I'm looking at the example on this page:

```
$ openssl verify -verbose -CAfile cacert.pem  server.crt
server.crt: OK
```

What I'm using as my cacert.pem is my (professionally signed) root certificate concatenated with my intermediate certificate.

What's not clear to me is what server.crt is or where I'm supposed to get it.

Jason Swett
  • When you get a certificate signed, you give the CA a certificate signing request file (usually with a `.csr` extension) and they give you back a certificate file and optionally an intermediate certificate. They often both have `.crt` extensions. Does this describe your experience? It would be very unusual for a CA to send you their root certificate as these are distributed with operating systems and browsers and are not needed when configuring a web server. – Ladadadada Mar 16 '14 at 15:23
  • What do you mean "my (professionally signed) root certificate"? You need the Certificate Authority's (Verisign, etc.) root certificate, as cacert.pem, and your SSL certificate as server.crt. The command verifies that server.crt was correctly signed by the certificate authority. – TessellatingHeckler Mar 16 '14 at 15:25
  • @Ladadadada Yes, that describes my experience. I think my "root" label is probably wrong. In the DreamHost UI the thing I was referring to as the root certificate is simply labeled "Certificate." – Jason Swett Mar 16 '14 at 15:26
  • @TessellatingHeckler Okay, I think we've revealed a hole in my understanding. My certificate vendor is DreamHost, and they provide in my "panel" area three things: Certificate, Private Key and Intermediate Certificate. Would any of these things be the "root certificate"? Would any of them be "my" certificate? – Jason Swett Mar 16 '14 at 15:29
  • Certificate is probably _your_ SSL certificate, specific to your server, e.g. `server.example.org`, and keeps encryption to your server unique. DreamHost will have a root certificate which is shared with everyone which is used for digital signing authenticity to verify your unique certificate came from a 'trusted' big company. I can't quickly find out what name that would have. That root combined with the Intermediate Certificate would be cacert.pem. Private Key is the password that keeps your certificate secret, and is outside the SSL chain. – TessellatingHeckler Mar 16 '14 at 15:35
  • Okay, thanks. DreamHost resells Comodo certificates. So I need to somehow get my hands on the root certificate? – Jason Swett Mar 16 '14 at 15:37
  • Yes. Probably one of these: https://support.comodo.com/index.php?_m=downloads&_a=view&parentcategoryid=1&pcid=0&nav=0 one that matches the product name you bought. – TessellatingHeckler Mar 16 '14 at 15:38

1 Answer

server.crt is your trusted server certificate, delivered once the request has been signed by a Certification Authority.

So, you are supposed to get this file when you have sent a signing request (CSR) to your CA. Then, once signed, they will send you back a trusted crt certificate.

krisFR
  • Okay, I think I understand. In my DreamHost panel they show me three values: Certificate, Private Key and Intermediate Certificate. DreamHost also emailed me my certificate with a value that exactly matches the value under Certificate in the panel UI. So this value would be the trusted server certificate, the `server.crt`? – Jason Swett Mar 16 '14 at 15:34
  • And if so, what does that make `cacert.pem`? – Jason Swett Mar 16 '14 at 15:34
  • You are right. So `cacert.pem` is the bundle of trusted root CA used to verify the authenticity of your signed certificate (including intermediate certificates). Have a look in here http://serverfault.com/questions/241046/what-is-the-cacert-pem-and-for-what-to-use-that or here http://stackoverflow.com/questions/14987857/what-exactly-is-cacert-pem-for – krisFR Mar 16 '14 at 15:45
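
The files discussed in this thread, as an added example that is not part of the original question or answers: the script builds a constructed root CA, intermediate CA and `server.crt`, then runs the page's `openssl verify -CAfile` check against the root-plus-intermediate bundle and against the root alone. The CA names, subjects and the helper file names (`ca.cnf`, `root.crt`, `intermediate.crt`) are made up for illustration, and the keys are throwaway.

```shell
#!/bin/sh
# Added example: constructed CA names and file names, throwaway keys.

# issue NAME SUBJECT SIGNER [extension args]: make a key and CSR, have SIGNER sign it.
issue() {
  name=$1 subj=$2 signer=$3; shift 3
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout "$name.key" \
    -out "$name.csr" -subj "$subj" 2>/dev/null &&
  openssl x509 -req -in "$name.csr" -CA "$signer.crt" -CAkey "$signer.key" \
    -CAcreateserial -days 2 -out "$name.crt" "$@" 2>/dev/null
}

# build_chain DIR: root CA -> intermediate CA -> server.crt, all written into DIR.
build_chain() (
  cd "$1" || exit 1
  printf '%s\n' '[req]' 'distinguished_name = req' '[ca]' \
    'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign' > ca.cnf
  # Root: self-signed; for a public CA this is what ships in OS/browser trust stores.
  openssl req -x509 -config ca.cnf -extensions ca -newkey rsa:2048 -nodes -days 2 \
    -keyout root.key -out root.crt -subj '/CN=Constructed Root CA' 2>/dev/null &&
  # Intermediate: the "Intermediate Certificate" a CA or reseller hands out.
  issue intermediate '/CN=Constructed Intermediate CA' root -extfile ca.cnf -extensions ca &&
  # Leaf: the "Certificate" returned for your CSR, i.e. server.crt.
  issue server '/CN=server.example.org' intermediate
)

# verify_ok CAFILE CERT: true only when openssl prints "<cert>: OK", as on the page.
verify_ok() { openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; }

demo() {
  d=$(mktemp -d) && build_chain "$d" || return 1
  cat "$d/root.crt" "$d/intermediate.crt" > "$d/cacert.pem"  # bundle used on the page
  verify_ok "$d/cacert.pem" "$d/server.crt" && echo 'root + intermediate bundle: OK'
  verify_ok "$d/root.crt" "$d/server.crt" || echo 'root alone: fails, intermediate missing'
  rm -rf "$d"
}
demo
```

The private key never appears in the `verify` command: only certificates are checked, so the key file stays on the server and out of any bundle.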