howtos:test_a_certificate_chain

With OpenSSL you start a server instance:

openssl s_server -accept 9000 -cert cert.pem -key cert.key -CAfile ca.pem
Enter pass phrase for cert.key:
Parameter        Explanation
s_server         Start an SSL server
-accept 9000     Make the server listen on port 9000
-cert cert.pem   Use the certificate in the file cert.pem
-key cert.key    Use the private key in the file cert.key
-CAfile ca.pem   Use the CA chain file ca.pem

This starts an SSL server that sends the certificate (cert.pem) to the client and appends the CA chain (ca.pem) to it, so that the client can verify the certificate.

This shows whether the chain file actually matches the certificate.

To test it, run this:

openssl s_client -connect localhost:9000
CONNECTED(00000003)
depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=For Test Purposes Only.  No assurances./CN=thawte Trial Secure Server Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=DK/ST=Copenhagen/L=Copenhagen/O=Medcom/OU=IT/OU=For Test Purposes Only.  No assurances./CN=test.domain.com
   i:/C=US/O=Thawte, Inc./OU=Certification Services Division/OU=For Test Purposes Only.  No assurances./CN=Thawte Trial Secure Server CA
 1 s:/C=US/O=Thawte, Inc./OU=Certification Services Division/OU=For Test Purposes Only.  No assurances./CN=Thawte Trial Secure Server CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=For Test Purposes Only.  No assurances./CN=thawte Trial Secure Server Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=For Test Purposes Only.  No assurances./CN=thawte Trial Secure Server Root CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=For Test Purposes Only.  No assurances./CN=thawte Trial Secure Server Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=/C=DK/ST=Copenhagen/L=Copenhagen/O=Medcom/OU=IT/OU=For Test Purposes Only.  No assurances./CN=test.domain.com
issuer=/C=US/O=Thawte, Inc./OU=Certification Services Division/OU=For Test Purposes Only.  No assurances./CN=Thawte Trial Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3642 bytes and written 255 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 0A2080D06C5FDCE6FDC51A25A6943D5EFC547F670350A6FE4AE9664CF0535EF7
    Session-ID-ctx: 
    Master-Key: 936154921AA8759400E1BE3B63B702B68954F13C4875777EAEF402C513AEAC932243B8B6138850F3AC10F342D95F998C
    Key-Arg   : None
    Start Time: 1283518640
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
