-
Notifications
You must be signed in to change notification settings - Fork 5
/
index.xml
158 lines (149 loc) · 5.76 KB
/
index.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
<!--
Copyright (C) 2014 Opsmate, Inc.
See COPYING file for license information.
-->
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:whatsmychaincert="http://xmlns.sslmate.com/whatsmychaincert" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>What's My Chain Cert?</title>
<meta name="robots" content="noarchive" />
<link rel="stylesheet" type="text/css" media="screen,projection" href="assets/css/style.css" />
<noscript>
<link rel="stylesheet" type="text/css" media="screen,projection" href="assets/css/noscript.css" />
</noscript>
<script type="text/javascript" src="assets/js/script.js">
</script>
<script type="text/javascript">
whatsmychaincert_endpoint = '<whatsmychaincert:endpoint/>';
</script>
</head>
<body>
<div id="root">
<div id="masthead">
<h1>What's My Chain Cert?</h1>
<p class="by">By <a href="https://sslmate.com">SSLMate</a></p>
</div>
<p>
Did you know that when you install an SSL certificate, you have to install
not only your site's certificate, but also one or more intermediate (a.k.a. chain)
certificates? Failure to install the correct chain can cause certificate
errors in browsers, driving visitors away from your site. To complicate matters,
some browsers cache intermediate certificates, or download missing intermediates
on-demand, meaning that an improperly-configured chain could work in some browsers
but not others, making this an annoying problem to debug.
</p>
<p>
This site tests if your server is serving the correct certificate chain,
tells you what chain you <em>should</em> be serving, and helps you configure your
server to serve it.
</p>
<div class="test" id="test">
<h2>Test Your Server</h2>
<div class="box">
<div id="test_results">
</div>
<form id="test_form" method="GET" whatsmychaincert:action="test" onsubmit="return test_form_submit(this);">
<input type="text" name="host" placeholder="example.com" size="25"/>
<input type="submit" name="submit_btn" value="Test"/>
</form>
<p class="instructions minor">Checks port 443 (HTTPS) by default. For a different port, specify it with the hostname like: <code>example.com:993</code></p>
</div>
</div>
<div class="generate" id="generate">
<h2>Generate the Correct Chain</h2>
<p>
The generated chain will include your server's leaf certificate, followed
by every required intermediate certificate, optionally followed by the root
certificate.
</p>
<div class="box by_cert">
<p class="instructions major">
Paste your certificate in the box below to generate the correct chain for it,
based on the metadata embedded in the certificate.
</p>
<form method="POST" whatsmychaincert:action="generate">
<input type="hidden" name="include_leaf" value="1"/>
<p><textarea name="pem" rows="8" cols="80"></textarea></p>
<p class="buttons">
<input type="submit" name="submit_btn" value="Generate Chain"/>
<label>
<input type="checkbox" name="include_root" value="1"/>
Include Root Certificate
</label>
</p>
</form>
</div>
<div class="box by_hostname">
<p class="instructions major">
Or, enter the hostname of a server to generate the correct chain for its certificate:
</p>
<form method="GET" whatsmychaincert:action="generate">
<input type="hidden" name="include_leaf" value="1"/>
<p><input type="text" name="host" placeholder="example.com" size="25"/></p>
<p class="buttons">
<input type="submit" name="submit_btn" value="Generate Chain"/>
<label>
<input type="checkbox" name="include_root" value="1"/>
Include Root Certificate
</label>
</p>
</form>
</div>
</div>
<div class="moreinfo" id="include_root">
<h2>Include the Root Certificate?</h2>
<p>
You do <strong>not</strong> need to include the root certificate in
the certificate chain that you serve, since clients already have
the root certificate in their trust stores. Including the root is
inefficient since it increases the size of the SSL handshake.
</p>
<p>
A separate chain that includes the root certificate is sometimes
used for other purposes, such as
<a href="https://sslmate.com/blog/post/ocsp_stapling_in_apache_and_nginx">OCSP stapling</a>.
Such advanced configuration is beyond the scope of this guide,
although the generator will generate such chains if you
check the "Include Root Certificate" box.
</p>
</div>
<div class="config" id="config">
<h2>Configure Your Server</h2>
<p>
Note: some software requires you to put your site's certificate chain
(e.g. <code>example.com.chained.crt</code>) and your private key
(e.g. <code>example.com.key</code>) in separate files, while other
software requires you to put them in the same file.
</p>
<p>
You can generate the combined file (<code>example.com.combined.pem</code>) with a command such as:
</p>
<p>
<code class="block">cat example.com.key example.com.chained.crt > example.com.combined.pem</code>
</p>
<div class="box">
<whatsmychaincert:configguide/>
</div>
<p>
Don't forget to restart your server software after changing its configuration!
</p>
</div>
<div class="moreinfo">
<h2>A Better Way to Get SSL Certificates</h2>
<p>
<a href="https://sslmate.com">SSLMate</a> lets you get SSL certs from
the command line. SSLMate saves you time and effort by automating away the error-prone
tedium of CSR generation, certificate chain assembly, and renewals.
</p>
</div>
<div id="footer">
<p>
© 2020 Opsmate, Inc.
<!--
<a href="https://github.com/SSLMate">Source code</a>
-->
</p>
</div>
</div>
</body>
</html>