openssl -check


openssl -check

"Georg Höllrigl"
Hello,
 
Is there a way to verify a cert?
I'm thinking about some equivalent to
 
openssl rsa -noout -in example.key -check
 
but for the public part.
 
I found some broken certificate (lines in the PEM encoding got swapped)
 
openssl x509 -in broken.cer but see no way to verify...
 
comparing with the original cert shows different thumbprint... but shouldn't there be some kind of checksum to verify?
 
 
Kind Regards,
Georg

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: openssl -check

Jakob Bohm-7
On 06/09/2017 16:18, "Georg Höllrigl" wrote:
> Hello,
> Is there a way to verify a cert?
> I'm thinking about some equivalent to
> openssl rsa -noout -in example.key -check
> but for the public part.
> I found some broken certificate (lines in the PEM encoding got swapped)
> openssl x509 -in broken.cer but see no way to verify...
> comparing with the original cert shows different thumbprint... but
> shouldn't there be some kind of checksum to verify?
The signature on a certificate is a very strong checksum.

For certificates that are not self-signed, openssl x509 -verify should
do it.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: openssl -check

"Georg Höllrigl"
 
 
Sent: Wednesday, 06 September 2017 at 18:06
From: "Jakob Bohm" <[hidden email]>
To: [hidden email]
Subject: Re: [openssl-users] openssl -check
On 06/09/2017 16:18, "Georg Höllrigl" wrote:
> Hello,
> Is there a way to verify a cert?
> I'm thinking about some equivalent to
> openssl rsa -noout -in example.key -check
> but for the public part.
> I found some broken certificate (lines in the PEM encoding got swapped)
> openssl x509 -in broken.cer but see no way to verify...
> comparing with the original cert shows different thumbprint... but
> shouldn't there be some kind of checksum to verify?
The signature on a certificate is a very strong checksum.

For certificates that are not self-signed, openssl x509 -verify should
do it.
 
Agreed. That would be exactly what I had in mind - but it's not working. 
-verify only exists for "openssl req" to check a CSR?
 
I've created an example broken certificate from google:
 
-----BEGIN CERTIFICATE-----
MIIEhTCCA22gAwIBAgIIfWIk/Ev1U/YwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwODE1MTYwNzUyWhcNMTcxMTA3MTYwNDAw
WjBlMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEUMBIGA1UEAwwLKi5n
b29nbGUuYXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCUbeswnWzb
cRDKvHNhuYkL/qTSSSTfEXZ86FSnK8hyNAoLvjZY/EV1kZKHpD/i7ZHxkwDLry/A
pAAzCBcndbZAEv4Y3GIWr5hmfO5pC6dgSoPmB/DEjmiZSq4fs++gcRbOpZJvctY4
XFp7r1pR3yHojoDVLDKpdVMduaeUzSEPhsFOycDPKKCziPGbfMIz8myOeIxlXkxi
0upGCXyMSyM9uw2XNQKZduknZHnFaG7ButMPcd/bcCIOU/7xwh+a9l6Qmi1Ss4Go
0kjL2B9nQ/q+0sXqi9f/W5g3KoR9GE4ho7bOU4iraFTVLo74O1zbjjTX1hU3UM4E
fbKjQz7sProFAgMBAAGjggFTMIIBTzAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwIQYDVR0RBBowGIILKi5nb29nbGUuYXSCCWdvb2dsZS5hdDBoBggrBgEF
BQcBAQRcMFowKwYIKwYBBQUHMAKGH2h0dHA6Ly9wa2kuZ29vZ2xlLmNvbS9HSUFH
Mi5jcnQwKwYIKwYBBQUHMAGGH2h0dHA6Ly9jbGllbnRzMS5nb29nbGUuY29tL29j
c3AwHQYDVR0OBBYEFEzWPMkeG3KRZe8rEi5J0b3O22IPMAwGA1UdEwEB/wQCMAAw
HwYDVR0jBBgwFoAUSt0GFhu89mi1dvWBtrtiGrpagS8wIQYDVR0gBBowGDAMBgor
BgEEAdZ5AgUBMAgGBmeBDAECAjAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtp
Lmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQA6Ty7suanq
5/q7HWaF9dd0aZ1ay3mcTWj0ZqBE4R7UKAh8/dirAamb4Eo22fulHxWYeEdKnLhC
yyr//RuFiAMlkqySQcyBWO3kfEkG3l5GKMRokAEX31n7SSol9DA8+yfl1YmRxd79
7GC9HLwczgqdOzMNr40TMKAjIHcNL7S7UtLdynappkzvE7iA8ljZhymPabwYk3XU
TTr4if+Wt7uLNGqa+Vczur+jkywKXvUBoWukY9dCEsx67UoUyUkk4syGH19pVlDk
zHy4NC1X5b/4aw3XAH/IkgxFzPRiSXDwyEeea71xWEGpaRzGqaEMvU2mAghQIxYD
B2SERYFC9cRX
-----END CERTIFICATE-----
 
 
At the command line, I won't see a difference from a correct to a broken certificate.
In comparison, when checking a key I get "RSA key ok".
 
Georg
 
 
 


Re: openssl -check

Jakob Bohm-7
On 07/09/2017 07:58, "Georg Höllrigl" wrote:

> *Sent:* Wednesday, 06 September 2017 at 18:06
> *From:* "Jakob Bohm" <[hidden email]>
> *To:* [hidden email]
> *Subject:* Re: [openssl-users] openssl -check
> On 06/09/2017 16:18, "Georg Höllrigl" wrote:
> > Hello,
> > Is there a way to verify a cert?
> > I'm thinking about some equivalent to
> > openssl rsa -noout -in example.key -check
> > but for the public part.
> > I found some broken certificate (lines in the PEM encoding got swapped)
> > openssl x509 -in broken.cer but see no way to verify...
> > comparing with the original cert shows different thumbprint... but
> > shouldn't there be some kind of checksum to verify?
> The signature on a certificate is a very strong checksum.
>
> For certificates that are not self-signed, openssl x509 -verify should
> do it.
> Agreed. That would be exactly what I had in mind - but it's not working.
> -verify only exists for "openssl req" to check a CSR?
> I've created an example broken certificate from google:
>
Sorry, I got the syntax wrong.

It's simply openssl verify

Enjoy

Jakob
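As an added example (not code from the thread or from the OpenSSL project), the script below reproduces the situation Georg describes and shows why `openssl x509` is silent while `openssl verify` is not. It builds a throwaway CA and a leaf certificate signed by it, swaps two base64 lines inside the leaf's RSA signature value so the DER still parses, and then runs both commands on the intact and the broken file. The CA, leaf, file names and subjects are all constructed; it assumes an `openssl` binary of 1.1.1 or later with its default configuration file available.

```shell
#!/bin/sh
# Added example, not from the thread: a PEM certificate with swapped lines
# inside its signature still loads with `openssl x509`, but fails `openssl verify`.
# All key material and file names below are constructed test data.
set -u

# Create a self-signed test CA and a leaf certificate it signs, inside $1.
make_test_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=leaf.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 1 -in "$dir/leaf.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/leaf.pem" >/dev/null 2>&1 || return 1
}

# Swap the third- and second-to-last base64 lines of a PEM file (the END line
# is last, the line before it is the short final chunk). For a 2048-bit RSA
# certificate those two full lines lie wholly inside the 256-byte signature
# value, so every DER tag and length stays intact and only the signature changes.
swap_signature_lines() {
  n=$(wc -l < "$1")
  awk -v a=$((n - 3)) -v b=$((n - 2)) '
    NR == a { held = $0; next }
    NR == b { print; print held; next }
    { print }
  ' "$1"
}

# Returns 0 if the file decodes as an X.509 certificate at all (no signature check).
cert_parses() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Returns 0 if the certificate chains to and is correctly signed by the CA in $2.
# openssl verify exits non-zero on any verification failure (1.1.1 and later).
cert_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# SHA-256 fingerprint of the DER encoding; only useful with a known-good copy to compare against.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Run the comparison in a temporary directory and print one line per file.
demo() {
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; nothing to demonstrate" >&2
    return 1
  fi
  dir=$(mktemp -d) || return 1
  make_test_pki "$dir" || { rm -rf "$dir"; return 1; }
  swap_signature_lines "$dir/leaf.pem" > "$dir/broken.pem"
  for f in leaf.pem broken.pem; do
    if cert_parses "$dir/$f"; then p=parses; else p="does not parse"; fi
    if cert_verifies "$dir/$f" "$dir/ca.pem"; then v="signature OK"; else v="signature FAILS"; fi
    printf '%-10s x509: %-14s verify: %-15s sha256: %s\n' \
      "$f" "$p" "$v" "$(cert_fingerprint "$dir/$f")"
  done
  rm -rf "$dir"
}

demo
```

Swapping lines elsewhere in the PEM body usually breaks the DER length bookkeeping, so `openssl x509` refuses the file outright; a swap inside the RSA signature value keeps the DER well formed, which is exactly the case only signature verification catches. A fingerprint comparison needs a known-good copy in hand, whereas `openssl verify` needs just the issuer certificate; for a self-signed certificate, passing the certificate itself as `-CAfile` checks its own signature.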