This article describes how to check whether the correct root certificate is installed, how to verify a certificate's serial number and fingerprint, and how to import missing certificates.

Depending on the age of the distribution, the correct root certificate may already be installed through regular updates; however, you can manually check that the correct certificates are installed using OpenSSL and cURL.

Please note that the certificate installation shown below is only an example. Please review this article for information on our current live root certificate.

You can check whether the correct root certificate is installed by querying our platform with the following cURL command (the hostname was redacted on the original page, so <platform-hostname> is a placeholder for our platform's address):

curl --verbose https://<platform-hostname>/

If the connection succeeds and the server certificate is verified by the installed root certificate, you will see output like the following. Please note the line "* SSL certificate verify ok." in the output.

* Connected to (xx.xx.xx.xx) port 443 (#0)
* successfully set certificate verify locations:
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* subject: C=GB L=Bristol O=Creditcall Ltd OU=Infrastructure CN=
* subjectAltName: host "" matched cert's ""
* issuer: C=US O=DigiCert Inc OU=CN=Thawte TLS RSA CA G1
< Cache-Control: no-cache, no-store, must-revalidate

Certificate Serial Number & Fingerprint

It is important to check the serial number and fingerprint of each certificate against the values published by the CA before installing it. You can read both from a certificate with OpenSSL; the following command returns the serial number and the SHA1 fingerprint of a DER-encoded certificate file:

openssl x509 -noout -serial -fingerprint -sha1 -inform der -in RootCertificateHere.crt

Below is an example run against the DigiCertGlobalRootG2 certificate file:

$ openssl x509 -noout -serial -fingerprint -sha1 -inform der -in DigiCertGlobalRootG2.crt

Importing certificates varies per Linux distribution; we have included instructions below on how to install a certificate on the distributions commonly used by our partners.

To install your own root certificate in Debian, copy or move the relevant root certificate into the following directory: /usr/local/share/ca-certificates. The file must be PEM-encoded and have a .crt extension, otherwise update-ca-certificates will not pick it up. After you have copied the certificate to the correct directory, you need to refresh the installed certificates and their hashes. You can do this with the following command:

sudo update-ca-certificates

Manually verifying a certificate's signature against the root CA with OpenSSL

The script below extracts the signature and the TBSCertificate from a certificate and checks the signature with the root CA's public key. Only the root_pub_key_path assignment survived on the original page; the other variable assignments are placeholders that you must point at your own files.

#!/bin/bash
cer=certificate.pem              # the certificate to verify (placeholder)
root_ca=root_ca.pem              # the CA certificate expected to have signed it (placeholder)
root_pub_key_path=intermediate_ca.key.pem
sig_path=signature.bin           # placeholder output file for the raw signature
tbs_path=tbs_certificate.der     # placeholder output file for the TBSCertificate

# Extract the public key of the root CA
openssl x509 -in $root_ca -pubkey -noout > $root_pub_key_path

# Extract the signature from the certificate:
# run the following and note the offset of the last BIT STRING it prints
openssl asn1parse -in $cer
last_bit_pos=REPLACE_WITH_OFFSET  # the offset from the asn1parse output above
openssl asn1parse -in $cer -out $sig_path -noout -strparse $last_bit_pos

# Extract the TBSCertificate
# The -strparse param is almost always 4 (the outer SEQUENCE header is 4 bytes)
openssl asn1parse -in $cer -out $tbs_path -noout -strparse 4

# 1. Get the fingerprint held in the signature and the fingerprint of the TBS Cert, and compare them
# Recover the digest from the signature with the root key
# (openssl rsautl is deprecated in OpenSSL 3.0 in favour of pkeyutl; it still works but prints a warning)
openssl rsautl -in $sig_path -verify -asn1parse -inkey $root_pub_key_path -pubin
# Get the sha1 (or whatever algorithm was used) of the TBS Certificate
openssl sha1 -c $tbs_path
# Compare the digest recovered from the signature in step 1 with the sha1 of the TBS certificate.
# If they match, the certificate was signed with the provided root CA.

# 2. Another way to validate the certificate:
# Since the CA signed the DER form of the TBSCertificate, you can simply
# verify the certificate's signature with the public key of the root,
# passing the TBSCertificate as the data.
# If everything is fine you'll get a 'Verified OK' message, or 'Verification Failure' otherwise.
openssl dgst -sha1 -verify $root_pub_key_path -signature $sig_path $tbs_path

Notes

The TBS certificate is the body of the actual certificate; it contains all the naming and key information held in the certificate. The only information in the actual certificate that is not held in the TBS certificate is the name of the algorithm used to sign the certificate and the signature itself. The TBS certificate is used as the input data to the signature algorithm when the certificate is signed or verified.
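As an added example that is not part of the original article or the script above: a pure-Python walk over a DER certificate that locates the same three top-level elements the asn1parse commands use, reports the -strparse offsets for the TBSCertificate and the signature, strips the BIT STRING's unused-bits byte the way -strparse does, and reads the serial number and SHA1 fingerprint that the openssl x509 check prints. The input is a constructed, certificate-shaped byte string (not a real or signed certificate), and all function and variable names are my own.

```python
import hashlib

def tlv(tag, value):  # DER-encode one tag/length/value triple in definite-length form
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def read_tlv(buf, pos):
    """Decode the TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                  # long form: low 7 bits give the number of length bytes
        hdr = 2 + (length & 0x7F)
        length = int.from_bytes(buf[pos + 2:pos + hdr], "big")
    return tag, pos + hdr, pos + hdr + length

def split_certificate(der):
    """Locate TBSCertificate, signatureAlgorithm and signatureValue in a DER certificate."""
    tag, start, end = read_tlv(der, 0)
    assert tag == 0x30 and end == len(der), "not a single DER SEQUENCE"
    tbs_offset = start                 # the -strparse value for the TBS: 4 when the outer length takes two bytes
    tag, _, tbs_end = read_tlv(der, tbs_offset)
    assert tag == 0x30, "TBSCertificate must be a SEQUENCE"
    tag, _, alg_end = read_tlv(der, tbs_end)
    assert tag == 0x30, "signatureAlgorithm must be a SEQUENCE"
    sig_offset = alg_end               # the "last bit position" that openssl asn1parse prints
    tag, sig_start, sig_end = read_tlv(der, sig_offset)
    assert tag == 0x03 and der[sig_start] == 0 and sig_end == end, "bad signature BIT STRING"
    tbs = der[tbs_offset:tbs_end]      # whole TLV, exactly what -strparse 4 -out writes to disk
    return {
        "tbs_offset": tbs_offset, "sig_offset": sig_offset, "tbs": tbs,
        "signature": der[sig_start + 1:sig_end],    # drop the unused-bits byte, as -strparse does
        "tbs_sha1": hashlib.sha1(tbs).hexdigest(),  # the digest 'openssl sha1 $tbs_path' reports
        "fingerprint_sha1": ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest()),
    }

def serial_number(tbs):
    """Return the serialNumber INTEGER of a TBSCertificate TLV as upper-case hex."""
    _, pos, _ = read_tlv(tbs, 0)
    tag, vs, ve = read_tlv(tbs, pos)
    if tag == 0xA0:                    # optional [0] EXPLICIT version comes before the serial
        tag, vs, ve = read_tlv(tbs, ve)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    return tbs[vs:ve].hex().upper()

# Constructed sample (not a real or signed certificate): v3 TBS with serial 0A1B2C3D plus filler, sha256WithRSA OID, 256-byte signature
SAMPLE_TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes.fromhex("0A1B2C3D")) + tlv(0x04, bytes(300)))
SAMPLE_DER = tlv(0x30, SAMPLE_TBS + tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + b"\x5A" * 256))
CERT_INFO = split_certificate(SAMPLE_DER)   # tbs_offset 4 and sig_offset 338 for this sample
```

Running split_certificate on a real DER certificate file gives the two offsets to pass to -strparse, and the serial and fingerprint to compare against the CA's published values.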