
martvefun 02-17-2012 04:31 PM

[OpenSSL] Check validity of x509 certificate signature chain
 
Hello,

With my electronic ID, I have an x509 certificate and I would like to check the validity of this certificate.

I exported and inspected the certificate using
Code:

$ pkcs15-tool --read-certificate 02 > mykey.crt
$ openssl x509 -in mykey.crt -issuer -noout
issuer= /C=BE/CN=Citizen CA/serialNumber=200801

I went to the official certificate repository website and downloaded the citizen200801.crt (cf serial number) file and the Belgium Root CA file (actually exporting them into PEM files using firefox).

I'm able to verify the CitizenCA certificate
Code:

$ openssl verify -CAfile BelgiumRootCA CitizenCA
CitizenCA: OK

but I don't understand how to check my certificate
Code:

$ openssl verify -CAfile CitizenCA mykey.crt
mykey.crt: C = BE, CN = Citizen CA, serialNumber = 200801
error 2 at 1 depth lookup:unable to get issuer certificate

Any idea? Thank you

War3zWad|0 02-18-2012 02:59 AM

If I recall correctly, OpenSSL will not verify a Self-Signed Certificate. But to test you would only use the following to verify a Certificate:
Code:

openssl verify mycert.pem

For some examples, please refer to the following sites:
http://www.madboa.com/geek/openssl/#verify-standard

http://www.cyberciti.biz/faq/test-ss...l-certificate/



If you are using the certificate for a web server, you could always put the certificate into place and then use the following website to check the certificate:

http://www.sslshopper.com/ssl-checker.html

Hope this information helps.

martvefun 02-18-2012 04:57 AM

Ok I have found the solution, it was easy. I just needed to put the two certificates in the same file.

Code:

$ cat BelgiumRootCA CitizenCA > CAChain
$ openssl verify -CAfile CAChain mykey.crt
mykey.crt: OK
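
The behaviour from this thread, reproduced as an added example that is not part of the original posts: it builds a constructed chain of root, intermediate and holder certificate (all names and files are made up) and shows that `openssl verify` fails when only the intermediate is in `-CAfile` and succeeds once the root is in the file too. It goes one step beyond the thread by also trusting only the root and passing the intermediate with `-untrusted`.

```shell
#!/bin/sh
# Added example: constructed three-level chain; every name and file here is made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CA extensions used for the root and the intermediate.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
              'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/ca.ext"

# new_csr NAME CN: fresh RSA key plus a certificate signing request.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
new_csr root  "Demo Root CA"
new_csr inter "Demo Intermediate CA"
new_csr leaf  "Demo Holder"

# Root is self-signed; the intermediate is signed by the root; the leaf by the intermediate.
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -days 2 -out "$WORK/root.pem" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -days 2 -out "$WORK/inter.pem" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 2 -out "$WORK/leaf.pem" 2>/dev/null

# Same step as in the thread: root and intermediate concatenated into one trust file.
cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/chain.pem"

# chain_ok ARGS...: true only if `openssl verify ARGS` reports "<file>: OK".
chain_ok() {
    openssl verify "$@" 2>&1 | grep -q ': OK$'
}

# report LABEL ARGS...: print the outcome of one verification attempt.
report() {
    label=$1; shift
    if chain_ok "$@"; then echo "$label: OK"; else echo "$label: FAILED"; fi
}

report "intermediate only"   -CAfile "$WORK/inter.pem" "$WORK/leaf.pem"
report "root + intermediate" -CAfile "$WORK/chain.pem" "$WORK/leaf.pem"
report "root trusted, intermediate untrusted" \
    -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem"
```

With `-untrusted`, the intermediate is only used to build the path and still has to chain up to the root in `-CAfile`, so the trust decision rests on the root alone.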


