[WLUG] Which CA does my ssl certificate belong to on the file system

Robert Steckroth robertsteckroth at gmail.com
Sun Jun 12 12:01:55 EDT 2016


corollarily ;)
It seems that git is not using the Comodo CA chain in its internal
workings. I need to switch registrars maybe..


On Sun, Jun 12, 2016 at 7:50 AM, Carl T. Miller <carl at carltm.com> wrote:

> Any certificate that is created for use on a server
> contains the info about the CA that can verify it.
> And if there is a chain, it will have info for each
> of the CAs.
>
> If you want, just a copy of the certificate and I'll
> run the commands and show you the output.
>
> c
>
>
> Robert Steckroth wrote:
> > Well, the Certificate Authority made the certificate and I would like to
> > know which chain it belongs with the local CA certificates. Maybe it
> > requires many commands??
> >
> > On Sat, Jun 11, 2016 at 8:59 PM, Carl T. Miller <carl at carltm.com> wrote:
> >
> >> If I understand correctly, you're saying you want to
> >> know which installed CA certificate is used to verify
> >> the certificates which you create.  Is that it?  If
> >> so, just take a certificate that you created and run
> >> the commands on it.
> >>
> >> (create a file for each cert including the "BEGIN
> >> CERTIFICATE" and "END CERTIFICATE" lines)
> >> openssl x509 -noout -text -purpose -in onecert
> >>
> >> c
> >>
> >>
> >> Robert Steckroth wrote:
> >> > Yes, thank you for the response Carl. I need to know what certificate
> >> > corresponds with the installed CA certificates. It is not just the
> >> > browsers which verify certificates with a CA-certificate, it is every
> >> > platform that uses https. Therefore, in order to manually verify a
> >> > remotely served certificate is trusted, I need to know which
> >> > CA-certificate it was created from on the local file system. It just
> >> > seems like a simple terminal command would locate the CA-certificate
> >> > for any given certificate, but research has proved time consuming.
> >> >
> >> > On Sat, Jun 11, 2016 at 4:58 PM, Carl T. Miller <carl at carltm.com> wrote:
> >> >
> >> >> When you connect to a website with a browser (or the
> >> >> openssl client) you get a copy of the certificate
> >> >> directly from the webserver.  If you want to know where
> >> >> the certificate is stored locally, you'd have to look
> >> >> at the configuration of the webserver.
> >> >>
> >> >> You also mentioned a CA hosted through namecheap.  That
> >> >> would give you the ability to create certificates.
> >> >> You should be able to access the secret key file and
> >> >> the certificate file for any certificate you have created.
> >> >>
> >> >> In addition to this, it is common for your browser to
> >> >> use certificates to verify well-known CAs.  Look in your
> >> >> browser's configuration to manage to view and, perhaps,
> >> >> delete these certificates.
> >> >>
> >> >> So...the first paragraph describes a certificate in use.
> >> >> The second describes a certificate which may or may not
> >> >> be in use.  The third describes certificates which have
> >> >> been installed, and can verify a certificate in use.
> >> >>
> >> >> My question to you...what certificate is it that you
> >> >> want to find?  One you use currently, one that you
> >> >> created, or one that has been installed?
> >> >>
> >> >> c
> >> >>
> >> >>
> >> >> Robert Steckroth wrote:
> >> >> > Well, I don't know then.. I am under the impression that when a
> >> >> > remote server sends a certificate, it needs to be verified against
> >> >> > the certificates in the local file system to ensure that there is no
> >> >> > middleman. So, shouldn't openssl be able to return the local path to
> >> >> > any certs which correspond to the one sent by the remote?
> >> >> >
> >> >> > On Sat, Jun 11, 2016 at 10:18 AM, Carl T. Miller <carl at carltm.com> wrote:
> >> >> >
> >> >> >> Hi Robert,
> >> >> >>
> >> >> >> You can use openssl to retrieve and view the certificates on a
> >> >> >> webserver.
> >> >> >>
> >> >> >> To retrieve all certs on a server:
> >> >> >> openssl s_client -connect www.carltm.com:443 -showcerts | tee allcerts
> >> >> >>
> >> >> >> To view each cert:
> >> >> >> (create a file for each cert including the "BEGIN CERTIFICATE" and
> >> >> >> "END CERTIFICATE" lines)
> >> >> >> openssl x509 -noout -text -purpose -in onecert
> >> >> >>
> >> >> >> I hope this helps with your investigation.
> >> >> >>
> >> >> >> c
> >> >> >>
> >> >> >>
> >> >> >> Robert Steckroth wrote:
> >> >> >> > Hello everyone, I have an interesting question for those of you
> >> >> >> > with https experience.
> >> >> >> > I have a certificate authority (through namecheap), chained to my
> >> >> >> > ssl key/certificate which is distributed by a Ubuntu server. The
> >> >> >> > https content server is nodejs and serves the ssl cert to three
> >> >> >> > types of platforms: web browsers, git repositories, and a qt
> >> >> >> > desktop application. The https server works fine on browsers (with
> >> >> >> > the green https uri text). The problem is, I need to know where the
> >> >> >> > CA certificate is kept on my local ubuntu file system in order to
> >> >> >> > add it to the qt application and to the git config. I think maybe
> >> >> >> > it is a cheap CA since git does not already know about the CA on
> >> >> >> > the file system (it works if I add it manually via git config
> >> >> >> > http.sslCAInfo). Anyways, I still would like to know if there is a
> >> >> >> > terminal command to find which CA my cert belongs to on the file
> >> >> >> > system. It seems that they are everywhere on it, jeesh.
> >> >> >> > ______________________________________________________
> >> >> >> > washlug mailing list    washlug web site
> >> >> >> > washlug at washlug.org     www.washlug.org
> >> >> >> > http://linux.marcdatabase.com/mailman/listinfo/washlug
> >> >> >> >
> >> >> >
> >> >> >
> >> >> >
> >> >> > --
> >> >> > <surgemcgee>
> >> >> >
> >> >
> >> >
> >> >
> >> > --
> >> > <surgemcgee>
> >> >
> >
> >
> >
> > --
> > <surgemcgee>
> >



-- 
<surgemcgee>
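
An added example (not part of the original thread) of the lookup asked about here: given a certificate, report which file in a hashed CA directory issued it. It assumes the `openssl` CLI (1.1.0 or later) and a directory of `<subject_hash>.N` links such as Ubuntu's `/etc/ssl/certs`; `find_issuer_ca`, `make_demo_pki` and the demo certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: the sample PKI below is constructed; names are hypothetical.

# find_issuer_ca CERT [CA_DIR]
# Print the real path of every CA file in CA_DIR that issued CERT.
find_issuer_ca() {
    cert=$1
    ca_dir=${2:-/etc/ssl/certs}
    # Hash of CERT's issuer name. OpenSSL looks up trust anchors in a
    # directory by this value: files are named <subject_hash>.0, .1, ...
    hash=$(openssl x509 -noout -issuer_hash -in "$cert") || return 2
    for candidate in "$ca_dir/$hash".*; do
        [ -e "$candidate" ] || continue
        # A matching name is not proof: check the signature against this
        # one file only (-no-CApath keeps the default store out of it).
        if openssl verify -no-CApath -partial_chain \
                -CAfile "$candidate" "$cert" >/dev/null 2>&1; then
            readlink -f "$candidate"
        fi
    done
}

# make_demo_pki DIR: constructed root CA + leaf, with DIR/store laid out
# like a hashed CA directory (what c_rehash / update-ca-certificates build).
make_demo_pki() {
    d=$1
    mkdir -p "$d/store"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Demo Root" \
        -keyout "$d/ca.key" -out "$d/store/demo-root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -days 1 -CAcreateserial \
        -CA "$d/store/demo-root.pem" -CAkey "$d/ca.key" \
        -out "$d/leaf.pem" >/dev/null 2>&1
    h=$(openssl x509 -noout -subject_hash -in "$d/store/demo-root.pem")
    ln -s demo-root.pem "$d/store/$h.0"
}

# Usage: sh find_issuer_ca.sh cert.pem [ca_dir]
if [ "$#" -ge 1 ]; then
    find_issuer_ca "$@"
fi
```

For a server that sends a chain, run it on the last certificate saved from `openssl s_client -showcerts`, since the leaf's issuer is usually an intermediate that is not in the local store.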