With OpenSSL you start a server instance:

```
openssl s_server -accept 9000 -cert cert.pem -key cert.key -CAfile ca.pem
Enter pass phrase for cert.key:
```
| Parameter | Explanation |
|---|---|
| s_server | Start an SSL server |
| -accept 9000 | Make the server listen on port 9000 |
| -cert cert.pem | Use the certificate in the file cert.pem |
| -key cert.key | Use the private key in the file cert.key |
| -CAfile ca.pem | Use the CA chain file ca.pem |
This command starts an SSL server instance that sends the certificate (cert.pem) to connecting clients and, so that the certificate can be verified, appends the CA chain (ca.pem) to what it sends.
Connecting to this server shows whether the chain corresponds to the certificate.
To test, run this:

```
openssl s_client -connect localhost:9000
CONNECTED(00000003)
depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=For Test Purposes Only. No assurances./CN=thawte Trial Secure Server Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=DK/ST=Copenhagen/L=Copenhagen/O=Medcom/OU=IT/OU=For Test Purposes Only. No assurances./CN=test.domain.com
   i:/C=US/O=Thawte, Inc./OU=Certification Services Division/OU=For Test Purposes Only. No assurances./CN=Thawte Trial Secure Server CA
 1 s:/C=US/O=Thawte, Inc./OU=Certification Services Division/OU=For Test Purposes Only. No assurances./CN=Thawte Trial Secure Server CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=For Test Purposes Only. No assurances./CN=thawte Trial Secure Server Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=For Test Purposes Only. No assurances./CN=thawte Trial Secure Server Root CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=For Test Purposes Only. No assurances./CN=thawte Trial Secure Server Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDuzCCAqOgAwIBAgIQGpdMvqOpRl0RRpfwudI5jTANBgkqhkiG9w0BAQUFADCB
qDELMAkGA1UEBhMCVVMxFTATBgNVBAoTDFRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEwMC4GA1UECxMnRm9yIFRl
c3QgUHVycG9zZXMgT25seS4gIE5vIGFzc3VyYW5jZXMuMSYwJAYDVQQDEx1UaGF3
dGUgVHJpYWwgU2VjdXJlIFNlcnZlciBDQTAeFw0xMDA5MDIwMDAwMDBaFw0xMDA5
MjMyMzU5NTlaMIGfMQswCQYDVQQGEwJESzETMBEGA1UECBMKQ29wZW5oYWdlbjET
MBEGA1UEBxQKQ29wZW5oYWdlbjEPMA0GA1UEChQGTWVkY29tMQswCQYDVQQLFAJJ
VDEwMC4GA1UECxQnRm9yIFRlc3QgUHVycG9zZXMgT25seS4gIE5vIGFzc3VyYW5j
ZXMuMRYwFAYDVQQDFA1ocy5rbXMubWVkY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDs0GceZbIumDfPLVhW9sDcRk6T5UwHAjor3r9HyTZLIF+Py8aF1Qcq
w/eZY8jaQWzqTqKj4LBS2RSTv+J0JmlUPDl+iOOQreMDl91F9+6nJi+py1RhchfP
13fC57cpeRhn5mBSxiRqbcpTtFgnxFdJzrn1fHc0RZySMAiupkWxQwIDAQABo2ww
ajAMBgNVHRMBAf8EAjAAMDsGA1UdHwQ0MDIwMKAuoCyGKmh0dHA6Ly9jcmwudGhh
d3RlLmNvbS9UaGF3dGVUcmlhbFNTTENBLmNybDAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADggEBADHBJLNwiS5kPY6RA/Fsz82v
Tho5QH/TXlUhmcSxcfFMo4oD0kx3EPzv0cfIrm9aUtHsd9uehcbTEnhFZzM3VZdN
6xawfuS8oMVEjH4MS/GRyQHEQ/kAx4EZLXAAsbKzzHd+uOgZSOa595biGxVxiP8P
7TLXDKrV4/f7Y4h6VbkJH8k9p/qvDWZMqwA8K8Av348mR0Y3R5BphRtc9Rnq8tKF
JjNAks6UD0E9rGY/3ouslNKP++yHess8JHtM8BmeVPAev6GyXHz5EsaQmKnubo61
jlYa5t0ep8/9iyP00KPcdHwWwa6i9BGVp7s96vUD0nxhXvmYENeNT4/lYsKWzb8=
-----END CERTIFICATE-----
subject=/C=DK/ST=Copenhagen/L=Copenhagen/O=Medcom/OU=IT/OU=For Test Purposes Only. No assurances./CN=test.domain.com
issuer=/C=US/O=Thawte, Inc./OU=Certification Services Division/OU=For Test Purposes Only. No assurances./CN=Thawte Trial Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3642 bytes and written 255 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 0A2080D06C5FDCE6FDC51A25A6943D5EFC547F670350A6FE4AE9664CF0535EF7
    Session-ID-ctx:
    Master-Key: 936154921AA8759400E1BE3B63B702B68954F13C4875777EAEF402C513AEAC932243B8B6138850F3AC10F342D95F998C
    Key-Arg   : None
    Start Time: 1283518640
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
```
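As an added example (not the page's own code), the script below builds a throwaway test PKI, starts s_server as in the text and reads the code that s_client reports, first with no trust anchor (19: the self-signed root was sent but is not trusted) and then with -CAfile ca.pem on the client side (0). It assumes OpenSSL 1.1.1 or newer on PATH and a free TCP port 9443; the -www and -4 flags are additions so the backgrounded server needs no terminal and both sides use IPv4.

```shell
#!/bin/sh
# Added example, not code from the original page: build a throwaway test PKI,
# start s_server as in the text and read the verify return code that s_client
# reports, first with no trust anchor (expect 19), then trusting ca.pem (expect 0).
# Assumptions: openssl 1.1.1 or newer on PATH, TCP port 9443 free on 127.0.0.1.
set -e

WORK=$(mktemp -d)          # holds the constructed ca.pem, cert.pem and cert.key
PORT=9443
SERVER_PID=""
trap 'kill "$SERVER_PID" 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Constructed test PKI: a self-signed CA (ca.pem) and a leaf it signs (cert.pem, cert.key).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=test.domain.com" \
        -keyout "$WORK/cert.key" -out "$WORK/cert.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/cert.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/cert.pem" 2>/dev/null
}

# The server command from the page. -www is added so the backgrounded server
# answers like a tiny HTTPS server instead of reading a terminal; -4 pins IPv4.
start_server() {
    openssl s_server -4 -accept "$PORT" -cert "$WORK/cert.pem" -key "$WORK/cert.key" \
        -CAfile "$WORK/ca.pem" -www >/dev/null 2>&1 &
    SERVER_PID=$!
}

# One s_client handshake; print only the number from the "Verify return code" line.
# Any extra arguments (for example -CAfile) are passed through to s_client.
verify_code() {
    openssl s_client -4 -connect "127.0.0.1:$PORT" "$@" </dev/null 2>/dev/null \
        | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p'
}

make_test_pki
start_server
for _ in 1 2 3 4 5 6 7 8 9 10; do     # wait until the server accepts connections
    [ -n "$(verify_code)" ] && break
    sleep 1
done
CODE_UNTRUSTED=$(verify_code)                       # root was sent but is not trusted: 19
CODE_TRUSTED=$(verify_code -CAfile "$WORK/ca.pem")  # same chain, root trusted: 0
echo "without -CAfile: $CODE_UNTRUSTED, with -CAfile ca.pem: $CODE_TRUSTED"
```

A code of 20 (unable to get local issuer certificate) or 21 (unable to verify the first certificate) instead of 19 would mean the server sent the certificate without its issuing chain, which is exactly the misconfiguration this test is meant to catch.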