Cloud Platform
Verifying the validity of an SSL certificate
I would like to confirm my SSL certificate details and verify that my intermediate/chain certificate files are in the correct order.
SSL (Secure Socket Layer) is a critical component of sites that need to handle sensitive or personal information. You can use SSL with Acquia Cloud by adding HTTPS/SSL support to your site.
Before you set up your certificates, it's a good idea to test them to ensure that they are correct and will work together. The bash commands, and details, below, demonstrate how you can test the validity of an SSL certificate, and its associated SSL bundle components.
certificate.pem is the Main/Server Certificate to be uploadedl.key is the Private Key for the Main/Server Certificatecertificate-chain.pem is the Intermediate or Chain CertificateFor details on formats, see the Format conversions section, below.
Run the following commands to check if your files are already in the required PEM format:
Check to see if your Private Key is in PEM format:
openssl rsa -inform PEM -in /tmp/ssl.keyCheck to see if your Main/Server Certificate is in PEM format:
openssl x509 -inform PEM -in /tmp/certificate.crtopenssl x509 -noout -modulus -in certificate.pem | openssl md5
openssl rsa -noout -modulus -in ssl.key | openssl md5The output of these two commands must be exactly the same. If you cannot locate a matching Private Key to your Main/Server Certificate, you will be required to re-key the certificate by generating a new CSR and/or requesting an updated certificate from your SSL vendor.
openssl x509 -in certificate.pem -noout -pubkey
openssl rsa -in ssl.key -puboutThe output of these two commands should be the same.
openssl x509 -noout -in certificate.pem -datesEnsure that the current date is between the certificate's Not Before and Not After dates.
openssl verify -CAfile certificate-chain.pem certificate.pemIf the response is OK, the check is valid.
The most common reason for a certificate deployment to fail is that the Intermediate/Chain Certificates are not in the correct order. Specifically, Intermediate Certificate files must end with the root certificate or certificate most proximate to the root and be in a descending order from the Main/Server Certificate to the Root. You can determine the order of your Intermediate Certificate files by running the following command:
openssl crl2pkcs7 -nocrl -certfile $CERT_FILE | openssl pkcs7 -print_certs -nooutHere is an example of that command against an Intermediate/Chain Certificate that is in the correct order:
openssl crl2pkcs7 -nocrl -certfile $certificate-chain.pem | openssl pkcs7 -print_certs -noout
subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CAThe command shows a condensed version of SSL certificate details as two lines. The two lines are equivalent to one certificate file within your chain.
From the two lines that indicate one certificate file, the second line must match the first line of the proceeding file, as shown by the arrows in the image below:
In addition to the lines matching, the chain must end with the Root Certificate or certificate most proximate to the Root.
Certificate files can be re-ordered by copying and pasting them in the appropriate order within the "CA intermediate certificates" field on the installation form in the UI.
If the same two lines/certificate section appear in the chain, it means there are redundant files present which will result in an installation error. If there is a repeated certificate in the chain, please remove it before attempting the installation.
You can determine the Main/Server Certificate by running the same command as previously mentioned. An example of the output for the main/server certificate, which should go in the "SSL Certificate" field within the installation form in the Acquia Cloud login interface, is:
openssl crl2pkcs7 -nocrl -certfile $certificate.pem | openssl pkcs7 -print_certs -noout
subject=/C=US/ST=Massachusetts/L=Boston/O=Acquia Inc/OU=Acquia Hosting/CN=acquia-sites.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CAWe can determine if a file is the Main/Server Certificate if it looks similar to the example above, as it will include your unique organizational information that was provided in the CSR used to obtain the certificate originally.
SSL Private keys must be unencrypted and non-password protected on our platform. You can use the following OpenSSL command to remove a private key password:
openssl rsa -in [file1.key] -out [file2.key]The result should generate a non-encrypted version of your private key.
SSL files must be in PEM format in order to be installed on our platform. Common file extensions that are within the PEM format include .pem, .crt, .cer, and .cert. You can read more about the PEM format here: What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?
If you need to convert the format of your SSL files to PEM, please use the following commands:
Convert PFX to PEM
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodesConvert P7B to PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cerConvert DER to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
The following are some tools to validate SSL certificates once installed on the Acquia Cloud platform and activated. If you have doubts about the veracity of the validation, please file a Support case with us and we can help look into it. Note that we can't always guarantee these tools will always work or return the correct information.
Cloud Platform