Install commercial SSL certificate

• https://www.digitalocean.com/community/tutorials/how-to-install-an-ssl-certificate-from-a-commercial-certificate-authority
• Installing a SSL certificate on Apache
• https://www.namecheap.com/support/live-chat/ssl.aspx
• How To Set Up a Host Name with DigitalOcean This includes information about WHOIS, changing domain server, configuring domain (A record, AAAA record, CNAME record, MX record, et al)

Check openssl version

http://askubuntu.com/questions/504928/how-to-check-which-openssl-version-is-use-by-apache-on-ubuntu-12-04

odroid@odroid:~$ apt-cache policy openssl
openssl:
  Installed: 1.0.2g-1ubuntu4.5
  Candidate: 1.0.2g-1ubuntu4.5
  Version table:
 *** 1.0.2g-1ubuntu4.5 500
        500 http://ports.ubuntu.com/ubuntu-ports xenial-updates/main armhf Packages
        500 http://ports.ubuntu.com/ubuntu-ports xenial-security/main armhf Packages
        100 /var/lib/dpkg/status
     1.0.2g-1ubuntu4 500
        500 http://ports.ubuntu.com/ubuntu-ports xenial/main armhf Packages

# Ubuntu 14.04
$ openssl version 
OpenSSL 1.0.1f 6 Jan 2014
# Macbook Pro 10.11
$ openssl version 
OpenSSL 0.9.8zh 14 Jan 2016

Check TLS version

• TLS Checker - Check the SSL/TLS setup of your server or CDN
• Checking remote host TLS / SSL Version with nmap / openssl

• Command prompt to check TLS version required by a host

  nmap --script ssl-enum-ciphers -p 443 www.google.com
  

• Check for SMTP TLS from command line with OpenSSL

  openssl s_client -connect mail.example.com:25 -starttls smtp
  

• How to check SMTP connection from Command Line ( Linux )?

  openssl s_client -connect smtp.pepipost.com:587 -starttls smtp 
  

• Using curl-TLS Everything curl
• How to find out which TLS version the Git command is using?

Check openssl location

A more general way is to use openssl version -d

# On Ubuntu 14.04
$ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"
$ ls /usr/lib/ssl
certs  misc  openssl.cnf  private
$ ls -l /usr/lib/ssl
total 4
lrwxrwxrwx 1 root root   14 Oct  7 11:03 certs -> /etc/ssl/certs
drwxr-xr-x 2 root root 4096 Feb 11 09:12 misc
lrwxrwxrwx 1 root root   20 Jan 30 15:42 openssl.cnf -> /etc/ssl/openssl.cnf
lrwxrwxrwx 1 root root   16 Oct  7 11:03 private -> /etc/ssl/private
$ ls -l /etc/ssl/certs | head
total 912
lrwxrwxrwx 1 root root     26 Oct  7 11:03 00673b5b.0 -> thawte_Primary_Root_CA.pem
lrwxrwxrwx 1 root root     45 Oct  7 11:03 02265526.0 -> Entrust_Root_Certification_Authority_-_G2.pem
lrwxrwxrwx 1 root root     29 Oct  7 11:03 024dc131.0 -> Microsec_e-Szigno_Root_CA.pem
lrwxrwxrwx 1 root root     31 Oct  7 11:03 02b73561.0 -> Comodo_Secure_Services_root.pem
lrwxrwxrwx 1 root root     36 Oct  7 11:03 03179a64.0 -> Staat_der_Nederlanden_EV_Root_CA.pem
lrwxrwxrwx 1 root root     25 Oct  7 11:03 034868d6.0 -> Swisscom_Root_EV_CA_2.pem
lrwxrwxrwx 1 root root     16 Oct  7 11:03 03f2b8cf.0 -> WoSign_China.pem
lrwxrwxrwx 1 root root     41 Oct  7 11:03 04f60c28.0 -> USERTrust_ECC_Certification_Authority.pem
lrwxrwxrwx 1 root root     40 Oct  7 11:03 052e396b.0 -> AddTrust_Qualified_Certificates_Root.pem
$ ls -l /etc/ssl/certs | wc -l
533

# On Macbook Pro 10.11
$ openssl version -d
OPENSSLDIR: "/System/Library/OpenSSL"
$ ls -l /System/Library/OpenSSL
total 8
drwxr-xr-x  2 root  wheel    68 May 15  2016 certs
drwxr-xr-x  8 root  wheel   272 May 15  2016 misc
-rw-r--r--  1 root  wheel  9390 May 15  2016 openssl.cnf
drwxr-xr-x  2 root  wheel    68 May 15  2016 private
$ ls -l /System/Library/OpenSSL/certs/
$ # empty results

openssl & patch bug

• Check out https://launchpad.net/ubuntu/+source/openssl to see the latest openssl version (number may be different for each of Ubuntu version). As of this writing, the latest openssl on Ubuntu 14.04 is 1.0.1f-1ubuntu2.15 and for Ubuntu 12.04 it is 1.0.1-4ubuntu5.31 (this kind of representation can be obtained using the sudo dpkg -l | grep openssl command; see below). The full list of the publishing history can be accessed through View full publishing history link. From there, we can restrict to Target = Trusty, for example.
• http://askubuntu.com/questions/444702/how-to-patch-the-heartbleed-bug-cve-2014-0160-in-openssl. The following is an output after running sudo apt-get update; sudo apt-get upgrade.

brb@vm-1404:~$ sudo dpkg -l | grep  openssl
ii  libgnutls-openssl27:amd64   2.12.23-12ubuntu2.2   amd64        GNU TLS library - OpenSSL wrapper
ii  openssl                     1.0.1f-1ubuntu2.15    amd64        Secure Sockets Layer toolkit - cryptographic utility
ii  python-openssl              0.13-2ubuntu6         amd64        Python 2 wrapper around the OpenSSL library

• http://www.liquidweb.com/kb/update-and-patch-openssl-on-ubuntu-for-the-ccs-injection-vulnerability/. As you can see although a bug in OpenSSL has been found affecting versions 1.0.1 through 1.0.1f (inclusive), and openssl version is still 1.0.1f in Ubuntu 14.04.1, the build date is on June 2014. So it is safe.

brb@vm-1404:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 14.04.1 LTS
Release:	14.04
Codename:	trusty

brb@vm-1404:~$ openssl version -a
OpenSSL 1.0.1f 6 Jan 2014
built on: Fri Jun 20 18:54:02 UTC 2014
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) 
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 
OPENSSLDIR: "/usr/lib/ssl"

brb@vm-1404:~$ sudo apt-get changelog openssl | grep CVE-2014-0224
    - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
    - debian/patches/CVE-2014-0224.patch: set the CCS_OK flag when using
    - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
    - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
    - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
    - CVE-2014-0224

• How To Patch and Protect OpenSSL Vulnerability # CVE-2015-0291 CVE-2015-0204 [19/March/2015]

Let's Encrypt SSL

• Let's Encrypt通用憑證上線了!
• https://letsencrypt.org/getting-started/ & https://letsencrypt.org/how-it-works/ & https://certbot.eff.org/#ubuntuxenial-apache: install python-certbot-apache package
• How To Secure Apache with Let's Encrypt on Ubuntu 16.04: install python-certbot-apache package
• How to Install Let’s Encrypt on Apache2: install python-letsencrypt-apache package

It takes less than 5 minutes for the whole process!

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
sudo certbot --apache

Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. The Let's Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.

So we can add the following line to the cron job that will execute the letsencrypt-auto renew command every Monday at 2:30 am. sudo crontab -e

30 2 * * 1 certbot renew >> /var/log/le-renew.log

Note if you currently have already had a working SSL certificate (eg from a purchased one), then even you have removed the certificate from the relevant Apache files you still can't run through sudo certbot. But once your current working SSL certificate expires, sudo certbot will successfully go through even you don't manually remove the certificate from your system.

pem file

• Mentioned by KeeWeb
• What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?
• How to get .pem file from .key and .crt files?

CSR files

What Are CSR Files and How Do You Create Them

Monitoring Website SSL/TLS Certificate Expiration Times

• Monitoring Website SSL/TLS Certificate Expiration Times with R, {openssl}, {pushoverr}, and {DT}

• How to check TLS/SSL certificate expiration date from command-line

  DOM="www.cyberciti.biz"
  PORT="443"
  echo | openssl s_client -servername $DOM -connect $DOM:$PORT \
  | openssl x509 -noout -dates