Should a wildcard SSL certificate secure both the root domain as well as the sub-domains?

There’s some inconsistency between SSL implementations on how they match wildcards, however you’ll need the root as an alternate name for that to work with most clients. For a * cert, should pass should pass should not pass may pass depending on implementation (but probably not). Essentially, the standards say that … Read more

Is there a reason to use an SSL certificate other than Let’s Encrypt’s free SSL?

Certificate lifespan Security Shorter lifespan is better. Simply because revocation is mostly theoretical, in practice it cannot be relied on (big weakness in the public PKI ecosystem). Management Without automation: Longer lifespan is more convenient. LE may not be feasible if you, for whatever reason, cannot automate the certificate management With automation: Lifespan doesn’t matter. … Read more

SSL Certificate Location on UNIX/Linux

For system-wide use, OpenSSL should provide you /etc/ssl/certs and /etc/ssl/private. The latter of which will be restricted 700 to root:root. If you have an application that doesn’t perform initial privilege separation from root, then it might suit you to locate them somewhere local to the application with the relevantly restricted ownership and permissions.

How to view all ssl certificates in a bundle? suggests this one-liner: openssl crl2pkcs7 -nocrl -certfile CHAINED.pem | openssl pkcs7 -print_certs -text -noout It indeed worked for me, but I don’t understand the details so can’t say if there are any caveats. updated june 22: for openssl 1.1.1 and higher: a single-command answer can be found here (openssl storeutl -noout -text -certs … Read more