...

  1. Install testssl.sh:

    • Clone the repository from GitHub

      Code Block
      git clone --depth 1 https://github.com/drwetter/testssl.sh.git
      cd testssl.sh
    • Make the script executable

      Code Block
      chmod +x testssl.sh
  2. Ensure HAProxy is running and configured to handle SSL/TLS traffic.

    • Check that the front-end and back-end configurations are correct.

    • HAProxy must expose the SSL/TLS port (default is 443) for testing.

Steps to Validate a PEM Certificate File

Check PEM File Syntax

Run the following command to ensure the PEM file contains valid certificates:

Code Block
openssl x509 -in <certificate_file>.pem -noout -text

This command:

  • Verifies the certificate’s syntax.

  • Displays details such as issuer, subject, validity period, and extensions.

If the PEM file contains the entire chain (server + intermediate certificates), use:

Code Block
openssl crl2pkcs7 -nocrl -certfile <certificate_file>.pem | openssl pkcs7 -print_certs -noout

This breaks down and lists all certificates in the chain.

Test the Certificate with OpenSSL

You can test a PEM certificate directly by hosting it temporarily with a test server like openssl:

1. Start a Local Test Server using OpenSSL

Use openssl to serve the PEM certificate on a local port:

Code Block
openssl s_server -accept 4433 -cert <certificate_file>.pem -key <private_key>.key
  • Replace <certificate_file>.pem with your PEM file.

  • Replace <private_key>.key with the corresponding private key.

2. Run testssl.sh Against the Local Test Server

With the test server running (openssl), validate the certificate using testssl.sh:

Code Block
./testssl.sh --certs https://127.0.0.1:4433

This checks:

  • Certificate validity.

  • Complete certificate chain.

  • Expiration and trustworthiness.

3. Validate Certificate Chain

Ensure the PEM file contains:

  • The server certificate.

  • Intermediate certificates (in proper order).

Concatenate the certificates if necessary:

Code Block
cat server.crt intermediate.crt > fullchain.pem

Use testssl.sh to validate the chain:

Code Block
./testssl.sh --certs https://127.0.0.1:4433

Look for issues like “Incomplete chain” or “Missing intermediate certificates”.

4. Additional Tests

Check Certificate Expiration

Code Block
openssl x509 -in <certificate_file>.pem -noout -dates

This outputs the notBefore and notAfter dates.

Verify Certificate Matches the Private Key

Code Block
openssl x509 -noout -modulus -in <certificate_file>.pem | openssl md5
openssl rsa -noout -modulus -in <private_key>.key | openssl md5

The output of both commands should match.

Verify Intermediate Certificate is Trusted

Use the following command to confirm that the intermediate certificate is signed by a trusted root:

Code Block
openssl verify -CAfile <root_ca.pem> <certificate_file>.pem
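
To run the checks in this section in one pass, here is an added shell script (not from the original page or the testssl.sh project) that confirms the certificate and key match in a way that also works for EC keys (the modulus comparison above is RSA-only), checks remaining validity, checks that a combined PEM is in leaf-then-intermediate order, and verifies the leaf against a CA bundle. It assumes openssl is in PATH; the file names and the script name check_pem.sh are placeholders.

```sh
#!/bin/sh
# Added example, not part of the original page: pre-flight checks for a PEM
# certificate file and key before loading them into HAProxy. Assumes openssl
# is in PATH; every file name passed in is a hypothetical placeholder.
# Number of certificates in a PEM bundle.
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the i-th certificate block of a PEM bundle (1-based).
nth_cert() {
  awk -v want="$2" '/-----BEGIN CERTIFICATE-----/{n++} n==want{print}' "$1"
}

# Does the certificate's public key match the private key? The modulus
# comparison on the page is RSA-only; comparing SPKI digests also covers EC.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Is the certificate still valid for at least N more days? (-checkend takes seconds.)
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Is each certificate issued by the one after it (leaf first, then the
# intermediates)? That is the order HAProxy expects in a combined PEM file.
chain_in_order() {
  n=$(pem_cert_count "$1"); i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer)
    subject=$(nth_cert "$1" $((i + 1)) | openssl x509 -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
    i=$((i + 1))
  done
}

# Does the leaf verify against a CA bundle (intermediates plus trusted root)?
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
# Usage: sh check_pem.sh fullchain.pem server.key ca-bundle.pem
if [ "$#" -eq 3 ]; then
  cert_matches_key "$1" "$2"  && echo "key matches"    || echo "KEY MISMATCH"
  cert_valid_for_days "$1" 30 && echo "valid 30+ days" || echo "EXPIRES WITHIN 30 DAYS"
  chain_in_order "$1"         && echo "chain in order" || echo "CHAIN OUT OF ORDER"
  chain_verifies "$1" "$3"    && echo "chain verifies" || echo "CHAIN DOES NOT VERIFY"
fi
```

A self-signed certificate passes chain_in_order and chain_verifies against itself, so run the script against the real fullchain.pem and CA bundle you intend to deploy.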

Testing SSL Certificates on HAProxy

...