Cryptography Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.00

OpenSSL - Certification Path and Validation


(Continued from previous part...)

2. Generating a certificate for John and signed by Herong, john.crt:

>echo Generating keys for John
>openssl genrsa -des3 -out john_rsa.key
...

>echo Generating a certificate signing request for John
>openssl req -new -key john_rsa.key -out john.csr -config openssl.cnf
...

>echo Signing John's request with Herong's key
>openssl x509 -req -in john.csr -CA herong.crt -CAkey herong_rsa.key
   -out john.crt -set_serial 3
...

3. Generating a certificate for Bill and signed by John, bill.crt:

>echo Generating keys for Bill
>openssl genrsa -des3 -out bill_rsa.key
...

>echo Generating a certificate signing request for Bill
>openssl req -new -key bill_rsa.key -out bill.csr -config openssl.cnf
...

>echo Signing Bill's request with John's key
>openssl x509 -req -in bill.csr -CA john.crt -CAkey john_rsa.key
   -out bill.crt -set_serial 7
...

4. Generating a certificate for Tom and signed by Bill, tom.crt:

>echo Generating keys for Tom
>openssl genrsa -des3 -out tom_rsa.key
...

>echo Generating a certificate signing request for Tom
>openssl req -new -key tom_rsa.key -out tom.csr -config openssl.cnf
...

>echo Signing Tom's request with Bill's key
>openssl x509 -req -in tom.csr -CA bill.crt -CAkey bill_rsa.key
   -out tom.crt -set_serial 11
...

Ok. 4 certificates are enough to do some interesting tests with the "verify" command:

5. Verify the shortest certification path, one certificate only:

>openssl verify herong.crt
herong.crt: /C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=Herong Yang
error 18 at 0 depth lookup:self signed certificate
OK

>openssl verify -CAfile herong.crt herong.crt
herong.crt: OK
OK

>openssl verify john.crt
john.crt: /C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=John Smith
error 20 at 0 depth lookup:unable to get local issuer certificate

>openssl verify -CAfile john.crt john.crt
john.crt: /C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=John Smith
error 20 at 0 depth lookup:unable to get local issuer certificate

Note that:

  • You get an OK together with an error when validating a self-signed certificate without specifying it as the CA certificate. The error is real (error 18, the certificate is self-signed and not trusted); the OK comes from the "verify" tool's callback, which tolerates a self-signed certificate at depth 0 and carries on. Newer OpenSSL releases no longer do this: they print the same error 18 and then report that verification failed.
  • You get a clean OK when validating a self-signed certificate with itself specified as the CA certificate, because the certificate is now a trust anchor.
  • You get an error when validating a non self-signed certificate with or without specifying it as the CA certificate. Listing john.crt in -CAfile does not help, because OpenSSL keeps following issuer names until it reaches a self-signed certificate in the trusted store, and herong.crt is not there. (Newer releases have a -partial_chain option that accepts any certificate from -CAfile as a trust anchor; without it, the path must end at a self-signed root.)

6. Verify certification paths of two certificates:

>openssl verify -CAfile herong.crt john.crt
john.crt: OK

>openssl verify -CAfile herong.crt bill.crt
bill.crt: /C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=Bill White
error 20 at 0 depth lookup:unable to get local issuer certificate

>openssl verify -CAfile john.crt bill.crt
bill.crt: /C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=John Smith
error 2 at 1 depth lookup:unable to get issuer certificate

Note that:

  • Test 1: Perfect. john.crt is issued by herong.crt, the trusted CA certificate.
  • Test 2: Path broken at depth 0. The issuer of bill.crt (john.crt) is neither trusted nor supplied, so the path cannot even start. Error 20, "unable to get local issuer certificate", means no issuer was found for an untrusted certificate.
  • Test 3: Path broken at depth 1. john.crt is found, since it is the CA file, but its own issuer, herong.crt, is missing, so the path never reaches a self-signed root. The subject printed is John Smith, the certificate at depth 1 where the lookup failed, and the code is error 2, "unable to get issuer certificate", because the path did reach a trusted certificate before breaking.

7. Verify certification paths of many certificates:

>openssl verify -CAfile herong.crt -untrusted john.crt bill.crt
bill.crt: OK

>openssl verify -CAfile herong.crt -untrusted bill.crt tom.crt
tom.crt: /C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=Bill Gate
error 20 at 1 depth lookup:unable to get local issuer certificate

>copy john.crt+bill.crt all.crt
>openssl verify -CAfile herong.crt -untrusted all.crt tom.crt
tom.crt: OK

Note that:

  • Test 1: Perfect. john.crt, supplied with -untrusted, links bill.crt to the trusted herong.crt. Certificates given with -untrusted are used only to build the path; they are not trusted by themselves.
  • Test 2: Path broken at depth 1. bill.crt is found, but its issuer john.crt is neither in -CAfile nor in -untrusted.
  • Test 3: Perfect. The two intermediate certificates are joined into one file with the DOS "copy" command; -untrusted accepts a file holding several PEM certificates, one after the other.
  • Newer OpenSSL releases add one more requirement: a certificate used as an issuer inside a path (john.crt and bill.crt here) must carry a basicConstraints extension with CA:TRUE. A plain "x509 -req" as used above writes no extensions at all, and such an intermediate is then rejected with error 24, "invalid CA certificate", at depth 1. Pass -extfile and -extensions to "x509 -req" to add the extension when signing intermediates.
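The whole procedure, from generating the four certificates (steps 2 to 4) to the "verify" tests in steps 5 to 7, as one shell script. This is an added example, not the tutorial's own script: it assumes a current OpenSSL (1.1.1 or 3.x) on the PATH, replaces the tutorial's openssl.cnf with a minimal config written into a temporary directory, leaves the private keys unencrypted (the tutorial uses -des3) so nothing prompts for a passphrase, and uses the subject names from the transcripts above except for Tom, whose name is assumed. It also adds basicConstraints CA:TRUE to the intermediate certificates, because current OpenSSL rejects an extension-less certificate as an issuer inside a path, something the 2007 transcript did not have to deal with.

```sh
#!/bin/sh
# Added example, not from the tutorial: rebuild the chain
# Herong -> John -> Bill -> Tom without prompts and rerun the verify tests.
# Assumptions: OpenSSL 1.1.1 or 3.x on PATH; subject names as in the
# tutorial except "Tom Brown", which is made up; keys are unencrypted.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"

# "req" wants a distinguished_name section even when -subj is given.
# ca_ext marks a certificate as a CA: current OpenSSL only accepts a
# certificate as an issuer inside a path if it carries CA:TRUE.
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = unused
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
EOF

# make_root NAME CN: self-signed certificate, the trust anchor of the chain.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -subj "/CN=$2" -days 365 -config "$CFG" -extensions ca_ext \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# make_cert NAME CN ISSUER SERIAL EXT: the tutorial's three steps per
# subject (genrsa, req -new, x509 -req signed with the issuer's key).
make_cert() {
    openssl genrsa -out "$WORK/$1.key" 2048 >/dev/null 2>&1 &&
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -config "$CFG" \
        -out "$WORK/$1.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" \
        -CAkey "$WORK/$3.key" -set_serial "$4" -days 365 \
        -extfile "$CFG" -extensions "$5" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# verify_chain TARGET CAFILE [UNTRUSTED ...]: prints OK or FAIL, decided by
# the exit status of "openssl verify" (non-zero whenever the path is broken).
verify_chain() {
    target="$WORK/$1.crt"; cafile="$WORK/$2.crt"; shift 2
    untrusted=""
    for u in "$@"; do untrusted="$untrusted -untrusted $WORK/$u.crt"; done
    # $untrusted is word-split on purpose; $WORK comes from mktemp, no spaces
    if openssl verify -CAfile "$cafile" $untrusted "$target" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

build_chain() {
    make_root herong "Herong Yang" &&
    make_cert john "John Smith" herong 3 ca_ext &&
    make_cert bill "Bill White" john 7 ca_ext &&
    make_cert tom  "Tom Brown"  bill 11 leaf_ext &&
    # the DOS "copy john.crt+bill.crt all.crt" step
    cat "$WORK/john.crt" "$WORK/bill.crt" > "$WORK/all.crt"
}

build_chain || { echo "chain build failed" >&2; exit 1; }

echo "herong, CA=herong:       $(verify_chain herong herong)"     # OK
echo "john, CA=herong:         $(verify_chain john herong)"       # OK
echo "bill, CA=herong:         $(verify_chain bill herong)"       # FAIL: issuer missing at depth 0
echo "bill, CA=john:           $(verify_chain bill john)"         # FAIL: john's issuer missing at depth 1
echo "bill, CA=herong + john:  $(verify_chain bill herong john)"  # OK
echo "tom, CA=herong + bill:   $(verify_chain tom herong bill)"   # FAIL: john missing at depth 1
echo "tom, CA=herong + all:    $(verify_chain tom herong all)"    # OK
```

Run it as "sh chain.sh"; each output line is one of the verify tests above with its result. Only the certificates named with -CAfile are trust anchors, so the two FAIL lines for bill.crt and tom.crt are exactly the error 20 and error 2 cases from sections 6 and 7, and the last line passes only because all.crt supplies both intermediates.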

Conclusion

The certification path concept is simple. Just remember that each certificate names its issuer, and the next certificate in the path must be that issuer, all the way up to a self-signed certificate that you trust.

The OpenSSL "verify" tool needs only two command options for this: -CAfile supplies the trust anchors, and -untrusted supplies the intermediate certificates that are used only to build the path. The depth printed with an error tells you which link in the path is missing.


Dr. Herong Yang, updated in 2007