MAC OS X, Linux, Windows and other IT Tips and Tricks

12 Dec 14 Verifying an SSL certificate chain

To check whether an SSL web site serves a complete, valid certificate chain, this simple command helps:
echo "" | openssl s_client -showcerts -servername web.site.com -connect web.site.com:443 -CApath /etc/ssl/certs/
Example:
echo " " | openssl s_client -showcerts -servername tipstricks.itmatrix.eu -connect tipstricks.itmatrix.eu:443 -CApath /etc/ssl/certs
Result (most important extract from the full output):
CONNECTED(00000003)
depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.itmatrix.eu
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.itmatrix.eu
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
...............

Explanation:
As seen in the chain check result above, each certificate in the chain has an Issuer (i:) line and a Subject (s:) line. For the chain to be complete and valid, the Issuer (i:) line of each certificate must be identical to the Subject (s:) line of the certificate at the next depth, and the last certificate (the root) must have identical Issuer and Subject lines, i.e. it is self-signed.
Same example again:
0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.itmatrix.eu
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
.
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
.
2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

Verifying the certificate chain using certificate files only(no web request)

The chain can also be verified locally with openssl, using only the certificate and CA files (no web request). One possibility is the openssl 'verify' command:
openssl verify -verbose -purpose sslserver -CAfile {CA_bundlefile.pem} {signed_certificate.pem}

Example:
openssl verify -verbose -purpose sslserver -CAfile Symantec_CA_G4_Bundle.pem my.certificate.com.CRT.pem
The results will be:
If it FAILS:
my.certificate.com.CRT.pem: C = DE, ST = Berlin, L = Berlin, O = my-company, OU = IT DEP, CN = my.company.com
error 20 at 0 depth lookup:unable to get local issuer certificate

OR if it succeeds:
my.certificate.com.CRT.pem: OK

Important note:
If the CA bundle file contains more than one intermediate certificate, the lowest level CA must be at the bottom of the file.
eg.
-----BEGIN CERTIFICATE-----
......Intermediate CA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
......Root CA
-----END CERTIFICATE-----

Another method is to run this script:

CA_Chain_check.sh {CA_bundlefile.pem} {signed_certificate.pem}
eg.
CA_Chain_check.sh Symantec_CA_G4_Bundle.pem my.certificate.com.CRT.pem
Content of the script CA_Chain_check.sh:
#!/bin/bash
# Displays the Issuer and Subject of each certificate file given as argument.
# Note: openssl x509 only reads the first certificate of a file, so for a
# bundle holding several certificates only the first one is shown.
for file in "$@" ; do
    openssl x509 -in "$file" -noout -text | grep -E 'Issuer:|Subject:'
done

For the CA chain validation to succeed, the Subject: line of the first file (the CA bundle) must match the Issuer: line of the second file (the web certificate):
eg.
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Subject: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
Subject: C=DE, ST=Berlin, L=Berlin, O = my-company, OU = IT DEP, CN = my.company.com
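CA_Chain_check.sh only shows the first certificate of each file, so a bundle with several intermediates is not fully checked. The following script is an added example (not from the original post) that splits every PEM block out of the given files and verifies that the Issuer of each certificate equals the Subject of the next, the same i:/s: linking shown above. It assumes openssl and awk are on the PATH and that the files are given leaf first, then the CA bundle.

```shell
#!/bin/sh
# Added example, not part of the original post or of CA_Chain_check.sh.
# Walks every certificate in the PEM files given (leaf first, then the CA
# bundle) and checks that the Issuer of each one equals the Subject of the
# next, i.e. that the chain links up the way the i:/s: lines above do.
# Assumes: openssl and awk on PATH; arguments are PEM files (a bundle may
# hold several certificates; openssl x509 alone would only read the first).

# Print "subject=..." and "issuer=..." lines for each certificate, in file order.
cert_names() {
    cat "$@" | awk '
        /-----BEGIN CERTIFICATE-----/ { blk = "" }
        { blk = blk $0 "\n" }
        /-----END CERTIFICATE-----/ {
            printf "%s", blk | "openssl x509 -noout -subject -issuer"
            close("openssl x509 -noout -subject -issuer")
        }'
}

# Read subject/issuer line pairs on stdin and report each broken link.
# Returns 0 if every issuer matches the next subject, 1 otherwise.
check_links() {
    prev_issuer="" subject="" n=0 rc=0
    while read -r subject && read -r issuer; do
        subject=${subject#subject=}
        issuer=${issuer#issuer=}
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "BROKEN before cert $n: issuer '$prev_issuer' != subject '$subject'"
            rc=1
        fi
        prev_issuer=$issuer
        n=$((n + 1))
    done
    [ "$n" -gt 0 ] || { echo "no certificates found"; return 1; }
    if [ "$prev_issuer" = "$subject" ]; then
        echo "chain ends in a self-signed root ($n certificates)"
    else
        echo "chain ends at '$subject'; root CA not included ($n certificates)"
    fi
    return $rc
}

# Usage: chain_check.sh my.certificate.com.CRT.pem Symantec_CA_G4_Bundle.pem
if [ "$#" -gt 0 ]; then
    cert_names "$@" | check_links
fi
```

The root is reported but not required, since many bundles deliberately leave it out and rely on the client's trust store.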

How do I verify that a private key matches a certificate?

Ref: //ssl.comodo.com/support/ssl-technical-faqs/how-do-i-verify-that-a-private-key-matches-a-certificate-openssl.php
To verify that a private key matches its certificate, compare the modulus of the certificate with the modulus of the private key.
Use the following command to view (an MD5 hash of) the modulus of the certificate:
openssl x509 -noout -modulus -in server.crt | openssl md5
This prints a hash of the modulus, something like a77c7953ea5283056a0c9ad75b274b96
Use the following command to view the modulus hash of the private key:
openssl rsa -noout -modulus -in myserver.key | openssl md5
If the certificate and the key file match, you get the same hash as for the certificate above, i.e. a77c7953ea5283056a0c9ad75b274b96
