Ensuring Certificate Validity Using OpenSSL and testssl.sh

This KB guide focuses on using OpenSSL and testssl.sh to validate SSL/TLS certificates, ensuring they are configured correctly, include a complete certificate chain, and are trusted. It covers testing certificates both locally and on HAProxy servers.

Prerequisites

1. Install OpenSSL:

  1. Ensure OpenSSL is installed on your system. Most Linux distributions include it by default:

    openssl version

2. Install testssl.sh:

  1. Clone the repository from GitHub

    git clone --depth 1 https://github.com/drwetter/testssl.sh.git
    cd testssl.sh
    chmod +x testssl.sh

3. HAProxy Configuration (if applicable):

    • Confirm HAProxy is running with SSL/TLS enabled.

    • Verify the SSL port (default: 443) is exposed for testing.

Validating a PEM Certificate Locally

1. Check PEM File Syntax

Use OpenSSL to verify the certificate file's syntax:

openssl x509 -in <certificate_file>.pem -noout -text

This command:

  • Verifies the certificate’s syntax.

  • Displays details such as issuer, subject, validity period, and extensions.

To check the entire certificate chain (server + intermediate certificates), use:

This breaks down and lists all certificates in the chain.

2. Verify Certificate Matches Private Key

Ensure the certificate and private key correspond:

The outputs must match.

3. Check Certificate Expiration

Confirm the certificate is within its validity period:

This displays the notBefore and notAfter dates.

4. Verify Intermediate Certificate is Trusted

Use the following command to confirm that the intermediate certificate is signed by a trusted root:
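The four local checks above, combined into one script as an added example (this is not part of the KB article; the certificate, key and CA-bundle paths passed as arguments are assumptions, and the bundle is expected to hold the root and intermediate certificates):

```shell
#!/bin/sh
# Added example: run the local PEM checks from this section in one pass.
# Usage: check_pem <cert.pem> <key.pem> [ca-bundle.pem]
# All paths are assumptions; without a bundle the cert is verified against itself.

# 1. Syntax: OpenSSL must be able to parse the certificate at all.
pem_syntax_ok() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# 2. Key match: compare the public key embedded in the certificate with the
#    public key derived from the private key (works for RSA and EC keys).
pem_key_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 3. Expiration: fail if the certificate expires within N days (default 30),
#    so a renewal is flagged before clients start seeing errors.
pem_not_expiring() {
  days=${2:-30}
  openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# 4. Trust: build and verify the chain against a CA bundle.
pem_chain_trusted() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run all four checks, print one line per check, return non-zero on any failure.
check_pem() {
  cert=$1; key=$2; chain=${3:-$1}
  rc=0
  pem_syntax_ok "$cert" && echo "syntax: OK" || { echo "syntax: FAIL"; rc=1; }
  pem_key_matches "$cert" "$key" && echo "key:    OK" || { echo "key:    FAIL (cert/key mismatch)"; rc=1; }
  pem_not_expiring "$cert" 30 && echo "expiry: OK" || { echo "expiry: FAIL (expires within 30 days)"; rc=1; }
  pem_chain_trusted "$cert" "$chain" && echo "chain:  OK" || { echo "chain:  FAIL (not trusted by bundle)"; rc=1; }
  return $rc
}
```

Run it as `sh check_pem.sh` after adding a call such as `check_pem server.pem server.key ca-bundle.pem` at the bottom, or source it and call the individual functions from a renewal job.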

Test with OpenSSL Local Server

You can test a PEM certificate directly by hosting it temporarily with OpenSSL's built-in test server.

1. Start a Local Test Server

Use OpenSSL to serve the PEM certificate on a local port:

  • Replace <certificate_file>.pem with your PEM file.

  • Replace <private_key>.key with the corresponding private key.

2. Run testssl.sh Against the Local Test Server

With the test server running (openssl), validate the certificate using testssl.sh:

This checks:

  • Certificate validity.

  • Complete certificate chain.

  • Expiration and trustworthiness.

Using testssl.sh for HAProxy SSL/TLS Validation

1. Basic SSL/TLS Validation

Check the HAProxy SSL/TLS configuration:

This checks:

  • Supported protocols.

  • Available ciphers.

  • Certificate properties.

2. Certificate Chain Validation

Ensure the full certificate chain is provided:

This identifies:

  • Missing intermediate certificates.

  • Trust issues in the chain.

3. Testing Specific Front-ends

If HAProxy has multiple front-ends on different ports:

Example:

Common Issues and Solutions

1. Verify Full Certificate Chain Delivery

HAProxy must be configured to provide the full certificate chain. Ensure the PEM file includes:

  • The server certificate.

  • Intermediate certificates.

You can concatenate certificates into a single PEM file as follows:

Update your HAProxy configuration to use the fullchain.pem:

2. Untrusted Certificate

  • Verify the root CA is trusted on client systems.

  • Cross-check using online tools like SSL Labs.

3. Incorrect Certificate Deployment

Verify the PEM file and private key:

4. SSL Configuration Errors

Validate HAProxy configuration:

Ensure the bind directive specifies the correct SSL/TLS options.

Advanced Testing with testssl.sh

1. Check the Expiration Warnings

Run the following to get alerts about certificates nearing expiration:

2. Analyze Protocol and Cipher Support

HAProxy often uses a specific SSL/TLS configuration. Test supported protocols and ciphers:

3. Generate Reports

Export results for documentation or reporting:

Troubleshooting HAProxy SSL Issues

Incomplete Certificate Chain

  • Ensure intermediate certificates are included in the PEM file.

  • Use testssl.sh --certs to identify missing certificates.

Certificate Not Trusted

  • Verify the root CA is trusted on client systems.

  • Use online tools like SSL Labs to cross-check.

SSL Configuration Errors

Check the HAProxy configuration file for syntax issues:

Ensure bind directives correctly specify SSL options.

Incorrect Certificate Deployment

Verify the certificate file and key are correct:

Example: Validating HAProxy SSL Certificate

Expected Output:

  • Certificate is valid: Yes

  • Chain issues: None

  • Expiration: Valid until YYYY-MM-DD

  • Protocols and ciphers: Secure configurations

Summary

By following these instructions, you can effectively validate SSL/TLS certificates using OpenSSL and testssl.sh. These tools help ensure certificates are valid, chains are complete, and configurations are secure. Regular testing maintains a strong SSL/TLS posture for services like HAProxy.

© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.