<div dir="ltr">Yes, thank you for the response Carl. I need to know what certificate corresponds with the installed CA certificates. It is not just the browsers which verify certificates with a CA-certificate, it is every platform that uses https. Therefore, in order to manually verify a remotely served certificate is trusted, I need to know which CA-certificate it was created from on the local file system. It just seems like a simple terminal command would locate the CA-certificate for any given certificate, but research has proved time consuming. </div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Jun 11, 2016 at 4:58 PM, Carl T. Miller <span dir="ltr"><<a href="mailto:carl@carltm.com" target="_blank">carl@carltm.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">When you connect to a website with a browser (or the<br>
openssl client) you get a copy of the certificate<br>
directly from the webserver. If you want to know where<br>
the certificate is stored locally, you'd have to look<br>
at the configuration of the webserver.<br>
<br>
You also mentioned a CA hosted through namecheap. That<br>
would give you the ability to create certificates.<br>
You should be able to access the secret key file and<br>
the certificate file for any certificate you have created.<br>
<br>
In addition to this, it is common for your browser to<br>
use certificates to verify well-known CAs. Look in your<br>
browser's configuration to manage, view and, perhaps,<br>
delete these certificates.<br>
<br>
So...the first paragraph describes a certificate in use.<br>
The second describes a certificate which may or may not<br>
be in use. The third describes certificates which have<br>
been installed, and can verify a certificate in use.<br>
<br>
My question to you...what certificate is it that you<br>
want to find? One you use currently, one that you<br>
created, or one that has been installed?<br>
<span class="HOEnZb"><font color="#888888"><br>
c<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
<br>
Robert Steckroth wrote:<br>
> Well, I don't know then.. I am under the impression that when a remote<br>
> server sends a certificate, it needs to be verified against the<br>
> certificates in the local file system to ensure that there is no<br>
> middleman.<br>
> So, shouldn't openssl be able to return the local path to any certs which<br>
> correspond to the one sent by the remote?<br>
><br>
> On Sat, Jun 11, 2016 at 10:18 AM, Carl T. Miller <<a href="mailto:carl@carltm.com">carl@carltm.com</a>> wrote:<br>
><br>
>> Hi Robert,<br>
>><br>
>> You can use openssl to retrieve and view the certificates on a<br>
>> webserver.<br>
>><br>
>> To retrieve all certs on a server:<br>
>> openssl s_client -connect <a href="http://www.carltm.com:443" rel="noreferrer" target="_blank">www.carltm.com:443</a> -showcerts | tee allcerts<br>
>><br>
>> To view each cert:<br>
>> (create a file for each cert including the "BEGIN CERTIFICATE" and<br>
>> "END CERTIFICATE" lines)<br>
>> openssl x509 -noout -text -purpose -in onecert<br>
>><br>
>> I hope this helps with your investigation.<br>
>><br>
>> c<br>
>><br>
>><br>
>> Robert Steckroth wrote:<br>
>> > Hello everyone, I have an interesting question for those of you with<br>
>> https<br>
>> > experience.<br>
>> > I have a certificate authority (through namecheap), chained to my ssl<br>
>> > key/certificate which is distributed by a Ubuntu server. The https<br>
>> content<br>
>> > server is nodejs and serves the ssl cert to three types of platforms:<br>
>> web<br>
>> > browsers, git repositories, and a qt desktop application. The https<br>
>> server<br>
>> > works fine on browsers (with the green https uri text). The problem<br>
>> is, I<br>
>> > need to know where the CA certificate is kept on my local ubuntu file<br>
>> > system in order to add it to the qt application and to the git config.<br>
>> I<br>
>> > think maybe it is a cheap CA since git does not already know about the<br>
>> CA<br>
>> > on the file system (it works if I add it manually via git config<br>
>> > http.sslCAInfo). Anyways, I still would like to know if there is a<br>
>> > terminal<br>
>> > command to find which CA my cert belongs to on the file system. It<br>
>> seems<br>
>> > that they are everywhere on it, jeesh.<br>
>> > ______________________________________________________<br>
>> > washlug mailing list washlug web site<br>
>> > <a href="mailto:washlug@washlug.org">washlug@washlug.org</a> <a href="http://www.washlug.org" rel="noreferrer" target="_blank">www.washlug.org</a><br>
>> > <a href="http://linux.marcdatabase.com/mailman/listinfo/washlug" rel="noreferrer" target="_blank">http://linux.marcdatabase.com/mailman/listinfo/washlug</a><br>
>> ><br>
>><br>
>><br>
>><br>
><br>
><br>
><br>
> --<br>
> <surgemcgee><br>
><br>
<br>
<br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><surgemcgee><br><br><div><br></div><div><br></div></div></div>
</div>
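An added example, not part of the thread or any participant's code, of the lookup asked about above: split saved `-showcerts` output into one file per certificate, then map a certificate to the CA file on disk that issued it. It assumes the `openssl` CLI and an OpenSSL-style hashed CA directory (Ubuntu's `/etc/ssl/certs`); the function names and the throwaway demo CA are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI and an
# OpenSSL-style hashed CA directory such as Ubuntu's /etc/ssl/certs.

# split_chain FILE PREFIX: write each PEM block in saved `-showcerts`
# output to PREFIX1.pem, PREFIX2.pem, ... (server certificate first).
split_chain() {
    awk -v p="$2" '/-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
        on { print > (p n ".pem") }
        /-----END CERTIFICATE-----/ { on = 0 }' "$1"
}

# find_issuer CERT [CADIR]: print the real path of the CA file in CADIR
# that issued CERT; return 1 if no installed CA matches.
find_issuer() {
    cadir=${2:-/etc/ssl/certs}
    # Hashed directories name each CA <subject-hash>.<n>, so the issuer
    # hash of CERT is the filename stem to look for.
    hash=$(openssl x509 -noout -issuer_hash -in "$1") || return 2
    for cand in "$cadir/$hash".*; do
        [ -e "$cand" ] || continue
        # A name match is only a hint; require the signature to verify
        # against this candidate alone (-trusted ignores the default store).
        if openssl verify -partial_chain -trusted "$cand" "$1" >/dev/null 2>&1
        then
            readlink -f "$cand"
            return 0
        fi
    done
    return 1
}

# make_demo_store DIR: constructed sample data. Builds a throwaway root CA,
# a leaf it signs, and a one-entry hashed directory DIR/store.
make_demo_store() {
    dir=$1; mkdir -p "$dir/store"
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
        'prompt=no' '[dn]' 'CN=Constructed Demo Root' '[ca]' \
        'basicConstraints=critical,CA:TRUE' > "$dir/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$dir/ca.cnf" -days 2 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj '/CN=leaf.example' -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.pem" 2>/dev/null
    ln -s ../ca.pem "$dir/store/$(openssl x509 -noout -subject_hash -in "$dir/ca.pem").0"
}
```

Servers normally send their intermediates while the trust store holds roots, so on a real chain run `find_issuer` on the last file `split_chain` writes rather than on the server certificate itself.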