Table of Contents
- Overview
- Checking Certificates
- Certificate Serial Number & Fingerprint
- Importing Missing Certificates
Overview
This article describes how to check if the correct root certificate is installed, the certificate serial number and fingerprint, and how to import missing certificates.
Depending on the age of the distribution, the correct root certificate may already be installed through regular package updates; either way, you can confirm that the correct certificates are installed using OpenSSL and cURL.
Please note that the certificate installation shown below is used as an example only. Please refer to this article for information on our current live root certificate.
Checking Certificates
You can check whether the correct root certificate is installed by querying our platform with the following cURL command: curl --verbose https://live.cardeasexml.com/ultradns.php. If the connection succeeds and the server certificate verifies against a root in the store cURL reports after CAfile/CApath, you will see output like the example below; the line to look for is * SSL certificate verify ok. If verification fails, cURL prints an error in place of that line, does not send the request, and exits with status 60. Note that a successful check only proves the root is present in the store cURL uses; an application with its own store (for example Mono, covered under Importing Missing Certificates) must be checked separately.
curl --verbose https://live.cardeasexml.com/ultradns.php
* Trying xx.xx.xx.xx...
* TCP_NODELAY set
* Connected to live.cardeasexml.com (xx.xx.xx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=GB; L=Bristol; O=Creditcall Ltd; OU=Infrastructure; CN=live.cardeasexml.com
* start date: Aug 15 00:00:00 2018 GMT
* expire date: Aug 14 12:00:00 2020 GMT
* subjectAltName: host "live.cardeasexml.com" matched cert's "live.cardeasexml.com"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=Thawte TLS RSA CA G1
* SSL certificate verify ok.
> GET /ultradns.php HTTP/1.1
> Host: live.cardeasexml.com
> User-Agent: curl/7.61.0
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Content-Type: text/html
< Cache-Control: no-cache, no-store, must-revalidate
< Pragma: no-cache
< Expires: 0
< Connection: close
< Content-Length: 7
<
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
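The cURL check above only reports pass or fail against whatever store cURL happens to use. The following shell functions are an added example, not part of the original article, that save the chain the server presents and re-check it offline against one named root file with openssl verify, which performs the same chain-building check that sits behind cURL's "SSL certificate verify ok." line. That lets you confirm a candidate root file is the right one before installing it. The host name and file names are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original article): capture a server's
# certificate chain and verify it offline against a single candidate root.
# Host names and file paths are placeholders.

# Save every certificate the server sends (leaf first) to $2 in PEM form.
# This is the only function here that needs network access.
fetch_chain() {
    host=$1; out=$2
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null |
        awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
             p { print }
             /-----END CERTIFICATE-----/ { p = 0 }' > "$out"
}

# Verify the leaf in chain file $1 against the single trusted root $2.
# Intermediates found in the chain are passed as untrusted, exactly as a
# TLS client treats them. Optional $3 is a host name to match against the
# leaf's subjectAltName. Returns 0 if the chain verifies, 1 otherwise.
# -no-CApath (OpenSSL 1.1.0 or newer) stops openssl from also consulting
# the system directory, which would otherwise mask a wrong root file.
verify_chain() {
    chain=$1; root=$2; host=${3:-}
    leaf=$(mktemp); inter=$(mktemp)
    # First PEM block is the leaf, everything after it is an intermediate.
    awk -v leaf="$leaf" -v inter="$inter" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > leaf }
        n > 1  { print > inter }' "$chain"
    set -- -no-CApath -CAfile "$root"
    [ -s "$inter" ] && set -- "$@" -untrusted "$inter"
    [ -n "$host" ] && set -- "$@" -verify_hostname "$host"
    if openssl verify "$@" "$leaf" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$leaf" "$inter"
    return $rc
}

# Typical use: fetch once, then try the root you intend to install.
#   fetch_chain live.cardeasexml.com chain.pem
#   verify_chain chain.pem DigiCertGlobalRootG2.pem live.cardeasexml.com \
#       && echo "chain verifies against this root"
```

verify_chain deliberately fails when the chain file holds only the leaf and the server's intermediate is missing; that is the same situation in which cURL would refuse the connection, so a verifying result here means the root alone is enough for clients on this host.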
Certificate Serial Number & Fingerprint
It is important to check the serial number and fingerprint of each certificate against the values published by the issuing CA before installation, so that you install the genuine root rather than a file that was substituted on the way to you. You can print both with OpenSSL by running the following command, which returns the serial number and SHA-1 fingerprint: openssl x509 -noout -serial -fingerprint -sha1 -inform der -in RootCertificateHere.crt
Use -inform pem instead if the file is PEM encoded (it begins with -----BEGIN CERTIFICATE-----), and -sha256 in place of -sha1 if the CA publishes a SHA-256 fingerprint.
Below is an example run against the DigiCert Global Root G2 certificate file:
$ openssl x509 -noout -serial -fingerprint -sha1 -inform der -in DigiCertGlobalRootG2.crt
serial=033AF1E6A711A9A0BB2864B11D09FAE5
SHA1 Fingerprint=DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4
Importing Missing Certificates
The procedure for importing certificates varies per Linux distribution; instructions for the distributions most commonly used by our partners are included below.
Debian
To install your own root certificate on Debian, copy or move the root certificate, in PEM format and with a .crt file extension, into the following directory: /usr/local/share/ca-certificates (update-ca-certificates only picks up .crt files from this directory).
After you have copied the certificate to the correct directory you will need to refresh the installed certificates and hashes. You can perform this with the following command: sudo update-ca-certificates
The command reports how many certificates were added or removed; an up-to-date installation may report none, because the root certificate is already present. More recent Mono installations hook into update-ca-certificates and also sync the Mono certificate store. If this is not the case, you will need to update the Mono certificate store by running the following command: cert-sync /etc/ssl/certs/ca-certificates.crt
Red Hat / CentOS
The installation of a root certificate on Red Hat or CentOS depends on the release and age of the distribution. We'll be focusing on CentOS 6 in this guide; on CentOS 7 and later the shared system trust store described below is enabled by default, so only the copy and extract steps are needed.
To manage and install certificates in CentOS 6 you'll need to install the ca-certificates package and enable the dynamic CA configuration feature by issuing the command (as root): update-ca-trust force-enable
To install your own root certificate on Red Hat or CentOS, copy or move the root certificate (PEM or DER) into the following directory: /etc/pki/ca-trust/source/anchors/
After you have copied the certificate to the correct directory you will need to refresh the installed certificates and hashes. You can perform this with the following command (as root): update-ca-trust extract
Once this has been performed, you will need to update the Mono certificate store by running the following command: cert-sync /etc/pki/tls/certs/ca-bundle.crt
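The fingerprint check and the two installation procedures above belong together: the fingerprint is what tells you the file is safe to install. The following shell functions are an added example, not part of the original article, that tie them into one script: they normalise a DER or PEM file to PEM, print its serial and fingerprint, and refuse to install it unless the SHA-1 fingerprint matches the value you supply, then pick the Debian or Red Hat directory and command and sync Mono's store if cert-sync is present. The file and anchor names are placeholders; the fingerprint in the usage comment is the DigiCert Global Root G2 value printed earlier in this article.

```shell
#!/bin/sh
# Added example (not part of the original article): verify a root
# certificate's fingerprint and install it into the distribution's store.
# File names and the anchor name are placeholders.

# Normalise $1 (DER or PEM) to a PEM file at $2. update-ca-certificates
# on Debian only accepts PEM, so convert up front rather than guess -inform.
to_pem() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        openssl x509 -inform pem -in "$1" -out "$2"
    else
        openssl x509 -inform der -in "$1" -out "$2"
    fi
}

# Print the serial number of PEM certificate $1 without the "serial=" prefix.
cert_serial() {
    openssl x509 -noout -serial -in "$1" | cut -d= -f2
}

# Print the colon-separated $2 (sha1 or sha256) fingerprint of PEM cert $1.
# Only the value is printed because OpenSSL 1.x and 3.x label it differently.
cert_fingerprint() {
    openssl x509 -noout -fingerprint "-$2" -in "$1" | cut -d= -f2
}

# Return 0 if the SHA-1 fingerprint of PEM cert $1 equals $2 (any case).
fingerprint_matches() {
    [ "$(cert_fingerprint "$1" sha1 | tr 'a-f' 'A-F')" = \
      "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# Install root cert $1 (DER or PEM) under anchor name $2 on Debian or
# Red Hat/CentOS, but only if its SHA-1 fingerprint equals $3. Afterwards
# sync Mono's own store when cert-sync exists. Must run as root.
install_root() {
    src=$1; name=$2; expected=$3
    pem=$(mktemp)
    to_pem "$src" "$pem" || { rm -f "$pem"; return 1; }
    if ! fingerprint_matches "$pem" "$expected"; then
        echo "refusing to install $src: fingerprint" \
             "$(cert_fingerprint "$pem" sha1) does not match $expected" >&2
        rm -f "$pem"; return 1
    fi
    if [ -f /etc/debian_version ]; then
        # Debian: PEM with a .crt extension, then rebuild the bundle.
        install -m 0644 "$pem" "/usr/local/share/ca-certificates/$name.crt"
        update-ca-certificates
        bundle=/etc/ssl/certs/ca-certificates.crt
    elif [ -f /etc/redhat-release ]; then
        # Red Hat/CentOS: anchors directory, then extract the bundle.
        install -m 0644 "$pem" "/etc/pki/ca-trust/source/anchors/$name.crt"
        update-ca-trust extract
        bundle=/etc/pki/tls/certs/ca-bundle.crt
    else
        echo "unsupported distribution" >&2; rm -f "$pem"; return 1
    fi
    rm -f "$pem"
    # Older Mono releases keep a separate store that needs an explicit sync.
    command -v cert-sync >/dev/null 2>&1 && cert-sync "$bundle"
    return 0
}

# Usage, with the DigiCert Global Root G2 fingerprint from the article:
#   install_root DigiCertGlobalRootG2.crt DigiCertGlobalRootG2 \
#       DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4
```

Because install_root checks the fingerprint before touching either trust store, a wrong or tampered file fails closed with a message naming both fingerprints, which is easier to diagnose than an application that simply starts trusting the wrong root.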