An SSL certificate is a data file that binds a cryptographic key to the details of an organization or an individual. Installed on a web server, it is what enables the padlock and the https scheme (port 443 by default) in browsers, that is, a TLS-protected connection between the web server and the browser.

SSL is typically used to protect banking transactions, data transfers and login details such as usernames and passwords. TLS, the successor of SSL, has since become the standard for every site that handles user data, social networks included; "SSL certificate" is simply the name that stuck. An SSL certificate binds together:

  • A domain name, server name or host name.
  • The identity of the organization (company name) and its location.

Domain-validated certificates, such as the one inspected with s_client at the end of this page (OU = Domain Control Validated), only carry the first item.

To check its validity period, run:

openssl x509 -in certificat.crt -noout -text | grep Not

Not Before: Jun 14 11:22:15 2019 GMT
Not After : Jun 13 11:22:15 2020 GMT

Not Before is the start of the validity period (here 14 June 2019); it is not the installation date, the certificate is simply not usable before it. Not After is the expiry (13 June 2020). Both timestamps are in UTC (GMT), so compare them with date -u rather than local time. The same two lines come out of openssl x509 -in certificat.crt -noout -dates, and openssl x509 -in certificat.crt -noout -checkend 2592000 exits non-zero if the certificate expires within the next 30 days, which is the form to use in a monitoring script.

To see which names the certificate covers (the subjectAltName extension; browsers match the host name against this list, not against the CN):

openssl x509 -in certificat.crt -noout -text | grep DNS

DNS:*.certificat.fr, DNS:certificat.fr

Check that the private key matches the certificate:

openssl x509 -noout -modulus -in certificat.crt | openssl md5
openssl rsa -noout -modulus -in certificat.key | openssl md5

(stdin)= 7835ec3b7f61346018f92ec16bccf4ef
(stdin)= 7835ec3b7f61346018f92ec16bccf4ef

If the two hashes are identical, the private key belongs to the certificate (both contain the same RSA modulus). This is not a validity check: it says nothing about expiry or about whether anyone trusts the certificate, only that the pair will load together in the web server. The same comparison against openssl req -noout -modulus -in certificat.csr confirms that a CSR was made from that key. Note that -modulus only exists for RSA keys; for an EC key compare the public keys instead (openssl x509 -pubkey -noout against openssl pkey -pubout).

Inspect the full certificate:

openssl x509 -in certificat.crt -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8c:05:8a:7c:23:d9:a8:cd
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = FR, ST = Bouche Du Rhone, L = Marseille, O = Jaguar Network, OU = CsC, CN = jaguarnetwork.jn-hebergement.com, emailAddress = test@test.com
        Validity
            Not Before: Jun 14 11:34:54 2019 GMT
            Not After : Jun 13 11:34:54 2020 GMT
        Subject: C = FR, ST = Bouche Du Rhone, L = Marseille, O = Jaguar Network, OU = CsC, CN = jaguarnetwork.jn-hebergement.com, emailAddress = test@test.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:ae:34:69:a4:60:7d:d3:73:a9:7b:e0:1c:8f:4d:
                    8d:ef:db:bd:c1:62:c9:f9:37:fa:14:c3:96:41:8d:
                    dc:35:a9:9b:6d:a5:ab:bf:27:ab:92:8c:65:60:bd:
                    bb:96:d4:2c:20:03:2c:c4:a1:56:0d:c9:1c:29:cd:
                    35:30:84:2f:9a:49:3c:fc:b2:92:d0:7d:02:33:af:
                    00:5d:bc:a0:f7:a8:bf:62:37:2c:b2:23:eb:04:73:
                    8d:5f:04:07:ee:84:23:33:41:fc:cc:3b:04:c4:4e:
                    3d:81:3d:71:03:e1:48:10:f9:ec:44:25:61:9d:8f:
                    e6:4d:5c:02:b4:5e:a9:2c:bb:cf:15:5b:99:48:6f:
                    63:ee:71:70:3f:39:fa:bb:cc:59:00:e8:78:1a:fc:
                    4b:85:5a:ee:da:10:3b:27:04:8c:aa:8c:f2:33:f3:
                    0e:10:7a:2c:0c:83:9b:b2:2c:49:a1:4d:b9:27:42:
                    8a:41:52:0f:1b:4b:34:4d:b8:5e:50:ec:f2:6b:d6:
                    10:05:c2:2b:14:92:24:17:45:5b:0e:2c:4e:6b:4a:
                    7c:fa:13:29:ee:3e:42:a9:f6:b4:d6:0a:fc:b9:84:
                    81:d7:b9:ca:a7:fe:24:8e:b9:bf:d5:48:e9:9c:08:
                    af:b7:d1:e8:60:fc:33:a2:4d:5d:41:87:06:ac:e4:
                    72:59:a1:ea:bc:55:ab:93:6e:ec:48:08:d8:f0:49:
                    c1:c8:ea:7c:e8:ca:ac:24:78:48:b7:ee:f0:d1:06:
                    53:c5:a7:6f:c6:f2:ab:da:9e:ac:a2:73:84:05:b5:
                    b1:f7:28:ff:fb:38:12:b3:2a:15:78:c8:b7:74:a7:
                    09:70:ef:8a:18:1d:ea:94:d4:23:25:b6:b5:e4:0d:
                    df:d9:83:d7:76:b1:64:fe:c7:bd:47:69:b1:6b:8a:
                    6a:f5:59:da:80:9b:0e:6d:2f:86:5c:d5:af:4f:7f:
                    89:35:6f:a2:47:4d:ef:a9:74:6d:a4:e4:df:95:84:
                    e6:88:f5:b4:ab:47:c3:59:88:06:99:60:fb:2e:f0:
                    9c:c7:70:7f:5f:23:47:3a:49:c6:d7:aa:24:f8:44:
                    58:cb:69:8b:f8:ae:63:69:36:b5:c5:36:c0:31:b1:
                    43:89:ad:67:7d:39:48:42:05:51:72:2b:0a:48:80:
                    c2:e5:1f:c6:63:4f:9e:93:b4:d0:ae:c6:89:08:e0:
                    c9:a2:ad:2f:fc:18:68:30:ff:9e:ff:5a:35:4b:68:
                    f7:83:87:7a:36:1f:2e:d6:0f:13:40:27:9a:c2:01:
                    91:78:c2:8f:56:51:36:01:e6:27:47:f8:7a:31:fa:
                    42:8b:89:88:64:e0:d6:24:53:0f:ce:37:4b:91:8d:
                    82:98:21
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                4F:C0:95:F3:B6:5E:0F:EC:71:02:28:BE:C9:1E:47:25:DE:40:3D:66
            X509v3 Authority Key Identifier:
                keyid:4F:C0:95:F3:B6:5E:0F:EC:71:02:28:BE:C9:1E:47:25:DE:40:3D:66
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         67:5c:d2:6b:a4:8d:67:cb:93:df:ae:bc:ef:33:b8:3e:7d:8b:
         a1:94:31:fc:cf:58:b3:29:43:87:9a:a5:98:2b:e5:15:d5:ff:
         89:50:45:40:5c:40:32:e3:b8:96:a2:11:17:e3:c8:15:7e:3c:
         73:88:11:da:f9:c2:bc:22:17:41:69:19:33:d2:5e:9a:55:a0:
         32:25:35:9a:06:2e:25:33:57:08:0d:7a:92:51:3f:3c:7e:20:
         a4:b2:a0:bb:67:4d:16:fc:48:df:84:53:92:41:6e:56:91:20:
         d7:0c:26:f0:4f:b7:38:d2:c8:17:39:b3:49:27:aa:29:cf:79:
         5b:f5:df:0c:2d:68:9a:ea:be:bb:68:50:57:c0:b8:7a:e4:dd:
         3e:ec:24:45:2b:1f:b4:c8:40:c7:12:f5:63:e1:27:c5:61:dd:
         5c:b4:ed:6a:28:e2:d3:75:87:76:6c:10:14:71:7b:dd:58:60:
         87:50:b7:6b:d3:4f:27:df:1d:0a:a3:6a:1d:1a:9d:ae:f5:aa:
         0f:61:b6:2c:8f:d6:29:2f:41:8d:fd:a8:97:8c:34:15:75:52:
         5b:b5:ea:76:5c:27:64:13:ff:fa:0c:39:c7:14:31:fa:46:a0:
         f6:9c:1a:48:a5:ec:74:d8:3b:85:8a:42:ac:6e:d2:03:24:21:
         f4:f4:a9:dd:a5:7c:a5:e2:a6:a0:d1:21:86:41:30:5f:8a:96:
         0b:6a:47:12:60:0b:2e:a6:ad:b1:89:c2:4f:37:f1:4e:93:1d:
         e8:79:87:24:11:5c:28:c4:bb:42:78:12:2a:3a:44:e6:62:e8:
         7c:d1:d5:f7:a6:13:dc:e2:70:aa:11:bc:44:cf:d8:b4:c4:50:
         af:c5:2f:ab:d2:e2:b4:e4:5d:74:7b:01:98:85:fa:33:62:ad:
         6d:17:f5:d8:2e:a0:2f:60:b0:ac:5e:17:96:cd:35:42:42:c2:
         96:f5:4a:b3:d7:70:17:3d:b4:83:a5:7c:cd:e2:6c:10:6d:cb:
         d1:dd:d8:ac:85:74:c2:0c:a7:8d:f8:12:b4:79:09:fe:15:bd:
         38:ba:f9:21:fe:fb:2d:4d:29:a0:54:2f:b9:f4:ce:38:45:52:
         a0:3d:63:2e:06:27:4f:11:0b:ea:d1:81:80:38:26:d4:b5:2d:
         34:3b:21:69:df:e3:8a:15:16:87:7e:f6:4d:d5:ab:b5:b8:54:
         fc:a2:85:b6:39:87:e7:7e:33:37:4d:3a:71:27:d3:95:06:2b:
         9b:12:51:a3:29:cc:8d:f2:8e:3b:1e:3d:ac:b9:f7:e2:a9:60:
         10:b9:93:9f:fb:e4:d4:22:a6:f7:3e:aa:a6:a9:e1:13:d4:c6:
         34:b9:52:42:16:f4:53:05

What to read in this output: the Validity block (expiry); the Subject CN and, further down, any X509v3 Subject Alternative Name list (there is none here, and modern browsers require one, so even with the issuer trusted this certificate would be rejected for its host name); and the three extensions. Basic Constraints CA:TRUE, an Authority Key Identifier equal to the Subject Key Identifier and an Issuer identical to the Subject together mean this is a self-signed CA certificate, the output of openssl req -x509: fine for a test platform, but no browser trusts it unless the certificate itself is imported as a trust anchor. A certificate issued by a public CA shows the CA's name as Issuer and, when the extension is present, CA:FALSE.

Check a private key:

openssl rsa -in certificat.key -check -noout

The -noout flag keeps the command from re-printing the private key on the terminal; with it the only output is "RSA key ok", or an error describing what is wrong with the key.
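The local checks on this page (validity period, DNS names, key/certificate match, self-signed detection, private key consistency) as one added, runnable script; this is example code, not part of the original page. It builds its own throw-away self-signed certificate, shaped like the dump above (CA:TRUE, issuer equal to subject, wildcard SAN), plus a second key that does not belong to it, so nothing here touches a real server. The name example.test, the 30-day validity and the temporary file names are assumptions of the example; it needs the openssl command line, 1.1.1 or newer, on PATH.

```shell
#!/bin/sh
# Added example (not from the original page). Builds a throw-away self-signed
# certificate and runs the local checks from this page against it.
# Assumes: OpenSSL 1.1.1 or newer on PATH; example.test is a made-up name.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/server.crt"
KEY="$WORK/server.key"
WRONG_KEY="$WORK/other.key"

# Minimal openssl config: a self-signed CA-style certificate with a wildcard SAN,
# the same shape as the dump above (constructed test data, not a real identity).
cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
C = FR
O = Example
CN = example.test
[ext]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
subjectAltName = DNS:*.example.test, DNS:example.test
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/req.cnf" -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
# An unrelated key, to show what a mismatch looks like.
openssl genrsa -out "$WRONG_KEY" 2048 >/dev/null 2>&1

# "yes" if the certificate is still valid $2 days from now, "no" otherwise.
# -checkend takes seconds and exits non-zero when the certificate will have expired.
cert_valid_for_days() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# The DNS names in subjectAltName, space separated (what browsers match against).
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -o 'DNS:[^, ]*' | cut -d: -f2 | tr '\n' ' ' | sed 's/ $//'
}

# "yes" if the private key belongs to the certificate. Compares a SHA-256 of the
# DER-encoded public key, which works for RSA and EC keys alike; the md5 of the
# RSA modulus used on this page only works for RSA.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then echo yes; else echo no; fi
}

# "yes" if issuer and subject are the same DN: a self-signed certificate, which
# no browser trusts unless the certificate itself is installed as a trust anchor.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then echo yes; else echo no; fi
}

# "yes" if the private key's components are consistent (the same test as
# "openssl rsa -check" on this page, but for any key type).
key_is_consistent() {
    if openssl pkey -in "$1" -noout -check >/dev/null 2>&1; then echo yes; else echo no; fi
}

echo "valid 10 days from now : $(cert_valid_for_days "$CERT" 10)"        # yes
echo "valid 60 days from now : $(cert_valid_for_days "$CERT" 60)"        # no, 30-day certificate
echo "DNS names              : $(cert_dns_names "$CERT")"                # *.example.test example.test
echo "key matches cert       : $(key_matches_cert "$CERT" "$KEY")"       # yes
echo "other key matches cert : $(key_matches_cert "$CERT" "$WRONG_KEY")" # no
echo "self-signed            : $(cert_is_self_signed "$CERT")"           # yes
echo "private key consistent : $(key_is_consistent "$KEY")"              # yes
```

Point CERT and KEY at a real pair to reuse the functions; every function prints yes or no and exits 0, so they drop into a cron check without extra error handling. The public-key comparison in key_matches_cert is the one to prefer over the modulus/md5 recipe: it is independent of the key algorithm and of the hash.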

 

Test that everything works end to end, from a client:

openssl s_client -connect www.jaguarnetwork.com:443

CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, CN = *.jaguar-network.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.jaguar-network.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHxzCCBq+gAwIBAgIQMNKhebYRBUDnZc3KnpMbwDANBgkqhkiG9w0BAQsFADCB
kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNV
BAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
QTAeFw0xODEwMjQwMDAwMDBaFw0yMDEwMjMyMzU5NTlaMEIxITAfBgNVBAsTGERv
bWFpbiBDb250cm9sIFZhbGlkYXRlZDEdMBsGA1UEAwwUKi5qYWd1YXItbmV0d29y
ay5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC3fwr+SU6TOhLV
Ca0Ig+L2YSjR9pD38NhQ09vgB37rvNBfgECG6cixrEgpg+PQK1Oio/x5kdrT+10F
EUEsML0cKBhscts3S3iPs+mOXPfB3zImXy7FgA7aS6GRMemM9D+SucIqzJT3Ya2j
dvpX5lSzKSSvuXOWFhGEsVO2zvb+boFdZAv9uZfYRVs4f6q9CYFr7XguKvYTa/sn
WzMPIwFfIdEL/VYDt3q2pgQUgXqUn66Z+k/J+N/gWqd6Zc2BaNJlbpQgpvu2cLui
OZgVfN7Up1ps2ZISEwg3CjgG4iPU2hYwPvcXD3uROOGUKfD70/TZDOlecklhAKXc
OJwcjzbJpJTsbfsO+31JADjVbRn6czYszsfMH11he+N9M9jYMzB2ThVqZLt1Wzce
I3MpXIUXq8KLuXFfx+kjhnutYZ8OaKpI6E+qkJ+8T/4722v0tlcdXAkXH6LpgTjV
BCKdoSE4DJgaqNXHUFsJRaqWyWHCMCz9ae1bzEA68p3T20Jp3f51PaS67sbGabcy
OUqyVT5Dc6DN9HDwZmE6/FUls+iVRsK8SLzW8OnSpcuWmDXJWvVVHH88isUPQQjA
2j3/DWsjncabbXGiCxlrhB021HAZVcSSHRMGO5TOlkTNNx8x6KypbCxZl93tdHzP
TGigWl2++Z/vJmrFPwXG0rJuMzLSJwIDAQABo4IDaDCCA2QwHwYDVR0jBBgwFoAU
kK9qOpRaC9iQ6hJWc99DtDoo2ucwHQYDVR0OBBYEFCH20kHLlyxfydPe/7rkZQNK
6TypMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG
AQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYI
KwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAEC
ATBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01P
RE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3JsMIGFBggrBgEF
BQcBAQR5MHcwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NP
TU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcnQwJAYIKwYB
BQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTAzBgNVHREELDAqghQqLmph
Z3Vhci1uZXR3b3JrLmNvbYISamFndWFyLW5ldHdvcmsuY29tMIIBfwYKKwYBBAHW
eQIEAgSCAW8EggFrAWkAdgDuS723dc5guuFCaR+r4Z5mow9+X7By2IMAxHuJeqj9
ywAAAWallGJmAAAEAwBHMEUCIQDrhkRmJQTaZCJtyI+6kVhWrR3bd4KPNPgdn7M4
riD7eQIgDQqnGfYx7Ef9AtnWglKYL5Pu8RUrUB1ntM3Zy34//IYAdgBep3P531bA
57U2SH3QSeAyepGaDIShEhKEGHWWgXFFWAAAAWallGKLAAAEAwBHMEUCIQDTTkiQ
n8JHehmoq38SyEp4h2V8WB0QzLzX8G+dPQHWlQIgeWZreUmUuShDWfZnv5lrgdtN
8ynkTWYC4eYhKTVj/CsAdwCyHgXMi6LNiiBOh2b5K7mKJSBna9r6cOeySVMt74uQ
XgAAAWallGJiAAAEAwBIMEYCIQDGu8q4nLZVu2Bzc9Y/WAWMbPptszlp5X0kld0k
ZeJqhgIhAIBzcMFXJbP5KF48jXnC8Gf+kdxixyh1RBG22ajYhMHFMA0GCSqGSIb3
DQEBCwUAA4IBAQCKLfRsNG1pnLXKh3ho0Oue7JS9TwUcU62ehYg5AuuqcECYZNXW
ySBD3oBSBZtB+VYGcLT59f+PjuUloPAEIrDS/bTOXTZlCEMZE8cRp0QorvMBrPZM
8ZIVwzoaiAdmgNdcf98JWFhZJnxxmmxRV2/kyyi3Bn9+aDhUaweuIIIwSMo5CF/n
mXFH+bE95yv4WYq+LoYkVioSidjVvZccM64S0l6nyN9tAgTcDm2arGb16SOURtF1
MULDO6AOHSPbzUtGE8Rs/wo/vQGc0p9VlI4cn3edOSlHEkNdFbzN8+pwDMa29yd6
9+G2nHB+O+po9clJsqvPbnECV0GVVeRc1idH
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.jaguar-network.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5712 bytes and written 302 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 566C264B96E97541C6B8F1338CB1E6C63813E1EE0D82A47F1592C33C7D60A733
    Session-ID-ctx:
    Master-Key: 82713D315EAD6F0685AF2EA9BCBDB585651B1B23D061ADE214C7221F7686C1BC2C049CBC1D15C04DD7DB17E1F403D602
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1567175284
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no

The lines to look for are "Verification: OK" and "Verify return code: 0 (ok)": the chain the server sent (leaf, intermediate and the cross-signed COMODO root up to AddTrust External CA Root) validated against the local trust store. Pass -CAfile to verify against a specific bundle instead. s_client then waits for input; add </dev/null to the command in a script, or type Q to quit. Two caveats. First, s_client does not check the host name unless you add -verify_hostname www.jaguarnetwork.com: the certificate served here is for *.jaguar-network.com and jaguar-network.com, so that check would not pass for the address typed, while the return code above still says ok. Second, on a server hosting several names, add -servername www.jaguarnetwork.com so that SNI selects the right certificate; without it you may be inspecting the default virtual host's certificate rather than the one you just installed.
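The chain validation behind "Verify return code", reproduced offline as an added example (this is not code from the original page). It builds a throw-away chain of the same shape as the COMODO one above (root CA, intermediate CA, server certificate) and runs openssl verify over it, with and without the intermediate and with a matching and a non-matching host name, so you can see what each failure mode looks like before testing the real server. All names (Example Root CA, *.example.test) and validity periods are made up; it needs OpenSSL 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example (not from the original page). Builds a throw-away chain
# root CA -> intermediate CA -> server certificate, the same shape as the
# COMODO chain in the s_client output above, then verifies it offline with
# "openssl verify", the checks behind s_client's "Verify return code".
# Assumes: OpenSSL 1.1.1 or newer on PATH; all names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for the two roles (constructed test PKI, not a real one).
cat > pki.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = overridden by -subj
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.example.test, DNS:example.test
EOF

# Root CA: self-signed, the trust anchor a client would have installed.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3 -config pki.cnf \
    -extensions ca_ext -subj "/O=Example/CN=Example Root CA" \
    -keyout root.key -out root.crt >/dev/null 2>&1
# Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf \
    -subj "/O=Example/CN=Example Issuing CA" -keyout int.key -out int.csr >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -set_serial 1000 -days 2 \
    -sha256 -extfile pki.cnf -extensions ca_ext -out int.crt >/dev/null 2>&1
# Server certificate, signed by the intermediate (what the web server serves).
openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf \
    -subj "/CN=www.example.test" -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -set_serial 2000 -days 1 \
    -sha256 -extfile pki.cnf -extensions leaf_ext -out server.crt >/dev/null 2>&1

# Prints "ok", or "error <code>: <reason>" with OpenSSL's X509_V_ERR code,
# e.g. "error 20: unable to get local issuer certificate".
#   $1 trust anchor file, $2 untrusted intermediate file ("" for none),
#   $3 certificate to verify, $4 optional host name to match against the SAN
verify_chain() {
    anchor=$1; inter=$2; leaf=$3; host=${4:-}
    set -- -CAfile "$anchor"
    if [ -n "$inter" ]; then set -- "$@" -untrusted "$inter"; fi
    if [ -n "$host" ]; then set -- "$@" -verify_hostname "$host"; fi
    if out=$(openssl verify "$@" "$leaf" 2>&1); then
        echo ok
    else
        echo "$out" \
            | sed -n 's/^error \([0-9]*\) at [0-9]* depth lookup: *\(.*\)$/error \1: \2/p' \
            | head -n 1
    fi
}

echo "full chain, matching name : $(verify_chain root.crt int.crt server.crt www.example.test)"
echo "server sends leaf only    : $(verify_chain root.crt "" server.crt)"
echo "name not in SAN           : $(verify_chain root.crt int.crt server.crt www.example.org)"
echo "root against itself       : $(verify_chain root.crt "" root.crt)"
```

The second case is the one most often seen after a fresh install: the server only sends its own certificate, the client cannot find the intermediate and reports error 20 (unable to get local issuer certificate), which is exactly what s_client shows as a non-zero "Verify return code" when the chain file is missing from the web server configuration. The third case is the one -verify_hostname adds on top of chain validation; openssl verify, like s_client, skips it unless asked.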

Before reloading the apache / nginx service, validate the configuration:

apache2ctl -t
nginx -t

WARNING: this only checks that the configuration is syntactically correct and that the referenced certificate and key files can be loaded (nginx -t reports a key/certificate mismatch at this point). It does not check expiry, the names covered, or whether clients will trust the chain; use the openssl commands above for that, and re-run the s_client test after the reload.