Blog: May 2015

Self-Signing Certificate Authorities

Introduction

If you run a website which receives or displays personal information, passwords or other secrets, you need to encrypt your connections using SSL or TLS. This is what puts the "S" into HTTPS, FTPS, IMAPS, POPS etc, and requires private keys and public certificates. Your browser (or other SSL/TLS client) trusts certain CAs (certificate authorities), and they in turn are willing to trust you by issuing you a certificate, if you throw money at them.

This is necessary for public-facing production deployments, and these days the cheapest certificates don't cost the earth - for example, Namecheap's start ...

Read full post

Tips for SSL certificates

Display CSR information:

openssl req -text -noout -in foo.csr

Display signed cert information:

openssl x509 -in foo.crt.pem -noout -text

To remove a password from a key:

openssl rsa -in foo.key.pem -out foo-unlocked.key.pem

To decode a CRL:

openssl crl -text -in ca.crl.pem

To check a certificate against a CRL:

cat ca/ca.crl.pem ca/ca.crt.pem > crl-check.pem
openssl verify -CAfile crl-check.pem -crl_check foo.crt.pem

Read full post