
I've created a CA, server and client certificates:

```bash
# set up CA
openssl req -x509 -config openssl-ca.cnf -newkey rsa:4096 -sha256 -out cacert.pem -outform PEM
touch index.txt
echo '01' > serial.txt

# create server CSR, cert
openssl req -config openssl-server.cnf -newkey rsa:2048 -sha256 -out servercert.csr -outform PEM
openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out servercert.pem -infiles servercert.csr

# create client CSR, cert
CLIENT_ID="01-test"
CLIENT_SERIAL=01

openssl genrsa -aes256 -passout pass:PasswordHere -out ${CLIENT_ID}.pass.key 4096
openssl rsa -passin pass:PasswordHere -in ${CLIENT_ID}.pass.key -out ${CLIENT_ID}.key
rm ${CLIENT_ID}.pass.key
openssl req -new -key ${CLIENT_ID}.key -out ${CLIENT_ID}.csr
openssl x509 -req -days 1000 -in ${CLIENT_ID}.csr -CA cacert.pem -CAkey cakey.pem -set_serial ${CLIENT_SERIAL} -out ${CLIENT_ID}.pem

# combine into p12 files
openssl pkcs12 -export -out servercert.p12 -in servercert.pem -inkey serverkey.pem
openssl pkcs12 -export -out 01-test.p12 -in 01-test.pem -inkey 01-test.key
```

Basically, I've been following https://stackoverflow.com/questions/21297139/how-do-you-sign-a-certificate-signing-request-with-your-certification-authority/21340898#21340898 for the CA side. I'm looking to set up client and server certs, both signed by the same authority, for testing purposes.

I'm looking to understand how I can verify, from both a client and server perspective, that the remote certificate came from the same CA as the local one. The Issuers match, but I'm sure anyone could issue a cert with any Issuer.

I understand that there's a certificate chain involved - but (in .NET land at least) in the generated .pem files I don't see any reference to the root CA cert's public key, for instance.

What is it that I need to do, from a logical perspective, to validate the issuer of the cert? I could install the root CA cert in the local machine's cert store - but in lieu of that, what exactly does an SSL library do to check that the CA issued a particular certificate, if it's not just looking at the Issuer?

Edit: specifically, how can I validate the issuer, or that one cert has another higher in the chain?

  • @SteffenUllrich thanks, I think I'm looking for instructions about how I can validate the issuer with my specific setup. It's useful info in the others, but it doesn't quite wrap up my question. Should I post a separate question? – Kieren Johnstone Dec 03 '19 at 17:57
  • *"how can I validate the issuer, or that one cert has another higher in the chain?"* - You are not clear where you want to do such a verification. Do you want to implement it yourself in some application (why not use builtin libraries) or do you want to know the openssl command (see `openssl verify`) or what exactly do you want to know? – Steffen Ullrich Dec 03 '19 at 21:04
  • Any/all of those options. How can I as a human verify this, with OpenSSL, or some library, without installing the CA cert into a store? I.e. from first principles with the files? – Kieren Johnstone Dec 04 '19 at 08:11
  • See [Certicate verification with OpenSSL commandline](https://security.stackexchange.com/questions/138380/certicate-verification-with-openssl-commandline) – Steffen Ullrich Dec 04 '19 at 09:18
  • Thanks. For ref, in my case: `openssl verify -CAfile cacert.pem servercert.pem` validates the server cert – Kieren Johnstone Dec 04 '19 at 15:21
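The chain check the comments point to (`openssl verify -CAfile`) shown next to the underlying step it performs, as an added shell example that is not part of the question or its comments. It assumes only the `openssl` CLI is installed and constructs its own throwaway CA, leaf cert and a look-alike CA with the same subject name in a temp directory; every name and file here is a placeholder.

```bash
#!/bin/sh
# Added example (not from the question): build a throwaway CA plus a leaf
# cert, and a second "rogue" CA with the SAME subject name, then show that a
# matching Issuer proves nothing; only the CA key's signature over the leaf's
# TBSCertificate does. All names and files here are constructed placeholders.
set -e
WORK=$(mktemp -d)
cd "$WORK"

make_ca() {   # $1 = key file, $2 = cert file; both CAs share one subject name
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Test CA" -keyout "$1" -out "$2" 2>/dev/null
}
make_leaf() { # $1 = CA key, $2 = CA cert, $3 = leaf cert to write
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=server.test" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -days 1 -sha256 -in leaf.csr -CA "$2" -CAkey "$1" \
    -set_serial 1 -out "$3" 2>/dev/null
}
# The check the question already distrusts: does Issuer equal the CA's Subject?
issuer_matches() {      # $1 = CA cert, $2 = leaf cert
  [ "$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer=//')" = \
    "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')" ]
}
# What a library does: build the chain and verify each signature, using only
# the given CA file, no system trust store involved.
verify_with_openssl() { # $1 = CA cert, $2 = leaf cert
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
# The same check from first principles: the CA public key must verify the
# signature over the leaf's TBSCertificate. The Issuer name plays no part.
verify_raw_signature() { # $1 = CA cert, $2 = leaf cert
  openssl x509 -in "$1" -pubkey -noout > ca.pub
  openssl x509 -in "$2" -outform DER -out leaf.der
  # tbsCertificate is the first element after the outer SEQUENCE's 4-byte header
  openssl asn1parse -in leaf.der -inform DER -strparse 4 -out tbs.der -noout
  # signatureValue is the last element; for RSA-2048 it is the final 256 bytes
  tail -c 256 leaf.der > sig.bin
  openssl dgst -sha256 -verify ca.pub -signature sig.bin tbs.der >/dev/null 2>&1
}

make_ca ca.key ca.pem
make_leaf ca.key ca.pem leaf.pem
make_ca rogue.key rogue.pem   # same Subject, different key: never signed leaf.pem
for ca in ca.pem rogue.pem; do
  issuer_matches "$ca" leaf.pem && echo "$ca: Issuer matches (meaningless on its own)"
  verify_with_openssl "$ca" leaf.pem && echo "$ca: openssl verify OK" || echo "$ca: openssl verify FAILED"
  verify_raw_signature "$ca" leaf.pem && echo "$ca: raw signature OK" || echo "$ca: raw signature FAILED"
done
```

Both CAs pass the Issuer comparison, but only the CA whose key actually signed the leaf passes `openssl verify` and the raw signature check, which is why the Issuer field alone is not evidence of anything.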
