Table of contents
Checking x509 (PEM) certificate
$ openssl x509 -text -noout -insecureFootprint.pem
Certificate: Data: Version: 3 (0x2) Serial Number: 1d:5d:3a:07:7f:be:eb:ee:f3:c9:2f:03:f7:a2:09:d1 Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=Thawte, Inc., CN=Thawte SSL CA Validity Not Before: Feb 15 00:00:00 2012 GMT Not After : Feb 14 23:59:59 2015 GMT Subject: C=US, ST=Colorado, L=Broomfield, O=Level 3 Communications, Inc., OU=CDN, CN=secure.footprint.net Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c9:de:c8:5f:0d:f4:05:84:5f:b0:29:89:ee:6b: 52:a9:6b:b3:cb:bd:e0:04:0a:dc:27:77:f5:1f:9c: cb:7f:99:1d:ab:3e:6e:1c:ba:f7:e9:61:8b:8e:5e: 41:ff:b4:b0:bf:32:fb:40:fd:85:2a:af:42:26:dd: 5a:1a:1b:34:20:20:80:4b:a0:17:52:b2:ad:54:a4: 21:b2:a8:cc:c2:f1:12:26:13:e0:88:3e:a1:88:c8: 59:93:e5:1c:f5:37:9e:86:f5:6b:f4:20:c9:3f:52: e9:1a:1d:66:ed:36:14:5c:83:69:5b:70:e5:7a:34: 2d:99:2c:e1:d2:32:37:87:60:e9:99:dd:8d:17:d5: 3f:21:84:71:8f:97:7a:ed:3f:1e:2f:17:c8:2a:5e: 7a:63:1f:d1:0f:8d:46:fc:5c:4b:b2:1e:fb:59:b4: 10:c4:33:24:07:6b:cf:57:9a:41:cd:4d:f6:64:df: 4a:4e:d1:1a:fd:80:44:64:39:8a:b3:05:d6:c4:4a: 91:4e:c3:3c:3b:62:30:e8:45:d9:ec:65:9e:ca:b4: 57:2b:1b:5f:53:59:39:52:c5:54:9c:d7:02:16:a8: 1b:9c:10:cf:3e:90:df:a3:5c:85:68:ff:0b:c5:d2: ef:13:37:a4:6a:c9:a8:1f:98:8f:bd:4f:43:d5:d7: 4b:e1 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 CRL Distribution Points: Full Name: URI:http://svr-ov-crl.thawte.com/ThawteOV.crl X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication Authority Information Access: OCSP - URI:http://ocsp.thawte.com Signature Algorithm: sha1WithRSAEncryption 60:64:76:d6:71:0a:bf:41:2e:99:25:2e:e0:8f:38:57:81:df: 77:31:2f:29:fe:b3:cf:c4:96:ef:3d:8e:17:1c:15:2f:e1:f5: 3d:47:5d:4a:bf:8c:75:d5:82:30:eb:6d:74:46:9c:8e:05:69: 03:ae:47:84:47:2c:30:bd:0c:d2:b1:81:c5:d6:a0:9f:31:e9: f7:30:ac:a8:60:05:bf:01:f8:ec:b2:4b:c1:4f:60:dc:9e:8e: c5:bb:f3:22:c7:72:64:e8:2f:df:9c:05:1a:b6:20:03:47:18: 85:63:bb:23:a8:97:9b:ec:65:30:d7:aa:e9:c4:39:d2:79:6d: cb:98:8f:b3:eb:b8:d2:ee:1e:ce:96:fc:b2:c6:c0:57:8e:3a: c4:1b:e1:c4:ce:5f:f4:61:95:cd:8c:31:c3:5a:7f:23:d3:1c: 30:b8:92:68:ba:5c:7d:5c:30:07:00:bd:f6:d8:dc:3b:7a:39: d1:ce:7c:4d:ae:8a:f6:ae:70:d5:7f:9b:1a:7e:f5:07:41:81: 05:ac:7c:ce:be:19:a6:27:ed:3a:ea:70:c9:3a:3a:84:68:42: d7:a0:34:ef:26:ce:89:8d:5a:de:e4:13:b1:ef:83:94:e7:37: 6e:94:04:a3:8b:87:8b:c5:d4:e0:d9:5e:e0:c3:39:35:df:8f: b8:dc:1e:f9
To check the certs in a chain of trust
The basicConstraints extension CA flag is used to determine whether the certificate can be used as a CA. If the CA flag is true then it is a CA, if the CA flag is false then it is not a CA. All CAs should have the CA flag set to true.
If the basicConstraints extension is absent then the certificate is considered to be a “possible CA” other extensions are checked according to the intended use of the certificate. A warning is given in this case because the certificate should really not be regarded as a CA: however it is allowed to be a CA to work around some broken software.
Usage can be seen in the basic constraints section of the certificate:
X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE X509v3 CRL Distribution Points: Full Name: URI:http://crl.verisign.com/pca3.crl X509v3 Key Usage: critical Certificate Sign, CRL Sign
Running the following command (with -showcerts) will show all of the certs in the chain.
$ openssl s_client -showcerts -host secure.footprint.net -port 443 CONNECTED(00000003) depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA verify error:num=20:unable to get local issuer certificate verify return:0 ---Certificate chain 0 s:/C=US/ST=Colorado/L=Broomfield/O=Level 3 Communications, Inc./OU=CDN/CN=secure.footprint.net i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA -----BEGIN CERTIFICATE----- MIID8TCCAtmgAwIBAgIQHV06B3++6+7zyS8D96IJ0TANBgkqhkiG9w0BAQUFADA8 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMuMRYwFAYDVQQDEw1U aGF3dGUgU1NMIENBMB4XDTEyMDIxNTAwMDAwMFoXDTE1MDIxNDIzNTk1OVowgYkx CzAJBgNVBAYTAlVTMREwDwYDVQQIEwhDb2xvcmFkbzETMBEGA1UEBxQKQnJvb21m aWVsZDElMCMGA1UEChQcTGV2ZWwgMyBDb21tdW5pY2F0aW9ucywgSW5jLjEMMAoG A1UECxQDQ0ROMR0wGwYDVQQDFBRzZWN1cmUuZm9vdHByaW50Lm5ldDCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMneyF8N9AWEX7Apie5rUqlrs8u94AQK 3Cd39R+cy3+ZHas+bhy69+lhi45eQf+0sL8y+0D9hSqvQibdWhobNCAggEugF1Ky rVSkIbKozMLxEiYT4Ig+oYjIWZPlHPU3nob1a/QgyT9S6RodZu02FFyDaVtw5Xo0 LZks4dIyN4dg6ZndjRfVPyGEcY+Xeu0/Hi8XyCpeemMf0Q+NRvxcS7Ie+1m0EMQz JAdrz1eaQc1N9mTfSk7RGv2ARGQ5irMF1sRKkU7DPDtiMOhF2exlnsq0VysbX1NZ OVLFVJzXAhaoG5wQzz6Q36NchWj/C8XS7xM3pGrJqB+Yj71PQ9XXS+ECAwEAAaOB oDCBnTAMBgNVHRMBAf8EAjAAMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly9zdnIt b3YtY3JsLnRoYXd0ZS5jb20vVGhhd3RlT1YuY3JsMB0GA1UdJQQWMBQGCCsGAQUF BwMBBggrBgEFBQcDAjAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6 Ly9vY3NwLnRoYXd0ZS5jb20wDQYJKoZIhvcNAQEFBQADggEBAGBkdtZxCr9BLpkl LuCPOFeB33cxLyn+s8/Elu89jhccFS/h9T1HXUq/jHXVgjDrbXRGnI4FaQOuR4RH LDC9DNKxgcXWoJ8x6fcwrKhgBb8B+OyyS8FPYNyejsW78yLHcmToL9+cBRq2IANH GIVjuyOol5vsZTDXqunEOdJ5bcuYj7PruNLuHs6W/LLGwFeOOsQb4cTOX/Rhlc2M McNafyPTHDC4kmi6XH1cMAcAvfbY3Dt6OdHOfE2uivaucNV/mxp+9QdBgQWsfM6+ GaYn7TrqcMk6OoRoQtegNO8mzomNWt7kE7Hvg5TnN26UBKOLh4vF1ODZXuDDOTXf j7jcHvk= -----END CERTIFICATE----- 1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA -----BEGIN CERTIFICATE----- MIIEbDCCA1SgAwIBAgIQTV8sNAiyTCDNbVB+JE3J7DANBgkqhkiG9w0BAQUFADCB qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMTAwMjA4MDAwMDAwWhcNMjAw MjA3MjM1OTU5WjA8MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMu MRYwFAYDVQQDEw1UaGF3dGUgU1NMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A MIIBCgKCAQEAmeSFW3ZJfS8F2MWsyMip09yY5tc0pi8M8iIm2KPJFEyPBaRF6BQM WJAFGrfFwQalgK+7HUlrUjSIw1nn72vEJ0GMK2Yd0OCjl5gZNEtB1ZjVxwWtouTX 7QytT8G1sCH9PlBTssSQ0NQwZ2ya8Q50xMLciuiX/8mSrgGKVgqYMrAAI+yQGmDD 7bs6yw9jnw1EyVLhJZa/7VCViX9WFLG3YR0cB4w6LPf/gN45RdWvGtF42MdxaqMZ pzJQIenyDqHGEwNESNFmqFJX1xG0k4vlmZ9d53hR5U32t1m0drUJN00GOBN6HAiY XMRISstSoKn4sZ2Oe3mwIC88lqgRYke7EQIDAQABo4H7MIH4MDIGCCsGAQUFBwEB BCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AudGhhd3RlLmNvbTASBgNVHRMB Af8ECDAGAQH/AgEAMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwudGhhd3Rl LmNvbS9UaGF3dGVQQ0EuY3JsMA4GA1UdDwEB/wQEAwIBBjAoBgNVHREEITAfpB0w GzEZMBcGA1UEAxMQVmVyaVNpZ25NUEtJLTItOTAdBgNVHQ4EFgQUp6KDuzRFQD38 1TBPErk+oQGf9tswHwYDVR0jBBgwFoAUe1tFz6/Oy3r9MZIaarbzRutXSFAwDQYJ KoZIhvcNAQEFBQADggEBAIAigOBsyJUW11cmh/NyNNvGclYnPtOW9i4lkaU+M5en S+Uv+yV9Lwdh+m+DdExMU3IgpHrPUVFWgYiwbR82LMgrsYiZwf5Eq0hRfNjyRGQq 2HGn+xov+RmNNLIjv8RMVR2OROiqXZrdn/0Dx7okQ40tR0Tb9tiYyLL52u/tKVxp EvrRI5YPv5wN8nlFUzeaVi/oVxBw9u6JDEmJmsEj9cIqzEHPIqtlbreUgm0vQF9Y 3uuVK6ZyaFIZkSqudZ1OkubK3lTqGKslPOZkpnkfJn1h7X3S5XFV2JMXfBQ4MDzf huNMrUnjl1nOG5srztxl1Asoa06ERlFE9zMILViXIa4= -----END CERTIFICATE----- 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com -----BEGIN CERTIFICATE----- MIIERTCCA66gAwIBAgIQM2VQCHmtc+IwueAdDX+skTANBgkqhkiG9w0BAQUFADCB zjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJ Q2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UE CxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhh d3RlIFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNl cnZlckB0aGF3dGUuY29tMB4XDTA2MTExNzAwMDAwMFoXDTIwMTIzMDIzNTk1OVow gakxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwx0aGF3dGUsIEluYy4xKDAmBgNVBAsT H0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xODA2BgNVBAsTLyhjKSAy MDA2IHRoYXd0ZSwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MR8wHQYD VQQDExZ0aGF3dGUgUHJpbWFyeSBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOC AQ8AMIIBCgKCAQEArKDw+4BZ1JzHpM+doVlzCRBFDA0sbmjxbFtIaElZN/wLMxnC d3/MEC2VNBzm600JpxzSuMmXNgK3idQkXwbAzESUlI0CYm/rWt0RjSiaXISQEHoN vXRmL2o4oOLVVETrHQefB7pv7un9Tgsp9T6EoAHxnKv4HH6JpOih2HFlDaNRe+68 0iJgDblbnd+6/FFbC6+Ysuku6QToYofeK8jXTsFMZB7dz4dYukpPymgHHRydSsbV L5HMfHFyHMXAZ+sy/cmSXJTahcCbv1N9Kwn0jJ2RH5dqUsveCTakd9h7h1BE1T5u KWn7OUkmHgmlgHtALevoJ4XJ/mH9fuZ8lx3VnQIDAQABo4HCMIG/MA8GA1UdEwEB /wQFMAMBAf8wOwYDVR0gBDQwMjAwBgRVHSAAMCgwJgYIKwYBBQUHAgEWGmh0dHBz Oi8vd3d3LnRoYXd0ZS5jb20vY3BzMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU e1tFz6/Oy3r9MZIaarbzRutXSFAwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cDovL2Ny bC50aGF3dGUuY29tL1RoYXd0ZVByZW1pdW1TZXJ2ZXJDQS5jcmwwDQYJKoZIhvcN AQEFBQADgYEAhKhMyT4qvJrizI8LsiV3xGGJiWNa1KMVQNT7Xj+0Q+pjFytrmXSe Cajd1FYVLnp5MV9jllMbNNkV6k9tcMq+9oKp7dqFd8x2HGqBCiHYQZl/Xi6Cweiq 95OBBaqStB+3msAHF/XLxrRMDtdW3HEgdDjWdMbWj2uvi42gbCkLYeA= -----END CERTIFICATE----- ...
Copying the whole:
-----BEGIN CERTIFICATE----- -----END CERTIFICATE-----
into a file and running the previous command will give details on each specified cert
Verifying them
(gbrown@linux1-SysOps)-(12:00:13)-(June2012Issue) $openssl verify -verbose -CAfile PaypalIssuerDepth1.pem Paypal.pem Paypal.pem: OK (gbrown@linux1-SysOps)-(12:00:25)-(June2012Issue) $ (gbrown@linux1-SysOps)-(12:00:34)-(June2012Issue) $openssl verify -verbose -CAfile PaypalIssuerDepth2.pem PaypalIssuerDepth1.pem PaypalIssuerDepth1.pem: OK (gbrown@linux1-SysOps)-(12:00:42)-(June2012Issue) $openssl verify -verbose -CApath /etc/ssl/certs PaypalIssuerDepth2.pem PaypalIssuerDepth2.pem: OK
Verify their purpose
(gbrown@linux1-SysOps)-(12:12:05)-(June2012Issue) $openssl verify -purpose sslserver -verbose -CAfile PaypalIssuerDepth1.pem Paypal.pem Paypal.pem: OK
There is no verify sslserverca option but checking the certificate can be used to sign CRLs can be done:
(gbrown@linux1-SysOps)-(12:13:42)-(June2012Issue) $openssl verify -purpose crlsign -verbose -CAfile PaypalIssuerDepth2.pem PaypalIssuerDepth1.pem PaypalIssuerDepth1.pem: OK
Convert standard PEM to a DER for import into keystore
openssl x509 -in /tmp/di.pem -inform PEM -out /tmp/omniphone2.der -outform DER
swap x509 to crl (or some other type) for different certs
CRLs
Certificate Revocation Lists are lists of certificates that have been revoked for some reason (Not because of date expiry).
Certificates contain a link to the most recent list as part of a X509v3 extension and can be seen under the section “X509v3 CRL Distribution Points” seen here.
Using wget or curl to get a copy of this DER formatted file.
View contents of CRL
$openssl crl -text -noout -inform DER -in ThawtePremiumServerCA.crl Certificate Revocation List (CRL): Version 1 (0x0) Signature Algorithm: sha1WithRSAEncryption Issuer: /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com Last Update: Jun 13 01:40:53 2012 GMT Next Update: Jun 23 01:40:53 2012 GMT Revoked Certificates: Serial Number: 0118DB8646E7AA2EFEF738AD5298C1F5 Revocation Date: Mar 19 21:18:45 2012 GMT Serial Number: 014BD5B0A8E7F5AD35A512B45A47220D Revocation Date: Jun 26 15:18:35 2010 GMT Serial Number: 01530BCD42A51FBBA5784432A0BF34F9
Verifying the CRL file
To verify the CRL file, it must be checked against its signer. I.e. The following won’t work:
$openssl crl -noout -inform DER -in Paypal.crl -CAfile Paypal.pem Error getting CRL issuer certificate
Nor will:
$openssl crl -noout -inform DER -in Paypal.crl -CAfile PaypalIssuerDepth2.pem Error getting CRL issuer certificate
However, all the following will:
$openssl crl -noout -inform DER -in Paypal.crl -CAfile PaypalIssuerDepth1.pem verify OK $openssl crl -noout -inform DER -in PaypalIssuerDepth1.crl -CAfile PaypalIssuerDepth2.pem verify OK $openssl crl -noout -inform DER -in PaypalIssuerDepth2.crl -CApath /etc/ssl/certs verify OK
The last one is the Root CA so needs the certificate that comes bundled in openssl
Checking Pulic and Private Keys match
The private key contains a series of numbers. Two of those numbers form the “public key”, the others are part of your “private key”. The “public key” bits are also embedded in your Certificate (we get them from your CSR). To check that the public key in your cert matches the public portion of your private key, you need to view the cert and the key and compare the numbers. To view the Certificate and the key run the commands:
x509 is a pulic key check and rsa is a private key check
$ openssl x509 -noout -text -in server.crt $ openssl rsa -noout -text -in server.key
The `modulus’ and the `public exponent’ portions in the key and the Certificate must match. But since the public exponent is usually 65537 and it’s bothering comparing long modulus you can use the following approach:
$ openssl x509 -noout -modulus -in server.crt | openssl md5 $ openssl rsa -noout -modulus -in server.key | openssl md5
And then compare these really shorter numbers. With overwhelming probability they will differ if the keys are different. As a one-liner:
$ openssl x509 -noout -modulus -in server.pem | openssl md5 $ openssl rsa -noout -modulus -in server.key | openssl md5
And with auto-magic comparison (If more than one hash is displayed, they don’t match):
$ openssl x509 -noout -modulus -in server.pem | openssl md5 $ openssl rsa -noout -modulus -in server.key | openssl md5) | uniq
BTW, if I want to check to which key or certificate a particular CSR belongs you can compute
$ openssl req -noout -modulus -in server.csr | openssl md5
NSS (Network Security Services) Keystores
cerutil
used to manage certificate in the NSS style keystore database
list all certs
certutil -L -d /etc/openldap/cacerts/
print a specific certificate details
certutil -L -d /etc/openldap/cacerts/ -n "Certificate Nickname"
Add a new certificate
certutil -A -i /path/to/cert.file -n "Nickname in keystore" -d /path/to/nssdb/directory/ -t CT