Verify a certificate

Yassine Chaouche a.chaouche at algerian-radio.dz
Tue Sep 12 15:38:33 UTC 2023


On 1/5/21 at 14:11, Bernhard Fröhlich wrote:
> Hello,
> 
> just in case you want to check a webserver installation (which is not explicitly mentioned in Viktor's answer) I want to add this...
> 
> In this case (IMHO) the s_client tool of openssl can do what you need. Try
> 
>      openssl s_client -connect yourhost.example.org:443 -CAfile SpecialCAFile.pem
> 
> where "SpecialCAFile.pem" only contains the root certificate of your "Root X" CA. This gives quite a bit of text as output. Look for a line "Verification: OK" in this output (usually after the PEM-encoded server certificate), if you can find it the certificate chain should be OK. Otherwise you'll find something like "Verification error: unable to get local issuer certificate"
> 
> Hope this helps,
> Ted
> ;)
> 
> On 2021-01-05 13:43, Yassine Chaouche wrote:
>> Dear list,
>>
>> I would like to learn how to use openssl tools to make sure
>> a chained certificate is valid ?
>>
>> example :
>>
>> Let's say I got the Cert certificate signed by Intermediate
>> X, but by making the full chain certificate I inadvertently
>> inserted Intermediate Y instead of X. The (broken)
>> certificate chain inside Cert would be :
>>
>> Cert < Intermediate Y < Root X
>>
>> How do I detect this error with openssl tools ? are there
>> tools that print issuer and subject of each certificate in
>> a chain ?
>>
>> Thanks for your guidance.
> 
> 

Thank you Bernhard,
thank you Viktor,

When I use s_client,
validation fails with error code 20 unable to get local issuer certificate.

-----------------------------------
16:07:29 ~/TMP/MUSIC -1- $ openssl s_client -connect radioalgerie.dz:443 </dev/null
CONNECTED(00000003)
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
  0 s:/CN=*.radioalgerie.dz
    i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
  1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
    i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
---
...
----------------------------------



However,
if I pipe the output of s_client to the verify command,
AND manually download the CA certificate beforehand to add it to the -untrusted flag,
verification works fine.

----------------------------------
16:11:10 ~/TMP/MUSIC -1- $ openssl s_client -connect radioalgerie.dz:443 </dev/null 2>/dev/null  | openssl verify -untrusted ~/DATA/CERTIFICATS/sectigo.pem
stdin: OK
16:11:23 ~/TMP/MUSIC -1- $
----------------------------------

Without that flag,
verification fails
----------------------------------
16:11:23 ~/TMP/MUSIC -1- $ openssl s_client -connect radioalgerie.dz:443 </dev/null 2>/dev/null  | openssl verify
stdin: CN = *.radioalgerie.dz
error 20 at 0 depth lookup:unable to get local issuer certificate
16:37:48 ~/TMP/MUSIC -1- $
----------------------------------


Isn't there a more straightforward way to validate online certificates,
like browsers do I guess,
without manually downloading the intermediate CA?

I can't help but make a parallel to the helpful dig +trace flag for example,
which kind of debugs the DNS query by requesting each name server for its specific zone information
starting from the root servers,
instead of just querying the locally configured name server.

-- 
Yassine -- sysadm
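A self-contained way to do both things asked for in this thread (print subject and issuer of every certificate in a chain, and check whether the leaf verifies against "Root X" through a given intermediate), as an added example that is not from the original thread or the OpenSSL project. It builds a throwaway Root X / Intermediate X / Intermediate Y PKI with the openssl CLI so it runs offline; the CA names, the leaf name www.example.test and the temp-dir paths are all constructed for the demo, and a real chain dumped with `openssl s_client -showcerts` can be fed to the same two functions.

```shell
# Added example: toy PKI + chain inspection + verification with the openssl CLI.
set -eu

# Build the toy PKI in directory $1. Only Intermediate X signs the leaf.
mkpki() {
  d=$1; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Root X" -days 2 \
    -keyout "$d/rootX.key" -out "$d/rootX.pem" 2>/dev/null
  for i in X Y; do   # two sibling intermediates, both issued by Root X
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Intermediate $i" \
      -keyout "$d/int$i.key" -out "$d/int$i.csr" 2>/dev/null
    openssl x509 -req -in "$d/int$i.csr" -CA "$d/rootX.pem" -CAkey "$d/rootX.key" \
      -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int$i.pem" 2>/dev/null
  done
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/intX.pem" -CAkey "$d/intX.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Print subject and issuer of every certificate in a PEM bundle, in bundle order.
# In a correct chain issuer(cert N) == subject(cert N+1); a mismatch is exactly
# the "Intermediate Y instead of X" mistake from the question.
chain_summary() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Verify leaf $3 against trust anchor $1, offering $2 as untrusted intermediates
# (the role of the manually downloaded sectigo.pem above). Prints "<leaf>: OK" and
# returns 0, or prints the verify error and returns non-zero.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1
}

# Demo: the broken chain from the question, "Cert < Intermediate Y < Root X".
T=$(mktemp -d); mkpki "$T"
cat "$T/leaf.pem" "$T/intY.pem" > "$T/broken.pem"
chain_summary "$T/broken.pem"            # cert 0 says issuer=Intermediate X, cert 1 is Y
verify_chain "$T/rootX.pem" "$T/intX.pem" "$T/leaf.pem"        # -> leaf.pem: OK
verify_chain "$T/rootX.pem" "$T/broken.pem" "$T/leaf.pem" || echo "wrong intermediate detected"
```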

