Saturday, January 2, 2016

How to validate a user certificate that's signed by a CA root or intermediate in a chain

Have you ever had a user certificate for a VPN (SSL/IPsec/OpenVPN) and wondered if the user certificate is chained to the corresponding signing cert?

Here's a quick and dirty method for verifying certificate chaining by using openssl against self-signed user certificates.

Take these certificates:



As you can see, they verify OK against the CA certificate myopenvpn.crt, but all have expired.


Now here are 3 user certificates named user1, 2 and 3:




btw: all 3 of these users have a different key size, as indicated here. The key size has no bearing on verification.

(see below)




Here are a few certificates that are not in the trust chain and that fail (certificates myuser1 and 2):




So in my private CAinternal these keys checked out against the CAroot certificate named "MYCAPFSENSE.crt". This is a good way to validate a certificate in a trust chain.
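The same check as a self-contained script, added here as an example and not taken from the original post's commands or output: it builds two throwaway CAs and runs `openssl verify -CAfile` to show certificates from the trusted CA passing regardless of key size, one from the other CA failing, and an expired one being rejected. The names demo-ca-a, demo-ca-b, user1, user2 and outsider are constructed, and the script assumes OpenSSL 1.1.0 or later (non-zero exit on failure, `-attime` support).

```shell
#!/bin/sh
# Added example: throwaway CAs and user certificates, every name is constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT   # the generated private keys are disposable

# make_ca NAME: self-signed CA key and certificate, valid 10 years.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert CA NAME BITS: user certificate NAME signed by CA, valid 30 days.
issue_cert() {
  openssl req -newkey "rsa:$3" -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -out "$WORK/$2.crt" 2>/dev/null
}

# chain_status CA NAME [EPOCH]: print OK, or openssl's reason for rejecting
# NAME.crt when only CA.crt is trusted. EPOCH overrides the validation time.
chain_status() {
  if out=$(openssl verify -CAfile "$WORK/$1.crt" ${3:+-attime "$3"} \
      "$WORK/$2.crt" 2>&1); then
    echo OK
  else
    echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
    return 1
  fi
}

make_ca demo-ca-a
make_ca demo-ca-b
issue_cert demo-ca-a user1 2048      # different key sizes, same CA
issue_cert demo-ca-a user2 3072
issue_cert demo-ca-b outsider 2048   # signed by a CA that is not trusted here
LATER=$(( $(date +%s) + 90 * 86400 ))  # 90 days ahead: user certs have expired

for u in user1 user2 outsider; do
  echo "$u: $(chain_status demo-ca-a "$u")"
done
echo "user1 in 90 days: $(chain_status demo-ca-a user1 "$LATER")"
```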

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \
