Question RE certificate chain verification

Question RE certificate chain verification

Jakob Curdes

Hi, I am new to the list and have a question where it seems I cannot find the answer in archives here or in other sources.

We want to verify the certificate chain of an "official" certificate, but including the revocation status of the intermediate certs, via CRL or OCSP.
(The chain verification itself is easy and solved, our problems lie just with getting the revocation status of an arbitrary certificate).

It seems to turn out that a) this is seldom done completely (otherwise I think there would be more "working recipes") and it is not easy to do it in a generic way as we keep getting various errors at different steps.

Without making it too long, we want to do the following:
a) retrieve and save certificate from server via URL
b) retrieve and save certificate chain from server
c) determine OCSP URL or CRL list URL
d1) verify cert against OCSP source OR
d2) download CRL; then verify cert against CRL

Up to c), everything is straightforward. We use openssl 1.0.1e-60.el7 from current CentOS 7.

When using OCSP, we keep getting spurious error messages from the OCSP servers like "unauthorized" or "Bad request" when issuing an openssl command like

openssl ocsp  -no_nonce -issuer certificate1_chain.pem -cert certificate1.pem -url http://ocsp2.globalsign.com/gsalphasha2g2 -header "HOST" "ocsp2.globalsign.com/gsalphasha2g2" -resp_text
Error querying OCSP responsder (SIC!!)
140058021447584:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=400,Reason=Bad Request
openssl ocsp -no_nonce -issuer certificate2_chain.pem -cert certificate2.pem -url http://ocsp.comodoca.com -header "HOST" "ocsp.comodoca.com" -resp_text
Responder Error: unauthorized (6)
(Note that this does not seem to be related to nonce requests or missing host headers - thanks to Ivan Ristic and others these are well-known problems...)
Needless to say that using a browser you get a 200 response!

When going the CRL way, we keep getting
/usr/bin/openssl verify -crl_check_all -CAfile certificate1_chain_crl.pem certificate1.pem
certificate1.pem: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
error 2 at 2 depth lookup:unable to get issuer certificate
error 20 at 0 depth lookup:unable to get local issuer certificate
although the chain seems to be complete and we downloaded the CRL from the CRL URL specified in the certificate. The depth 0 error can probably be ignored as this is the root cert!?
But the depth 2 cert is the final cert and all intermediates are given, so why can the issuer certificate not be found?

=> We are obviously doing things wrong or omitting something.
Has anybody out there a working recipe how to do this for typical certificate chains?

Thank you for any hints,
Jakob Curdes
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Question RE certificate chain verification

OpenSSL - User mailing list
On Tue, February 21, 2017 12:16, Jakob Curdes wrote:

> Hi, I am new to the list and have a question where it seems I cannot find
> the answer in archives here or in other sources.
>
> We want to verify the certificate chain of an "official" certificate, but
> including the revocation status of the intermediate certs, via CRL or
> OCSP.
> (The chain verification itself is easy and solved, our problems lie just
> with getting the revocation status of an arbitrary certificate).
>
> It seems to turn out that a) this is seldom done completely (otherwise I
> think there would be more "working recipes") and it is not easy to do it
> in a generic way as we keep getting various errors at different steps.
>
> Without making it too long, we want to do the following:
> a) retrieve and save certificate from server via URL
> b) retrieve and save certificate chain from server
> c) determine OCSP URL or CRL list URL
> d1) verify cert against OCSP source OR
> d2) download CRL; then verify cert against CRL
>
> Up to c), everything is straightforward. We use openssl 1.0.1e-60.el7 from
> current CentOS 7.

try this:

CAFILE=/etc/pki/certs/ca-bundle.trust.crt

CERT=/tmp/cert.crt      # cert to validate
ISSUER=/tmp/issuer.crt  # issuing ca cert

# OCSP responder URL from the AIA extension; Host header is the URL's host part only
OCSPURL=$(openssl x509 -in $CERT -noout -ocsp_uri)
OCSPHOST=$(echo "$OCSPURL" | gawk --field-separator=\/ '{ print $3 }' -)

# -noverify skips verification of the responder's signature on the response;
# openssl prefixes the status line with the -cert path, e.g. "/tmp/cert.crt: good"
OCSPRESULT=$(openssl ocsp -CAfile $CAFILE -no_nonce -noverify -issuer \
  $ISSUER -cert $CERT -url "$OCSPURL" -header Host $OCSPHOST | grep "$CERT")



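A fuller version of the recipe above that covers both branches of the original question, d1 (OCSP) and d2 (CRL), as an added example that is not code from the thread or from the OpenSSL project. It assumes the OpenSSL 1.0.x "-header NAME VALUE" syntax by default, curl on the path, a DER-encoded CRL at the distribution point, and the helper names and the OCSP_HEADER_EQ switch are introduced here:

```shell
#!/bin/sh
# Added example, not code from the thread. Per-certificate revocation check
# with the openssl CLI. Assumes the OpenSSL 1.0.x "-header NAME VALUE" form;
# set OCSP_HEADER_EQ=1 on 1.1.0+, where the form is "-header NAME=VALUE".

# Host header value for an OCSP URL: host[:port] only, never the path
# (a path inside the Host header is a reliable way to get "400 Bad Request").
ocsp_host() {
    printf '%s\n' "$1" | sed -e 's#^[A-Za-z]*://##' -e 's#/.*$##'
}

# Reduce "openssl ocsp" output to one word: good, revoked, unknown or error.
# $1 = responder output, $2 = the -cert path (openssl prefixes the status with it).
ocsp_status() {
    case "$1" in
        *"$2: good"*)    echo good ;;
        *"$2: revoked"*) echo revoked ;;
        *"$2: unknown"*) echo unknown ;;
        *)               echo error ;;
    esac
}

# OCSP check of cert $1, issued by $2, with trust anchors in $3. No -noverify:
# the response signature is checked, otherwise a forged "good" is accepted.
check_ocsp() {
    cert=$1; issuer=$2; cafile=$3
    url=$(openssl x509 -in "$cert" -noout -ocsp_uri)
    [ -n "$url" ] || { echo error; return 1; }
    host=$(ocsp_host "$url")
    if [ "${OCSP_HEADER_EQ:-0}" = 1 ]; then hdr="Host=$host"; else hdr="Host $host"; fi
    out=$(openssl ocsp -no_nonce -issuer "$issuer" -cert "$cert" -url "$url" \
            -header $hdr -CAfile "$cafile" 2>&1)   # $hdr must word-split
    ocsp_status "$out" "$cert"
}

# CRL check of cert $1 against chain file $2: fetch the first CRL named in the
# CRL Distribution Points extension (assumed DER), convert it to PEM and append
# it to a copy of the chain, which also works on 1.0.1 without -CRLfile.
# -crl_check covers the leaf only; -crl_check_all needs a CRL per CA as well.
check_crl() {
    cert=$1; chain=$2; tmp=$(mktemp -d)
    crl_url=$(openssl x509 -in "$cert" -noout -text \
              | grep -A3 'CRL Distribution' | sed -n 's/.*URI://p' | head -n1)
    curl -sSf -o "$tmp/crl.der" "$crl_url" || { rm -rf "$tmp"; return 1; }
    cat "$chain" > "$tmp/chain_crl.pem"
    openssl crl -inform DER -in "$tmp/crl.der" -outform PEM >> "$tmp/chain_crl.pem"
    openssl verify -crl_check -CAfile "$tmp/chain_crl.pem" "$cert"
    rc=$?; rm -rf "$tmp"; return "$rc"
}
```

Source the file and call `check_ocsp leaf.pem issuer.pem ca-bundle.pem` or `check_crl leaf.pem chain.pem`; for intermediates, run the same two functions with the intermediate as the cert and its own issuer as the issuer.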

Re: Question RE certificate chain verification

Jakob Curdes


Thank you, we will try this, will probably take a couple of days. 
Regards, Jakob Curdes
 
