Verify a certificate


Verify a certificate

Yassine Chaouche
Dear list,

I would like to learn how to use openssl tools to make sure
a chained certificate is valid?

example :

Let's say I got the Cert certificate signed by Intermediate
X, but by making the full chain certificate I inadvertently
inserted Intermediate Y instead of X. The (broken)
certificate chain inside
Cert would be:

Cert < Intermediate Y < Root X

How do I detect this error with openssl tools? Are there
tools that print issuer and subject of each certificate in
a chain?

Thanks for your guidance.

Re: Verify a certificate

Viktor Dukhovni
On Tue, Jan 05, 2021 at 01:43:12PM +0100, Yassine Chaouche wrote:

> How do I detect this error with openssl tools ? are there
> tools that print issuer and subject of each certificate in
> a chain ?

If, by chain, you mean a PEM file with one or more X509 certificates,
then yes.  Suppose the file is "certs.pem":

    $ openssl crl2pkcs7 -nocrl -certfile certs.pem |
        openssl pkcs7 -print_certs -noout -subject -issuer

If you want to instead verify the chain, against some root CA in some
file (perhaps the very same file, just use certs.pem instead of
roots.pem):

    $ openssl verify -untrusted certs.pem -trusted roots.pem certs.pem

You can also check for the expected hostname with

    $ openssl verify -untrusted certs.pem -trusted roots.pem \
        -verify_hostname www.example.com certs.pem

--
    Viktor.
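As an added example (not code from this thread), the script below builds a throwaway test PKI that matches the original post's scenario, bundles Intermediate Y in place of X, and runs both of Viktor's checks on the correct and the mis-built bundle. All names, files and the `www.example.com` hostname are constructed for the demonstration; the subject/issuer listing relies only on `pkcs7 -print_certs`, which prints both lines for every certificate.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throwaway PKI, assemble the
# mis-built bundle from the original post (Cert < Intermediate Y < Root X) and
# run the two checks from Viktor's reply on it. Needs the openssl binary.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl binary required" >&2; exit 1; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# new_csr <name> <CN>: fresh P-256 key (unencrypted, throwaway) and CSR
new_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}
# sign <name> <issuer-name> <extfile>: issue $name.pem from $name.csr
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 1 -extfile "$3" -out "$1.pem" 2>/dev/null
}
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > leaf.ext
new_csr rootX "Root X"                             # self-signed trust anchor
openssl x509 -req -in rootX.csr -signkey rootX.key -days 1 -extfile ca.ext \
  -out rootX.pem 2>/dev/null
new_csr intX "Intermediate X"; sign intX rootX ca.ext
new_csr intY "Intermediate Y"; sign intY rootX ca.ext
new_csr cert "www.example.com"; sign cert intX leaf.ext   # leaf issued by X
cat cert.pem intX.pem > good.pem     # correct bundle
cat cert.pem intY.pem > broken.pem   # the mistake: Y bundled instead of X

# Print subject= and issuer= lines for every certificate, in file order.
list_chain() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}
# Succeed only if each certificate's issuer equals the next certificate's subject.
links_ok() {
  list_chain "$1" | awk '
    BEGIN { n = 0 }
    /^subject=/ { sub(/^subject=/, ""); s[n] = $0 }
    /^issuer=/  { sub(/^issuer=/, "");  i[n] = $0; n++ }
    END { for (k = 0; k + 1 < n; k++) if (i[k] != s[k + 1]) exit 1 }'
}
# Leaf = first cert in $1, rest of $1 = untrusted intermediates, $2 = trusted root.
verify_chain() { openssl verify -untrusted "$1" -trusted "$2" "$1"; }

for f in good.pem broken.pem; do
  echo "== $f =="; list_chain "$f"
  links_ok "$f" && echo "issuer/subject links: consistent" || echo "issuer/subject links: BROKEN"
  verify_chain "$f" rootX.pem || echo "openssl verify rejected $f"
done
```

For the mis-built bundle the listing shows the leaf's issuer (Intermediate X) not matching the next subject (Intermediate Y), and `openssl verify` reports that it cannot find the leaf's issuer.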

Re: Verify a certificate

Bernhard Fröhlich-2
Hello,

just in case you want to check a webserver installation (which is not
explicitly mentioned in Viktor's answer) I want to add this...

In this case (IMHO) the s_client tool of openssl can do what you need. Try

     openssl s_client -connect yourhost.example.org:443 -CAfile SpecialCAFile.pem

where "SpecialCAFile.pem" only contains the root certificate of your
"Root X" CA. This gives quite a bit of text as output. Look for a line
"Verification: OK" in this output (usually after the PEM-encoded server
certificate), if you can find it the certificate chain should be OK.
Otherwise you'll find something like "Verification error: unable to get
local issuer certificate".

Hope this helps,
Ted
;)

On 2021-01-05 13:43, Yassine Chaouche wrote:

> Dear list,
>
> I would like to learn how to use openssl tools to make sure
> a chained certificate is valid?
>
> example :
>
> Let's say I got the Cert certificate signed by Intermediate
> X, but by making the full chain certificate I inadvertently
> inserted Intermediate Y instead of X. The (broken)
> certificate chain inside Cert would be:
>
> Cert < Intermediate Y < Root X
>
> How do I detect this error with openssl tools? Are there
> tools that print issuer and subject of each certificate in
> a chain?
>
> Thanks for your guidance.