Questions tagged [ssl-certificate]

SSL certificates are used to encrypt and authenticate connections to network servers, most popularly for web servers but also email, file transfers, and other network connections.

420 votes
15 answers

Displaying a remote SSL certificate details using CLI tools

In Chrome, clicking on the green HTTPS lock icon opens a window with the certificate details: When I tried the same with cURL, I got only some of the information: $ curl -vvI * ...
Adam Matan
  • 13.4k
273 votes
6 answers

how to download the ssl certificate from a website?

I want to download the ssl certificate from, say, using wget or any other commands. Any unix command line? wget or openssl?
RainDoctor
  • 4,462
238 votes
7 answers

How do I view the details of a digital certificate .cer file?

I am using Windows and have been given a .cer file. How can I view the details of it?
  • 7,363
197 votes
6 answers

How do I convert a .cer certificate to .pem?

I have a .cer certificate and I would like to convert it to the .pem format. If I remember correctly, I used to be able to convert them by exporting the .cer in Base64, then renaming the file to .pem ...
systempuntoout
196 votes
14 answers

How to view all ssl certificates in a bundle?

I have a certificate bundle .crt file. Doing openssl x509 -in bundle.crt -text -noout only shows the root certificate. How do I see all the other certificates?
pdeva
  • 2,457
189 votes
6 answers

SSL Certificate Location on UNIX/Linux

Is there any standard or convention for where SSL certificates and associated private keys should go on the UNIX/Linux filesystem?
John Topley
  • 2,195
148 votes
8 answers

Is there a reason to use an SSL certificate other than Let's Encrypt's free SSL?

Let's Encrypt are providing free SSL certificates. Are there any downsides compared to other, paid certificates e.g. AWS Certificate Manager?
ripper234
  • 5,970
104 votes
5 answers

Should a wildcard SSL certificate secure both the root domain as well as the sub-domains?

I ask this question, because Comodo are telling me that a wildcard certificate for * will also secure the root domain So with a single certificate, both and ...
josswinn
  • 1,155
103 votes
3 answers

What is .crt and .key files and how to generate them?

I've the following configuration: SSLEngine on SSLCertificateFile /etc/httpd/conf/ SSLCertificateKeyFile /etc/httpd/conf/ SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:...
Mohammad Ali Akbari
94 votes
4 answers

Does each subdomain need its own SSL certificate?

I am creating a websocket server which will live on ws.mysite.example. I want the web socket server to be SSL encrypted as well as domain.example to be SSL encrypted. Do I need to purchase a new ...
user974407
  • 1,091
81 votes
5 answers

Best location to keep SSL certificates and private keys on Ubuntu servers?

On Ubuntu, it looks like the best place for a private key used to sign a certificate (for use by nginx) is in /etc/ssl/private/ This answer adds that the certificate should go in /etc/ssl/certs/ but ...
Adam Nelson
  • 1,677
79 votes
10 answers

How to avoid lftp Certificate verification error?

I'm trying to get my Pelican blog working. It uses lftp to transfer the actual blog to one's server, but I always get an error: mirror: Fatal error: Certificate verification: subjectAltName does not ...
patrick
  • 892
78 votes
6 answers

Generating a self-signed cert with openssl that works in Chrome 58

As of Chrome 58 it no longer accepts self-signed certs that rely on Common Name:!topic/chrome/zVo3M8CgKzQ;context-place=topicsearchin/chrome/category$3ACanary%...
bcardarella
  • 1,737
73 votes
6 answers

Why are CA root certificates all SHA-1 signed (since SHA-1 is deprecated)?

I understand that SSL certs cannot be signed using SHA-1 anymore. Yet, all CA root certificates are SHA-1 signed (mostly). Does it mean the same algorithm that is no longer trusted for "you grandma ...
131
  • 887
72 votes
2 answers

Must CSRs be generated on the server that will host the SSL certificate?

Is it necessary to generate the CSR (Certificate Signing Request) on the same machine that will host my web application and SSL certificate? This page on SSL Shopper says so, but I'm not sure if that'...
Mike M. Lin
71 votes
2 answers

How to combine various certificates into single .pem

I've just finished reading over this great thread explaining the different SSL formats. Now I'm essentially looking for the opposite of How to split a PEM file There's 4 files I want to consolidate, ...
quickshiftin
  • 2,145
65 votes
4 answers

How to decide where to purchase a wildcard SSL certificate?

Recently I needed to purchase a wildcard SSL certificate (because I need to secure a number of subdomains), and when I first searched for where to buy one I was overwhelmed with the number of choices, ...
user664833
  • 1,277
61 votes
11 answers

Why do I need to purchase an SSL certificate when I can generate one locally?

I am having trouble understanding why we need to purchase SSL certificates when we can generate them locally using openSSL. What is the difference between the certificate I purchase and a test ...
S-K'
  • 1,311
60 votes
4 answers

Download SSL certificate from aws certificate manager

I am using aws certificate manager for managing SSL. Recently I purchased a wildcard ssl * Now I need that SSL certificate to deploy on enterprise git instance on aws. How can I ...
Shailesh Sutar
58 votes
8 answers

Apache: SSLCertificateKeyFile: file does not exist or is empty

I am configuring SSL for Apache 2. My system is Ubuntu Server 10.04 LTS. I have the following settings related to SSL in my vhost configuration: SSLEngine On SSLCertificateKeyFile /etc/ssl/private/...
blueFast
  • 4,260
56 votes
8 answers

How to remove Private Key Password from pkcs12 container?

I extracted certificate using Chrome's SSL/export command. Then provided it as input to openvpn - in the config for openvpn: pkcs12 "path/to/pkcs12_container" When calling openvpn ~/openvp_config it ...
Ayrat
  • 663
56 votes
6 answers

Can an SSL certificate be on a single line in a file (no line breaks)?

SSL certificates by default have line breaks after 67 characters. I'm trying to create SSL certificate files using Chef. Essentially I want to create the entire certificate file from a string variable ...
wrangler
  • 3,130
54 votes
11 answers

IIS7: can't set host name on site with SSL cert and port 443

Consider a Win 2008 SP2 machine with IIS7. The task is to apply a certificate and host name to the one and only Site on this machine. The site's host headers need to be The first ...
p.campbell
  • 4,407
52 votes
16 answers

SSL Error - unable to read server certificate from file

I've been setting up SSL for my domain today, and have struck another issue - I was hoping someone could shed some light on.. I keep receiving the following error messages: [error] Init: Unable to ...
williamsowen
  • 1,167
51 votes
5 answers

Failed tls handshake. Does not contain any IP SANs

I'm trying to set up logstash forwarder, but I have issues with making a proper secure channel. Trying to configure this with two ubuntu (server 14.04) machines running in virtualbox. They are 100% ...
connery
  • 545
50 votes
3 answers

stop apache from asking for SSL password each restart [duplicate]

Using instructions from this site but varying them just a little I created a CA using -newca, I copied cacert.pem to my comp and imported as trusted issuer in IE. I then did -newreq and -sign (note: I ...
49 votes
7 answers

Default CA Cert Bundle Location

I need to add a .pem cert file to my default CA cert bundle but I don't know where the default CA Cert bundle is kept. I need to append my new .pem file to this default bundle. I'd rather do that ...
Slinky
  • 1,027
44 votes
2 answers

Can not get rid of `net::ERR_CERT_COMMON_NAME_INVALID` error in chrome with self-signed certificates

There are numerous questions on the web where people are having difficulty setting up self signed certificates for use on internal network. Just to link a few: Getting Chrome to accept self-signed ...
Ashesh
  • 545
43 votes
6 answers

View the SSL certificate of a page that immediately redirects to another

So I've googled quite a bit for this but it appears that my google-fu fails me - apologies if this is a trivial and already answered question, I could not find anything about this I'm trying to ...
Robert Petz
41 votes
2 answers

Error code: ssl_error_rx_record_too_long

I have nginx with the following setup: server { listen 80; server_name; root /home/site/public_html; listen 443; #...
Tiffany Walker
39 votes
2 answers

nginx permission denied to certificate files for ssl configuration

I'm installing an nginx ssl proxy on my Fedora server. I've created a cert and key pair under /etc/nginx. They look like this: ls -l /etc/nginx/ total 84 ... -rw-r--r--. 1 root root 1346 Sep 20 12:...
numb3rs1x
  • 523
37 votes
3 answers

Moving servers and IPs will change. Do SSL certificates need to be re-issued and installed?

We are moving servers to another facility with different block of IP addresses. Will we need to get new SSL certificates issued and installed once the move has taken place? If so, is there any way to ...
dmr83457
  • 747
36 votes
4 answers

How to make Firefox trust system CA certificates?

Our network admin recently enabled HTTPS inspection on our firewall/router. For IE users this is fine because the certs have all been distributed via Active Directory for domain-joined machines. ...
Wes Sayeed
  • 1,922
35 votes
2 answers

Save Remote SSL Certificate via Linux Command Line

Can you think of any linux command-line method for saving the certificate presented by a HTTPS server? Something along the lines of having curl/wget/openssl make a SSL connection and save the cert ...
35 votes
4 answers

Is the alert “SSL3_READ_BYTES:sslv3 alert bad certificate” indicating that the SSL failed

While running the below command openssl s_client -host -port 9093 I get the following error: 139810559764296:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt....
kris433
  • 453
35 votes
2 answers

Details on exact expiration datetime of an SSL certificate?

Let's say we have an SSL certificate for a site. According to a web browser, the certificate expires tomorrow, Dec 10 2011. OK, but that glosses over time zones. When will it expire, exactly? 00:00 ...
Greg Hendershott
35 votes
2 answers

Can I build my own Extended Validation SSL certificate?

I can create my own CA and generate a self signed SSL certificate this way. But what does it take to make the browser show the certificate as being an "Extended Validation SSL certificate"? Can I ...
Niels Basjes
  • 2,196
34 votes
4 answers

How to generate .key and .crt file from JKS file for httpd apache server

I have the mycert.jks file only. Now I need to extract and generate .key and .crt file and use it in apache httpd server. SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt ...
Sohan
  • 759
34 votes
1 answer

Certificate does not have a name

I've installed an SSL certificate in IIS, however the 'Name' column is showing as blank even though I entered a friendly name. Is there any way to fix this?
Jonathan
  • 1,309
34 votes
1 answer

Trusting an untrustworthy CA - Can I restrict how system trusts it?

(Posted to ServerFault instead of StackOverflow because I feel it concerns OS configuration more than programming code). I'm currently responsible for maintaining a system which connects to a third-...
Dai
  • 2,290
33 votes
4 answers

How do I know if *.pem is password protected using ssh-keygen?

I have got a file myfile-privkey.pem. How do I check if the private key file is password protected using ssh-keygen?
Wojtek
  • 465
33 votes
2 answers

How can I work around problems with certificate configuration in Remote Desktop Services?

I am setting up a Remote Desktop Services farm, and am having trouble configuring certificates for it to use. A demonstration of the problem I'm seeing can be found in Step #4. At this point I am ...
Michael Steele
32 votes
7 answers

Redirect non-www to www over SSL with Nginx

I'm having an error when trying to redirect to When I go to, it doesn't redirect and returns the page/200 status. I don't want this, ...
Thomas V.
  • 2,101
30 votes
1 answer

openssl keeps giving me "unknown option" errors

I'm trying to create an SSL cert for the first time. I have no idea how this works and am simply following some instructions provided to me. first command works fine: openssl genrsa -des3 -out ...
PetroleumJelliffe
29 votes
3 answers

Do I need a separate SSL certificate for a DNS redirect?

I am implementing a multi-tenant application where my application hosts and serves technical documentation for a tenant's product. Now, the approach that I was considering was - I host the ...
codematix
  • 401
29 votes
5 answers

Is a Self Signed SSL Certificate a False Sense of Security?

Is a Self Signed SSL certificate a false sense of security? If you are being eavesdropped, the user will simply accept the certificate like he/she always does.
Andre
  • 1,351
29 votes
1 answer

What does "tlsv1 alert unknown ca" mean?

I am trying to do a curl request using a client certificate like so: curl -E my.pem And I get the following error message: curl: (35) error:14094418:SSL routines:SSL3_READ_BYTES:...
grasevski
  • 401
28 votes
2 answers

Can't upload certificate to AWS

I'm doing: aws iam upload-server-certificate --server-certificate-name MysiteCertificate --certificate-body Downloads/mysite/mysite.crt --private-key mysite.pem --certificate-chain Downloads/mysite/...
Shamoon
  • 911
28 votes
2 answers

How does one install a custom CA certificate on CentOS?

I'm trying to install a certificate for my internal certificate server on a series of CentOS systems, and I'm finding the documentation on this to be almost non existent. My end goal is to be able to ...
Mikey T.K.
  • 1,417
28 votes
2 answers

Curl: unable to get local issuer certificate. How to debug?

I’ve got an odd problem. Updated my LAMP dev machine (Debian) to PHP 7. Afterwards I cannot connect to a specific TLS encrypted API via Curl anymore. The SSL cert in question is signed by thawte. ...
Rob
  • 383

