Verify a certificate chain using openssl verify

I'm building my own certificate chain with the following components:

Root Certificate - Intermediate Certificate - User Certificate

Root Cert is a self-signed certificate, Intermediate Certificate is signed by Root and User by Intermediate.

Now I want to verify that a User Certificate is anchored by the Root Certificate.

With

openssl verify -verbose -CAfile RootCert.pem Intermediate.pem

the validation is ok. In the next step I validate the User Cert with

openssl verify -verbose -CAfile Intermediate.pem UserCert.pem

and the validation shows

error 20 at 0 depth lookup:unable to get local issuer certificate

What is wrong?

Indra asked Oct 05 '22 05:10



2 Answers

From the verify documentation:

If a certificate is found which is its own issuer it is assumed to be the root CA.

In other words, the root CA needs to be self-signed for verify to work. This is why your second command didn't work. Try this instead:

openssl verify -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem

It will verify your entire chain in a single command.

Priyadi answered Oct 07 '22 17:10


That's one of the few legitimate jobs for cat:

openssl verify -verbose -CAfile <(cat Intermediate.pem RootCert.pem) UserCert.pem

Update:

As Greg Smethells points out in the comments, this command implicitly trusts Intermediate.pem. I recommend reading the first part of the post Greg references (the second part is specifically about pyOpenSSL and not relevant to this question).

In case the post goes away, I'll quote the important paragraphs:

Unfortunately, an "intermediate" cert that is actually a root / self-signed will be treated as a trusted CA when using the recommended command given above:

$ openssl verify -CAfile <(cat geotrust_global_ca.pem rogue_ca.pem) fake_sometechcompany_from_rogue_ca.com.pem
fake_sometechcompany_from_rogue_ca.com.pem: OK

It seems openssl will stop verifying the chain as soon as a root certificate is encountered, which may also be Intermediate.pem if it is self-signed. In that case RootCert.pem is not considered. So make sure that Intermediate.pem is coming from a trusted source before relying on the command above.

Peter answered Oct 07 '22 16:10