Date Published: March 14, 2025

Verifying the validity of an SSL certificate

Issue

I would like to confirm my SSL certificate details and verify that my intermediate/chain certificate files are in the correct order. 

Resolution

SSL (Secure Sockets Layer; modern deployments actually use its successor, TLS, but the certificate handling is the same) is a critical component of sites that handle sensitive or personal information. You can use SSL with Acquia Cloud by adding HTTPS/SSL support to your site.

Before you install your certificates, test them to make sure they are correct and work together. The shell commands below show how to check the validity of an SSL certificate and of the bundle components that go with it.

Notes:

  • This article assumes you have OpenSSL installed somewhere you can run it.
  • For full details on the OpenSSL flags, see the OpenSSL man pages (openssl-x509, openssl-rsa, openssl-verify and so on).
  • The examples below assume that:
    • certificate.pem is the Main/Server Certificate to be uploaded
    • ssl.key is the Private Key for the Main/Server Certificate
    • certificate-chain.pem is the Intermediate or Chain Certificate bundle

The checks covered below are:

  1. Check that the Private Key and Main/Server Certificate are in PEM format
  2. Verify that the Private Key and Main/Server Certificate match
  3. Verify that the Public Key contained in the Private Key file and in the Main/Server Certificate are the same
  4. Check that the Valid From and Valid To dates of the certificate are correct
  5. Check the validity of the Certificate Chain
  6. Check the order of the Intermediate or Chain Certificates
  7. Remove a Private Key password

List Of Commands For Validating SSL Bundle

1. Check that the Private Key and Main/Server Certificate are in PEM format:

For details on formats, see the Convert between formats section, below.
Run the following commands to check whether your files are already in the required PEM format. If a file parses, the command exits 0 and prints nothing (the -noout flag stops it from echoing the key or certificate to your terminal); if it does not, OpenSSL prints an "unable to load" error, which usually means the file is DER, PKCS#12 or PKCS#7 and needs converting.

  • Check that your Private Key is in PEM format:
    openssl rsa -inform PEM -in ssl.key -noout
    (openssl rsa reads only RSA keys. For an EC key, substitute openssl pkey for openssl rsa in this and the following checks; pkey accepts any key type.)
  • Check that your Main/Server Certificate is in PEM format:
    openssl x509 -inform PEM -in certificate.pem -noout

2. Verify that the Private Key and Main/Server Certificate match:

openssl x509 -noout -modulus -in certificate.pem | openssl md5
openssl rsa -noout -modulus -in ssl.key | openssl md5

The output of these two commands must be exactly the same. (MD5 is used here only to shorten the modulus into something you can compare by eye; it has no security role. This check applies to RSA keys only, because only RSA keys have a modulus; for an EC key, use check 3 instead.) If you cannot locate the Private Key that matches your Main/Server Certificate, you must re-key the certificate by generating a new CSR and requesting an updated certificate from your SSL vendor.
 

3. Verify that the Public Keys contained in the Private Key file and in the Main/Server Certificate are the same:

openssl x509 -in certificate.pem -noout -pubkey
openssl rsa -in ssl.key -pubout

The output of these two commands must be identical, byte for byte. Redirect each to a file and compare the files with diff rather than comparing long Base64 blocks by eye. Unlike the modulus check, this works for any key type (use openssl pkey in place of openssl rsa for a non-RSA key).

4. Check that the Valid From and Valid To dates of the certificate are correct:

openssl x509 -noout -in certificate.pem -dates

Make sure the current date (in UTC, which is what the certificate uses) falls between the certificate's notBefore and notAfter dates. For scripting, the same command with -checkend <seconds> in place of -dates exits non-zero if the certificate will expire within that many seconds.

5. Check the validity of the Certificate Chain:

openssl verify -CAfile certificate-chain.pem certificate.pem

If the response is "certificate.pem: OK", the chain verifies. Note that -CAfile treats every certificate in the bundle as trusted, so this form only succeeds when the bundle ends with the self-signed root. If your vendor's bundle contains intermediates only, pass it with -untrusted certificate-chain.pem instead, so that OpenSSL builds the chain through the intermediates up to a root in your system trust store (or in a separate -CAfile). An "unable to get issuer certificate" or "unable to get local issuer certificate" error means a link in the chain is missing from the bundle.

6. Check the order of your certificates:

The most common reason for a certificate deployment to fail is that the Intermediate/Chain Certificates are not in the correct order. The bundle must run from the certificate that issued the Main/Server Certificate down towards the Root, and it must end with the Root Certificate or the certificate closest to the Root. You can list the certificates in a bundle, in file order, with the following command (openssl x509 alone would only show the first certificate in the file):

openssl crl2pkcs7 -nocrl -certfile $CERT_FILE | openssl pkcs7 -print_certs -noout

Here is an example of that command against an Intermediate/Chain Certificate that is in the correct order:

openssl crl2pkcs7 -nocrl -certfile certificate-chain.pem | openssl pkcs7 -print_certs -noout
subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA

subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA

The command prints a condensed view of each certificate as two lines, a subject line and an issuer line. Each subject/issuer pair is one certificate in your bundle. (Newer OpenSSL versions print the names as "C = US, O = DigiCert Inc, ..." rather than with slashes; the check is the same.)

For the order to be correct, the issuer line of each certificate must match the subject line of the certificate that follows it. In the example above, the first certificate's issuer (DigiCert High Assurance EV Root CA) is the second certificate's subject.

In addition to the lines matching, the chain must end with the Root Certificate or the certificate closest to the Root.

Certificate files can be re-ordered by copying and pasting them in the appropriate order within the "CA intermediate certificates" field on the installation form in the UI.

If the same subject/issuer pair appears twice in the output, the bundle contains a duplicate certificate, which causes an installation error. Remove the repeated certificate before attempting the installation.

You can identify the Main/Server Certificate by running the same command against each file. Its output looks like the example below; this is the certificate that goes in the "SSL Certificate" field of the installation form in the Acquia Cloud interface:

openssl crl2pkcs7 -nocrl -certfile certificate.pem | openssl pkcs7 -print_certs -noout
subject=/C=US/ST=Massachusetts/L=Boston/O=Acquia Inc/OU=Acquia Hosting/CN=acquia-sites.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA

A file is the Main/Server Certificate when its subject line carries your own organizational details and hostname, as provided in the CSR used to obtain the certificate; its issuer line names the first intermediate in your bundle.

7. Remove a Private Key password:

SSL Private Keys must be unencrypted and not password protected on our platform. You can use the following OpenSSL command to remove a private key password (use openssl pkey instead of openssl rsa for a non-RSA key):

openssl rsa -in [file1.key] -out [file2.key]

OpenSSL prompts for the current passphrase and writes an unencrypted copy of the key to [file2.key]. Because that copy is no longer protected by a passphrase, restrict its file permissions (for example chmod 600) and delete it from any shared or temporary location once it has been uploaded.
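The following script is an added example and is not code from the original article or from Acquia. It turns checks 1 through 6 into a single function, verify_bundle, and adds a scripted version of the ordering check (chain_order_ok) that also catches duplicate certificates. Because it needs realistic input, it first builds a throwaway root, intermediate and server certificate with the openssl CLI; that PKI, the file names (certificate.pem, ssl.key, certificate-chain.pem) and the function names are this example's own assumptions. It requires only openssl, awk and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original article): build a throwaway
# root -> intermediate -> server PKI, then run the article's checks 1-6 on it.
set -eu

# Create root.pem, intermediate.pem, certificate.pem, ssl.key and
# certificate-chain.pem (intermediate, then root) under $1. Constructed test
# data; the inline config keeps the CA flags independent of the system openssl.cnf.
make_test_pki() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -config "$dir/pki.cnf" -extensions ca -subj "/O=Example Test/CN=Test Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/pki.cnf" \
    -subj "/O=Example Test/CN=Test Intermediate CA" \
    -keyout "$dir/intermediate.key" -out "$dir/intermediate.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$dir/intermediate.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/pki.cnf" -extensions ca \
    -out "$dir/intermediate.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/pki.cnf" \
    -subj "/O=Example Test/CN=www.example.test" \
    -keyout "$dir/ssl.key" -out "$dir/certificate.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$dir/certificate.csr" -CA "$dir/intermediate.pem" \
    -CAkey "$dir/intermediate.key" -CAcreateserial -extfile "$dir/pki.cnf" -extensions leaf \
    -out "$dir/certificate.pem" 2>/dev/null
  cat "$dir/intermediate.pem" "$dir/root.pem" > "$dir/certificate-chain.pem"
}

# Split a PEM bundle into $2/cert-1.pem, cert-2.pem, ... in file order and print
# the count. openssl x509 reads only the first certificate of a file, so the
# members must be separated before they can be inspected one at a time.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }' "$1"
}

# Check 6 as a script: no certificate may appear twice, and each certificate's
# issuer must equal the subject of the one after it. Returns 1 with a reason.
chain_order_ok() {
  tmp=$(mktemp -d)
  count=$(split_bundle "$1" "$tmp")
  [ "$count" -ge 1 ] || { echo "no certificates in bundle"; rm -rf "$tmp"; return 1; }
  dup=$(for f in "$tmp"/cert-*.pem; do openssl x509 -noout -fingerprint -sha256 -in "$f"; done \
        | sort | uniq -d)
  [ -z "$dup" ] || { echo "duplicate certificate in bundle: $dup"; rm -rf "$tmp"; return 1; }
  i=1
  while [ "$i" -lt "$count" ]; do
    issuer=$(openssl x509 -noout -issuer -in "$tmp/cert-$i.pem")
    next=$(openssl x509 -noout -subject -in "$tmp/cert-$((i + 1)).pem")
    if [ "${issuer#issuer=}" != "${next#subject=}" ]; then
      echo "certificate $i is not issued by certificate $((i + 1)): wrong order"
      rm -rf "$tmp"; return 1
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
}

# Checks 1-5 from the article, then check 6. Returns 0 only if all pass.
verify_bundle() {
  leaf=$1; key=$2; chain=$3
  # 1. Both files parse as PEM (pkey, unlike rsa, also accepts EC keys).
  openssl x509 -inform PEM -noout -in "$leaf" || { echo "certificate is not PEM"; return 1; }
  openssl pkey -inform PEM -noout -in "$key" || { echo "key is not PEM"; return 1; }
  # 2 and 3. Comparing public keys covers the modulus test for any key type.
  [ "$(openssl x509 -noout -pubkey -in "$leaf")" = "$(openssl pkey -pubout -in "$key")" ] \
    || { echo "private key does not match certificate"; return 1; }
  # 4. Not expired: -checkend 0 tests notAfter against now (notBefore: see -dates).
  openssl x509 -noout -checkend 0 -in "$leaf" >/dev/null || { echo "certificate expired"; return 1; }
  # 5. As in the article, -CAfile trusts the whole bundle, so this needs the root
  #    in the bundle; for intermediates only, use -untrusted "$chain" -CAfile root.pem.
  openssl verify -CAfile "$chain" "$leaf" >/dev/null || { echo "chain does not verify"; return 1; }
  chain_order_ok "$chain"
}

# Usage: sh check-bundle.sh certificate.pem ssl.key certificate-chain.pem
# With no arguments, build the throwaway PKI and check that instead.
if [ "$#" -eq 3 ]; then
  verify_bundle "$1" "$2" "$3"
else
  demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
  make_test_pki "$demo"
  verify_bundle "$demo/certificate.pem" "$demo/ssl.key" "$demo/certificate-chain.pem"
fi
echo "all checks passed"
```

One thing worth noticing when you run it against a deliberately reversed bundle (root first, intermediate second): openssl verify still reports OK, because -CAfile does not care about the order of trusted certificates, while chain_order_ok rejects it. That is why the article's check 5 and check 6 are separate steps; a bundle can verify locally and still be rejected by the installation form.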

Convert between formats:

SSL files must be in PEM format to be installed on our platform. Files in PEM format commonly use the extensions .pem, .crt, .cer and .cert, but the extension is not reliable (a .cer file is often DER), which is why check 1 above parses the file rather than trusting its name. You can read more about the PEM format here: What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

If you need to convert your SSL files to PEM, use the following commands:

  • Convert PFX (PKCS#12) to PEM

    openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

    This prompts for the PFX password and writes the private key, the certificate and any chain certificates into the one output file; -nodes leaves the private key unencrypted. Split the key out into its own file, restrict its permissions, and put the certificates into the certificate and chain files described above.
  • Convert P7B (PKCS#7) to PEM

    openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

    A .p7b file contains certificates only, never the private key, so the key must come from wherever the CSR was generated.
  • Convert DER to PEM

    openssl x509 -inform der -in certificate.cer -out certificate.pem

External Validation (Once Installed and Activated)

The following are some tools to validate SSL certificates once they are installed on the Acquia Cloud platform and activated. If you have doubts about the accuracy of a tool's result, please file a Support case with us and we can help look into it. Note that we cannot guarantee that these tools will always work or return correct information.