This KB guide focuses on using OpenSSL and testssl.sh to validate SSL/TLS certificates, ensuring they are configured correctly, include a complete certificate chain, and are trusted. It covers testing certificates both locally and on HAProxy servers.

...

Code Block
openssl x509 -noout -modulus -in <certificate_file>.pem | openssl md5
openssl rsa -noout -modulus -in <private_key>.key | openssl md5

If the two digests match, the certificate and private key are a pair. Note that the `-modulus` comparison only works for RSA keys; for an EC key, compare the public key extracted from the certificate with the public key derived from the private key instead.

3. Check Certificate

...

Expiry Date

Confirm the certificate is within its validity period:

...

Code Block
./testssl.sh https://<haproxy_domain_or_IP>:<port>

This checks:

  • Supported protocols.

  • Available ciphers.

  • Certificate properties.

2. Certificate Chain Validation

Ensure the complete certificate chain is present and delivered by the server:

Code Block
./testssl.sh --server-defaults https://<haproxy_domain_or_IP>:<port>   # -S; prints the certificate, chain of trust and intermediate details

This identifies:

  • Missing intermediate certificates.

  • Trust issues in the chain.

...

1. Incomplete Certificate Chain

Ensure the PEM file includes:

...

...

Intermediate certificates (in proper order).

...

Combine certificates if necessary. Order matters: the server (leaf) certificate comes first, followed by each intermediate, nearest to the leaf first; the root is optional and usually omitted. HAProxy also expects the private key in the same PEM file (appended after the chain) or, on recent versions, in a `.key` file with the same basename next to it.

Code Block
cat server.crt intermediate.crt > fullchain.pem

2. Verify Full Certificate Chain Delivery

HAProxy must be configured to provide the full certificate chain. Ensure the PEM file includes:

...

Update your HAProxy configuration to use the fullchain.pem. Note that `crt` takes a PEM file (or a directory of PEM files); `crt-list` expects a list file that names PEM files, so pointing it directly at fullchain.pem does not work. The `reqadd` keyword was removed in HAProxy 2.1 and is replaced by `http-request set-header`:

Code Block
frontend www-https_frontend
    bind *:443 ssl crt /etc/haproxy/ssl/fullchain.pem
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 443
    default_backend app_www-backend-scsp

...

2. Untrusted Certificate

  • Verify the root CA is trusted on client systems.

  • Cross-check using online tools like SSL Labs.

...

3. Incorrect Certificate Deployment

Verify the PEM file and private key:

...

Advanced Testing with testssl.sh

1. Check for Expiring Certificates

Run the following to get alerts about certificates nearing expiration:

...

Code Block
./testssl.sh --protocols https://<haproxy_domain_or_IP>
./testssl.sh --ciphers https://<haproxy_domain_or_IP>
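The three local checks this guide describes (key/certificate pairing, a complete chain, and expiry) can be exercised end to end against a throw-away chain before anything is deployed to HAProxy. The script below is an added example, not part of the original KB page: it builds a constructed root, intermediate and server certificate with openssl under a temporary directory, then runs each check with plain openssl, including the failure case of serving the server certificate without its intermediate (the same condition testssl.sh reports as a missing intermediate). The key check compares public keys rather than RSA moduli, so it also covers EC keys. All file names and the www.example.test hostname are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original KB page: builds a constructed
# root -> intermediate -> server chain with openssl and runs the checks the
# guide describes against it. Everything under $WORK is test data.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Quiet wrapper: openssl req/x509 chatter on stderr is not interesting here.
q() { "$@" >/dev/null 2>&1; }

# Build the constructed chain. Every cert is valid for 2 days so the expiry
# check below has a near-term date to work with.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"

  # Root CA (self-signed, explicit extensions so no openssl.cnf defaults are relied on)
  q openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Test Root" \
      -keyout "$WORK/root.key" -out "$WORK/root.csr"
  q openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -set_serial 1 \
      -days 2 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/root.pem"

  # Intermediate CA, signed by the root
  q openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Test Intermediate" \
      -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr"
  q openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
      -CAcreateserial -days 2 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/intermediate.pem"

  # Server (leaf) certificate, signed by the intermediate
  q openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
      -keyout "$WORK/server.key" -out "$WORK/server.csr"
  q openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/intermediate.pem" \
      -CAkey "$WORK/intermediate.key" -CAcreateserial -days 2 -sha256 \
      -extfile "$WORK/leaf.ext" -out "$WORK/server.pem"

  # What HAProxy should serve: leaf first, then the intermediate(s).
  cat "$WORK/server.pem" "$WORK/intermediate.pem" > "$WORK/fullchain.pem"
}

# Check 1: does the private key belong to the certificate?
# Comparing SubjectPublicKeyInfo works for RSA and EC alike, unlike -modulus.
key_matches_cert() {  # <cert.pem> <key.pem>
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Check 2: can the leaf (first certificate in the file) be chained to the
# trusted root using only the intermediates carried in the same file? This
# mirrors what a client does, so a missing intermediate fails here.
chain_complete() {  # <chain.pem> <root.pem>
  openssl x509 -in "$1" -out "$WORK/leaf.tmp"     # openssl x509 reads the first cert only
  openssl verify -CAfile "$2" -untrusted "$1" "$WORK/leaf.tmp" >/dev/null 2>&1
}

# Check 3: does the certificate expire within N seconds? (returns 0 if it does)
expires_within() {  # <cert.pem> <seconds>
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

main() {
  make_chain
  if key_matches_cert "$WORK/server.pem" "$WORK/server.key"; then echo "server.key: paired with server.pem"; fi
  if chain_complete "$WORK/fullchain.pem" "$WORK/root.pem"; then echo "fullchain.pem: chain complete"; fi
  if ! chain_complete "$WORK/server.pem" "$WORK/root.pem"; then echo "server.pem alone: intermediate missing"; fi
  if expires_within "$WORK/server.pem" $((7 * 86400)); then echo "server.pem: expires within 7 days"; fi
}

main
```

Point `chain_complete` at the PEM you intend to give HAProxy and at the root you expect clients to trust; a failure there is the same incomplete-chain condition that testssl.sh flags on the live server, caught before the file is deployed. Swapping `$((7 * 86400))` for the warning window used by your monitoring gives a reusable pre-expiry alert.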

3. Generate Reports for Documentation

Export results for documentation or reporting:

...