<div dir="ltr"><br>corollarily ;)<div>It seems that git is not using the Comodo CA chain in its internal workings. I need to switch registrars maybe..</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Jun 12, 2016 at 7:50 AM, Carl T. Miller <span dir="ltr"><<a href="mailto:carl@carltm.com" target="_blank">carl@carltm.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Any certificate that is created for use on a server<br>
contains the info about the CA that can verify it.<br>
And if there is a chain, it will have info for each<br>
of the CAs.<br>
<br>
If you want, just send a copy of the certificate and I'll<br>
run the commands and show you the output.<br>
<div class="HOEnZb"><div class="h5"><br>
c<br>
<br>
<br>
Robert Steckroth wrote:<br>
> Well, the Certificate Authority made the certificate and I would like to<br>
> know which chain it belongs with the local CA certificates. Maybe it<br>
> requires many commands??<br>
><br>
> On Sat, Jun 11, 2016 at 8:59 PM, Carl T. Miller <<a href="mailto:carl@carltm.com">carl@carltm.com</a>> wrote:<br>
><br>
>> If I understand correctly, you're saying you want to<br>
>> know which installed CA certificate is used to verify<br>
>> the certificates which you create. Is that it? If<br>
>> so, just take a certificate that you created and run<br>
>> the commands on it.<br>
>><br>
>> (create a file for each cert including the "BEGIN<br>
>> CERTIFICATE" and "END CERTIFICATE" lines)<br>
>> openssl x509 -noout -text -purpose -in onecert<br>
>><br>
>> c<br>
>><br>
>><br>
>> Robert Steckroth wrote:<br>
>> > Yes, thank you for the response Carl. I need to know what certificate<br>
>> > corresponds with the installed CA certificates. It is not just the browsers<br>
>> > which verify certificates with a CA-certificate, it is every platform that<br>
>> > uses https. Therefore, in order to manually verify a remotely served<br>
>> > certificate is trusted, I need to know which CA-certificate it was created<br>
>> > from on the local file system. It just seems like a simple terminal command<br>
>> > would locate the CA-certificate for any given certificate, but research has<br>
>> > proved time consuming.<br>
>> ><br>
>> > On Sat, Jun 11, 2016 at 4:58 PM, Carl T. Miller <<a href="mailto:carl@carltm.com">carl@carltm.com</a>> wrote:<br>
>> ><br>
>> >> When you connect to a website with a browser (or the<br>
>> >> openssl client) you get a copy of the certificate<br>
>> >> directly from the webserver. If you want to know where<br>
>> >> the certificate is stored locally, you'd have to look<br>
>> >> at the configuration of the webserver.<br>
>> >><br>
>> >> You also mentioned a CA hosted through namecheap. That<br>
>> >> would give you the ability to create certificates.<br>
>> >> You should be able to access the secret key file and<br>
>> >> the certificate file for any certificate you have created.<br>
>> >><br>
>> >> In addition to this, it is common for your browser to<br>
>> >> use certificates to verify well-known CAs. Look in your<br>
>> >> browser's configuration to manage to view and, perhaps,<br>
>> >> delete these certificates.<br>
>> >><br>
>> >> So...the first paragraph describes a certificate in use.<br>
>> >> The second describes a certificate which may or may not<br>
>> >> be in use. The third describes certificates which have<br>
>> >> been installed, and can verify a certificate in use.<br>
>> >><br>
>> >> My question to you...what certificate is it that you<br>
>> >> want to find? One you use currently, one that you<br>
>> >> created, or one that has been installed?<br>
>> >><br>
>> >> c<br>
>> >><br>
>> >><br>
>> >> Robert Steckroth wrote:<br>
>> >> > Well, I don't know then.. I am under the impression that when a remote<br>
>> >> > server sends a certificate, it needs to be verified against the<br>
>> >> > certificates in the local file system to ensure that there is no<br>
>> >> > middleman.<br>
>> >> > So, shouldn't openssl be able to return the local path to any certs which<br>
>> >> > correspond to the one sent by the remote?<br>
>> >> ><br>
>> >> > On Sat, Jun 11, 2016 at 10:18 AM, Carl T. Miller <<a href="mailto:carl@carltm.com">carl@carltm.com</a>> wrote:<br>
>> >> ><br>
>> >> >> Hi Robert,<br>
>> >> >><br>
>> >> >> You can use openssl to retrieve and view the certificates on a<br>
>> >> >> webserver.<br>
>> >> >><br>
>> >> >> To retrieve all certs on a server:<br>
>> >> >> openssl s_client -connect <a href="http://www.carltm.com:443" rel="noreferrer" target="_blank">www.carltm.com:443</a> -showcerts | tee allcerts<br>
>> >> >><br>
>> >> >> To view each cert:<br>
>> >> >> (create a file for each cert including the "BEGIN CERTIFICATE" and<br>
>> >> >> "END CERTIFICATE" lines)<br>
>> >> >> openssl x509 -noout -text -purpose -in onecert<br>
>> >> >><br>
>> >> >> I hope this helps with your investigation.<br>
>> >> >><br>
>> >> >> c<br>
>> >> >><br>
>> >> >><br>
>> >> >> Robert Steckroth wrote:<br>
>> >> >> > Hello everyone, I have an interesting question for those of you with https<br>
>> >> >> > experience.<br>
>> >> >> > I have a certificate authority (through namecheap), chained to my ssl<br>
>> >> >> > key/certificate which is distributed by an Ubuntu server. The https content<br>
>> >> >> > server is nodejs and serves the ssl cert to three types of platforms: web<br>
>> >> >> > browsers, git repositories, and a qt desktop application. The https server<br>
>> >> >> > works fine on browsers (with the green https uri text). The problem is, I<br>
>> >> >> > need to know where the CA certificate is kept on my local ubuntu file<br>
>> >> >> > system in order to add it to the qt application and to the git config. I<br>
>> >> >> > think maybe it is a cheap CA since git does not already know about the CA<br>
>> >> >> > on the file system (it works if I add it manually via git config<br>
>> >> >> > http.sslCAInfo). Anyways, I still would like to know if there is a terminal<br>
>> >> >> > command to find which CA my cert belongs to on the file system. It seems<br>
>> >> >> > that they are everywhere on it, jeesh.<br>
>> >> >> > ______________________________________________________<br>
>> >> >> > washlug mailing list washlug web site<br>
>> >> >> > <a href="mailto:washlug@washlug.org">washlug@washlug.org</a> <a href="http://www.washlug.org" rel="noreferrer" target="_blank">www.washlug.org</a><br>
>> >> >> > <a href="http://linux.marcdatabase.com/mailman/listinfo/washlug" rel="noreferrer" target="_blank">http://linux.marcdatabase.com/mailman/listinfo/washlug</a><br>
>> >> >> ><br>
>> >> >><br>
>> >> >><br>
>> >> >><br>
>> >> ><br>
>> >> ><br>
>> >> ><br>
>> >> > --<br>
>> >> > <surgemcgee><br>
>> >> ><br>
>> >><br>
>> >><br>
>> >><br>
>> ><br>
>> ><br>
>> ><br>
>> > --<br>
>> > <surgemcgee><br>
>> ><br>
>><br>
>><br>
>><br>
><br>
><br>
><br>
> --<br>
> <surgemcgee><br>
><br>
<br>
<br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><surgemcgee><br><br><div><br></div><div><br></div></div></div>
</div>
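<div>An added example, not part of the original thread: one way to answer the question asked above (which CA file on the local file system issued a given certificate), using the hashed directory layout of /etc/ssl/certs. The function names find_issuer_ca and make_demo_store are hypothetical, the demo CA and leaf certificate are constructed, and OpenSSL 1.1.0 or later is assumed for -no-CApath.</div>

```shell
#!/bin/sh
# Added example: find which CA file in an OpenSSL hashed directory
# (the layout of /etc/ssl/certs on Ubuntu) issued a given certificate.

# find_issuer_ca CERT [CADIR]  (hypothetical helper name)
# Prints the resolved path of each CA file that verifies CERT; returns 1 if none.
find_issuer_ca() {
    cert=$1
    cadir=${2:-/etc/ssl/certs}
    # CA files are linked as <subject_hash>.<n>, so the issuer hash of the
    # certificate is the file name to look for.
    ihash=$(openssl x509 -noout -issuer_hash -in "$cert") || return 2
    found=1
    for candidate in "$cadir/$ihash".*; do
        [ -e "$candidate" ] || continue
        # A hash match only means the names match; confirm the signature too.
        if openssl verify -no-CApath -partial_chain -CAfile "$candidate" \
                "$cert" >/dev/null 2>&1; then
            readlink -f "$candidate"
            found=0
        fi
    done
    return $found
}

# make_demo_store DIR  (hypothetical): constructed throwaway CA and leaf
# certificate, so the lookup can be tried without touching the system store.
make_demo_store() {
    d=$1
    mkdir -p "$d/ca"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca/demo-root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca/demo-root.pem" \
        -CAkey "$d/ca.key" -set_serial 1 -days 1 -out "$d/leaf.pem" 2>/dev/null
    # Create the hash link by hand, as c_rehash / update-ca-certificates would.
    ln -s demo-root.pem \
        "$d/ca/$(openssl x509 -noout -subject_hash -in "$d/ca/demo-root.pem").0"
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_demo_store "$demo"
find_issuer_ca "$demo/leaf.pem" "$demo/ca"   # path of demo-root.pem
```

<div>Run against a certificate saved from the s_client output with the default directory, the printed path is the file that can be given to git config http.sslCAInfo; no output means the issuing CA is not in that directory.</div>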