From: W. Trevor King Date: Thu, 27 Sep 2012 20:22:25 +0000 (-0400) Subject: posts:x.509: add certificate verification examples for OpenSSL and GnuTLS. X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=28361fc425ea7019d7a0012c2f0fe1ad1febcd38;p=blog.git posts:x.509: add certificate verification examples for OpenSSL and GnuTLS. --- diff --git a/posts/X.509_certificates.mdwn b/posts/X.509_certificates.mdwn index 9e30ac7..ad3b77b 100644 --- a/posts/X.509_certificates.mdwn +++ b/posts/X.509_certificates.mdwn @@ -44,6 +44,16 @@ names][SAN]. Just add more `dns_name` entries to your template: $ echo 'dns_name = other.gnutls.org' >> server.tmpl $ certtool --generate-certificate … +You can verify a certificate if you can supply the whole certificate +chain. + + $ certtool --verify-chain --infile x509-server.pem --infile x509-ca.pem + +With versions of GnuTLS since 2.99.0 (released 2011-04-09), you can +verify against the global list of trusted CAs. + + $ certtool --verify --load-ca-certificate /etc/ssl/certs/ca-certificates.crt --infile x509-server.pem + OpenSSL ======= @@ -92,6 +102,11 @@ You can also print certificates with [x509][]. $ openssl x509 -in cert.pem -noout -text +You can verify a certificate if you can supply the whole certificate +chain with [verify][]. + + $ openssl verify cert.pem + PEM === @@ -210,6 +225,7 @@ time. [req]: http://www.openssl.org/docs/apps/req.html [x509v3_config]: http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_ [x509]: http://www.openssl.org/docs/apps/x509.html +[verify]: http://www.openssl.org/docs/apps/verify.html [Debian]: http://debian.org/ [ca-certificates]: http://packages.debian.org/sid/ca-certificates [.pem]: http://en.wikipedia.org/wiki/X.509#Certificate_filename_extensions
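Review bot: in the first hunk (the GnuTLS `--verify-chain` example), giving `--infile` twice is unlikely to supply both certificates: certtool reads a single input file, so the second `--infile x509-ca.pem` either replaces the first or is rejected as a repeated option, depending on the option parser, and the server certificate is never seen. `--verify-chain` expects the whole chain in one PEM file, end-entity certificate first and the self-signed CA last, so the example wants something like `cat x509-server.pem x509-ca.pem | certtool --verify-chain` or `--infile chain.pem` with the two concatenated. The second example also promises more than it does: `--load-ca-certificate /etc/ssl/certs/ca-certificates.crt` verifies against whatever the Debian `ca-certificates` bundle contains, not a "global" list, the path is distribution-specific, and the locally generated x509-server.pem from earlier in the post will fail there because its issuer x509-ca.pem is not in that bundle; it only verifies with `--load-ca-certificate x509-ca.pem`. Worth one sentence that neither command checks the hostname against the SAN entries the post has just been adding, so a successful verify here says nothing about which names the certificate is valid for.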
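Review bot: in the second hunk (the OpenSSL `verify` example), the command does not match the sentence above it: `openssl verify cert.pem` supplies no chain at all, it checks cert.pem against OpenSSL's default trust store (the certs directory under OPENSSLDIR, or whatever SSL_CERT_FILE / SSL_CERT_DIR point at), so a certificate issued by the post's own CA fails with an untrusted-issuer error. To actually supply the chain, as the prose promises, the example needs `openssl verify -CAfile ca.pem cert.pem`, with any intermediates passed via `-untrusted intermediates.pem` so that only the root is treated as trusted. Also worth noting that the line `cert.pem: OK` in the output is the result to look for; some older OpenSSL releases exit 0 even when verification fails, so scripts should check for that line rather than trusting the exit status alone.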