LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Home Forums Tutorials Articles Register
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Reload this Page [SOLVED] [OpenSSL] Check validity of x509 certificate signature chain
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-17-2012, 04:31 PM   #1
martvefun
Member
 
Registered: Apr 2010
Location: Belgium
Distribution: Archlinux
Posts: 53

Rep: Reputation: 1
Question [OpenSSL] Check validity of x509 certificate signature chain

Hello,

With my electronic id, I have a x509 certificate and I would like to check the validity of this certificate.

I exported and inspect the certificate using
Code:
$ pkcs15-tool --read-certificate 02 > mykey.crt
$ openssl x509 -in mykey.crt -issuer -noout
issuer= /C=BE/CN=Citizen CA/serialNumber=200801
I went to the official certificate repository website and downloaded the citizen200801.crt (cf serial number) file and the Belgium Root CA file (actually exporting them into PEM files using firefox).

I'm able to verify the CitizenCA certificate
Code:
$ openssl verify -CAfile BelgiumRootCA CitizenCA 
CitizenCA: OK
but I don't understand how to check my certificate
Code:
$ openssl verify -CAfile CitizenCA mykey.crt 
mykey.crt: C = BE, CN = Citizen CA, serialNumber = 200801
error 2 at 1 depth lookup:unable to get issuer certificate
Any idea ? Thank you
Last edited by martvefun; 02-17-2012 at 05:18 PM.
 
Old 02-18-2012, 02:59 AM   #2
War3zWad|0
Member
 
Registered: Sep 2011
Location: Houston, TX
Distribution: openSuSE, Fedora, CentOS, Debian,, and others
Posts: 84

Rep: Reputation: Disabled
If I recall correctly openSSL will not verify a Slef-Signed Certificate. But to test you would only use the following to verify a Certificate:
Code:
openssl verify mycert.pem
for some examples please refer to the following sites:
http://www.madboa.com/geek/openssl/#verify-standard

http://www.cyberciti.biz/faq/test-ss...l-certificate/



If you have you are using the certificate for a web server you could always put the certificate into place and then use the following website to check the certificate:

http://www.sslshopper.com/ssl-checker.html

hope this information helps
 
Old 02-18-2012, 04:57 AM   #3
martvefun
Member
 
Registered: Apr 2010
Location: Belgium
Distribution: Archlinux
Posts: 53

Original Poster
Rep: Reputation: 1
Ok I have found the solution, it was easy. I just needed to put the two certificates in the same file.

Code:
$ cat BelgiumRootCA CitizenCA > CAChain
$ openssl verify -CAfile CitizenCA mykey.crt
mykey.crt: OK
 
  


Reply



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
curlftpfs and x509 client certificate Al_ Linux - Server 1 10-25-2012 10:46 AM
OpenSSL x509: Expecting: CERTIFICATE REQUEST chakkerz Linux - Networking 5 06-10-2010 11:28 AM
ssh with DER x509 certificate umarzuki Linux - Security 3 09-14-2009 08:15 PM
Building a certificate chain from the certificate using openSSL aravinda78 Linux - Security 1 11-10-2008 01:51 AM
Help with x509 certificate and freeswan cmisip Linux - Security 3 08-18-2003 11:18 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:09 PM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration