Versions Compared

Version Old Version 10 New Version Current
Changes made by

Milton Suen

Milton Suen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This KB guide focuses on using OpenSSL and testssl.sh to validate SSL/TLS certificates, ensuring they are configured correctly, include a complete certificate chain, and are trusted. It covers testing certificates both locally and on HAProxy servers.

Table of Contents
minLevel1
maxLevel6
outlinefalse
stylenone
typelist
printabletrue

Prerequisites

1. Install OpenSSL:

  1. Ensure OpenSSL is installed on your system. Most Linux distributions include it by default:

    Code Block
    openssl version

2. Install testssl.sh:

  1. Clone the repository from GitHub

    Code Block
    git clone --depth 1 https://github.com/drwetter/testssl.sh.git
cd testssl.sh
chmod +x testssl.sh

  2. HAProxy Configuration (if applicable):

    • Confirm HAProxy is running with SSL/TLS enabled.

    • Verify the SSL port (default: 443) is exposed for testing.

...

Code Block
openssl x509 -noout -modulus -in <certificate_file>.pem | openssl md5
openssl rsa -noout -modulus -in <private_key>.key | openssl md5

The outputs must match, the certificate and key are correctly paired.

3. Check Certificate

...

Expiry Date

Confirm the certificate is within its validity period:

...

Code Block
./testssl.sh https://<haproxy_domain_or_IP>:<port>

This checks:

  • Supported protocols.

  • Available ciphers.

  • Certificate properties.

2. Certificate Chain Validation:

Ensure the full complete certificate chain is providedpresent:

Code Block
./testssl.sh --certs https://<haproxy_domain_or_IP>:<port>

This identifies:

  • Missing intermediate certificates.

  • Trust issues in the chain.

...

1. Incomplete Certificate Chain

  • Ensure the PEM file includes:

    • Server certificate.

    • Intermediate certificates (in proper order).

  • Combine certificates if necessary:

    Code Block
    cat server.crt intermediate.crt > fullchain.pem

2. Verify Full Certificate Chain Delivery

HAProxy must be configured to provide the full certificate chain. Ensure the PEM file includes:

...

Update your HAProxy configuration to use the fullchain.pem:

Code Block
frontend www-https_frontend
    bind *:443 ssl crt-list /etc/haproxy/ssl/fullchain.pem
    reqadd X-Forwarded-Proto:\ https
    reqadd X-Forwarded-Port:\ 443
    default_backend app_www-backend-scsp

...

2. Untrusted Certificate

  • Verify the root CA is trusted on client systems.

  • Cross-check using online tools like SSL Labs.

...

3. Incorrect Certificate Deployment

Verify the PEM file and private key:

...

Advanced Testing with testssl.sh

1. Check

...

for Expiring Certificates

Run the following to get alerts about Certificates nearing expiration:

...

Code Block
./testssl.sh --protocols https://<haproxy_domain_or_IP>
./testssl.sh --ciphers https://<haproxy_domain_or_IP>

3. Generate Reports for Documentation

Export results for documentation or reporting:

...