Re: openssl -check

Sent: Wednesday, 06 September 2017 at 18:06
From: "Jakob Bohm" <jb-openssl@xxxxxxxxxx>
To: openssl-users@xxxxxxxxxxx
Subject: Re: openssl -check
On 06/09/2017 16:18, "Georg Höllrigl" wrote:
> Hello,
> Is there a way to verify a cert?
> I'm thinking about some equivalent to
> openssl rsa -noout -in example.key -check
> but for the public part.
> I found some broken certificate (lines in the PEM encoding got swapped)
> openssl x509 -in broken.cer but see no way to verify...
> comparing with the original cert shows different thumbprint... but
> shouldn't there be some kind of checksum to verify?
The signature on a certificate is a very strong checksum.

For certificates that are not self-signed, openssl x509 -verify should
do it.
 
Agreed. That would be exactly what I had in mind - but it's not working. 
-verify only exists for "openssl req" to check a CSR?
 
I've created an example broken certificate from google:
 
 
At the command line, I won't see a difference from a correct to a broken certificate.
In comparison, when checking a key I get "RSA key ok".
 
Georg
 
 
 
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
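
Added example, not part of the original thread or of OpenSSL's own material: the script below reproduces the situation described in the message with a constructed throwaway CA and leaf certificate, and shows that `openssl verify -CAfile` against the issuer's certificate catches swapped PEM lines that `openssl x509` still parses. All file names and subject names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: throwaway CA and leaf are constructed here; every file name is made up.

# make_pki DIR: create a test CA and a leaf certificate signed by it.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# swap_pem_lines FILE A B: print FILE with lines A and B exchanged.
swap_pem_lines() {
    awk -v a="$2" -v b="$3" '
        { line[NR] = $0 }
        END {
            tmp = line[a]; line[a] = line[b]; line[b] = tmp
            for (i = 1; i <= NR; i++) print line[i]
        }' "$1"
}

# check_cert ISSUER CERT: succeed only if CERT's signature verifies against
# ISSUER. Matching on ": OK" avoids relying on the exit status alone.
check_cert() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

demo() {
    dir=$(mktemp -d) || return 1
    make_pki "$dir" || return 1
    # Lines 6 and 7 of the PEM fall inside the RSA modulus for this leaf,
    # so the DER structure stays intact and only the key bytes change.
    swap_pem_lines "$dir/leaf.pem" 6 7 > "$dir/broken.pem"
    for f in leaf broken; do
        openssl x509 -in "$dir/$f.pem" -noout && echo "$f: parses"
        if check_cert "$dir/ca.pem" "$dir/$f.pem"; then
            echo "$f: signature OK"
        else
            echo "$f: signature check FAILED"
        fi
    done
    rm -rf "$dir"
}

demo
```

`openssl verify` also checks validity dates and chain constraints, so an expired certificate fails this check for reasons other than corruption.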
