[WLUG] Which CA does my ssl certificate belong to on the file system

James Stroehmann jaymz at jaymz.org
Sun Jun 12 13:45:57 EDT 2016


Can you include the git command you are running and the error you see?  


------

> On Jun 12, 2016, at 12:01 PM, Robert Steckroth <robertsteckroth at gmail.com> wrote:
> 
> 
> corollarily ;)
> It seems that git is not using the Comodo CA chain in its internal workings. I need to switch registrars maybe..
> 
> 
>> On Sun, Jun 12, 2016 at 7:50 AM, Carl T. Miller <carl at carltm.com> wrote:
>> Any certificate that is created for use on a server
>> contains the info about the CA that can verify it.
>> And if there is a chain, it will have info for each
>> of the CAs.
>> 
>> If you want, just a copy of the certificate and I'll
>> run the commands and show you the output.
>> 
>> c
>> 
>> 
>> Robert Steckroth wrote:
>> > Well, the Certificate Authority made the certificate and I would like to
>> > know which chain it belongs with the local CA certificates. Maybe it
>> > requires many commands??
>> >
>> > On Sat, Jun 11, 2016 at 8:59 PM, Carl T. Miller <carl at carltm.com> wrote:
>> >
>> >> If I understand correctly, you're saying you want to
>> >> know which installed CA certificate is used to verify
>> >> the certificates which you create.  Is that it?  If
>> >> so, just take a certificate that you created and run
>> >> the commands on it.
>> >>
>> >> (create a file for each cert including the "BEGIN
>> >> CERTIFICATE" and "END CERTIFICATE" lines)
>> >> openssl x509 -noout -text -purpose -in onecert
>> >>
>> >> c
>> >>
>> >>
>> >> Robert Steckroth wrote:
>> >> > Yes, thank you for the response Carl. I need to know what certificate
>> >> > corresponds with the installed CA certificates. It is not just the
>> >> > browsers which verify certificates with a CA-certificate, it is every
>> >> > platform that uses https. Therefore, in order to manually verify a
>> >> > remotely served certificate is trusted, I need to know which
>> >> > CA-certificate it was created from on the local file system. It just
>> >> > seems like a simple terminal command would locate the CA-certificate
>> >> > for any given certificate, but research has proved time consuming.
>> >> >
>> >> > On Sat, Jun 11, 2016 at 4:58 PM, Carl T. Miller <carl at carltm.com> wrote:
>> >> >
>> >> >> When you connect to a website with a browser (or the
>> >> >> openssl client) you get a copy of the certificate
>> >> >> directly from the webserver.  If you want to know where
>> >> >> the certificate is stored locally, you'd have to look
>> >> >> at the configuration of the webserver.
>> >> >>
>> >> >> You also mentioned a CA hosted through namecheap.  That
>> >> >> would give you the ability to create certificates.
>> >> >> You should be able to access the secret key file and
>> >> >> the certificate file for any certificate you have created.
>> >> >>
>> >> >> In addition to this, it is common for your browser to
>> >> >> use certificates to verify well-known CAs.  Look in your
>> >> >> browser's configuration to manage to view and, perhaps,
>> >> >> delete these certificates.
>> >> >>
>> >> >> So...the first paragraph describes a certificate in use.
>> >> >> The second describes a certificate which may or may not
>> >> >> be in use.  The third describes certificates which have
>> >> >> been installed, and can verify a certificate in use.
>> >> >>
>> >> >> My question to you...what certificate is it that you
>> >> >> want to find?  One you use currently, one that you
>> >> >> created, or one that has been installed?
>> >> >>
>> >> >> c
>> >> >>
>> >> >>
>> >> >> Robert Steckroth wrote:
>> >> >> > Well, I don't know then.. I am under the impression that when a
>> >> >> > remote server sends a certificate, it needs to be verified against
>> >> >> > the certificates in the local file system to ensure that there is no
>> >> >> > middleman.
>> >> >> > So, shouldn't openssl be able to return the local path to any certs
>> >> >> > which correspond to the one sent by the remote?
>> >> >> >
>> >> >> > On Sat, Jun 11, 2016 at 10:18 AM, Carl T. Miller <carl at carltm.com> wrote:
>> >> >> >
>> >> >> >> Hi Robert,
>> >> >> >>
>> >> >> >> You can use openssl to retrieve and view the certificates on a
>> >> >> >> webserver.
>> >> >> >>
>> >> >> >> To retrieve all certs on a server:
>> >> >> >> openssl s_client -connect www.carltm.com:443 -showcerts | tee allcerts
>> >> >> >>
>> >> >> >> To view each cert:
>> >> >> >> (create a file for each cert including the "BEGIN CERTIFICATE" and
>> >> >> >> "END CERTIFICATE" lines)
>> >> >> >> openssl x509 -noout -text -purpose -in onecert
>> >> >> >>
>> >> >> >> I hope this helps with your investigation.
>> >> >> >>
>> >> >> >> c
>> >> >> >>
>> >> >> >>
>> >> >> >> Robert Steckroth wrote:
>> >> >> >> > Hello everyone, I have an interesting question for those of you
>> >> >> >> > with https experience.
>> >> >> >> > I have a certificate authority (through namecheap), chained to my
>> >> >> >> > ssl key/certificate which is distributed by a Ubuntu server. The
>> >> >> >> > https content server is nodejs and serves the ssl cert to three
>> >> >> >> > types of platforms: web browsers, git repositories, and a qt
>> >> >> >> > desktop application. The https server works fine on browsers (with
>> >> >> >> > the green https uri text). The problem is, I need to know where the
>> >> >> >> > CA certificate is kept on my local ubuntu file system in order to
>> >> >> >> > add it to the qt application and to the git config. I think maybe
>> >> >> >> > it is a cheap CA since git does not already know about the CA on
>> >> >> >> > the file system (it works if I add it manually via git config
>> >> >> >> > http.sslCAInfo). Anyways, I still would like to know if there is a
>> >> >> >> > terminal command to find which CA my cert belongs to on the file
>> >> >> >> > system. It seems that they are everywhere on it, jeesh.
>> >> >> >> > ______________________________________________________
>> >> >> >> > washlug mailing list    washlug web site
>> >> >> >> > washlug at washlug.org     www.washlug.org
>> >> >> >> > http://linux.marcdatabase.com/mailman/listinfo/washlug
>> >> >> >> >
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > --
>> >> >> > <surgemcgee>
>> >> >> >
>> >> >>
>> >> >>
>> >> >>
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > <surgemcgee>
>> >> >
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> > --
>> > <surgemcgee>
>> >
>> 
>> 
> 
> 
> 
> -- 
> <surgemcgee>
> 
> 
> 
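The lookup asked about in this thread, as an added example that is not part of the original messages: a certificate's issuer hash is the file name its CA carries in a hashed trust directory, so the issuing CA file can be located directly and then confirmed by signature. The function names `find_issuer_ca` and `make_demo_store`, the hashed-directory layout and OpenSSL 1.1.0 or later (for `-no-CApath`) are assumptions; the CA and leaf certificate are constructed sample data.

```shell
#!/bin/sh
# Added example: find the local CA file that issued a given certificate.
# Assumes a hashed CA directory (<subject_hash>.N names, as c_rehash or
# update-ca-certificates create) and OpenSSL 1.1.0+ for -no-CApath.

# find_issuer_ca CERT [CA_DIR]: print each CA in CA_DIR that signed CERT.
# Returns 0 if one was found, 1 if none, 2 if CERT cannot be parsed.
find_issuer_ca() {
    cert=$1; ca_dir=${2:-/etc/ssl/certs}; rc=1
    hash=$(openssl x509 -noout -issuer_hash -in "$cert" 2>/dev/null) || return 2
    for ca in "$ca_dir/$hash".*; do
        [ -e "$ca" ] || continue
        # Same hash only means same name; confirm the signature against
        # this one file, with the default trust directory switched off.
        if openssl verify -no-CApath -partial_chain -CAfile "$ca" "$cert" \
                >/dev/null 2>&1; then
            echo "$ca"; rc=0
        fi
    done
    return $rc
}

# make_demo_store DIR: constructed sample data (throwaway CA, one leaf,
# and a hashed directory DIR/certs holding the CA).
make_demo_store() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
    mkdir -p "$d/certs"
    cp "$d/ca.pem" \
        "$d/certs/$(openssl x509 -noout -subject_hash -in "$d/ca.pem").0"
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_demo_store "$demo"
find_issuer_ca "$demo/leaf.pem" "$demo/certs"   # prints .../certs/<hash>.0
```

A return code of 1 for a server certificate usually means its direct issuer is an intermediate that is not in the local directory; run the function on each certificate saved from `-showcerts` to see where the chain meets a locally installed CA.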