[WLUG] Which CA does my ssl certificate belong to on the file system

Robert Steckroth robertsteckroth at gmail.com
Sat Jun 11 22:06:59 EDT 2016


Well, the Certificate Authority made the certificate and I would like to
know which chain it belongs with the local CA certificates. Maybe it
requires many commands??

On Sat, Jun 11, 2016 at 8:59 PM, Carl T. Miller <carl at carltm.com> wrote:

> If I understand correctly, you're saying you want to
> know which installed CA certificate is used to verify
> the certificates which you create.  Is that it?  If
> so, just take a certificate that you created and run
> the commands on it.
>
> (create a file for each cert including the "BEGIN
> CERTIFICATE" and "END CERTIFICATE" lines)
> openssl x509 -noout -text -purpose -in onecert
>
> c
>
>
> Robert Steckroth wrote:
> > Yes, thank you for the response Carl. I need to know what certificate
> > corresponds with the installed CA certificates. It is not just the
> > browsers which verify certificates with a CA-certificate, it is every
> > platform that uses https. Therefore, in order to manually verify a
> > remotely served certificate is trusted, I need to know which
> > CA-certificate it was created from on the local file system. It just
> > seems like a simple terminal command would locate the CA-certificate
> > for any given certificate, but research has proved time consuming.
> >
> > On Sat, Jun 11, 2016 at 4:58 PM, Carl T. Miller <carl at carltm.com> wrote:
> >
> >> When you connect to a website with a browser (or the
> >> openssl client) you get a copy of the certificate
> >> directly from the webserver.  If you want to know where
> >> the certificate is stored locally, you'd have to look
> >> at the configuration of the webserver.
> >>
> >> You also mentioned a CA hosted through namecheap.  That
> >> would give you the ability to create certificates.
> >> You should be able to access the secret key file and
> >> the certificate file for any certificate you have created.
> >>
> >> In addition to this, it is common for your browser to
> >> use certificates to verify well-known CAs.  Look in your
> >> browser's configuration to manage to view and, perhaps,
> >> delete these certificates.
> >>
> >> So...the first paragraph describes a certificate in use.
> >> The second describes a certificate which may or may not
> >> be in use.  The third describes certificates which have
> >> been installed, and can verify a certificate in use.
> >>
> >> My question to you...what certificate is it that you
> >> want to find?  One you use currently, one that you
> >> created, or one that has been installed?
> >>
> >> c
> >>
> >>
> >> Robert Steckroth wrote:
> >> > Well, I don't know then.. I am under the impression that when a remote
> >> > server sends a certificate, it needs to be verified against the
> >> > certificates in the local file system to ensure that there is no
> >> > middleman.
> >> > So, shouldn't openssl be able to return the local path to any certs
> >> > which correspond to the one sent by the remote?
> >> >
> >> > On Sat, Jun 11, 2016 at 10:18 AM, Carl T. Miller <carl at carltm.com> wrote:
> >> >
> >> >> Hi Robert,
> >> >>
> >> >> You can use openssl to retrieve and view the certificates on a
> >> >> webserver.
> >> >>
> >> >> To retrieve all certs on a server:
> >> >> openssl s_client -connect www.carltm.com:443 -showcerts | tee allcerts
> >> >>
> >> >> To view each cert:
> >> >> (create a file for each cert including the "BEGIN CERTIFICATE" and
> >> >> "END CERTIFICATE" lines)
> >> >> openssl x509 -noout -text -purpose -in onecert
> >> >>
> >> >> I hope this helps with your investigation.
> >> >>
> >> >> c
> >> >>
> >> >>
> >> >> Robert Steckroth wrote:
> >> >> > Hello everyone, I have an interesting question for those of you with
> >> >> > https experience.
> >> >> > I have a certificate authority (through namecheap), chained to my ssl
> >> >> > key/certificate which is distributed by an Ubuntu server. The https
> >> >> > content server is nodejs and serves the ssl cert to three types of
> >> >> > platforms: web browsers, git repositories, and a qt desktop
> >> >> > application. The https server works fine on browsers (with the green
> >> >> > https uri text). The problem is, I need to know where the CA
> >> >> > certificate is kept on my local ubuntu file system in order to add it
> >> >> > to the qt application and to the git config. I think maybe it is a
> >> >> > cheap CA since git does not already know about the CA on the file
> >> >> > system (it works if I add it manually via git config
> >> >> > http.sslCAInfo). Anyways, I still would like to know if there is a
> >> >> > terminal command to find which CA my cert belongs to on the file
> >> >> > system. It seems that they are everywhere on it, jeesh.
> >> >> > ______________________________________________________
> >> >> > washlug mailing list    washlug web site
> >> >> > washlug at washlug.org     www.washlug.org
> >> >> > http://linux.marcdatabase.com/mailman/listinfo/washlug



-- 
<surgemcgee>
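
Added example (not part of the original thread): one way to answer the question above is to compute the certificate's issuer hash and look it up in the hashed CA directory, then confirm the signature against that one candidate. It assumes OpenSSL 1.1.0 or later and a hashed directory such as Ubuntu's /etc/ssl/certs; `find_issuer_ca` and `make_constructed_sample` are hypothetical helper names, and the sample certificates are constructed throwaway data. When the server's certificate was signed by an intermediate, run it on the top-most certificate saved from the `-showcerts` output rather than on the server certificate itself.

```shell
#!/bin/sh
# Added example: locate the local CA certificate that issued a given certificate.
# Assumes OpenSSL 1.1.0+ and a hashed CA directory (Ubuntu: /etc/ssl/certs).

# find_issuer_ca CERT [CADIR]
# Prints the real path of each CA file in CADIR that signed CERT; returns 1 if none.
find_issuer_ca() {
    cert=$1
    cadir=${2:-/etc/ssl/certs}
    found=1
    # Hashed CA directories name each entry <subject-hash>.<n>, so the issuer
    # hash of CERT is the file name to look for.
    ihash=$(openssl x509 -noout -issuer_hash -in "$cert") || return 2
    for ca in "$cadir/$ihash".*; do
        [ -e "$ca" ] || continue
        # A matching name is not proof: check the signature against this one
        # candidate only, ignoring the system default CA directory.
        if openssl verify -partial_chain -no-CApath -CAfile "$ca" "$cert" \
                >/dev/null 2>&1; then
            readlink -f "$ca"   # resolve the hash symlink to the real file
            found=0
        fi
    done
    return $found
}

# make_constructed_sample DIR
# Builds throwaway test data (constructed, not from the thread): a self-signed
# CA, a leaf signed by it, an unrelated self-signed cert, and a hashed CA dir.
make_constructed_sample() {
    d=$1
    mkdir -p "$d/ca"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
    cp "$d/ca.pem" "$d/ca/$(openssl x509 -noout -subject_hash -in "$d/ca.pem").0"
}
```

The printed path is the file to pass to `git config http.sslCAInfo` or to load into the Qt application.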