In the world of so many types and variations of available certificates it is sometimes difficult to be sure that the components of a certificate fit together. For this purpose, here are some commands that will help.

Verifying a certificate chain

Whether the certificates are web certificates or CA (Certificate Authority) certificates, all the components, from the root CA down to the final web certificate, must follow a certain order. With up-to-date browsers the CA certificates normally do not need to be configured in the web server. There is a risk, though, that a browser that is not kept up-to-date will see the site as insecure although the certificate is valid. To remedy that, it is advised to add all the certificates involved, starting with the main root CA down to the CA that was used to sign the web certificate. This is known as a 'CA chain'.
Since the certificates are in PEM format (base64 encoded), how can this be checked?
Here is a method that shows the certificate chain so that we can verify it visually:

Create a file where the first certificate in the file is the last in the chain (the web certificate).
Example of content:
-----BEGIN CERTIFICATE-----
(web certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate CA)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(root CA)
-----END CERTIFICATE-----

Command:
cat myCert.pem IntermCA.pem rootCA.pem > chain.pem
Perl/OpenSSL method:
Display the certificate chain in reverse time sequence (web certificate first, root CA last). Each PEM block of chain.pem is piped separately into openssl x509, which prints its subject and issuer:
perl -n0777e 'map { print "---\n"; open(CMD, "| openssl x509 -noout -subject -issuer"); print CMD; close(CMD) } /^-----BEGIN.*?^-----END.*?\n/gsm' chain.pem

Example of output:
---
subject= /C=DE/ST=Berlin/L=Berlin/O=My Company GmbH/OU=Corp IT/OU=Terms of use at www.verisign.com/rpa (c)05/CN=my.website.com
issuer= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
subject= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
issuer= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
subject= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

Note: The chain is valid, reading from the bottom to the top of the above example, when the subject= of the lower certificate is the same as the issuer= of the one above it.
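Added example (not from the original post): a small POSIX shell script that automates the visual check above by splitting chain.pem into its certificates with awk and comparing, via openssl x509, each certificate's issuer with the next one's subject, and finally requiring a self-signed root at the end. It also builds a constructed throwaway chain (the names Sample Root CA, Sample Intermediate CA and my.website.example are made up) so the check can be tried offline; it assumes openssl and awk are installed.

```shell
# check_chain FILE: split a PEM bundle (web certificate first, root last) into
# single certificates, require issuer(cert i) == subject(cert i+1) for every
# pair, and require the last certificate to be self-signed. Exit status 0 means
# the chain links; 1 means a break was found.
check_chain() {
    work=$(mktemp -d) || return 2
    # One file per certificate: cert.1, cert.2, ... in file order.
    awk -v dir="$work" '/^-----BEGIN CERTIFICATE-----/ { n++ }
                        { print > (dir "/cert." n) }' "$1"
    i=1; rc=0; prev_issuer=""; subject=""
    while [ -f "$work/cert.$i" ]; do
        subject=$(openssl x509 -noout -subject -in "$work/cert.$i" | sed 's/^subject=//')
        issuer=$(openssl x509 -noout -issuer -in "$work/cert.$i" | sed 's/^issuer=//')
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "break: certificate $((i-1)) was issued by '$prev_issuer'," \
                 "but certificate $i is '$subject'" >&2
            rc=1
        fi
        prev_issuer=$issuer
        i=$((i+1))
    done
    # The chain must be non-empty and end in a self-signed root (subject == issuer).
    if [ "$i" -eq 1 ] || [ "$prev_issuer" != "$subject" ]; then
        echo "the last certificate is not a self-signed root" >&2
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

# make_sample_chain DIR: constructed root -> intermediate -> web chain with
# throwaway keys (1-day validity), only to exercise check_chain offline.
# chain.pem is in the right order; broken.pem omits the intermediate CA.
make_sample_chain() {
    d="$1"; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Sample Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -set_serial 2 -in "$d/int.csr" \
        -CA "$d/root.pem" -CAkey "$d/root.key" -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=my.website.example" \
        -keyout "$d/web.key" -out "$d/web.csr" 2>/dev/null
    openssl x509 -req -days 1 -set_serial 3 -in "$d/web.csr" \
        -CA "$d/int.pem" -CAkey "$d/int.key" -out "$d/web.pem" 2>/dev/null
    cat "$d/web.pem" "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
    cat "$d/web.pem" "$d/root.pem" > "$d/broken.pem"
}
# Usage: make_sample_chain /tmp/chaintest && check_chain /tmp/chaintest/chain.pem
```

On a real bundle run check_chain chain.pem directly; the exit status makes it usable from deployment scripts.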

The GnuTLS method:
Install the Debian package gnutls-bin (it provides certtool):
apt-get install gnutls-bin
Issue the command:
certtool --verify-chain --infile chain.pem
Example of output:
Certificate[0]: C=DE,ST=Berlin,L=Berlin,O=My Company GmbH,OU=Corp IT,OU=Terms of use at www.verisign.com/rpa (c)05,CN=my.website.com
Issued by: C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)10,CN=VeriSign Class 3 Secure Server CA - G3
Verifying against certificate[1].
Verification output: Verified.
.
Certificate[1]: C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)10,CN=VeriSign Class 3 Secure Server CA - G3
Issued by: C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,CN=VeriSign Class 3 Public Primary Certification Authority - G5
Verifying against certificate[2].
Verification output: Verified.
.
Certificate[2]: C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,CN=VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,CN=VeriSign Class 3 Public Primary Certification Authority - G5
certtool: the last certificate is not self signed

Note: certtool checks each certificate against the next one in the file and expects the file to end with a self-signed root CA certificate; the last line above means that this final check did not pass for the last certificate in chain.pem.

Verifying the validity period of a certificate

openssl x509 -in my.certificate.pem -noout -text | egrep 'Not Before:|Not After :'

Extracting (in .pem format) the CRT, CA and private KEY from a PKCS#12 file (.pfx or .p12)

                        +---> usercrt.pem  CRT (Certificate)
                        |
user.pfx   -------------+---> cacrt.pem    CA  (humm...CA!)
user.p12                |
                        +---> userkey.pem  KEY (Private key)

Extract the user certificate contained within the PKCS#12 file:
openssl pkcs12 -in user.pfx -nokeys -clcerts -out usercrt.pem

Extract the CA certificate(s) contained within the PKCS#12 file:
Note: If the PKCS#12 file is a .pfx exported from the MSIE browser, then the resulting file might be empty. :-(
openssl pkcs12 -in user.pfx -nokeys -cacerts -out cacrt.pem

Extract the private key contained within the PKCS#12 file:
(Warning: the resulting file userkey.pem is not encrypted!
Don’t keep it around for longer than strictly needed!).
openssl pkcs12 -in user.pfx -nocerts -nodes -out userkey.pem

At this stage I assume you have three PEM files called:
usercrt.pem (the user certificate)
cacrt.pem (the CA certificate(s))
userkey.pem (private key)

To check the certificate info run the following command:
openssl x509 -in usercrt.pem -noout -text

TESTING the matching between KEY – CSR – CRT files.

Reference: https://www.sslshopper.com/certificate-key-matcher.html
The Certificate Key Matcher simply compares an md5 hash of the private key modulus,
the certificate modulus, or the CSR modulus and tells you whether they match or not.
You can check whether a certificate matches a private key,
or a CSR matches a certificate on your own computer by using the OpenSSL commands below:
e.g.
openssl x509 -noout -modulus -in certificate.crt | openssl md5
33c63cb62080fdf2bc06c47a59e02917
openssl rsa -noout -modulus -in privateKey.key | openssl md5
33c63cb62080fdf2bc06c47a59e02917
openssl req -noout -modulus -in CSR.csr | openssl md5
33c63cb62080fdf2bc06c47a59e02917

All three results above should be the same. Note: this modulus comparison only applies to RSA keys, and md5 serves here only as a short fingerprint for comparing the three values, not as a security measure.

Generating a self-signed certificate for VSFTP

openssl req -x509 -nodes -days 3650 -newkey rsa:1024 -keyout /etc/ssl/certs/vsftpd.pem -out /etc/ssl/certs/vsftpd.pem

Note: 1024-bit RSA keys are rejected by current clients, so use rsa:2048 or larger. Because -nodes leaves the private key unencrypted and the command writes key and certificate into the same file, make sure that file is readable only by root.
