If your system’s certificates are kept in a file (as in Red Hat):
$ openssl ... -CAfile file_of_CA_certificates ...If they are kept in a directory (as in SuSE):
$ openssl ... -CAdir directory_of_CA_certificates ...For example, to check the certificate for the secure IMAP server on mail.server.net against the system trusted certificate list on a Red Hat host:
$ openssl s_client -quiet -CAfile /usr/share/ssl/cert.pem \
-connect mail.server.net:993To check the certificate of a secure web site https://www.yoyodyne.com/ from a SuSE host (recall HTTPS runs on port 443):
$ openssl s_client -quiet -CAdir /usr/share/ssl/certs -connect www.yoyodyne.com:443
If you happen to have a certificate in a file cert.pem , and you want to validate it, there is a separate validate command:
$ openssl validate -CA... -in cert.pem
Add -inform der if the certificate is in the binary DER format rather than PEM.
Red Hat 8.0 comes with a set of certificates for some well-known Internet Certifying Authorities in the file /usr/share/ssl/cert.pem. SuSE 8.0 has a similar collection, but it is instead stored in a directory with a particular structure, a sort of hash table implemented using symbolic links. Under SuSE, the directory /usr/share/ssl/certs contains each certificate in a separate file, together with the links.
If the necessary root certificate is present in the given file, along with any necessary intermediate certificates not provided by the server, then openssl can validate the server certificate.
Get Linux Security Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
