How to view certificate chain using openssl
I use a mixture of Windows, Linux, and Macs and have noticed big differences in how each OS shows certificate details using the default tools available in each.
The way Windows displays certificate details is very succinct. Specifically, the certificate chain. See screenshot as an example.
And here it is again in Windows, but using the certutil tool. (okay it's inspecting a pfx but you get the point).
However on a Mac, this is how it shows the same cert in Keychain Access.
As you can see, it doesn't have a nice hierarchical view that makes it easy to identify the certificate chain that Windows or certutil shows - at least not to my (possibly) untrained eyes.
I also haven't figured out a way to show the certificate chain using openssl either, for example, the following command openssl x509 -in certificate.crt -text does not show a hierarchical chain - only the issuer.
So is there a way to view a certificate's chain whether it be text or an image using openssl or native Mac tools?
[Edit]:
I often create PFX files with the entire certificate chain (bar the root) for distribution within the company I work for. As part of the process I double check that the certs I've downloaded from the issuing CA are correct and that they're in the right order before passing it to openssl to mint the PFX. So to be clear, I'm questioning how to view the chain of a certificate I am working on locally on my computer.
Use -showcerts:
openssl s_client -showcerts -connect www.serverfault.com:443
Output with some information removed for brevity:
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = *.stackexchange.com
verify return:1
---
Certificate chain
0 s:/CN=*.stackexchange.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
*REMOVED*
-----END CERTIFICATE-----
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
*REMOVED*
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=*.stackexchange.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
I can't help for other Mac tools including native. OpenSSL is a pure commandline product with no GUI, although of course you could use the library part (libcrypto) and write your own GUI.
From commandline, openssl verify will if possible build (and validate) a chain from the/each leaf cert you give it, plus intermediate(s) from -untrusted (which can be repeated), and possibly more intermediate(s) to a root (or anchor) in -trusted or -CAfile and/or -CApath or the default truststore, which is usually determined by your system or build but can be overridden with envvars. If this fails it gives an error. In 1.1.0 up if it succeeds and you also specify -show_chain, it displays the subject names of each cert -- which may or may not be enough to identify them. If you only have one cert per subject, that's fairly easy. If you have certs for the same subject from different issuers, looking at the next cert's name (except on the last, which is self-signed unless you also use -partial_chain) is enough. If you have multiple certs for the same subject and issuer it's harder.
I often create PFX files with the entire certificate chain (bar the root) for distribution within the company I work for. As part of the process I double check that the certs I've downloaded from the issuing CA are correct and that they're in the right order before passing it to openssl to mint the PFX.
Except for the 'bar the root' part, you could reverse this workflow. Instead of manually building and checking the chain and then using it, you could use openssl pkcs12 -export -chain and provide the possible chain certs as (or in) -CAfile and/or -CApath. That would build the chain (actually validating it also as a side-effect) and create a PKCS12 containing only the private key and leaf plus valid chain if successful, but give an error and create no output if unsuccessful -- i.e. if you don't have a valid chain.
Just building upon Dave Thompson's answer, this is what you need to verify a certificate bundle/chain consisting of an intermediate and your own leaf:
# split your certificate chain into individual certificates
$ csplit -z -f individual- bundle.pem '/-----BEGIN CERTIFICATE-----/' '{*}'
1977
1850
# verify the chain and show the info in the chain
$ openssl verify -show_chain -untrusted individual-01 individual-00
individual-00: OK
Chain:
depth=0: CN = foobar.example.com (untrusted)
depth=1: C = NO, O = Buypass AS-983163327, CN = Buypass Class 2 CA 2 (untrusted)
depth=2: C = NO, O = Buypass AS-983163327, CN = Buypass Class 2 Root CA
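Building on the csplit and openssl verify -show_chain recipe above, here is a small POSIX shell script (an added example, not code from any of the answers) that splits a bundle with awk and then checks the "right order" the question asks about: walking the certificates leaf-first and confirming that each one's issuer is the subject of the next. The bundle file name bundle.pem and the cert- prefix are assumed; only openssl x509 is used, so it works on OpenSSL 1.0.x, 1.1.x and 3.x output formats.

```shell
#!/bin/sh
# Split a PEM bundle into numbered files <prefix>00, <prefix>01, ... and
# print how many certificates were found. Pure awk, no openssl needed.
split_pem_bundle() {
    bundle=$1; prefix=$2
    awk -v p="$prefix" 'BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s%02d", p, n); n++ }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n }' "$bundle"
}

# Print depth=N subject/issuer lines for certificates given leaf-first and
# check that each certificate's issuer is the subject of the next one, i.e.
# the order a PKCS#12 or a TLS server chain expects. Returns 1 if the order
# is broken. The sed strips both "subject= /CN=..." (1.0.x) and
# "subject=CN = ..." (1.1.x and later) prefixes so the strings compare.
check_chain_order() {
    prev_issuer=""; depth=0; status=0
    for cert in "$@"; do
        subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "depth=$depth: expected subject '$prev_issuer' but found '$subject'" >&2
            status=1
        fi
        echo "depth=$depth: s: $subject"
        echo "         i: $issuer"
        prev_issuer=$issuer
        depth=$((depth + 1))
    done
    return $status
}

# Usage: sh chaincheck.sh bundle.pem   (bundle.pem is an assumed file name)
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    tmp=$(mktemp -d)
    n=$(split_pem_bundle "$1" "$tmp/cert-")
    echo "$n certificate(s) in $1"
    check_chain_order "$tmp"/cert-*
fi
```

A matching subject/issuer chain only proves the order; run openssl verify -show_chain (as in the answer above) afterwards to check the signatures and the trust anchor as well.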