 

openSSL certificate-verification on Linux [closed]

Tags:

openssl


I have this chain of certificates: rcert.pem (self-signed) --> scert.pem --> ccert.pem

All three certificates are generated by me. No internet connection is used anywhere. This is completely offline work. Now, below are some commands and their output:

hari@harikrishna:~/hari$ openssl verify rcert.pem
rcert.pem: C = IN, ST = OM, L = OM, O = HARI, OU = HARI, CN = OM, emailAddress = OM
error 18 at 0 depth lookup:self signed certificate
OK
hari@harikrishna:~/hari$ openssl verify -CAfile rcert.pem scert.pem
scert.pem: OK
hari@harikrishna:~/hari$ openssl verify -CAfile rcert.pem rcert.pem
rcert.pem: OK
hari@harikrishna:~/hari$ openssl verify -CAfile rcert.pem -untrusted scert.pem ccert.pem
ccert.pem: C = IN, ST = HARI, L = HARI, O = HARI, OU = HARI, CN = HARI, emailAddress = HARI
error 24 at 1 depth lookup:invalid CA certificate
OK

Why is error 24 created? How do I remove it? Is it something to do with trusted or untrusted?

Thank you.

harihardik asked Nov 08 '12 18:11


1 Answer

Got the answer to my own question:

1) Created the root CA certificate with these commands:

openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem

openssl x509 -req -in rootreq.pem -sha1 -signkey rootkey.pem -out rootcert.pem

2) Installed the CA certificate as a trusted certificate with the following commands:

sudo mkdir /usr/share/ca-certificates/extra

sudo cp rootcert.pem /usr/share/ca-certificates/extra/rootcert.crt

sudo dpkg-reconfigure ca-certificates

sudo update-ca-certificates

3) Created the intermediate certificate, signed by the root CA, with the following commands:

openssl req -newkey rsa:1024 -sha1 -keyout skey.pem -out sreq.pem

sudo openssl x509 -req -in sreq.pem -sha1 -CA /etc/ssl/certs/rootcert.pem -CAkey rootkey.pem -CAcreateserial -out scert.pem

4) Created the client certificate, signed by the intermediate CA, with the following commands:

openssl req -newkey rsa:1024 -sha1 -keyout ckey.pem -out creq.pem

openssl x509 -req -in creq.pem -sha1 -CA scert.pem -CAkey skey.pem -CAcreateserial -out ccert.pem

Now the chain of trust is working fine:

1) Verification of the root CA

openssl verify rootcert.pem 
rootcert.pem: OK

2) Verification of the intermediate CA

openssl verify scert.pem 
scert.pem: OK

3) Verification of the client certificate

openssl verify -CAfile scert.pem ccert.pem
ccert.pem: OK
harihardik answered Sep 29 '22 11:09
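The error 24 from the question, reproduced and then fixed in an added example that is not part of the original question or answer: a certificate signed with plain openssl x509 -req, as in the answer's commands, carries no basicConstraints=CA:TRUE extension, and OpenSSL refuses to accept such a non-self-signed certificate as a CA for the next link in the chain (X509_V_ERR_INVALID_CA, "invalid CA certificate" at depth 1). The script assumes a POSIX shell and an openssl binary on PATH; the file names, subjects and the ca.ext extension file are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): build root -> intermediate -> leaf
# twice, once with the intermediate lacking basicConstraints=CA:TRUE (reproduces
# "error 24 at 1 depth lookup: invalid CA certificate") and once with it present.
# All file names, subjects and ca.ext are constructed for this demo.
set -eu

# build_and_verify DIR yes|no
# Creates the chain in DIR and returns 0 only if `openssl verify` accepts the leaf.
build_and_verify() (
    dir=$1; with_ext=$2
    mkdir -p "$dir" && cd "$dir"
    # X.509v3 extensions that mark a certificate as usable for signing other certificates
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

    # Root CA: self-signed and explicitly marked CA:TRUE
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root' \
        -keyout rootkey.pem -out rootreq.pem 2>/dev/null
    openssl x509 -req -in rootreq.pem -signkey rootkey.pem -days 1 \
        -extfile ca.ext -out rcert.pem 2>/dev/null

    # Intermediate: signed by the root, with or without the CA extensions
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
        -keyout skey.pem -out sreq.pem 2>/dev/null
    ext=''
    [ "$with_ext" = yes ] && ext='-extfile ca.ext'
    # $ext is deliberately unquoted so that it expands to two arguments (or none)
    openssl x509 -req -in sreq.pem -CA rcert.pem -CAkey rootkey.pem -CAcreateserial \
        -days 1 $ext -out scert.pem 2>/dev/null

    # Leaf: signed by the intermediate; an end-entity certificate needs no CA extensions
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Leaf' \
        -keyout ckey.pem -out creq.pem 2>/dev/null
    openssl x509 -req -in creq.pem -CA scert.pem -CAkey skey.pem -CAcreateserial \
        -days 1 -out ccert.pem 2>/dev/null

    # Same invocation as in the question: root trusted, intermediate untrusted, leaf under test
    openssl verify -CAfile rcert.pem -untrusted scert.pem ccert.pem
)

if [ "${1:-}" = demo ]; then
    echo '--- intermediate without CA:TRUE (reproduces error 24):'
    build_and_verify "$(mktemp -d)" no || true
    echo '--- intermediate with basicConstraints=CA:TRUE:'
    build_and_verify "$(mktemp -d)" yes
fi
```

Run it as `sh chain-demo.sh demo` to see both verify results side by side; the fix for the answer's setup is the same -extfile on the intermediate's openssl x509 -req command.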