Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

Topic review - How to check HTTPS site certificate chain with OpenSSL
Author Message
Post subject: How to check HTTPS site certificate chain with OpenSSL  |  Posted: Fri Oct 04, 2013 10:39 am
Some free Certificate Authorities on the internet are not root CAs, but intermediate-level CAs. This means that they will sign one's SSL certificate, but they are not recognized by the browser because most browsers only recognize root CAs.

How to see the certificate chain of an HTTPS website:
Code:
# openssl s_client -connect ivorde.ro:443 -tls1
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/description=mc70f5sU6H9LaX1x/C=NL/CN=webmail.ivorde.ro/emailAddress=postmaster@ivorde.ro
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority


The above chain can be interpreted as:
1. The certificate is issued for CN=webmail.ivorde.ro and is signed by CN=StartCom Class 1 Primary Intermediate Server CA.
2. The certificate CN=StartCom Class 1 Primary Intermediate Server CA is signed by CN=StartCom Certification Authority.
3. The certificate CN=StartCom Certification Authority is signed by itself (CN=StartCom Certification Authority) and is the top or last level, the root CA.

Checking your browser's incorporated CAs, you can see "StartCom Ltd." -> StartCom Certification Authority listed as a recognized CA (Firefox).
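
The manual reading of the chain above can be scripted. The following is an added example, not part of the original post: a shell function (`chain_report`, a hypothetical name) that reads `openssl s_client` output on stdin and checks that each certificate's issuer equals the subject of the next one, with the chain lines from the post embedded as sample input. It assumes the one-line `/C=.../CN=...` name format shown in the post.

```shell
#!/bin/sh
# Added example. chain_report and page_sample are hypothetical helper names.
# Reads `openssl s_client` output on stdin and checks that each certificate's
# issuer DN equals the subject DN of the next certificate in the chain.
# This compares names only; it does not verify any signature.
chain_report() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }          # section ends at "---"
        in_chain && /^ *[0-9]+ s:/ {                   # "0 s:<subject DN>"
            n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next
        }
        in_chain && n && /^ *i:/ {                     # "   i:<issuer DN>"
            sub(/^ *i:/, ""); iss[n] = $0; next
        }
        END {
            if (n == 0) { print "no chain found"; exit 2 }
            bad = 0
            for (k = 1; k <= n; k++) {
                if (k < n) {
                    if (iss[k] == subj[k + 1]) st = "linked"
                    else { st = "BROKEN"; bad = 1 }
                } else if (iss[k] == subj[k]) st = "self-signed-root"
                else st = "issuer-not-sent"
                printf "%d %s %s\n", k - 1, st, subj[k]
            }
            exit bad      # 0 = every link matches, 1 = a link is broken
        }'
}

# Chain lines copied from the s_client output quoted in the post.
page_sample() {
    cat <<'EOF'
Certificate chain
0 s:/description=mc70f5sU6H9LaX1x/C=NL/CN=webmail.ivorde.ro/emailAddress=postmaster@ivorde.ro
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
EOF
}

page_sample | chain_report
```

A status of `issuer-not-sent` on the last line means the server did not include the root, which is common; `BROKEN` means a certificate between the leaf and the root is missing or out of order.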
All times are UTC - 5 hours [ DST ]