GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → trimstray → Mkchain

trimstray / Mkchain

Licence: gpl-3.0
Open source tool to help you build a valid SSL certificate chain.

Programming Languages

shell
77523 projects

Labels

opensslcertificatesssl-certificateschain

Projects that are alternatives of or similar to Mkchain

jota-cert-checker
Check SSL certificate expiration date of a list of sites.
Stars: ✭ 45 (-85.34%)
Mutual labels:  openssl, certificates, ssl-certificates
Getaltname
Extract subdomains from SSL certificates in HTTPS sites.
Stars: ✭ 320 (+4.23%)
Mutual labels:  certificates, ssl-certificates
Ssl Proxy
🔒 Simple zero-config SSL reverse proxy with real autogenerated certificates (LetsEncrypt, self-signed, provided)
Stars: ✭ 427 (+39.09%)
Mutual labels:  certificates, ssl-certificates
Letscertbot
Let's Certbot is a tool builds automated scripts base on Certbot for obtaining, renewing, deploying SSL certificates.
Stars: ✭ 84 (-72.64%)
Mutual labels:  certificates, ssl-certificates
keymaster
Short term certificate based identity system (ssh/x509 ca + openidc)
Stars: ✭ 59 (-80.78%)
Mutual labels:  certificates, ssl-certificates
httpsbook
《深入浅出HTTPS:从原理到实战》代码示例、勘误、反馈、讨论
Stars: ✭ 77 (-74.92%)
Mutual labels:  openssl, certificates
Certify
SSL Certificate Manager UI for Windows, powered by Let's Encrypt. Download from certifytheweb.com
Stars: ✭ 1,075 (+250.16%)
Mutual labels:  certificates, ssl-certificates
Ssl Checker
Python script that collects SSL/TLS information from hosts
Stars: ✭ 94 (-69.38%)
Mutual labels:  openssl, ssl-certificates
sscg
Simple Signed Certificate Generator
Stars: ✭ 57 (-81.43%)
Mutual labels:  openssl, certificates
Openssl Osx Ca
Simple periodic task to sync OSX Keychain certs to Homebrew installed OpenSSL & LibreSSL
Stars: ✭ 185 (-39.74%)
Mutual labels:  openssl, certificates
learn-ssl
A set of example programs that demonstrate various OpenSSL functions and enable "learning by doing".
Stars: ✭ 15 (-95.11%)
Mutual labels:  openssl, certificates
acmed
ACME (RFC 8555) client daemon
Stars: ✭ 121 (-60.59%)
Mutual labels:  certificates, ssl-certificates
LBDuoDian
No description or website provided.
Stars: ✭ 21 (-93.16%)
Mutual labels:  ssl-certificates
gke-managed-certificates-demo
GKE ingress with GCP managed certificates
Stars: ✭ 21 (-93.16%)
Mutual labels:  ssl-certificates
qsslcaudit
test SSL/TLS clients how secure they are
Stars: ✭ 22 (-92.83%)
Mutual labels:  openssl
Revssl
A script that automates generation of OpenSSL reverse shells
Stars: ✭ 284 (-7.49%)
Mutual labels:  openssl
letsencrypt-to-vault
Renew or get Let's Encrypt certificates and send it to Hashicorp Vault
Stars: ✭ 84 (-72.64%)
Mutual labels:  certificates
openssl-RPM-Builder
Build latest OpenSSL binary
Stars: ✭ 46 (-85.02%)
Mutual labels:  openssl
cve-2021-3449
CVE-2021-3449 OpenSSL denial-of-service exploit 👨🏻‍💻
Stars: ✭ 220 (-28.34%)
Mutual labels:  openssl
spring-boot-rest-clientcertificates-docker-compose
Example project showing how to access REST endpoints from multiple servers that are secured by different client certificates, using Spring´s RestTemplate & Docker Compose
Stars: ✭ 19 (-93.81%)
Mutual labels:  ssl-certificates
View All Similar Projects ➔

mkchain

Open source tool to help you build a valid SSL certificate chain.

Travis-CI Version License

DescriptionHow To UseParametersHow it worksRequirementsOtherLicense

Created by trimstray and contributors

Master

Description

Is an open source tool to help you build a valid SSL certificate chain. Also can help you fix the incomplete chain and download all missing CA certificates. You can also download all certificates from remote server and get your certificate chain right.

How To Use

It's simple:

# Clone this repository
git clone https://github.com/trimstray/mkchain

# Go into the repository
cd mkchain

# Install
./setup.sh install

# Run the app
mkchain -i /data/certs -o /data/chain.crt
  • symlink to bin/mkchain is placed in /usr/local/bin
  • man page is placed in /usr/local/man/man8

Parameters

Provides the following options:

  Usage:
    mkchain <option|long-option>

  Examples:
    mkchain --in Root.crt --in Intermediate1.crt --in Server.crt --out bundle_chain_certs.crt
    mkchain --in /tmp/certs --out bundle_chain_certs.crt --with-root
    mkchain -i Server.crt -o bundle_chain_certs.crt
    mkchain -i https://incomplete-chain.badssl.com/ --with-root

  Options:
        --help        show this message
        --debug       displays information on the screen (debug mode)
    -i, --in          add certificates to merge (file, multiple files, directory with ssl certificates
                      or remote domain)
    -o, --out         saves the result (chain) to a file
        --with-root   add root certificate to certificates chain

-o|--out - without this param mkchain save output chain to mkchain/chains/ directory.

How It Works

Before read it, please see article about SSL Certificate Chain.

Let's start with ssllabs certificate chain. They are delivered together with the mkchain and can be found in the example/ssllabs.com directory which additionally contains the all directory (containing all the certificates needed to assemble the chain) and the server_certificate directory (containing only the server certificate).

The correct chain for the ssllabs.com domain (the result of the openssl command):

Certificate chain
 0 s:/C=US/ST=California/L=Redwood City/O=Qualys, Inc./CN=ssllabs.com
   i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
 1 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
   i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
 2 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority

The above code presents a full chain consisting of:

  • Identity Certificate (Server Certificate)

    issued for ssllabs.com by Entrust Certification Authority - L1K

  • Intermediate Certificate

    issued for Entrust Certification Authority - L1K by Entrust Root Certification Authority - G2

  • Intermediate Certificate

    issued for Entrust Root Certification Authority - G2 by Entrust Root Certification Authority

  • Root Certificate (Self-Signed Certificate)

    issued for Entrust Root Certification Authority by Entrust Root Certification Authority

Scenario 1

In this scenario, we will chain all delivered certificates. Example of running the tool:

Master

Scenario 2

In this scenario, we only use the server certificate and use it to retrieve the remaining required certificates. Then, as above, we will combine all the provided certificates. Example of running the tool:

Master

Certificate Chain

In order to create a valid chain, you must provide the tool with all the necessary certificates (if you set directory for -i|--in param). It will be:

  • Server Certificate
  • Intermediate CAs and Root CAs

This is very important because without it you will not be able to determine the beginning and end of the chain.

If you set only certificate file as a -i|--in value, mkchain automatically download all necessary certificates.

However, if you look inside the generated chain after generating with mkchain, you will not find the root certificate there.

Why? Because self-signed root certificates need not/should not be included in web server configuration. They serve no purpose (clients will always ignore them) and they incur a slight performance (latency) penalty because they increase the size of the SSL handshake.

If you want to add a root certificate to the certificate chain, call the utility with the --with-root parameter.

Certification Paths

mkchain allows use of two certification paths:

Master

Output comments

When generating the chain of certificates, mkchain displays comments with information about certificates, including any errors.

Here is a list of all possibilities:

not found identity (end-user, server) certificate

The message is displayed in the absence of a server certificate that is the beginning of the chain. This is a unique case because in this situation the mkchain ends its operation displaying only this information. The server certificate is the only certificate required to correctly create a chain. Without this certificate, the correct chain will not be created.

found correct identity (end-user, server) certificate

The reverse situation here - message displayed when a valid server certificate is found.

not found first intermediate certificate

This message appears when the first of the two intermediate certificates is not found. This information does not explicitly specify the absence of a second intermediate certificate and on the other hand it allows to determine whether the intermediate certificate to which the server certificate was signed exists. Additionally, it can be displayed if the second intermediate certificate has been delivered.

not found second intermediate certificate

Similar to the above, however, it concerns the second intermediate certificate. However, it is possible to create the chain correctly using the second certification path, e.g. using the first intermediate certificate and replacing the second with the main certificate.

one or more intermediate certificate not found

This message means that one or all of the required intermediate certificates are missing and displayed in the absence of the root certificate.

found 'n' correct intermediate certificate(s)

This message indicates the number of valid intermediate certificates.

not found correct root certificate

The lack of the root certificate is treated as a warning. Of course, when configuring certificates on the server side, it is not recommended to attach a root certificate, but if you create it with the mkchain, it treats the chain as incomplete displaying information about the incorrect creation of the chain.

an empty CN field was found in one of the certificates

This message does not inform about the error and about the lack of the CN field what can happen with some certificates (look at example/google.com). Common Name field identifies the host name associated with the certificate. There is no requirement in RFC3280 for an Issuer DN to have a CN. Most CAs do include a CN in the Issuer DN, but some don't, such as this Equifax CA.

Requirements

mkchain uses external utilities to be installed before running:

This tool working with:

  • GNU/Linux (testing on Debian and CentOS)
  • Bash (testing on 4.4.19)

MacOS/FreeBSD:

  • replace for getopt(1) that supports GNU-style long options (pkg install getopt)
  • also work on MacOS with greadlink from coreutils (installed via homebrew)

Other

Contributing

See this.

Project architecture

See this.

License

GPLv3 : http://www.gnu.org/licenses/

Free software, Yeah!

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].