Site icon David Yin's Blog

Some issues when I use SSL on web server Apache

I purchased SSL certificate from Gogetssl.com. The Comodo Essential SSL is a good deal on the list. I paid it $37.45 for FIVE years.

OK back to the title.

1) The CSR generator online is default sha1. Use my own openssl command to generate sha256 CSR, KEY files.

There are so many articles related sha1 vs sha256 ssl

If you can, use SHA-256 instead of SHA-1.

SHA1 is going to retired.

The command I use to generate private key and CSR file.

openssl req -new -newkey rsa:2048 -nodes <b>-sha256</b> -out www.mydomain.com.sha256.csr -keyout www.mydomain.key -subj "/C=FR/ST=Calvados/L=CAEN/O=TBS INTERNET/CN=www.moydomain.com"

Please make your own command with this tool.  Then add -sha256 in it . The above is for reference only.

2) Chain CA order

The certificate I received from gogetssl is a zip file. Unzip it and I got four certificate files.

To make a ca-bundle file, combine the three crt files into one.

When combine them, be carefully the order of files.

Put the content of COMODORSADomainValidationSecureServerCA.crt in the beginning of the ca-bundle file. Then paste the content of COMODORSAAddTrustCA.crt below, and paste the content of AddTrustExternalCARoot.crt.

3) Chain issues – Contains anchor

This is a issue when I check the ssl on ssllabs.com

AddTrustExternalCARoot.crt is the root CA. Self issued. Some people said the issue is because of this self issued root CA.

There are some post about it. They said it is safe when not include it in the ca-bundle

Comodo support article Qualys forum thread

Some tools:

SSL checker: http://www.sslshopper.com/ssl-checker.html

Qualys SSL labs https://www.ssllabs.com/ssltest/analyze.html

Symantec SSL Toolbox  https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp

 

 

Exit mobile version