Verify a SSL certificate
- By SSL verification web site: https://www.ssllabs.com/ssltest/index.html
- By openssl:
$ openssl s_client -showcerts -connect test.domain.net:443
How to create pfx file that includes private key, certificate and certification chain?
$openssl pkcs12 -export -out test.domain.net_2012.pfx -inkey test.domain.net_2012.key -in test.domain.net_2012.crt -certfile thawtesecca.crt -certfile thawteprimca.crt
]How to see information inside CSR?
Normaly CSR looks like:
$cat test.domain.net_2012.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC6TCCAdECAQAwgaMxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIEwZRdWViZWMxETAP
BgNVBAcTCE1vbnRyZWFsMSIwIAYDVQQKExlSYWRpYWxwb2ludCBTYWZlQ2FyZSBJ
bmMuMQwwCgYDVQQLEwNOT0MxGjAYBgNVBAMUESoucmFkaWFscG9pbnQubmV0MSIw
IAYJKoZIhvcNAQkBFhNub2NAcmFkaWFscG9pbnQuY29tMIIBIjANBgkqhkiG9w0B
OZrroiuiouorpro[pooooo[orrjjjggoipoioZY2toSHheDDEtHga35cPDJUfl1W
ITBFs9G+fji+i0GrS1WmRYUGCeI1+5+48k6rIGim2WwcxYfBofVgZUSaFTydf1nH icCM8aMi39jWtNCLxlWfBKNNLkNj0zPEPgXmYJIQRE0dUXfCBi68o+7s2pRyCJ7V H9D8wV9OaBugaOMuPGM8vFtVTGRuC/waFuH/0Avr8SKs4U3Io6ZiViikopgfipii dCeW6KZzJnAlBmrEuzv0POty5NDvnr2iZYUct15dNN8CheG36pXXrjFgqF6siBXs lVBU023hBFsCu6foF3pflEmq9zVoVdUBruoepVbaIGziYyXes85C4Iokha9Ym8hE YG0C/Nd4vp1ICB1gXBf88JoT7c2bgJWFSWpLVHU= -----END NEW CERTIFICATE REQUEST-----
But if you do the trick:
$ openssl req -in test.domain.net_2012.csr -noout -text Certificate Request: Data: Version: 0 (0x0) Subject: C=CA, ST=Quebec, L=Montreal, O=USer Inc., OU=SOC, CN=test.domain.net/emailAddress=soc@test.domain.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a5:83:4e:65:96:36:b6:84:87:85:e0:c3:12:d1: 47:21:30:45:b3:d1:be:7e:38:be:8b:41:ab:4b:55: a6:45:85:06:09:e2:35:fb:9f:b8:f2:4e:ab:20:68: a6:d9:6c:1c:c5:87:c1:a1:f5:60:65:44:9a:15:3c: 8b:53:3f:6b:64:7e:2e:50:ec:35:1c:71:0f:42:4e: bd:dd Exponent: 65537 (0x10001) Attributes: a0:00 Signature Algorithm: sha1WithRSAEncryption 7a:90:48:34:cb:70:47:af:54:a2:c2:f4:5e:5a:4c:57:a3:44: 9b:6d:04:ec:b8:11:59:fb:32:c9:86:f4:a4:2f:5c:ad:df:cb: 9d:48:08:1d:60:5c:17:fc:f0:9a:13:ed:cd:9b:80:95:85:49: 6a:4b:54:75
You can get whole information about CSR you going to send for signature
Check CSR if certificate corresponds to private key
$ diff <(openssl rsa -in test.domain.net_2012.key -modulus -noout) <(openssl req -in test.domain.net_2012.csr -noout -modulus)
if you get nothing, everything is OK.
Check what inside certificate you got from CA (certificate authority)
$ openssl x509 -in test.domain.net_2012.crt -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 73:68:b7:62:11:51 Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=Thawte, Inc., CN=Thawte SSL CA Validity Not Before: Aug 20 00:00:00 2012 GMT Not After : Oct 19 23:59:59 2014 GMT Subject: C=CA, ST=Quebec, L=Montreal, O=User Inc., CN=test.domain.net Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a5:83:4e:65:96:36:b6:84:87:85:e0:c3:12:d1: 47:21:30:45:b3:d1:be:7e:38:be:8b:41:ab:4b:55: a6:45:85:06:09:e2:35:fb:9f:b8:f2:4e:ab:20:68: a6:d9:6c:1c:c5:87:c1:a1:f5:60:65:44:9a:15:3c: 8b:53:3f:6b:64:7e:2e:50:ec:35:1c:71:0f:42:4e: bd:dd Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Alternative Name: DNS test.domain.net X509v3 Basic Constraints: CA:FALSE X509v3 Certificate Policies: Policy: 2.16.840.1.113733.1.7.54 CPS: https://www.thawte.com/cps/
X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Authority Key Identifier: keyid:A7:A2:83:BB:34:45:40:3D:A1:01:9F:F6:DB
X509v3 CRL Distribution Points:
Full Name: URI:http://svr-ov-crl.thawte.com/ThawteOV.crl
X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication Authority Information Access: OCSP - URI:http://ocsp.thawte.com CA Issuers - URI:http://svr-ov-aia.thawte.com/ThawteOV.cer
Signature Algorithm: sha1WithRSAEncryption 34:3f:66:4f:7b:3e:44:f6:88:d8:de:62:3f:93:34:55:fd:7e: 20:94:60:f8:6e:99:88:73:8f:86:6b:55:38:31:a1:0a:e2:c0: f9:22:0f:e7
Verify if certificate you got corresponds to correct private key
diff <(openssl rsa -in test.domain.net_2012.key -modulus -noout) <(openssl x509 -in test.domain.net_2012.crt -noout -modulus)
if you get nothing, everything is OK.