OpenSSL - Certification Path and Validation
This chapter describes:
- What Is a Certification Path?
- Certification Path Validation
- Certification Path Testing with OpenSSL
What Is a Certification Path?
Certification Path: Also called Certificate Chain. An ordered list of certificates in which the subject entity
of one certificate is identical to the issuing entity of the next certificate.
Equivalently, a certification path is an ordered list of certificates in which the issuing entity of each certificate
is the subject entity of the previous certificate. The first certificate has to be a special one, because there is
no previous certificate to identify its issuing entity: it must be a self-signed certificate, whose issuing entity
is the same as its subject entity.
For example, the following diagram shows you a certification path:
Certificate 1
Issuer: Herong Yang
Subject: Herong Yang
Certificate 2
Issuer: Herong Yang
Subject: John Smith
Certificate 3
Issuer: John Smith
Subject: Bill White
Certificate 4
Issuer: Bill White
Subject: Tom Bush
Certification Path Validation
A certification path needs to be validated. Here are the validation rules:
- The first certificate must be self-signed, and it must be recognized as a trusted certificate authority (CA),
  i.e. it must be in the validator's trust store. A self-signed certificate by itself proves nothing, because anyone
  can create one.
- The issuer of every certificate except the first must be "identical" to the subject of the previous certificate.
- "Identical" means more than matching names: the digital signature on the certificate, made by the issuer, must be
  verified by the public key contained in the previous certificate. Two certificates that carry the same subject
  name but different keys are not interchangeable.
A complete validator also checks that each certificate is within its validity period, that every issuing certificate
is allowed to act as a CA (basicConstraints and keyUsage), and that no certificate has been revoked. The "verify"
command below performs the first two checks by default; revocation is checked only when you supply CRLs and
"-crl_check".
OpenSSL offers a nice tool, the "verify" command, to validate a certification path. Here is the syntax of the
"verify" command:
openssl verify -CAfile first.crt -untrusted all_middle.crt last.crt
- "first.crt" is the first certificate of the path. It should be a self-signed certificate; passing it with
  "-CAfile" makes it the trust anchor for this validation.
- "last.crt" is the last certificate of the path, the one being validated.
- "all_middle.crt" is a collection of all middle certificates. They are passed with "-untrusted" because they are
  not trusted on their own; each of them must chain back to first.crt. If the certificates are stored in PEM
  format, you can join them into one file in any text editor (or with "cat"). The order inside the file does not
  matter, because "verify" matches each certificate to its issuer by subject name.
When the path validates, the command prints "last.crt: OK" and exits with status 0. Otherwise it names the
failing certificate and the reason, for example "unable to get local issuer certificate" (a middle certificate or
the anchor is missing) or "certificate signature failure" (an issuer's public key does not verify a signature).
Certification Path Testing with OpenSSL
Here is a testing scenario I followed to generate some certificates with different issuers and subjects.
See the previous notes if you have trouble generating keys and signing certificates.
1. Generating a self-signed certificate for Herong, herong.crt:
>echo Generating keys for Herong
>openssl genrsa -des3 -out herong_rsa.key
...
>echo Generating a self-signed certificate for Herong
>openssl req -new -key herong_rsa.key -x509 -out herong.crt -config openssl.cnf
...
"-des3" encrypts the private key with a passphrase that you are prompted for; the same passphrase is needed every
time the key is used to sign a certificate. "-x509" makes "req" emit a self-signed certificate instead of a
certificate signing request.
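The following script carries the scenario above through to a complete four-certificate path (Herong Yang, John Smith, Bill White, Tom Bush, as in the diagram) and runs the "verify" command from the previous section against it, including two paths that must fail. It is an added example and not the tutorial's own script: the subject names come from the tutorial, while the file names, the throw-away "mini.cnf", and the helper functions are this example's own choices. It assumes the openssl command line tool (1.1.1 or later) is installed, and it uses unencrypted keys so that it runs without passphrase prompts.

```shell
#!/bin/sh
# Added example (not code from the original tutorial): build the four-
# certificate path of the diagram and validate it with "openssl verify".
# File names, mini.cnf and the helper functions are this example's own.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so nothing depends on the system openssl.cnf. The two
# extension sections mark issuing certificates as CAs and the last one as a
# non-CA, so "verify" can enforce basicConstraints on every issuer.
cat > mini.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF

# make_key NAME: unencrypted RSA key so the script needs no passphrase.
# (The tutorial's "-des3" is the right choice for a key you intend to keep.)
make_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1.key" 2>/dev/null
}

# self_signed NAME CN: certificate 1 of the path, issuer == subject.
# "-subj" overrides the placeholder CN from mini.cnf.
self_signed() {
    openssl req -new -x509 -key "$1.key" -subj "/CN=$2" -days 365 \
        -config mini.cnf -extensions ca_ext -out "$1.crt"
}

# issue ISSUER NAME CN EXT_SECTION: the next certificate of the path. Its
# issuer field is copied from ISSUER's subject, and it is signed with
# ISSUER's private key, which is what makes the two "identical".
issue() {
    openssl req -new -key "$2.key" -subj "/CN=$3" -config mini.cnf -out "$2.csr"
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -days 365 -extfile mini.cnf -extensions "$4" -out "$2.crt" 2>/dev/null
}

build_path() {
    for n in herong john bill tom impostor; do make_key "$n"; done
    self_signed herong "Herong Yang"
    issue herong john "John Smith" ca_ext
    issue john   bill "Bill White" ca_ext
    issue bill   tom  "Tom Bush"   leaf_ext
    # The tutorial's all_middle.crt. Order inside the file does not matter:
    # verify matches each certificate to its issuer by name.
    cat bill.crt john.crt > all_middle.crt
    # A second self-signed "Herong Yang" with a different key: the same
    # names as the real anchor, but it never signed john.crt.
    self_signed impostor "Herong Yang"
}

# verify_path TRUSTED [UNTRUSTED] TARGET: prints the verify output and
# returns its exit status (0 only when the whole path validates).
verify_path() {
    if [ "$#" -eq 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$3"
    else
        openssl verify -CAfile "$1" "$2"
    fi
}

build_path

echo "1. full path:";             verify_path herong.crt all_middle.crt tom.crt || true
echo "2. middle certs missing:";  verify_path herong.crt tom.crt || true
echo "3. same names, wrong key:"; verify_path impostor.crt all_middle.crt tom.crt || true
```

Case 1 prints "tom.crt: OK". Case 2 fails with "unable to get local issuer certificate", because verify cannot find the certificates of Bill White and John Smith anywhere. Case 3 fails with "certificate signature failure": the issuer and subject names chain perfectly from tom.crt back to the impostor's self-signed certificate, but john.crt was signed by the real Herong Yang key, so the impostor's public key does not verify it. That is exactly the sense in which the validation rules require issuer and subject to be "identical".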