SSL

i90runner

Useful SSL references

https://www.ssllabs.com/ssltest/analyze.html

Use OpenSSL to verify the certificate that's being returned. To do this check, connect to the backend by using -servername. It should return the SNI, which needs to match the FQDN of the backend pool:

openssl s_client -connect backendvm.contoso.com:443 -servername backendvm.contoso.com

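SITE_URL="h1bsalary.org"
SITE_SSL_PORT="443"
# </dev/null closes stdin so s_client exits after the handshake instead of waiting for input
openssl s_client -connect "${SITE_URL}:${SITE_SSL_PORT}" -servername "${SITE_URL}" </dev/null 2>/dev/null | openssl x509 -noout -dates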

https://www.computertechblog.com/create-a-pfx-file-with-a-certificate-chain/

Last updated
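
The check described in the post above, scripted as an added example (not part of the original post): OpenSSL's own hostname matching (`-checkhost`) and expiry test (`-checkend`) are applied to the certificate returned for the SNI name. The function names and the self-signed sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names are illustrative, the sample certificate is constructed.

# fetch_leaf HOST [PORT]: print (PEM) the leaf certificate served for SNI name HOST.
fetch_leaf() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# cert_matches_host PEM_FILE HOST: succeed if OpenSSL's hostname check
# (subjectAltName entries, including wildcards) accepts HOST.
# -checkhost only prints its verdict, so the text is tested, not the exit code.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# cert_valid_for PEM_FILE DAYS: succeed if the certificate is still valid DAYS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# check_cert PEM_FILE HOST MIN_DAYS: 0 = ok, 1 = name mismatch, 2 = expiring soon.
check_cert() {
    cert_matches_host "$1" "$2" || { echo "FAIL: certificate does not cover $2"; return 1; }
    cert_valid_for "$1" "$3" || { echo "FAIL: certificate expires within $3 days"; return 2; }
    echo "OK: certificate covers $2 and is valid for more than $3 days"
}

# make_sample_cert PEM_FILE HOST DAYS: constructed self-signed certificate for offline tests.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$3" -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# Live use: sh check_cert.sh backendvm.contoso.com [min_days]
if [ $# -ge 1 ]; then
    pem=$(mktemp)
    fetch_leaf "$1" >"$pem" && check_cert "$pem" "$1" "${2:-14}"
    rc=$?
    rm -f "$pem"
    exit "$rc"
fi
```

The exit code of `check_cert` separates a name mismatch (1) from an approaching expiry (2), so a monitoring job can alert on each case differently.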

i90runner
host=nm-rel.emetric.net
 % openssl s_client -connect $host:443 -servername $host
CONNECTED(00000005)
depth=3 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = "DigiCert, Inc.", CN = GeoTrust Global TLS RSA4096 SHA256 2022 CA1
verify return:1
depth=0 CN = nm-rel.emetric.net
verify return:1
---
Certificate chain
 0 s:/CN=nm-rel.emetric.net
   i:/C=US/O=DigiCert, Inc./CN=GeoTrust Global TLS RSA4096 SHA256 2022 CA1
 1 s:/C=US/O=DigiCert, Inc./CN=GeoTrust Global TLS RSA4096 SHA256 2022 CA1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
---
Server certificate
subject=/CN=nm-rel.emetric.net
issuer=/C=US/O=DigiCert, Inc./CN=GeoTrust Global TLS RSA4096 SHA256 2022 CA1
---
No client certificate CA names sent
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 5078 bytes and written 381 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A11400009320854F8C204DE1EF31E844075EC42692EC01CDE0F7107AF518E603
    Session-ID-ctx: 
    Master-Key: 65DACEA241DE3A2CDAC728E2B81A686915426ADC60E2302692B0F4687FE9EABA778C677CC9FFD87FB6F5DA3922691A46
    Start Time: 1658247144
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Last updated

i90runner
 ~ % openssl s_client -connect $host:443 -servername $host
CONNECTED(00000005)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = US, ST = Texas, L = San Antonio, O = "EMETRIC, LLC", CN = *.emetric.net
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Texas/L=San Antonio/O=EMETRIC, LLC/CN=*.emetric.net
   i:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
subject=/C=US/ST=Texas/L=San Antonio/O=EMETRIC, LLC/CN=*.emetric.net
issuer=/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3634 bytes and written 349 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: ADADCD02552F439CD4DEF2DE56F62BEAEE2999823AB45F62291F159DAF121161
    Session-ID-ctx: 
    Master-Key: FCEC1F09D6C9BE0F3DCFDAB7279851CF299A0B79BE12CCE4FE7D1A00E723C6CB1208B194DE6FB72B7F3CF604EB05D7A7
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1658247269
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Last updated
