How to check if a SSL/TLS certificate is trusted by Red Hat Enterprise Linux?
Environment
- Red Hat Enterprise Linux
Issue
- When investigating SSL/TLS related issues it is usually useful to know whether a certificate is trusted by the operating system and, if it is not, which issuer in the chain is the missing one.
Resolution
- Get the trusted CA list and save it to /tmp/trusted-list. The awk command feeds each certificate of the bundle to openssl separately (a new block starts at every BEGIN line) and keeps only the subject names:

    awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-bundle.crt 2>&1 | sed 's/subject=//' > /tmp/trusted-list

- Save the certificate to /tmp/cert.pem.

  To save a remote certificate (replace example.com:443):

    echo | openssl s_client -showcerts -connect example.com:443 > /tmp/cert.pem

  To check a local certificate file instead (replace $PATH_TO_PEM), extract its issuer directly. The loop in the next step uses ISSUERS when it is already set, and openssl x509 prints the name in the same format as the trusted list:

    ISSUERS=$(openssl x509 -in $PATH_TO_PEM -noout -issuer | sed 's/issuer=//')

- The following code iterates over all issuers in the certificate and shows whether each of them is trusted or not:

    CERTPATH=/tmp/cert.pem
    # Trusted CA subjects collected in the first step
    TRUSTED=$(sed 's/subject=//' /tmp/trusted-list)
    # Keep ISSUERS if the local-file step already set it; otherwise take the
    # "issuer=" line(s) from the saved s_client output
    ISSUERS=${ISSUERS:-$(grep issuer "${CERTPATH}" | sed 's/issuer=//')}
    while IFS= read -r ISSUER; do
        # A quoted right-hand side makes =~ a literal substring match, not a regex
        if [[ "$TRUSTED" =~ "$ISSUER" ]]; then
            echo "Certificate issuer <$ISSUER> is Trusted"
        else
            echo "Certificate issuer <$ISSUER> is Not Trusted"
        fi
    done <<< "$ISSUERS"
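A stricter variant of the loop above, added here as an example and not part of the Red Hat solution: it compares each issuer against the trusted list as a whole line instead of a substring, normalises the whitespace and prefix differences between OpenSSL versions, also checks the intermediate issuers (the "i:" lines) that openssl s_client -showcerts lists, and returns non-zero when any issuer is missing. The file paths are the ones from the steps above; the function names are this example's own, and both files are assumed to come from the same OpenSSL build.

```shell
#!/bin/bash
# Added example, not part of the Red Hat solution. Inputs are the two files
# produced by the steps above: the trusted-subject list (/tmp/trusted-list)
# and the saved "openssl s_client -showcerts" output (/tmp/cert.pem).
# Both are assumed to come from the same OpenSSL build, because the name
# format differs between versions ("/C=US/O=..." vs "C = US, O = ...").

# Strip the "subject=", "issuer=" and "i:" prefixes and surrounding
# whitespace so that names printed by different commands compare equal.
normalize_name() {
    sed -e 's/^[[:space:]]*//' \
        -e 's/^subject=//' -e 's/^issuer=//' -e 's/^i://' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# extract_issuers CHAIN_FILE
# Issuer of the leaf ("issuer=" line) plus the issuer of every certificate
# in the "Certificate chain" listing ("i:" lines), one per line, deduplicated.
extract_issuers() {
    grep -E '^[[:space:]]*(issuer=|i:)' "$1" | normalize_name | sort -u
}

# check_issuers TRUSTED_LIST_FILE < issuer-lines
# Prints a verdict per issuer and returns 1 if any issuer is not trusted.
# grep -Fx matches the whole line as a fixed string, so a trusted subject
# that merely contains the issuer text does not count as a match.
check_issuers() {
    trusted_tmp=$(mktemp) || return 2
    normalize_name < "$1" > "$trusted_tmp"
    rc=0
    while IFS= read -r issuer; do
        [ -z "$issuer" ] && continue
        if grep -Fxq -e "$issuer" "$trusted_tmp"; then
            echo "Certificate issuer <$issuer> is Trusted"
        else
            echo "Certificate issuer <$issuer> is Not Trusted"
            rc=1
        fi
    done
    rm -f "$trusted_tmp"
    return $rc
}

# check_chain CHAIN_FILE TRUSTED_LIST_FILE
check_chain() {
    extract_issuers "$1" | check_issuers "$2"
}

# Usage with the files from the steps above:
# check_chain /tmp/cert.pem /tmp/trusted-list
```

The exit status makes the check usable from a script: 0 means every issuer in the chain is in the OS trust store, 1 means at least one is missing (the verdict lines name it).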
Note that, depending on the product, some services rely on the operating system trust store while others rely on the Java keystore. In that case refer to: How to check if a SSL/TLS certificate is trusted by a Java-based software on Red Hat Enterprise Linux?
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.