<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div> </div>

<div>
<div> 
<div name="quote" style="margin:10px 5px 5px 10px; padding: 10px 0 10px 10px; border-left:2px solid #C3D9E5; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="margin:0 0 10px 0;"><b>Sent:</b> Wednesday, 06 September 2017 at 18:06<br/>
<b>From:</b> "Jakob Bohm" &lt;jb-openssl@wisemo.com&gt;<br/>
<b>To:</b> openssl-users@openssl.org<br/>
<b>Subject:</b> Re: [openssl-users] openssl -check</div>

<div name="quoted-content">On 06/09/2017 16:18, "Georg Höllrigl" wrote:<br/>
> Hello,<br/>
> Is there a way to verify a cert?<br/>
> I'm thinking about some equivalent to<br/>
> openssl rsa -noout -in example.key -check<br/>
> but for the public part.<br/>
> I found some broken certificate (lines in the PEM encoding got swapped)<br/>
> openssl x509 -in broken.cer but see no way to verify...<br/>
> comparing with the original cert shows different thumbprint... but<br/>
> shouldn't there be some kind of checksum to verify?<br/>
The signature on a certificate is a very strong checksum.<br/>
<br/>
For certificates that are not self-signed, openssl x509 -verify should<br/>
do it.<br/>
 </div>
</div>
</div>
</div>

<div>Agreed. That would be exactly what I had in mind - but it's not working. </div>

<div>-verify only exists for "openssl req" to check a CSR?</div>

<div> </div>

<div>I've created an example broken certificate from Google:</div>

<div> </div>


<div> </div>

<div>
<div>At the command line, I won't see a difference from a correct to a broken certificate.</div>

<div>In comparison, when checking a key I get "<span style="white-space: pre-wrap;">RSA key ok".</span></div>
</div>

<div> </div>

<div>Georg</div>
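
<div>Added example (not part of the original messages): the shell sketch below builds a throwaway CA and leaf certificate, swaps two PEM lines inside the leaf's signature as described above, and shows that parsing still succeeds while <code>openssl verify -CAfile</code> rejects the result. All file names, subject names and helper function names are assumptions made for the demo.</div>

<pre>
```shell
#!/bin/sh
# Constructed demo: throwaway CA and leaf certificate; all file names are assumptions.

make_demo_pki() {   # $1 = work dir; creates ca.pem and a leaf.pem signed by it
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

swap_pem_lines() {  # $1 = input PEM, $2 = output PEM
    # Swap the two full base64 lines just before the last base64 line. With an
    # RSA-2048 issuer these lie inside the 256-byte signature, so the DER
    # structure stays parseable and only the signature value changes.
    awk '{ l[NR] = $0 }
         END { a = NR - 3; b = NR - 2; t = l[a]; l[a] = l[b]; l[b] = t
               for (i = 1; i <= NR; i++) print l[i] }' "$1" > "$2"
}

check_cert() {      # $1 = issuer CA file, $2 = certificate to check
    parses=no; verifies=no
    # Parsing only decodes the ASN.1; it does not check the signature.
    openssl x509 -in "$2" -noout 2>/dev/null && parses=yes
    # verify checks the signature against the issuer's public key.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && verifies=yes
    echo "parses=$parses verifies=$verifies"
}

dir=$(mktemp -d)
make_demo_pki "$dir"
swap_pem_lines "$dir/leaf.pem" "$dir/broken.pem"
echo "leaf.pem:   $(check_cert "$dir/ca.pem" "$dir/leaf.pem")"
echo "broken.pem: $(check_cert "$dir/ca.pem" "$dir/broken.pem")"
rm -rf "$dir"
```
</pre>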

<div> </div>

<div>
<div name="quote" style="margin:10px 5px 5px 10px; padding: 10px 0 10px 10px; border-left:2px solid #C3D9E5; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"> 
<div name="quoted-content"> </div>
</div>
</div></div></body></html>