Use the openssl verify function to verify a certificate chain.
openssl verify certificate chain
To verify a certificate and its chain for a given website, run the following command:
openssl verify -CAfile chain.pem www.example.org.pem
Where -CAfile chain.pem is the downloaded certificate chain installed at the site and www.example.org.pem is the downloaded end entity server cert. You can download the certificate chain by visiting the website and using your browser tools to export the chain. Alternatively, you can use the examples at openssl_s_client to get the chain from the command line.
You can also add the -x509_strict flag for strict compliance.
To verify the intermediates and root separately, use the -untrusted flag. Note that -untrusted can be used once for a certificate chain bundle of intermediates, or can be used more than once for each intermediate in a separate file.
openssl verify -CAfile root.pem -untrusted intermediate.pem www.example.org.pem
Add the -show_chain flag to output the certificate chain and corresponding depth of each certificate in the chain.
openssl verify -show_chain -CAfile chain.pem www.example.org.pem
openssl verify certificate and CRL
To verify a certificate with it’s CRL, download the certificate and get its CRL Distribution Point.
openssl x509 -noout -text -in www.example.org.pem | grep -A 4 'X509v3 CRL Distribution Points'
In the output you should see the CRL url.
Next, download the CRL with the wget function. It will be in der format, so we will be converting it to pem format for the openssl verify function to work.
wget -O crl.der http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1.crl
Next, convert the crl to pem format with the openssl crl function:
openssl crl -inform DER -in crl.der -outform PEM -out crl.pem
Next, concatenate the the chain and the crl into one file:
cat chain.pem crl.pem > crl_chain.pem
Finally, verify the certificate with its CRL:
openssl verify -crl_check -CAfile crl_chain.pem www.example.org.pem
You should see an OK message. If the certificate has been revoked, you will see a lookup:certificate revoked message.
Java verify certificate
You may find it useful to programmatically verify a certificate, a certificate chain, or a certificate path with Java. For this, you can use the java security package.
Here is a Java code sample for verifying a certificate chain with java security. For the complete example with the ability to build a jar artifact to run locally for the certificate validation, view the GitHub repository.
public static boolean validateCertificateChain(final List<X509Certificate> certificates) {
for (int i = 0; i < certificates.size(); i++) {
try {
if (i == certificates.size() - 1) {
if (isSelfSigned(certificates.get(i))) {
certificates.get(i).verify(certificates.get(i).getPublicKey());
}
} else {
certificates.get(i).verify(certificates.get(i + 1).getPublicKey());
}
} catch (Exception e) {
return false;
}
}
return true;
}To follow along in this piece of code:
- pass in an ordered list of certificates as a parameter, starting from the leaf and ending with the root, to be validated.
- Loop through the list of certificates.
- If the certificate is the last in the list, check if it is self-signed. If it is not self signed, do nothing and stop validation (this will pass even though it’s an incomplete chain). If it is, verify the signature of the certificate with its own public key.
- If the certificate was not last in the list, verify the signature of the certificate with the public key of the next certificate in the list.
- If at any point verification fails an exception will be caught and the method will return false. Else, the method will return true.
To verify a certificate path these steps can be followed programmatically with code or by hand using the openssl commands above.
Leave a Reply