OpenSSL verify


Before you set up your certificates, it's a good idea to test them to ensure that they are correct and will work together. Here's how you can test the validity of an SSL certificate - also see below for additional checks, especially if your key or certificate is in a different format than .key or .crt:

Notes

  • For these examples, assume that certificate.crt is the certificate to be uploaded, certificate.key is the private key for that certificate, and that the certificate chain information is found in certificate-chain.crt.
  • This article assumes you have OpenSSL installed in a place you can test with it.
  • For full details on the OpenSSL flags, see the OpenSSL man page.
  1. Open a command prompt window and cd to the location of your existing certificate, and then verify the certificate chain by using the following command:
    openssl verify -CAfile certificate-chain.crt certificate.crt
    

    If the response is OK, the check is valid.

  2. Verify that the public keys contained in the private key file and the certificate are the same:
    openssl x509 -in certificate.crt -noout -pubkey
    openssl rsa -in certificate.key -pubout

    The output of these two commands should be exactly the same.

  3. Verify that the private key and public key are a key pair that match:
    openssl rsa -noout -modulus -in certificate.key | openssl md5
    openssl x509 -noout -modulus -in certificate.crt | openssl md5
    

    The output of these two commands must be exactly the same.

  4. Check the dates that the certificate is valid:
    openssl x509 -noout -in certificate.crt -dates

    Ensure that the current date is between the certificate's start and end dates.

  5. Check the order of your certificates.

    The most common reason for a certificate deployment to fail is that the intermediate/chain certificates are not in the correct order. One method of checking the order from the command line is:
    openssl crl2pkcs7 -nocrl -certfile $BUNDLED_CERT | openssl pkcs7 -print_certs -noout

    Your output should look similar to this:

    openssl crl2pkcs7 -nocrl -certfile $BUNDLED_CERT | openssl pkcs7 -print_certs -noout
    subject=/C=US/ST=Massachusetts/L=Boston/O=Acquia Inc/OU=Acquia Hosting/CN=acquia-sites.com
    issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA

    subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
    issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA

    subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
    issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA

    The list needs to end with the root certificate or the certificate closest to the root.
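
The order check in step 5 can be automated instead of read by eye. The script below is an added example, not part of the original article: the function names `check_chain_order`, `check_bundle` and `sample_output` are hypothetical, and `sample_output` simply replays the listing shown above.

```shell
#!/bin/sh
# Added example (not from the original article).
# check_chain_order reads `openssl pkcs7 -print_certs -noout` output on stdin
# and confirms each certificate's issuer is the subject of the next one.
# Exit status: 0 = in order, 1 = out of order, 2 = no certificates seen.
check_chain_order() {
    awk '
        /^subject=/ { sub(/^subject=[ ]*/, ""); subj[++n] = $0 }
        /^issuer=/  { sub(/^issuer=[ ]*/, "");  iss[n] = $0 }
        END {
            if (n == 0) { print "no certificates found"; exit 2 }
            for (i = 1; i < n; i++)
                if (iss[i] != subj[i + 1]) {
                    printf "cert %d: issuer \"%s\" is not the subject of cert %d\n", i, iss[i], i + 1
                    bad = 1
                }
            if (bad) exit 1
            if (iss[n] == subj[n])
                print "OK: " n " certificates in order, ending at a self-signed root"
            else
                print "OK: " n " certificates in order, last issued by \"" iss[n] "\""
        }'
}

# Run the command from step 5 on a bundle file and check its order.
check_bundle() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout | check_chain_order
}

# The sample listing from the article, for trying the check offline.
sample_output() {
    cat <<'EOF'
subject=/C=US/ST=Massachusetts/L=Boston/O=Acquia Inc/OU=Acquia Hosting/CN=acquia-sites.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA

subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA

subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
EOF
}

# When given a bundle path as an argument, check that file.
if [ "$#" -gt 0 ]; then check_bundle "$1"; fi
```

This compares names only, so it catches ordering mistakes but does not replace the signature check done by `openssl verify` in step 1.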

Other checks and format conversions

You may have a key or a certificate in a different format than the standard. You can read What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats? for more information on different key formats. Here are some checks you can use:

  • Check to see if your Test Key is in PEM format:

    openssl rsa -inform PEM -in /tmp/certificate.key
  • Check to see if your Test Certificate is in PEM format:

    openssl x509 -inform PEM -in /tmp/certificate.crt
  • View the entire contents of the certificate:

    openssl x509 -in certificate.crt -noout -text
  • Check to see if your Test Certificate is in DER format:

    openssl x509 -in certificate.crt -inform DER -text -noout
  • Convert a certificate in crt format to PEM:

    openssl x509 -in certificate.crt -out certificate.pem -outform PEM
  • Convert a DER format to PEM:

    openssl x509 -in certificate.der -inform DER -out certificate.pem -outform PEM
