Saturday 29 August 2020

Sslmerge - Tool To Help You Build A Valid SSL Certificate Chain From The Root Certificate To The End-User Certificate

Posted on 09:38 by Mordiadi


Is an open source tool to help you build a valid SSL certificate chain from the root certificate to the end-user certificate. Also can help you fix the incomplete certificate chain and download all missing CA certificates.

How To Use
It's simple:
# Clone this repository
git clone https://github.com/trimstray/sslmerge

# Go into the repository
cd sslmerge

# Install
./setup.sh install

# Run the app
sslmerge -i /data/certs -o /data/certs/chain.crt
  • symlink to bin/sslmerge is placed in /usr/local/bin
  • man page is placed in /usr/local/man/man8

Parameters
Provides the following options:
  Usage:
    sslmerge <option|long-option>

  Examples:
    sslmerge --in Root.crt --in Intermediate1.crt --in Server.crt --out bundle_chain_certs.crt
    sslmerge --in /tmp/certs --out bundle_chain_certs.crt --with-root
    sslmerge -i Server.crt -o bundle_chain_certs.crt

  Options:
        --help        show this message
        --debug       displays information on the screen (debug mode)
    -i, --in          add certificates to merge (certificate file, multiple files or directory with ssl certificates)
    -o, --out         saves the result (chain) to file
        --with-root   add root certificate to the certificate chain

How it works
Let's start with ssllabs certificate chain. They are delivered together with the sslmerge and can be found in the example/ssllabs.com directory which additionally contains the all directory (containing all the certificates needed to assemble the chain) and the server_certificate directory (containing only the server certificate).
The correct chain for the ssllabs.com domain (the result of the openssl command):
Certificate chain
 0 s:/C=US/ST=California/L=Redwood City/O=Qualys, Inc./CN=ssllabs.com
   i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
 1 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
   i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
 2 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
The above code presents a full chain consisting of:
  • Identity Certificate (Server Certificate)
    issued for ssllabs.com by Entrust Certification Authority - L1K
  • Intermediate Certificate
    issued for Entrust Certification Authority - L1K by Entrust Root Certification Authority - G2
  • Intermediate Certificate
    issued for Entrust Root Certification Authority - G2 by Entrust Root Certification Authority
  • Root Certificate (Self-Signed Certificate)
    issued for Entrust Root Certification Authority by Entrust Root Certification Authority

Scenario 1
In this scenario, we will chain all delivered certificates. Example of running the tool:

Scenario 2
In this scenario, we only use the server certificate and use it to retrieve the remaining required certificates. Then, as above, we will combine all the provided certificates. Example of running the tool:

Certificate chain
In order to create a valid chain, you must provide the tool with all the necessary certificates. It will be:
  • Server Certificate
  • Intermediate CAs and Root CAs
This is very important because without it you will not be able to determine the beginning and end of the chain.
However, if you look inside the generated chain after generating with sslmerge, you will not find the root certificate there. Why?
Because self-signed root certificates need not/should not be included in web server configuration. They serve no purpose (clients will always ignore them) and they incur a slight performance (latency) penalty because they increase the size of the SSL handshake.
If you want to add a root certificate to the certificate chain, call the utility with the --with-root parameter.

Certification Paths
Sslmerge allows use of two certification paths:

Output comments
When generating the chain of certificates, sslmerge displays comments with information about certificates, including any errors.
Here is a list of all possibilities:

not found identity (end-user, server) certificate
The message is displayed in the absence of a server certificate that is the beginning of the chain. This is a unique case because in this situation the sslmerge ends its operation displaying only this information. The server certificate is the only certificate required to correctly create a chain. Without this certificate, the correct chain will not be created.

found correct identity (end-user, server) certificate
The reverse situation here - message displayed when a valid server certificate is found.

not found first intermediate certificate
This message appears when the first of the two intermediate certificates is not found. This information does not explicitly specify the absence of a second intermediate certificate and on the other hand it allows to determine whether the intermediate certificate to which the server certificate was signed exists. Additionally, it can be displayed if the second intermediate certificate has been delivered.

not found second intermediate certificate
Similar to the above, however, it concerns the second intermediate certificate. However, it is possible to create the chain correctly using the second certification path, e.g. using the first intermediate certificate and replacing the second with the main certificate.

one or more intermediate certificate not found
This message means that one or all of the required intermediate certificates are missing and displayed in the absence of the root certificate.

found 'n' correct intermediate certificate(s)
This message indicates the number of valid intermediate certificates.

not found correct root certificate
The lack of the root certificate is treated as a warning. Of course, when configuring certificates on the server side, it is not recommended to attach a root certificate, but if you create it with the sslmerge, it treats the chain as incomplete displaying information about the incorrect creation of the chain.

an empty CN field was found in one of the certificates
This message does not inform about the error and about the lack of the CN field what can happen with some certificates (look at example/google.com). Common Name field identifies the host name associated with the certificate. There is no requirement in RFC3280 for an Issuer DN to have a CN. Most CAs do include a CN in the Issuer DN, but some don't, such as this Equifax CA.

Requirements
Sslmerge uses external utilities to be installed before running:

Other

Contributing
See this.

Project architecture
See this.


Related articles


  1. Pentest Tools Website Vulnerability
  2. Bluetooth Hacking Tools Kali
  3. Hack Apps
  4. Hacker Tools List
  5. Hacker Tools Free Download
  6. Nsa Hack Tools
  7. Hacker Techniques Tools And Incident Handling
  8. Hacks And Tools
  9. Hack App
  10. Hack Tools For Ubuntu
  11. Pentest Tools Review
  12. Hacking Tools Mac
  13. Hacking Tools And Software
  14. Hacker Tools Software
  15. Hacking Tools For Mac
  16. Wifi Hacker Tools For Windows
  17. How To Hack
  18. Install Pentest Tools Ubuntu
  19. Hacker Tools Github
  20. Hacking Tools Online
  21. Hack App
  22. Hacking Tools Hardware
  23. Hacker Tools Linux
  24. Pentest Tools
  25. Hacker
  26. Wifi Hacker Tools For Windows
  27. Ethical Hacker Tools
  28. Hack Tools Mac
  29. Top Pentest Tools
  30. Pentest Tools Review
  31. Tools 4 Hack
  32. Pentest Tools Kali Linux
  33. Hacking Tools Online
  34. Pentest Tools Port Scanner
  35. Pentest Tools For Ubuntu
  36. How To Hack
  37. Hacker Tools Free
  38. Pentest Tools Website Vulnerability
  39. Pentest Tools Website Vulnerability
  40. Hack Apps
  41. Pentest Tools Url Fuzzer
  42. What Is Hacking Tools
  43. Github Hacking Tools
  44. Hacker Tools Online
  45. Hacker Tools For Mac
  46. Pentest Tools Online
  47. Pentest Tools Kali Linux
  48. Blackhat Hacker Tools
  49. Hacking Tools For Windows Free Download
  50. Pentest Tools Apk
  51. Hacker Tools Apk
  52. What Is Hacking Tools
  53. Hack Rom Tools
  54. Hacker Tools Linux
  55. Hacking Tools 2020
  56. Hacker
  57. Pentest Tools For Windows
  58. Hacker Tools Windows
  59. Hacking Tools Download
  60. Hack Tools Mac
  61. Hacking Tools For Games
  62. Hack Tools 2019
  63. Pentest Recon Tools
  64. Hacking Tools Mac
  65. Pentest Tools Review
  66. Hacker Search Tools
  67. Hackers Toolbox
  68. Hacker Tools For Ios
  69. Pentest Tools Tcp Port Scanner
  70. Pentest Tools Website Vulnerability
  71. Hacking Tools Usb
  72. Top Pentest Tools
  73. Hacker Tools 2019
  74. New Hacker Tools
  75. Github Hacking Tools
  76. Hacking Tools Hardware
  77. Hackers Toolbox
  78. Beginner Hacker Tools
  79. Hacker Tools 2019
  80. Pentest Tools Kali Linux
  81. Pentest Tools Review
  82. Underground Hacker Sites
  83. Pentest Tools For Ubuntu
  84. Hacking Tools Windows
  85. Hack Website Online Tool
  86. Hackrf Tools
  87. Hak5 Tools
  88. Pentest Tools Subdomain
  89. Hacker Tools 2019
  90. Hacking Tools Windows
  91. Hacking Tools Windows 10
  92. Hacking Tools Windows 10
  93. Pentest Tools Online
  94. Hack Tools 2019

No Response to "Sslmerge - Tool To Help You Build A Valid SSL Certificate Chain From The Root Certificate To The End-User Certificate"

Leave A Reply

Subscribe to: Post Comments (Atom)

BTC

Doge

LTC

BCH

DASH

Tokens

SAMPAI JUMPA LAGI

SEMOGA ANDA MEMPEROLEH SESUATU YANG BERGUNA