SSL - TLS
------------

This page gives insight on how to manage and check HTTPS certificates for SSL/TLS connections.

Self signed certificate
~~~~~~~~~~~~~~~~~~~~~~~

This is a one-liner to generate a self signed certificate. Answer the questions and you are done::

  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate.crt

And if you don't want to manually answer the questions for creating the certificate, add the `-subj` option::

  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate.crt -subj "/C=CH/ST=FR/L=Local/O=Home/CN=localhost"

Certificate chain
~~~~~~~~~~~~~~~~~~

Web servers must be sending the full certificate chain if we want the clients to be able to validate the certificates.

The `openssl` tool can be used to verify this chain:

::

  openssl s_client -showcerts -connect google.com:443

This will show all details about the certificates and the chain.

To print only a summary of the chain, this command will give the required information:

::

  openssl s_client -showcerts -connect google.com:443 2>/dev/null | grep "[s]:"

Inspect Certificate File
~~~~~~~~~~~~~~~~~~~~~~~~

Check a certificate file (individual certificate .crt or fullchain .pem)::

  openssl x509 -in certificate.crt -text -noout

Check a private key file::

  openssl rsa -in privkey.pem -check