
View And Verify SSL Certificate

1-Sep-2020 | Computer Networking, The Protocols, The Tools

Environment used

  • CentOS 6.10 (Final)
    OpenSSL 1.0.1e-fips


Certificates used (a server certificate signed by a custom two-level CA)

  • Root CA: TrustMe Root CA
  • Intermediate CA: TrustMe Intermediate CA L1M
  • Signed Server Certificate: www.xyz.com
  1. Viewing CSR, Private Key, and SSL Certificates
    • Viewing the CSR (Certificate Signing Request) (Figure 1)
      • openssl req -text -noout -verify -in www.xyz.com.csr
        • > verify OK (-verify checks the CSR's self-signature against the public key inside it, which proves the requester holds the matching private key)
        • > Subject: (C, L, O, OU) CN=www.xyz.com
        • > Public Key Algorithm: rsaEncryption
        • > Public key length: 2048-bit
        • > Signature Algorithm: sha256WithRSAEncryption (SHA-256 hash signed with the RSA key)
    • Viewing the Private Key (Figure 2)
      • openssl rsa -in www.xyz.com.key -check -text -noout
        • > Prompts for the pass phrase if the private key is encrypted
        • > Private key length: 2048-bit
        • > RSA key ok (-check verifies that the key components are consistent with each other, e.g. that n = p*q and that d is the inverse of e)
    • Viewing the server SSL certificate (Figure 3)
      • openssl x509 -in www.xyz.com.crt -text -noout
        • > Issuer: (C, L, O, OU) CN=TrustMe Intermediate CA L1M
        • > Subject: (C, L, O, OU) CN=www.xyz.com
        • > Validity: Not Before, Not After (the certificate is only accepted between these two dates)
        • > Public Key Algorithm: rsaEncryption
        • > Public key length: 2048-bit
        • > Public key value: (…)
        • > X509v3 extensions: Extended Key Usage (TLS Web Server Authentication, TLS Web Client Authentication) and Subject Alternative Name (the DNS names a client matches the host name against; modern clients ignore the CN for this)
        • > Signature Algorithm: sha256WithRSAEncryption
        • > Signature value: (…)
    • Viewing the Intermediate CA certificate (Figure 4)
      • openssl x509 -in TrustMe_ICA.crt -text -noout
        • > Issuer: (C, L, O, OU) CN=TrustMe Root CA
        • > Subject: (C, L, O, OU) CN=TrustMe Intermediate CA L1M
        • > (remaining fields as for the server certificate; a CA certificate should additionally carry Basic Constraints CA:TRUE and a Key Usage that includes Certificate Sign, otherwise it cannot be used to build a chain)
    • Viewing the Root CA certificate (Figure 5)
      • openssl x509 -in TrustMe_RCA.crt -text -noout
        • > Issuer: (C, L, O, OU) CN=TrustMe Root CA
        • > Subject: (C, L, O, OU) CN=TrustMe Root CA (Issuer equals Subject: the root is self-signed, so it is trusted only because it is installed as a trust anchor, not because of its signature)
        • > (remaining fields as for the server certificate)
    • Viewing the CA certificate bundle (Root CA + Intermediate CA) (Figure 6)
      • openssl crl2pkcs7 -nocrl -certfile TrustMe_CA-bundle.crt | openssl pkcs7 -print_certs -text -noout
        • > (openssl x509 on its own prints only the first certificate of a file; wrapping the bundle in a PKCS#7 structure is how every certificate in it gets printed, in file order)
        • > Issuer: (C, L, O, OU) CN=TrustMe Root CA
        • > Subject: (C, L, O, OU) CN=TrustMe Root CA
        • > (remaining fields as for the server certificate)
        • > Issuer: (C, L, O, OU) CN=TrustMe Root CA
        • > Subject: (C, L, O, OU) CN=TrustMe Intermediate CA L1M
        • > (remaining fields as for the server certificate)
    • Viewing the installed SSL certificate on an SSL server
      • echo | openssl s_client -showcerts -connect <IP:port> 2>/dev/null | openssl x509 -inform pem -noout -text
        • > Only the first certificate the server sends (the server certificate itself) reaches openssl x509; drop the final pipe to see the whole chain that -showcerts prints
        • > On a server that hosts several names, add -servername <hostname> so that the SNI extension selects the right certificate
  2. Verifying SSL Certificates
      • Chain of Trust verification (Figure 7)
        • openssl verify -purpose sslserver -CAfile /var/tmp/TrustMe_ICA.crt /var/tmp/www.xyz.com.crt
          • > www.xyz.com.crt was signed by TrustMe_ICA.crt, so the first link of the chain is found
          • > But verification still fails ("unable to get issuer certificate" at depth 1), because the chain has to be built all the way up to a self-signed Root CA, and the Root is not in the CAfile
        • openssl verify -purpose sslserver -CAfile /var/tmp/TrustMe_RCA.crt /var/tmp/www.xyz.com.crt
          • > Verification fails ("unable to get local issuer certificate" at depth 0), because www.xyz.com.crt was NOT signed by TrustMe_RCA.crt
          • > TrustMe_RCA.crt is the Root CA, but the Intermediate certificate is still needed to link the server certificate to it
        • openssl verify -purpose sslserver -CAfile /var/tmp/TrustMe_CA-bundle.crt /var/tmp/www.xyz.com.crt
          • > Verification succeeds, because both the Intermediate CA and the Root CA are inside the bundle
          • > So the full chain of trust can be built (-purpose sslserver additionally checks that the server certificate's Key Usage/Extended Key Usage allow TLS server use and that every issuer in the chain is a CA certificate)
        • openssl verify -purpose sslserver -CAfile /var/tmp/TrustMe_RCA.crt /var/tmp/TrustMe_ICA.crt
          • > Verification succeeds, because TrustMe_ICA.crt was signed by TrustMe_RCA.crt, which is self-signed
          • > So the chain of trust is complete; checking the intermediate on its own like this helps to locate which link is broken when the full chain fails
      • Certificate and Private Key verification (Figure 8)
        • The CSR, the certificate and the private key belong together if the SHA256 digest of the public key extracted from each of them is identical (this works for any key type, not only RSA)
          • openssl req -in www.xyz.com.csr -pubkey -noout -outform pem | sha256sum
          • openssl pkey -in www.xyz.com.key -pubout -outform pem | sha256sum
          • openssl x509 -in www.xyz.com.crt -pubkey -noout -outform pem | sha256sum
        • Alternatively, for RSA keys, they belong together if the MD5 digest of the modulus is identical (MD5 is only used here to shorten a long hex string for comparison by eye, not as a security control)
          • openssl req -modulus -noout -in www.xyz.com.csr | openssl md5
          • openssl rsa -modulus -noout -in www.xyz.com.key | openssl md5
          • openssl x509 -modulus -noout -in www.xyz.com.crt | openssl md5
  3. Decrypting/Encrypting the Private Key (Figure 9)
    • Private Key decryption (prompts for the current pass phrase and writes the key out in plain text; keep the output file at mode 0600 and delete it once the server no longer needs it)
      • openssl rsa -in www.xyz.com.key -out www.xyz.com.plain.key
    • Private Key encryption (prompts for a new pass phrase and wraps the key with AES-256)
      • openssl rsa -aes256 -in www.xyz.com.plain.key -out www.xyz.com2.key
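The whole procedure of sections 1 to 3, as an added, runnable example that is not code from the original post: the script below builds a throw-away PKI in a temporary directory (a self-signed Root CA, a Root-signed Intermediate CA and an Intermediate-signed server certificate, reusing the TrustMe / www.xyz.com names from above) and then repeats the chain-of-trust checks, the public-key match and the key encryption/decryption against it. It goes slightly beyond the post by also showing the -untrusted form of openssl verify, where only the Root is trusted and the Intermediate is supplied as chain material. The file names, the simplified DNs, the extension file, the helper function names and the pass phrase are all assumptions made for this example; only the openssl CLI is needed.

```shell
#!/bin/sh
# Added example, not code from the original post: builds a throw-away PKI in
# a temporary directory (Root CA -> Intermediate CA -> server certificate,
# with the TrustMe / www.xyz.com names used above) and then repeats the
# view, verify, key-match and encrypt steps against it.  Needs only the
# openssl CLI.  Every file name, DN and the pass phrase is assumed test data.

PKI_DIR=$(mktemp -d)
PASS="pass:TrustMe-demo-passphrase"   # assumed demo pass phrase, not a real one

# Extensions for the two signing steps.  `openssl x509 -req` copies nothing
# from the CSR, so without an -extfile the signed certificate would carry
# no basicConstraints, Key Usage, EKU or SAN at all.
cat > "$PKI_DIR/ext.cnf" <<'EOF'
[ ica ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:www.xyz.com, DNS:xyz.com
EOF

# make_pki: self-signed root, root-signed intermediate, intermediate-signed
# server certificate, and the CA bundle (intermediate first, then root).
make_pki() (
    cd "$PKI_DIR" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=TrustMe/CN=TrustMe Root CA" -keyout rca.key -out rca.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=TrustMe/CN=TrustMe Intermediate CA L1M" -keyout ica.key -out ica.csr 2>/dev/null
    openssl x509 -req -days 1825 -in ica.csr -CA rca.crt -CAkey rca.key -CAcreateserial \
        -extfile ext.cnf -extensions ica -out ica.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=XYZ/CN=www.xyz.com" -keyout www.xyz.com.key -out www.xyz.com.csr 2>/dev/null
    openssl x509 -req -days 397 -in www.xyz.com.csr -CA ica.crt -CAkey ica.key -CAcreateserial \
        -extfile ext.cnf -extensions leaf -out www.xyz.com.crt 2>/dev/null
    cat ica.crt rca.crt > ca-bundle.crt
)

# chain_verify ARGS...: run `openssl verify ARGS...` and print OK or FAIL
# instead of exiting non-zero, so the outcomes can be compared side by side.
chain_verify() {
    if openssl verify "$@" 2>&1 | grep -q ': OK'; then echo OK; else echo FAIL; fi
}

# pubkey_sha256 KIND FILE: SHA-256 of the PEM public key taken from a CSR, a
# private key or a certificate; equal digests mean the same key pair.
pubkey_sha256() {
    case "$1" in
        csr) openssl req  -in "$2" -pubkey -noout ;;
        key) openssl pkey -in "$2" -pubout -passin "$PASS" ;;   # -passin is ignored for plain keys
        crt) openssl x509 -in "$2" -pubkey -noout ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# rsa_modulus_md5 KIND FILE: the RSA-only variant that compares the modulus.
rsa_modulus_md5() {
    case "$1" in
        csr) openssl req  -in "$2" -modulus -noout ;;
        key) openssl rsa  -in "$2" -modulus -noout -passin "$PASS" ;;
        crt) openssl x509 -in "$2" -modulus -noout ;;
    esac | openssl dgst -md5 | awk '{print $NF}'
}

# encrypt_key IN OUT / decrypt_key IN OUT: wrap the private key with AES-256
# under the demo pass phrase, or unwrap it.  The plaintext copy is created
# with mode 0600 (umask set in a subshell so the caller's umask is untouched).
encrypt_key() { openssl rsa -aes256 -in "$1" -out "$2" -passout "$PASS" 2>/dev/null; }
decrypt_key() { ( umask 077; openssl rsa -in "$1" -out "$2" -passin "$PASS" 2>/dev/null ); }
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# served_cert HOST PORT: the certificate a live server actually presents.
# -servername sends SNI, which matters on hosts serving several names; the
# trailing `openssl x509` only sees the first (server) certificate of the
# chain.  Needs a network, so it is defined but not called below.
served_cert() {
    echo | openssl s_client -servername "$1" -connect "$1:$2" -showcerts 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates
}

make_pki
cd "$PKI_DIR" || exit 1
echo "ICA only      : $(chain_verify -purpose sslserver -CAfile ica.crt www.xyz.com.crt)"        # FAIL
echo "root only     : $(chain_verify -purpose sslserver -CAfile rca.crt www.xyz.com.crt)"        # FAIL
echo "bundle        : $(chain_verify -purpose sslserver -CAfile ca-bundle.crt www.xyz.com.crt)"  # OK
echo "root+untrusted: $(chain_verify -purpose sslserver -CAfile rca.crt -untrusted ica.crt www.xyz.com.crt)"  # OK
# No -purpose here: the intermediate is a CA certificate, not a TLS server one.
echo "root -> ICA   : $(chain_verify -CAfile rca.crt ica.crt)"                                   # OK
echo "pubkey csr/key/crt: $(pubkey_sha256 csr www.xyz.com.csr) $(pubkey_sha256 key www.xyz.com.key) $(pubkey_sha256 crt www.xyz.com.crt)"
encrypt_key www.xyz.com.key www.xyz.com.enc.key
decrypt_key www.xyz.com.enc.key www.xyz.com.plain.key
echo "encrypted key still matches: $(pubkey_sha256 key www.xyz.com.enc.key)"
```

Two points worth noting when adapting this. First, -CAfile makes every certificate in the file a trust anchor, which is why the bundle check passes; the -untrusted form is closer to what a TLS client does, since only the Root is trusted and the Intermediate merely has to chain to it. Second, -purpose sslserver is a check on the server certificate: applied to the Intermediate on its own it complains that a CA certificate's Key Usage does not permit TLS server use. The verify tool in OpenSSL 1.0.x still printed OK after such purpose errors, so the last command of section 2 passes there, but OpenSSL 1.1.0 and later report "verification failed" for it, so the script leaves -purpose off when checking the Intermediate against the Root.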
