Recipe 4.4 Validating an SSL Certificate

4.4.1 Problem

You want to check that an SSL certificate is valid.

4.4.2 Solution

If your system's certificates are kept in a file (as in Red Hat):

$ openssl ... -CAfile file_of_CA_certificates ...

If they are kept in a directory (as in SuSE):

$ openssl ... -CAdir directory_of_CA_certificates ...

For example, to check the certificate for the secure IMAP server on mail.server.net against the system trusted certificate list on a Red Hat host:

$ openssl s_client -quiet -CAfile /usr/share/ssl/cert.pem \
                          -connect mail.server.net:993

To check the certificate of a secure web site https://www.yoyodyne.com/ from a SuSE host (recall HTTPS runs on port 443):

$ openssl s_client -quiet -CAdir /usr/share/ssl/certs -connect www.yoyodyne.com:443

If you happen to have a certificate in a file cert.pem, and you want to validate it, there is a separate validate command:

$ openssl validate -CA... -in cert.pem

Add -inform der if the certificate is in the binary DER format rather than PEM.

4.4.3 Discussion

Red Hat 8.0 comes with a set of certificates for some well-known Internet Certifying Authorities in the file /usr/share/ssl/cert.pem. SuSE 8.0 has a similar collection, but it is instead stored in a directory with a particular structure, a sort of hash table implemented using symbolic links. Under SuSE, the directory /usr/share/ssl/certs contains each certificate in a separate file, together with the links.

If the necessary root certificate is present in the given file, along with any necessary intermediate certificates not provided by the server, then openssl can validate the server certificate.

If a server certificate is invalid or cannot be checked, an SSL connection will not fail. openssl will simply print a warning and continue connecting.

4.4.4 See Also

openssl(1).