SSL 與 CA

SSL 的全名是 Secure Sockets Layer,即安全通訊端層,簡而言之,這是一種標準的技術,用於保持網際網路連線安全以及防止在兩個系統之間發送的所有敏感資料被罪犯讀取及修改任何傳輸的資訊,包括潛在的個人詳細資料。兩個系統可以是伺服器與用戶端 (例如購物網站與瀏覽器),或者伺服器至伺服器 (例如,含有個人身份資訊或含有薪資資訊的應用程式)。 憑證伺服器 - Certificate Authority (CA),這個伺服器可以用來建立SSL加密連線所需的 Server 及 Root 憑證檔。 對於商用型網站的加密連線,通常會使用 Verisign 或其他第三方認證機構,來簽署需要的憑證檔,但這些需要定期付費,如果不想付費給這些機構做簽署,可以自己架設伺服器來建立及發行所需的憑證檔。 CA 可以使用 Linux 或 Windows 來架設,此篇將以 Linux 為案例,Windows 用戶可以安裝 Windows 元件:Certificate Service。

Links to Tutorials

Let's Encrypt
Test SSL - 這些工具可以檢測 SSL 網站的所有資訊
Monitoring SSL
SSL Certificates

SSL 常用技巧

Check TLS/SSL certificate expiration date

from a website)

DOM="www.cloudcoin.global" 
PORT="443" 
## note echo added ## 
echo | openssl s_client -servername $DOM -connect $DOM:$PORT \
| openssl x509 -noout -dates

output

depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
verify return:1
depth=0 C = US, ST = CA, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudcoin.global
verify return:1
DONE
notBefore=Jun  5 00:00:00 2020 GMT
notAfter=Jun  5 12:00:00 2021 GMT

from a PEM encoded certificate file)

openssl x509 -enddate -noout -in /etc/nginx/ssl/www.cyberciti.biz.fullchain.cer

output

notAfter=Dec 29 23:48:42 2020 GMT

Shell script to alert sysadmin

#!/bin/bash
# Purpose: Alert sysadmin/developer about the TLS/SSL cert expiry date in advance
# Author: Vivek Gite {https://www.cyberciti.biz/} under GPL v2.x+
# -------------------------------------------------------------------------------
PEM="/etc/nginx/ssl/letsencrypt/cyberciti.biz/cyberciti.biz.fullchain.cer"
 
# 7 days in seconds 
DAYS="604800" 
 
# Email settings 
_sub="$PEM will expire within $DAYS (7 days)."
_from="system-account@your-dommain"
_to="sysadmin@your-domain"
_openssl="/usr/bin/openssl"
$_openssl x509 -enddate -noout -in "$PEM"  -checkend "$DAYS" | grep -q 'Certificate will expire'
 
# Send email and push message to my mobile
if [ $? -eq 0 ]
then
	echo "${_sub}"
        mail -s "$_sub" -r "$_from" "$_to" <<< "Warning: The TLS/SSL certificate ($PEM) will expire soon on $HOSTNAME [$(date)]"
        # See https://www.cyberciti.biz/mobile-devices/android/how-to-push-send-message-to-ios-and-android-from-linux-cli/ #
        source ~/bin/cli_app.sh
        push_to_mobile "$0" "$_sub. See $_to email for detailed log. -- $HOSTNAME " >/dev/null
fi