List all available ssl ca certificates
That means it can not find the corresponding ssl server key in the global system keyring. I want to check this by looking at the list of all system wide available ssl keys on a gentoo linux system. How can I get this list?
8 Answers 8
It’s not SSL keys you want, it’s certificate authorities, and more precisely their certificates.
awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/;' < /etc/ssl/certs/ca-certificates.crt To get the "subject" of every CA certificate in /etc/ssl/certs/ca-certificates.crt (this works because openssl exits after reading an individual cert block, but awk relaunches openssl on the next print | cmd call).
Beware that sometimes, you get that error when SSL servers forget to provide the intermediate certificates.
Use openssl s_client -showcerts -connect the-git-server:443 to get the list of certificates being sent.
Note that the pathname of the certificates bundle may differ depending on operating system. The directory holding the certs sub-directory is given by the command openssl version -d . The actual certificates file in that directory may additionally have a different name.
// , This does not work on CEntOS 6, but I have added an answer for CEntOS 6 here: unix.stackexchange.com/a/363309/48498
@F.Hauri, The command I gave should work in bash or any shell of the Bourne, rc, or fish families. If put on one line, it would work in any shell that I know, even csh, even the Unix V6 shell.
I agree, your solution is correct and efficient, I've just posted an alternative, using bash's arrays and some pretty output formatting, showing some usefull bash features
Not sure about Gentoo but most distros put their certificates soft-link in system-wide location at /etc/ssl/certs .
- Key files go into /etc/ssl/private
- System-provided actual files are located at /usr/share/ca-certificates
- Custom certificates go into /usr/local/share/ca-certificates
Whenever you put a certificate in one of the above mentioned paths, run update-ca-certificates to update /etc/ssl/certs lists.
It's update-ca-certificates with an additional s (can't edit this myself, as it's just a one-character edit).
I had a requirement to list all the certs on our server and notify if they are due to expire. We came up with this command:
locate .pem | grep "\.pem$" | xargs -I<> openssl x509 -issuer -enddate -noout -in <> Note that openssl x509 format expects only a single cert in a pem file. Multiple certs if present need to follow some parsing given unix.stackexchange.com/questions/17744/…
A quick way to list all currently trusted CA certificates by openssl (with Ubuntu default directories):
find /etc/ssl/certs -type l -iname "*.0" -exec cat "<>" \; | awk -v cmd='openssl x509 -noout -subject -enddate 2>/dev/null | tr "\n" " " ; echo' '/BEGIN/;;/END/' | sed -r 's:^subject=::' | sort -u openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt | openssl pkcs7 -print_certs -noout | grep subject Most of the times, when examining ca certificates, you will want (and should) grep with fingerprint . You can also pass the output to less for searching/matching manually.
In general verifying the certificate fingerprint rather than just its name/issuer name/date e.t.c is very important.
# By piping to less you can manually search by hitting '/' cat /etc/ssl/certs/ca-certificates.crt | keytool -printcert 2>/dev/null | grep "^Certificate\[" -A11 | less Certificate[1]: Owner: C=ES, O=ACCV, OU=PKIACCV, CN=ACCVRAIZ1 Issuer: C=ES, O=ACCV, OU=PKIACCV, CN=ACCVRAIZ1 Serial number: 5ec3b7a6437fa4e0 Valid from: Thu May 05 12:37:37 EEST 2011 until: Tue Dec 31 11:37:37 EET 2030 Certificate fingerprints: SHA1: 93:05:7A:88:15:C6:4F:CE:88:2F:FA:91:16:52:28:78:BC:53:64:17 SHA256: 9A:6E:C0:12:E1:A7:DA:9D:BE:34:19:4D:47:8A:D7:C0:DB:18:22:FB:07:1D:F1:29:81:49:6E:D1:04:38:41:13 Signature algorithm name: SHA1withRSA (weak) Subject Public Key Algorithm: 4096-bit RSA key Version: 3 -- Certificate[2]: Owner: OU=AC RAIZ FNMT-RCM, O=FNMT-RCM, C=ES Issuer: OU=AC RAIZ FNMT-RCM, O=FNMT-RCM, C=ES Serial number: 5d938d306736c8061d1ac754846907 Valid from: Wed Oct 29 17:59:56 EET 2008 until: Tue Jan 01 02:00:00 EET 2030 Certificate fingerprints: SHA1: EC:50:35:07:B2:15:C4:95:62:19:E2:A8:9A:5B:42:99:2C:4C:2C:20 SHA256: EB:C5:57:0C:29:01:8C:4D:67:B1:AA:12:7B:AF:12:F7:03:B4:61:1E:BC:17:B7:DA:B5:57:38:94:17:9B:93:FA Signature algorithm name: SHA256withRSA Subject Public Key Algorithm: 4096-bit RSA key Version: 3 -- . . And since the above command prints also a sequential number for each certificate ( e.g. Certificate[3] ) you can then pick the actual certificate with:
# Let's say you want to pick certificate number 3 awk -v n=3 '/BEGIN CERTIFICATE/ && ++k == n, /END CERTIFICATE/' /etc/ssl/certs/ca-certificates.crt -----BEGIN CERTIFICATE----- MIICbjCCAfOgAwIBAgIQYvYybOXE42hcG2LdnC6dlTAKBggqhkjOPQQDAzB4MQsw CQYDVQQGEwJFUzERMA8GA1UECgwIRk5NVC1SQ00xDjAMBgNVBAsMBUNlcmVzMRgw FgYDVQRhDA9WQVRFUy1RMjgyNjAwNEoxLDAqBgNVBAMMI0FDIFJBSVogRk5NVC1S Q00gU0VSVklET1JFUyBTRUdVUk9TMB4XDTE4MTIyMDA5MzczM1oXDTQzMTIyMDA5 MzczM1oweDELMAkGA1UEBhMCRVMxETAPBgNVBAoMCEZOTVQtUkNNMQ4wDAYDVQQL DAVDZXJlczEYMBYGA1UEYQwPVkFURVMtUTI4MjYwMDRKMSwwKgYDVQQDDCNBQyBS QUlaIEZOTVQtUkNNIFNFUlZJRE9SRVMgU0VHVVJPUzB2MBAGByqGSM49AgEGBSuB BAAiA2IABPa6V1PIyqvfNkpSIeSX0oNnnvBlUdBeh8dHsVnyV0ebAAKTRBdp20LH sbI6GA60XYyzZl2hNPk2LEnb80b8s0RpRBNm/dfF/a82Tc4DTQdxz69qBdKiQ1oK Um8BA06Oi6NCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD VR0OBBYEFAG5L++/EYZg8k/QQW6rcx/n0m5JMAoGCCqGSM49BAMDA2kAMGYCMQCu SuMrQMN0EfKVrRYj3k4MGuZdpSRea0R7/DjiT8ucRRcRTBQnJlU5dUoDzBOQn5IC MQD6SmxgiHPz7riYYqnOK8LZiqZwMR2vsJRM60/G49HzYqc8/5MuB1xJAWdpEgJy v+c= -----END CERTIFICATE----- проверка SSL сертификата на соответствие корневому
Итак, у нас, например, имеется сертификат для установки, выданный кем-то, кто не предоставил корневой сертификат.
Нам нужно, чтоб при использовании этого сертификата не было ошибок. Таких, например, как эта:
error 20 at 0 depth lookup:unable to get local issuer certificate
Нам не хватает правильно сформированной цепочки корневых сертификатов.
Исходный сертификат проверяется по первому сертификату в этой цепочке, а далее тот первый проверяется по второму в цепочке и т.д., пока не упремся в доверенный корневой сертификат, хранящийся в локальном хранилище сертификатов (для Debian это /etc/ssl/certs/).
Для начала, узнаем, кто выдал наш сертификат:
openssl x509 -in -text -noout | grep -i issuer Для примера возьмем групповой серификат *.google.com.
Можно скачать его вот так или же другим путем:
echo -n | openssl s_client -connect google.com:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > wildcard.google.crt openssl x509 -in wildcard.google.com.crt -text -noout | grep -i issuer Issuer: C=US, O=Google Inc, CN=Google Internet Authority CA Issuers - URI:http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crt Проверим только что скачанный сертификат:
openssl verify wildcard.google.com.crt wildcard.google.com.crt: C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.google.com.ph error 20 at 0 depth lookup:unable to get local issuer certificate Пройдем по ссылке эмитента и получим первый сертификат в будущей цепочке:
wget http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crt openssl verify GoogleInternetAuthority.crt GoogleInternetAuthority.crt: OK Значит второго сертификата в цепочке не будет. Кто же выдал сертификат эмитенту?
openssl x509 -in GoogleInternetAuthority.crt -text -noout | grep -i issuer Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority Ага, значит этот корневой сертификат должен лежать в нашем хранилище. Проверим:
ll /etc/ssl/certs/578d5c04.0 lrwxrwxrwx 1 root root 21 Sep 3 06:27 /etc/ssl/certs/578d5c04.0 -> Equifax_Secure_CA.pem ls -la /etc/ssl/certs/Equifax_Secure_CA.pem lrwxrwxrwx 1 root root 56 Sep 3 06:26 /etc/ssl/certs/Equifax_Secure_CA.pem -> /usr/share/ca-certificates/mozilla/Equifax_Secure_CA.crt Попробуем проверить с директивой CApath на текущую директорию, чтобы убедиться, что это именно тот сертификат:
openssl verify -CApath ./ GoogleInternetAuthority.crt GoogleInternetAuthority.crt: C = US, O = Google Inc, CN = Google Internet Authority error 20 at 0 depth lookup:unable to get local issuer certificate Ожидаемая, ошибка. Ну что ж, воссоздадим кусочек хранилища:
cp /usr/share/ca-certificates/mozilla/Equifax_Secure_CA.crt . Посчитаем hash и сделаем символьную ссылку на него:
openssl x509 -noout -hash -in Equifax_Secure_CA.crt 578d5c04 ln -s Equifax_Secure_CA.crt 578d5c04.0 openssl verify -CApath ./ GoogleInternetAuthority.crt GoogleInternetAuthority.crt: OK Теперь мы убедились, что это тот самый самый корневой сертификат.
Теперь проверим наш исходный групповой сертификат на соответствие цепочке.
openssl verify -CAfile GoogleInternetAuthority.crt wildcard.google.com.crt wildcard.google.com.crt: OK Всё отлично, можно устанавливать, если, конечно, ключ имеется 🙂