Posts Tagged ‘ssl’

Check SSL certificates

Wednesday, August 24th, 2011

This post is mostly a collection of commands to check SSL certificates and make sure they are what you think they are. They are especially handy when things do not go as expected. First, some definitions. We call the signed certificate cert.crt, the private key server.key, the certificate signing request cert.csr and any intermediate/chain certificates chain.pem. Substitute your own file names in the commands below. It is assumed that all of these files are in PEM format, for easy use with Apache’s mod_ssl.

Checking if the CSR was actually made from your server key

You need to compare the modulus of the private key with the modulus of the certificate signing request. The output of these two commands should be identical if the CSR was made with this server key. Piping through md5 only shortens the output so it can be compared by eye; the -modulus option exists for RSA keys only, so for EC keys extract and compare the public keys instead.

$ openssl rsa -noout -modulus -in server.key | openssl md5
$ openssl req -noout -modulus -in cert.csr | openssl md5

Checking if a signed certificate was actually issued from the CSR you created

You need to compare the modulus of both files. The output of the two commands should be identical.

$ openssl x509 -noout -modulus -in cert.crt | openssl md5
$ openssl req -noout -modulus -in cert.csr | openssl md5

Checking if a signed certificate actually matches your server key

This follows from the two items above. The output of both commands should be identical; if it is not, Apache will refuse to start with a key/certificate mismatch error.

$ openssl x509 -noout -modulus -in cert.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5

Checking if the chain file actually applies to the signed certificate

$ openssl verify -CAfile chain.pem -verbose cert.crt

Note that -CAfile treats every certificate in chain.pem as trusted, so this only succeeds if chain.pem also contains the self-signed root; if it holds only intermediates, verification fails with an "unable to get issuer certificate" style error. In that case pass the intermediates with -untrusted chain.pem and let the system CA store supply the root. This checks signatures and validity dates, not whether the hostname matches.

Output the details from a certificate signing request

$ openssl req -noout -text -in cert.csr

Output the details from a signed certificate

$ openssl x509 -noout -text -in cert.crt
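As an added example (not part of the original post), the shell script below wraps the checks above in functions and runs them against a throwaway CA, server key, CSR and certificate built in a temporary directory, so nothing depends on your real files. It also generalises the modulus comparison to a public-key comparison that works for non-RSA keys, which the -modulus option does not support. Assumed: only the openssl command-line tool (1.1.x or 3.x), mktemp and awk are available, and file names follow the post's conventions; the fixture is constructed, not real data.

```shell
#!/bin/sh
# Added example, not from the original post. Requires only the openssl CLI,
# mktemp and awk. All key material is generated on the fly in a temp dir.

# The post's RSA check: md5 of the modulus, for a key (rsa), CSR (req) or
# certificate (x509). md5 only shortens the output for comparison.
modulus_md5() {            # usage: modulus_md5 rsa|req|x509 FILE
    openssl "$1" -noout -modulus -in "$2" | openssl md5 | awk '{ print $NF }'
}

# Generalisation of the same idea: hash the PEM-encoded public key
# (SubjectPublicKeyInfo) instead of the RSA modulus, so it also works for
# EC and Ed25519 keys. All three openssl subcommands print the same SPKI.
spki_sha256() {            # usage: spki_sha256 key|req|x509 FILE
    case "$1" in
        key)  _pem=$(openssl pkey -pubout -in "$2") ;;
        req)  _pem=$(openssl req -pubkey -noout -in "$2") ;;
        x509) _pem=$(openssl x509 -pubkey -noout -in "$2") ;;
        *)    echo "spki_sha256: unknown kind '$1'" >&2; return 2 ;;
    esac
    printf '%s\n' "$_pem" | openssl sha256 | awk '{ print $NF }'
}

# Returns 0 when key, CSR and certificate all carry the same public key.
key_csr_cert_match() {     # usage: key_csr_cert_match KEY CSR CERT
    _k=$(spki_sha256 key "$1")  || return 1
    _r=$(spki_sha256 req "$2")  || return 1
    _c=$(spki_sha256 x509 "$3") || return 1
    [ "$_k" = "$_r" ] && [ "$_k" = "$_c" ]
}

# Returns 0 when CERT chains to a root contained in CHAIN. If CHAIN holds only
# intermediates, openssl verify needs the root from elsewhere (use -untrusted).
chain_ok() {               # usage: chain_ok CHAIN CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed fixture: self-signed CA (chain.pem), server key, CSR, CA-signed
# cert, plus an unrelated key to demonstrate a mismatch. Prints the directory.
make_fixture() {
    _d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Test CA' \
        -keyout "$_d/ca.key" -out "$_d/chain.pem" >/dev/null 2>&1 || return 1
    openssl genrsa -out "$_d/server.key" 2048 >/dev/null 2>&1 || return 1
    openssl req -new -key "$_d/server.key" -subj '/CN=www.example.test' \
        -out "$_d/cert.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$_d/cert.csr" -CA "$_d/chain.pem" \
        -CAkey "$_d/ca.key" -CAcreateserial -out "$_d/cert.crt" >/dev/null 2>&1 || return 1
    openssl genrsa -out "$_d/other.key" 2048 >/dev/null 2>&1 || return 1
    printf '%s\n' "$_d"
}

# Demo: the same checks as the post's one-liners, but with a yes/no verdict.
demo() {
    _dir=$(make_fixture) || { echo "fixture build failed (is openssl installed?)" >&2; return 1; }
    echo "key/CSR/cert match:        $(key_csr_cert_match "$_dir/server.key" "$_dir/cert.csr" "$_dir/cert.crt" && echo yes || echo no)"
    echo "unrelated key vs CSR/cert: $(key_csr_cert_match "$_dir/other.key" "$_dir/cert.csr" "$_dir/cert.crt" && echo yes || echo no)"
    echo "cert verifies with chain:  $(chain_ok "$_dir/chain.pem" "$_dir/cert.crt" && echo yes || echo no)"
    echo "modulus md5, key and cert: $(modulus_md5 rsa "$_dir/server.key") $(modulus_md5 x509 "$_dir/cert.crt")"
    rm -rf "$_dir"
}

demo
```

Point the functions at your own server.key, cert.csr, cert.crt and chain.pem to use them outside the demo; the SPKI comparison is the one to keep, since it gives the same answer as the modulus check for RSA and still works when you move to EC keys.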

Release of Nagios plugins developed by Kumina

Monday, May 2nd, 2011

In addition to the kuminami repository we released last Friday, we’re happy to announce the release of our nagios-plugins-kumina repository, storing our in-house developed plugins for Nagios.

The repository stores two plugins for Nagios: one that monitors SSL certificate validity by checking on-disk PEM files, and one that monitors fluctuations in system load by comparing the ratio between the 1, 5 and 15 minute load averages.

As with the kuminami repository, the code also ships with the infrastructure to build Debian packages.

Puppet on puppetmaster, some tips

Wednesday, January 26th, 2011

We often run a puppet agent on the puppetmaster itself, connecting to the local puppetmaster. In the past, I’ve run into some problems with this, so I thought it best to write down a couple of tips to keep in mind when setting it up. These helped me out in the past:

  • Use a separate SSL dir for the puppetmaster and for the agent. Otherwise the agent and the master (whose ssldir also holds the CA signing key) share one directory and the agent’s certificate collides with the master’s. The following snippet shows how to do that:
    [puppetd]
    ssldir = /var/lib/puppet/ssl
    
    [puppetmasterd]
    ssldir = /var/lib/puppet-server/ssl
    
    [puppetca]
    ssldir = /var/lib/puppet-server/ssl

    The puppetca section is needed because the CA tooling needs to know where the certificates it signs live. Of course, if you run 2.6 or higher, you need to replace puppetd with agent, puppetmasterd with master and puppetca with… ca, I think.

  • Explicitly set the certname and the certdnsnames for the puppetmaster (later Puppet versions replaced certdnsnames with dns_alt_names), as follows:
    [puppetmasterd]
    certname = puppet
    certdnsnames = puppet.my.domain

That’s it. Hope it helps someone. After changing this you need to remove all the old ssl dirs (for both the agent and the master) and regenerate the certificates, since the existing ones were issued under the old certname and live in the old location.