Cryptography Tutorials - Herong's Tutorial Examples - v5.42, by Herong Yang
Validating a Certificate Path with OpenSSL
This section provides a tutorial example on how to perform validation of a certificate path with the 'openssl verify' command.
With 4 certificates created in the previous section, we are ready to test the "openssl verify" command:
1. Verify the shortest certification path, one certificate only:
herong> openssl verify herong.crt
herong.crt: /C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=Herong Yang
error 18 at 0 depth lookup:self signed certificate
OK
herong> openssl verify -CAfile herong.crt herong.crt
herong.crt: OK
OK
herong> openssl verify john.crt
john.crt: /C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=John Smith
error 20 at 0 depth lookup:unable to get local issuer certificate
herong> openssl verify -CAfile john.crt john.crt
john.crt: /C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=John Smith
error 20 at 0 depth lookup:unable to get local issuer certificate
Note that:
2. Verify certification paths of two certificates:
herong> openssl verify -CAfile herong.crt john.crt
john.crt: OK
herong> openssl verify -CAfile herong.crt bill.crt
bill.crt: /C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=Bill White
error 20 at 0 depth lookup:unable to get local issuer certificate
herong> openssl verify -CAfile john.crt bill.crt
bill.crt: /C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=John Smith
error 2 at 1 depth lookup:unable to get issuer certificate
Note that:
3. Verify certification paths of many certificates:
herong> openssl verify -CAfile herong.crt -untrusted john.crt bill.crt
bill.crt: OK
herong> openssl verify -CAfile herong.crt -untrusted bill.crt tom.crt
tom.crt: /C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=Bill Gate
error 20 at 1 depth lookup:unable to get local issuer certificate
herong> copy john.crt+bill.crt all.crt
herong> openssl verify -CAfile herong.crt -untrusted all.crt tom.crt
tom.crt: OK
Note that:
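Added example, not part of the original tutorial: the script below rebuilds a constructed herong -> john -> bill -> tom chain with throwaway keys and replays the two-certificate and multi-certificate checks from steps 2 and 3, using the exit status of "openssl verify" as the result. The ext.cnf file, the issue/check/report helper names and the CN values are assumptions, and it assumes a current OpenSSL release, where intermediate certificates must carry basicConstraints CA:TRUE and a failed verification gives a non-zero exit status.

```shell
#!/bin/sh
# Added example: constructed herong -> john -> bill -> tom chain with
# throwaway keys; file and helper names here are assumptions.
work=$(mktemp -d) && cd "$work" || exit 1

cat > ext.cnf <<'EOF'
[req]
distinguished_name = req
[ca]
basicConstraints = critical,CA:TRUE
EOF

# issue NAME ISSUER [EXT]: new key and CSR for NAME, signed by ISSUER.
# EXT=ca marks the certificate as a CA, which john and bill must be
# for a current OpenSSL to accept them as issuers.
issue() {
  openssl req -new -config ext.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null &&
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
    -CAcreateserial -days 1 -out "$1.crt" \
    ${3:+-extfile ext.cnf -extensions "$3"} 2>/dev/null
}

# check ARGS...: run 'openssl verify' quietly; status 0 means the path validated.
check() { openssl verify "$@" >/dev/null 2>&1; }
report() { if check "$@"; then echo "OK    $*"; else echo "FAIL  $*"; fi; }

# Self-signed root (the only trust anchor), then the three certificates below it.
openssl req -x509 -config ext.cnf -extensions ca -newkey rsa:2048 -nodes \
  -keyout herong.key -out herong.crt -subj "/CN=herong" -days 1 2>/dev/null
issue john herong ca
issue bill john ca
issue tom bill
cat john.crt bill.crt > all.crt   # POSIX form of 'copy john.crt+bill.crt all.crt'

report -CAfile herong.crt john.crt                         # issuer is the anchor
report -CAfile herong.crt bill.crt                         # john missing
report -CAfile john.crt bill.crt                           # john is not a root
report -CAfile herong.crt -untrusted john.crt bill.crt     # john supplied
report -CAfile herong.crt -untrusted bill.crt tom.crt      # john missing again
report -CAfile herong.crt -untrusted all.crt tom.crt       # full path available
```

Certificates passed with -untrusted are only candidates for building the path; the path still has to end at a certificate loaded through -CAfile.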