I have an end-entity/server certificate which has an intermediate and root certificate. When I cat on the end-entity certificate, I see only a single BEGIN and END tag. It is only the end-entity certificate.
Is there any way I can view the intermediate and root certificate content? I need only the content of the BEGIN and END tag.
In Windows I can see the full cert chain from the "Certification Path". Below is the example for the Stack Exchange's certificate.
From there I can perform a View Certificate and export them. I can do that for both root and intermediate in Windows. I am looking for this same method in Linux.
Best Answer
From a web site, you can do:
That will show the certificate chain and all the certificates the server presented.
Now, if I save those two certificates to files, I can use openssl verify:
The -untrusted option is used to give the intermediate certificate(s); se.crt is the certificate to verify. The depth=2 result came from the system trusted CA store.
If you don't have the intermediate certificate(s), you can't perform the verify. That's just how X.509 works.
Depending on the certificate, it may contain a URI to get the intermediate from. As an example,
openssl x509 -in se.crt -noout -text
contains:
That "CA Issuers" URI points to the intermediate cert (in DER format, so you need to use
openssl x509 -inform der -in DigiCertSHA2HighAssuranceServerCA.crt -out DigiCertSHA2HighAssuranceServerCA.pem
to convert it for further use by OpenSSL).
If you run
openssl x509 -in /tmp/DigiCertSHA2HighAssuranceServerCA.pem -noout -issuer_hash
you get 244b5494, which you can look for in the system root CA store at /etc/ssl/certs/244b5494.0 (just append .0 to the name).
I don't think there is a nice, easy OpenSSL command to do all that for you.
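
One way to script the steps from the answer above, as an added example that is not part of the original answer. It assumes the certificates the server presented were saved to a text file (for instance the output of `openssl s_client -showcerts`); the function names and the `cert-N.pem` file names are made up here.

```shell
#!/bin/sh
# Added example: function and file names (split_pem, cert-N.pem) are made up here.

# split_pem INPUT OUTDIR
# Write every complete BEGIN/END CERTIFICATE block in INPUT to OUTDIR/cert-N.pem,
# in the order found. Text between blocks and a truncated final block are
# dropped. Prints the number of certificates written.
split_pem() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
        inside { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/ && inside {
            n++; out = dir "/cert-" n ".pem"
            printf "%s", buf > out; close(out); inside = 0
        }
        END { print n + 0 }
    ' "$1"
}

# describe_certs OUTDIR: show who each certificate is and who issued it.
describe_certs() {
    for f in "$1"/cert-*.pem; do
        [ -f "$f" ] || continue
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer -issuer_hash
    done
}

# verify_leaf OUTDIR: cert-1.pem is the certificate to verify (a TLS server
# sends its own certificate first); every other cert-N.pem is handed to
# openssl verify as an untrusted intermediate.
verify_leaf() {
    leaf="$1/cert-1.pem"; rest="$1/untrusted.pem"
    [ -f "$leaf" ] || { echo "no certificate found" >&2; return 1; }
    : > "$rest"
    for f in "$1"/cert-*.pem; do
        [ "$f" = "$leaf" ] || cat "$f" >> "$rest"
    done
    if [ -s "$rest" ]; then
        openssl verify -untrusted "$rest" "$leaf"
    else
        openssl verify "$leaf"
    fi
}

# Usage: sh script.sh saved-output.txt
if [ "$#" -ge 1 ]; then
    dir=$(mktemp -d) || exit 1
    split_pem "$1" "$dir" >/dev/null && describe_certs "$dir" && verify_leaf "$dir"
fi
```

Each `cert-N.pem` then holds exactly one BEGIN/END block, which is the per-certificate content the question asks for.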