal consistency of an RSA key (that the stored primes, private exponent and modulus agree with each other) and prints "RSA key ok" if they do; it fails on a corrupted or truncated key file. The rsa subcommand only handles RSA keys; the ec subcommand offers the same -check option for EC keys. If the key is passphrase-protected you will be prompted for the passphrase.
Test that everything works against the live server:

openssl s_client -connect www.jaguarnetwork.com:443
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, CN = *.jaguar-network.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.jaguar-network.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHxzCCBq+gAwIBAgIQMNKhebYRBUDnZc3KnpMbwDANBgkqhkiG9w0BAQsFADCB
kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNV
BAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
QTAeFw0xODEwMjQwMDAwMDBaFw0yMDEwMjMyMzU5NTlaMEIxITAfBgNVBAsTGERv
bWFpbiBDb250cm9sIFZhbGlkYXRlZDEdMBsGA1UEAwwUKi5qYWd1YXItbmV0d29y
ay5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC3fwr+SU6TOhLV
Ca0Ig+L2YSjR9pD38NhQ09vgB37rvNBfgECG6cixrEgpg+PQK1Oio/x5kdrT+10F
EUEsML0cKBhscts3S3iPs+mOXPfB3zImXy7FgA7aS6GRMemM9D+SucIqzJT3Ya2j
dvpX5lSzKSSvuXOWFhGEsVO2zvb+boFdZAv9uZfYRVs4f6q9CYFr7XguKvYTa/sn
WzMPIwFfIdEL/VYDt3q2pgQUgXqUn66Z+k/J+N/gWqd6Zc2BaNJlbpQgpvu2cLui
OZgVfN7Up1ps2ZISEwg3CjgG4iPU2hYwPvcXD3uROOGUKfD70/TZDOlecklhAKXc
OJwcjzbJpJTsbfsO+31JADjVbRn6czYszsfMH11he+N9M9jYMzB2ThVqZLt1Wzce
I3MpXIUXq8KLuXFfx+kjhnutYZ8OaKpI6E+qkJ+8T/4722v0tlcdXAkXH6LpgTjV
BCKdoSE4DJgaqNXHUFsJRaqWyWHCMCz9ae1bzEA68p3T20Jp3f51PaS67sbGabcy
OUqyVT5Dc6DN9HDwZmE6/FUls+iVRsK8SLzW8OnSpcuWmDXJWvVVHH88isUPQQjA
2j3/DWsjncabbXGiCxlrhB021HAZVcSSHRMGO5TOlkTNNx8x6KypbCxZl93tdHzP
TGigWl2++Z/vJmrFPwXG0rJuMzLSJwIDAQABo4IDaDCCA2QwHwYDVR0jBBgwFoAU
kK9qOpRaC9iQ6hJWc99DtDoo2ucwHQYDVR0OBBYEFCH20kHLlyxfydPe/7rkZQNK
6TypMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG
AQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYI
KwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAEC
ATBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01P
RE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3JsMIGFBggrBgEF
BQcBAQR5MHcwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NP
TU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcnQwJAYIKwYB
BQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTAzBgNVHREELDAqghQqLmph
Z3Vhci1uZXR3b3JrLmNvbYISamFndWFyLW5ldHdvcmsuY29tMIIBfwYKKwYBBAHW
eQIEAgSCAW8EggFrAWkAdgDuS723dc5guuFCaR+r4Z5mow9+X7By2IMAxHuJeqj9
ywAAAWallGJmAAAEAwBHMEUCIQDrhkRmJQTaZCJtyI+6kVhWrR3bd4KPNPgdn7M4
riD7eQIgDQqnGfYx7Ef9AtnWglKYL5Pu8RUrUB1ntM3Zy34//IYAdgBep3P531bA
57U2SH3QSeAyepGaDIShEhKEGHWWgXFFWAAAAWallGKLAAAEAwBHMEUCIQDTTkiQ
n8JHehmoq38SyEp4h2V8WB0QzLzX8G+dPQHWlQIgeWZreUmUuShDWfZnv5lrgdtN
8ynkTWYC4eYhKTVj/CsAdwCyHgXMi6LNiiBOh2b5K7mKJSBna9r6cOeySVMt74uQ
XgAAAWallGJiAAAEAwBIMEYCIQDGu8q4nLZVu2Bzc9Y/WAWMbPptszlp5X0kld0k
ZeJqhgIhAIBzcMFXJbP5KF48jXnC8Gf+kdxixyh1RBG22ajYhMHFMA0GCSqGSIb3
DQEBCwUAA4IBAQCKLfRsNG1pnLXKh3ho0Oue7JS9TwUcU62ehYg5AuuqcECYZNXW
ySBD3oBSBZtB+VYGcLT59f+PjuUloPAEIrDS/bTOXTZlCEMZE8cRp0QorvMBrPZM
8ZIVwzoaiAdmgNdcf98JWFhZJnxxmmxRV2/kyyi3Bn9+aDhUaweuIIIwSMo5CF/n
mXFH+bE95yv4WYq+LoYkVioSidjVvZccM64S0l6nyN9tAgTcDm2arGb16SOURtF1
MULDO6AOHSPbzUtGE8Rs/wo/vQGc0p9VlI4cn3edOSlHEkNdFbzN8+pwDMa29yd6
9+G2nHB+O+po9clJsqvPbnECV0GVVeRc1idH
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.jaguar-network.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5712 bytes and written 302 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 566C264B96E97541C6B8F1338CB1E6C63813E1EE0D82A47F1592C33C7D60A733
    Session-ID-ctx:
    Master-Key: 82713D315EAD6F0685AF2EA9BCBDB585651B1B23D061ADE214C7221F7686C1BC2C049CBC1D15C04DD7DB17E1F403D602
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1567175284
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no

How to read this: "Verification: OK" and "Verify return code: 0 (ok)" mean that the chain presented by the server (leaf, COMODO intermediate, COMODO root cross-signed by AddTrust) validates up to a root in the local trust store, and that none of the certificates is expired. It says nothing about whether the certificate's names match the host you connected to. Here the command targets www.jaguarnetwork.com while the certificate covers *.jaguar-network.com, and s_client still reports OK because it does not check hostnames unless you add -verify_hostname <name>; a browser would refuse this connection. Also pass -servername <name> so that the SNI extension is sent and the server returns the certificate for that virtual host rather than its default one (OpenSSL 1.1.1 and later send it automatically). The negotiated parameters are sound for the time: TLS 1.2 with an ECDHE key exchange (forward secrecy) and AES-256-GCM.
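The file checks above (validity window, SAN list, key/certificate match, key consistency) and the verification point just made about s_client, as one added shell example that is not part of the original article. It generates a throwaway self-signed certificate and key as constructed test material (the file names test.crt, test.key and other.key, and the domain example.test, are assumptions), then runs each check as a function that returns an exit status, so the same functions can go into a pre-reload hook or a monitoring job. The key match compares SHA-256 digests of the DER public key rather than the RSA modulus, which also works for EC keys, and the last function adds the hostname check that s_client skips unless asked, via openssl verify -verify_hostname against the certificate's own SANs. Requires OpenSSL 1.1.1 or later (for -addext).

```shell
#!/bin/sh
# Added example, not from the original article. Generates a throwaway
# self-signed certificate and key (constructed test material), then runs the
# article's checks in scriptable form: validity window, SAN list,
# key/certificate match, key consistency, chain and hostname verification.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CRT="$WORK/test.crt"        # certificate under test (hypothetical name)
KEY="$WORK/test.key"        # its private key
OTHER_KEY="$WORK/other.key" # an unrelated key, to show a mismatch

# Constructed material: self-signed, valid 30 days, SANs for the apex name
# and a wildcard. A real deployment uses a CA-issued certificate instead.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$KEY" -out "$CRT" -subj "/CN=example.test" \
    -addext "subjectAltName=DNS:example.test,DNS:*.example.test" \
    >/dev/null 2>&1
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$OTHER_KEY" >/dev/null 2>&1

# True when CERT expires within DAYS days. -checkend takes seconds and exits
# 0 only if the certificate is still valid at that point, hence the negation.
cert_expires_within() {   # cert_expires_within CERT DAYS
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Space-separated DNS Subject Alternative Names: the names a browser accepts.
cert_sans() {             # cert_sans CERT
    openssl x509 -in "$1" -noout -text \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | tr '\n' ' ' | sed 's/ $//'
}

# SHA-256 of the DER-encoded public key, taken from the certificate and from
# the private key. Unlike the modulus trick this works for RSA and EC alike.
pubkey_fp_from_cert() {   # pubkey_fp_from_cert CERT
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
pubkey_fp_from_key() {    # pubkey_fp_from_key KEY
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
key_matches_cert() {      # key_matches_cert CERT KEY
    [ "$(pubkey_fp_from_cert "$1")" = "$(pubkey_fp_from_key "$2")" ]
}

# Internal consistency of an RSA key (p, q, d and n agree). EC keys: openssl ec -check.
key_is_consistent() {     # key_is_consistent KEY
    openssl rsa -in "$1" -noout -check >/dev/null 2>&1
}

# Chain verification against a trust store (here the self-signed cert itself),
# with the optional hostname check that s_client omits unless told otherwise.
cert_verifies() {         # cert_verifies CERT CAFILE [HOSTNAME]
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Report: the same checks an operator runs by hand before a reload.
cert_expires_within "$CRT" 7 && echo "WARNING: expires within 7 days" || echo "not expiring within 7 days"
echo "SANs: $(cert_sans "$CRT")"
key_matches_cert "$CRT" "$KEY"       && echo "test.key matches test.crt"
key_matches_cert "$CRT" "$OTHER_KEY" || echo "other.key does NOT match test.crt"
key_is_consistent "$KEY"             && echo "RSA key ok"
cert_verifies "$CRT" "$CRT" www.example.test && echo "chain and hostname OK for www.example.test"
cert_verifies "$CRT" "$CRT" www.other.test   || echo "hostname mismatch for www.other.test (chain still OK)"
```

Run it as-is to see the report; in a deployment hook, call the functions on the real certificate and key paths and let a non-zero exit status stop the reload. The last two lines are the point about s_client: the same certificate verifies against the same trust store in both cases, and only the hostname check distinguishes the name it was issued for from one it was not.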
To check the configuration before reloading Apache or nginx:

apache2ctl -t
nginx -t

WARNING: this only validates the configuration syntax (and that the certificate and key files referenced in it can be loaded). It does not tell you whether the certificate is expired, chains to a trusted root, or matches the hostnames the site is served under; those are the openssl checks above, and they should run before the reload too.