A quick way to troubleshoot SSL chain issues using OpenSSL

Jason Samuel — Thu, 14 Jan 2010 17:07:48 +0000

You can use OpenSSL and run this command:

openssl.exe s_client -connect www.mysite.com:443

which will use a generic SSL/TLS client to connect to your site and give you a ton of diagnostic info. You can see your entire SSL cert chain, the SSL handshake, SSL session info, etc. Here’s a full list of switches you can use with it: http://www.openssl.org/docs/apps/s_client.html

And here’s a great online tool to graphically verify your SSL chain is intact: http://www.sslshopper.com/ssl-checker.html

A quick way to troubleshoot SSL chain issues using OpenSSL is a post from: JasonSamuel.com

How to convert an SSL cert to a .pem for installation on Citrix and Cisco appliances

Jason Samuel — Thu, 07 Jan 2010 16:35:58 +0000

Often times you might have to add an SSL cert to a Cisco or Citrix appliance but it only accepts the SSL cert and private key in a certain format. Your CA (certificate authority) will issue the SSL cert to you as a .crt. From there, you need to package the cert with the private key and in the format your appliance requires. There are different ways to do this and one easy way I like is using IIS and OpenSSL which is a free open source tool and can be downloaded here: http://www.openssl.org

1. Create a temporary site in IIS and generate a CSR. Make sure the CN (common name) you enter matches whatever appliance you are trying to generate it for exmp: wireless.mycompany.com

2. Submit the CSR to your CA such as Verisign, GoDaddy, Network Solutions, etc. and wait for them to validate and issue your cert.

3. Get the .crt from the CA once they issue it and convert it to .cer. Just open the .crt by double clicking on it and and save it as .cer using the export wizard. This is necessary since IIS does not accept .crt.

4. Install the .cer in IIS using the Web Server Certificate Wizard where you originally generated the CSR. Just process the pending request to install it.

5. View the cert in IIS and export it with the private key in pkcs12 (.pfx) format. Just set the password as “password” since you will be deleting it after conversion is complete later.

6. Go to the directory where OpenSSL.exe is and type in the following to convert the .pfx to a .pem

openssl pkcs12 -in nameofcert.pfx -out nameofcert.pem

7. Type the “password” when prompted for the pass phrase.

8. Install the .pem on the appliance and it should work

IMPORTANT NOTE:

If you are doing it for some appliances like a Cisco IronPort, you need to add the nodes switch when creating the .pem:

openssl pkcs12 -in nameofcert.pfx -out nameofcert.pem –nodes

The –nodes switch ensures that the key inside the .pem is left unencrypted. If you attempt to install a .pem created without the -nodes switch, the appliance will take the cert but will not accept the private key since it cannot read it in an encrypted state.

How to convert an SSL cert to a .pem for installation on Citrix and Cisco appliances is a post from: JasonSamuel.com

JasonSamuel.com » OpenSSL

A quick way to troubleshoot SSL chain issues using OpenSSL

How to convert an SSL cert to a .pem for installation on Citrix and Cisco appliances