<div dir="ltr">Well, the Certificate Authority made the certificate and I would like to know which chain it belongs with the local CA certificates. Maybe it requires many commands??</div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Jun 11, 2016 at 8:59 PM, Carl T. Miller <span dir="ltr"><<a href="mailto:carl@carltm.com" target="_blank">carl@carltm.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">If I understand correctly, you're saying you want to<br>
know which installed CA certificate is used to verify<br>
the certificates which you create. Is that it? If<br>
so, just take a certificate that you created and run<br>
the commands on it.<br>
<span class="im HOEnZb"><br>
(create a file for each cert including the "BEGIN<br>
CERTIFICATE" and "END CERTIFICATE" lines)<br>
openssl x509 -noout -text -purpose -in onecert<br>
<br>
</span><span class="HOEnZb"><font color="#888888">c<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
<br>
Robert Steckroth wrote:<br>
> Yes, thank you for the response Carl. I need to know what certificate<br>
> corresponds with the installed CA certificates. It is not just the<br>
> browsers<br>
> which verify certificates with a CA-certificate, it is every platform that<br>
> uses https. Therefore, in order to manually verify a remotely served<br>
> certificate is trusted, I need to know which CA-certificate it was created<br>
> from on the local file system. It just seems like a simple terminal<br>
> command<br>
> would locate the CA-certificate for any given certificate, but research<br>
> has<br>
> proved time consuming.<br>
><br>
> On Sat, Jun 11, 2016 at 4:58 PM, Carl T. Miller <<a href="mailto:carl@carltm.com">carl@carltm.com</a>> wrote:<br>
><br>
>> When you connect to a website with a browser (or the<br>
>> openssl client) you get a copy of the certificate<br>
>> directly from the webserver. If you want to know where<br>
>> the certificate is stored locally, you'd have to look<br>
>> at the configuration of the webserver.<br>
>><br>
>> You also mentioned a CA hosted through namecheap. That<br>
>> would give you the ability to create certificates.<br>
>> You should be able to access the secret key file and<br>
>> the certificate file for any certificate you have created.<br>
>><br>
>> In addition to this, it is common for your browser to<br>
>> use certificates to verify well-known CAs. Look in your<br>
>> browser's configuration to manage to view and, perhaps,<br>
>> delete these certificates.<br>
>><br>
>> So...the first paragraph describes a certificate in use.<br>
>> The second describes a certificate which may or may not<br>
>> be in use. The third describes certificates which have<br>
>> been installed, and can verify a certificate in use.<br>
>><br>
>> My question to you...what certificate is it that you<br>
>> want to find? One you use currently, one that you<br>
>> created, or one that has been installed?<br>
>><br>
>> c<br>
>><br>
>><br>
>> Robert Steckroth wrote:<br>
>> > Well, I don't know then.. I am under the impression that when a remote<br>
>> > server sends a certificate, it needs to be verified against the<br>
>> > certificates in the local file system to ensure that there is no<br>
>> > middleman.<br>
>> > So, shouldn't openssl be able to return the local path to any certs<br>
>> which<br>
>> > correspond to the one sent by the remote?<br>
>> ><br>
>> > On Sat, Jun 11, 2016 at 10:18 AM, Carl T. Miller <<a href="mailto:carl@carltm.com">carl@carltm.com</a>><br>
>> wrote:<br>
>> ><br>
>> >> Hi Robert,<br>
>> >><br>
>> >> You can use openssl to retrieve and view the certificates on a<br>
>> >> webserver.<br>
>> >><br>
>> >> To retrieve all certs on a server:<br>
>> >> openssl s_client -connect www.carltm.com:443 -showcerts | tee allcerts<br>
>> >><br>
>> >> To view each cert:<br>
>> >> (create a file for each cert including the "BEGIN CERTIFICATE" and<br>
>> >> "END CERTIFICATE" lines)<br>
>> >> openssl x509 -noout -text -purpose -in onecert<br>
>> >><br>
>> >> I hope this helps with your investigation.<br>
>> >><br>
>> >> c<br>
>> >><br>
>> >><br>
>> >> Robert Steckroth wrote:<br>
>> >> > Hello everyone, I have an interesting question for those of you with<br>
>> >> https<br>
>> >> > experience.<br>
>> >> > I have a certificate authority (through namecheap), chained to my<br>
>> ssl<br>
>> >> > key/certificate which is distributed by a Ubuntu server. The https<br>
>> >> content<br>
>> >> > server is nodejs and serves the ssl cert to three types of<br>
>> platforms:<br>
>> >> web<br>
>> >> > browsers, git repositories, and a qt desktop application. The https<br>
>> >> server<br>
>> >> > works fine on browsers (with the green https uri text). The problem<br>
>> >> is, I<br>
>> >> > need to know where the CA certificate is kept on my local ubuntu<br>
>> file<br>
>> >> > system in order to add it to the qt application and to the git<br>
>> config.<br>
>> >> I<br>
>> >> > think maybe it is a cheap CA since git does not already know about<br>
>> the<br>
>> >> CA<br>
>> >> > on the file system (it works if I add it manually via git config<br>
>> >> > http.sslCAInfo). Anyways, I still would like to know if there is a<br>
>> >> > terminal<br>
>> >> > command to find which CA my cert belongs to on the file system. It<br>
>> >> seems<br>
>> >> > that they are everywhere on it, jeesh.<br>
>> >> > ______________________________________________________<br>
>> >> > washlug mailing list washlug web site<br>
>> >> > <a href="mailto:washlug@washlug.org">washlug@washlug.org</a> <a href="http://www.washlug.org" rel="noreferrer" target="_blank">www.washlug.org</a><br>
>> >> > <a href="http://linux.marcdatabase.com/mailman/listinfo/washlug" rel="noreferrer" target="_blank">http://linux.marcdatabase.com/mailman/listinfo/washlug</a><br>
>> >> ><br>
>> >><br>
>> >><br>
>> >><br>
>> ><br>
>> ><br>
>> ><br>
>> > --<br>
>> > <surgemcgee><br>
>> ><br>
>><br>
>><br>
>><br>
><br>
><br>
><br>
> --<br>
> <surgemcgee><br>
><br>
<br>
<br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><surgemcgee><br><br><div><br></div><div><br></div></div></div>
</div>
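The question in this thread, which CA file in a local directory issued a given certificate, can be answered by comparing the certificate's issuer hash with each candidate's subject hash and then verifying the signature. The script below is an added example, not part of the original messages; the function names, the temporary directory layout and the constructed test CAs are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread; file and directory names are assumptions.

# split_certs BUNDLE OUTDIR: write each PEM block found in BUNDLE (e.g. saved
# `openssl s_client -showcerts` output) to OUTDIR/cert-N.pem.
split_certs() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; keep = 1 }
        keep { print > out }
        /-----END CERTIFICATE-----/ { keep = 0; close(out) }
    ' "$1"
}

# find_local_issuer CERT CADIR: print every file in CADIR whose subject name
# matches CERT's issuer name and whose public key verifies CERT's signature.
find_local_issuer() {
    want=$(openssl x509 -noout -issuer_hash -in "$1") || return 2
    for ca in "$2"/*; do
        [ -f "$ca" ] || continue
        have=$(openssl x509 -noout -subject_hash -in "$ca" 2>/dev/null) || continue
        [ "$have" = "$want" ] || continue
        # A matching name is not proof of issuance, so check the signature too.
        if openssl verify -partial_chain -CAfile "$ca" "$1" >/dev/null 2>&1; then
            echo "$ca"
        fi
    done
}

# demo: build a constructed CA, an unrelated CA and a leaf, then find the issuer.
demo() {
    d=$(mktemp -d) && mkdir "$d/store" "$d/split" || return 1
    for name in test-ca other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed $name" \
            -keyout "$d/$name.key" -out "$d/store/$name.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -days 1 -set_serial 1 -in "$d/leaf.csr" -CA "$d/store/test-ca.pem" \
        -CAkey "$d/test-ca.key" -out "$d/leaf.pem" 2>/dev/null || return 1
    # Stand-in for saved s_client output: a noise line, then leaf and CA.
    { echo "depth=0 CN = leaf.example"; cat "$d/leaf.pem" "$d/store/test-ca.pem"; } \
        > "$d/allcerts"
    split_certs "$d/allcerts" "$d/split"
    find_local_issuer "$d/split/cert-1.pem" "$d/store"
}

demo
```

On Ubuntu the directory to pass as CADIR is normally /etc/ssl/certs, where hash-named symlinks can make the same CA appear more than once in the output. If nothing is printed for the server's own certificate, its issuer is an intermediate that is not in the local store, so run the function on the later cert-N.pem files from the served chain.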