[WLUG] Which CA does my ssl certificate belong to on the file system

Carl T. Miller carl at carltm.com
Sat Jun 11 20:59:15 EDT 2016


If I understand correctly, you're saying you want to
know which installed CA certificate is used to verify
the certificates which you create.  Is that it?  If
so, just take a certificate that you created and run
the commands on it.

(create a file for each cert including the "BEGIN
CERTIFICATE" and "END CERTIFICATE" lines)
openssl x509 -noout -text -purpose -in onecert

c


Robert Steckroth wrote:
> Yes, thank you for the response Carl. I need to know what certificate
> corresponds with the installed CA certificates. It is not just the
> browsers which verify certificates with a CA-certificate, it is every
> platform that uses https. Therefore, in order to manually verify a
> remotely served certificate is trusted, I need to know which
> CA-certificate it was created from on the local file system. It just
> seems like a simple terminal command would locate the CA-certificate
> for any given certificate, but research has proved time consuming.
>
> On Sat, Jun 11, 2016 at 4:58 PM, Carl T. Miller <carl at carltm.com> wrote:
>
>> When you connect to a website with a browser (or the
>> openssl client) you get a copy of the certificate
>> directly from the webserver.  If you want to know where
>> the certificate is stored locally, you'd have to look
>> at the configuration of the webserver.
>>
>> You also mentioned a CA hosted through namecheap.  That
>> would give you the ability to create certificates.
>> You should be able to access the secret key file and
>> the certificate file for any certificate you have created.
>>
>> In addition to this, it is common for your browser to
>> use certificates to verify well-known CAs.  Look in your
>> browser's configuration to manage to view and, perhaps,
>> delete these certificates.
>>
>> So...the first paragraph describes a certificate in use.
>> The second describes a certificate which may or may not
>> be in use.  The third describes certificates which have
>> been installed, and can verify a certificate in use.
>>
>> My question to you...what certificate is it that you
>> want to find?  One you use currently, one that you
>> created, or one that has been installed?
>>
>> c
>>
>>
>> Robert Steckroth wrote:
>> > Well, I don't know then.. I am under the impression that when a remote
>> > server sends a certificate, it needs to be verified against the
>> > certificates in the local file system to ensure that there is no
>> > middleman.
>> > So, shouldn't openssl be able to return the local path to any certs
>> > which correspond to the one sent by the remote?
>> >
>> > On Sat, Jun 11, 2016 at 10:18 AM, Carl T. Miller <carl at carltm.com> wrote:
>> >
>> >> Hi Robert,
>> >>
>> >> You can use openssl to retrieve and view the certificates on a webserver.
>> >>
>> >> To retrieve all certs on a server:
>> >> openssl s_client -connect www.carltm.com:443 -showcerts | tee allcerts
>> >>
>> >> To view each cert:
>> >> (create a file for each cert including the "BEGIN CERTIFICATE" and
>> >> "END CERTIFICATE" lines)
>> >> openssl x509 -noout -text -purpose -in onecert
>> >>
>> >> I hope this helps with your investigation.
>> >>
>> >> c
>> >>
>> >>
>> >> Robert Steckroth wrote:
>> >> > Hello everyone, I have an interesting question for those of you
>> >> > with https experience.
>> >> > I have a certificate authority (through namecheap), chained to my
>> >> > ssl key/certificate which is distributed by an Ubuntu server. The
>> >> > https content server is nodejs and serves the ssl cert to three
>> >> > types of platforms: web browsers, git repositories, and a qt
>> >> > desktop application. The https server works fine on browsers (with
>> >> > the green https uri text). The problem is, I need to know where
>> >> > the CA certificate is kept on my local ubuntu file system in order
>> >> > to add it to the qt application and to the git config. I think
>> >> > maybe it is a cheap CA since git does not already know about the
>> >> > CA on the file system (it works if I add it manually via git
>> >> > config http.sslCAInfo). Anyways, I still would like to know if
>> >> > there is a terminal command to find which CA my cert belongs to on
>> >> > the file system. It seems that they are everywhere on it, jeesh.
>> >> > ______________________________________________________
>> >> > washlug mailing list    washlug web site
>> >> > washlug at washlug.org     www.washlug.org
>> >> > http://linux.marcdatabase.com/mailman/listinfo/washlug
>> >> >
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> > --
>> > <surgemcgee>
>> >
>>
>>
>>
>
>
>
> --
> <surgemcgee>
>
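
An added example, not part of the original thread: one way to answer the question asked here, by matching a certificate's issuer name hash against each CA file in a directory and then confirming the signature with that CA alone. The function name find_issuer and the default directory /etc/ssl/certs (Ubuntu's CA store) are assumptions.

```shell
#!/bin/sh
# Added example: report which CA file in a directory issued a certificate.
# find_issuer is a hypothetical helper name; /etc/ssl/certs is assumed (Ubuntu).
# Usage: find_issuer CERT.pem [CA_DIR]

find_issuer() {
    cert=$1
    ca_dir=${2:-/etc/ssl/certs}
    # Hash of the issuer name recorded in the certificate being traced.
    want=$(openssl x509 -noout -issuer_hash -in "$cert") || return 2
    # Empty CApath so "openssl verify" cannot fall back to the system store.
    empty=$(mktemp -d) || return 2
    found=1
    for ca in "$ca_dir"/*.pem "$ca_dir"/*.crt; do
        [ -f "$ca" ] || continue
        # Only the first certificate in each file is read; bundles are not split.
        have=$(openssl x509 -noout -subject_hash -in "$ca" 2>/dev/null) || continue
        [ "$have" = "$want" ] || continue
        # A matching name is not proof: two CAs can share a subject.
        # Confirm that this CA's key actually signed the certificate.
        if openssl verify -partial_chain -CAfile "$ca" -CApath "$empty" \
               "$cert" >/dev/null 2>&1; then
            printf '%s\n' "$ca"
            found=0
        fi
    done
    rmdir "$empty"
    return "$found"
}

# Run directly: ./find_issuer.sh onecert [/etc/ssl/certs]
if [ "$#" -gt 0 ]; then
    find_issuer "$@"
fi
```

An exit status of 1 with no output means no file in the directory both matches the issuer name and verifies the signature, which is the situation where git needs http.sslCAInfo pointed at the CA file by hand.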



