How to extract the Root CA and Subordinate CA from a certificate chain in Linux

certificatesopensslssl

I have an end-entity/server certificate which have an intermediate and root certificate. When I cat on the end-entity certificate, I see only a single BEGIN and END tag. It is the only the end-entity certificate.

Is there any way I can view the intermediate and root certificate content. I need only the content of BEGIN and END tag.

In Windows I can see the full cert chain from the "Certification Path". Below is the example for the Stack Exchange's certificate.

From there I can perform a View Certificate and export them. I can do that for both root and intermediate in Windows. I am looking for this same method in Linux.

Best Answer

From a web site, you can do:

openssl s_client -showcerts -verify 5 -connect stackexchange.com:443 < /dev/null

That will show the certificate chain and all the certificates the server presented.

Now, if I save those two certificates to files, I can use openssl verify:

$ openssl verify -show_chain -untrusted dc-sha2.crt se.crt 
se.crt: OK
Chain:
depth=0: C = US, ST = NY, L = New York, O = "Stack Exchange, Inc.", CN = *.stackexchange.com (untrusted)
depth=1: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA (untrusted)
depth=2: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA

The -untrusted option is used to give the intermediate certificate(s); se.crt is the certificate to verify. The depth=2 result came from the system trusted CA store.

If you don't have the intermediate certificate(s), you can't perform the verify. That's just how X.509 works.

Depending on the certificate, it may contain a URI to get the intermediate from. As an example, openssl x509 -in se.crt -noout -text contains:

        Authority Information Access: 
            OCSP - URI:http://ocsp.digicert.com
            CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt

That "CA Issuers" URI points to the intermediate cert (in DER format, so you need to use openssl x509 -inform der -in DigiCertSHA2HighAssuranceServerCA.crt -out DigiCertSHA2HighAssuranceServerCA.pem to convert it for further use by OpenSSL).

If you run openssl x509 -in /tmp/DigiCertSHA2HighAssuranceServerCA.pem -noout -issuer_hash you get 244b5494, which you can look for in the system root CA store at /etc/ssl/certs/244b5494.0 (just append .0 to the name).

I don't think there is a nice, easy OpenSSL command to do all that for you.

Related Solutions

Linux equivalent of “Trusted Root Certification Authorities” on Windows

I don't personally use Arch Linux, but this procedure works on most distributions.

First, you need to extract the CA certificate from your bundle. p12 files are basically a bundle of several components of a certificate.

openssl pkcs12 -nokeys -cacerts -in bundle.p12

You'll get one or more certificates dumped to your console. If you get more than one, find the one where the subject is the same as the issuer. This is your root certificate.

Take your root certificate (everything between, and including, the BEGIN CERTIFICATE and END CERTIFICATE lines), and save it in a file in /etc/ssl/certs with the extension .pem.

Then do the following:

cd /etc/ssl/certs
c_rehash

Openssl is not creating certificates with expected expiration date

The certificate validity should be specified in the last step as in:

openssl x509 -req -in server.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out server.crt -sha256 -days 365

Otherwise, while you are requesting 365 days while creating the CSR, when you sign it the signing default configuration overrides the days of the CSR request.

Best Answer

Related Solutions

Linux equivalent of “Trusted Root Certification Authorities” on Windows

Openssl is not creating certificates with expected expiration date

Related Question