How to verify online certificates with openssl?
by ychaouche from LinuxQuestions.org on (#6EPCR)
Hello LQ,
When I use s_client, validation fails with error code 20, "unable to get local issuer certificate".

16:07:29 ~/TMP/MUSIC -1- $ openssl s_client -connect radioalgerie.dz:443 </dev/null
CONNECTED(00000003)
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=*.radioalgerie.dz
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
---
...

However, if I pipe the output of s_client to the verify command, AND manually download the CA certificate beforehand to add it to the -untrusted flag, verification works fine.

16:11:10 ~/TMP/MUSIC -1- $ openssl s_client -connect radioalgerie.dz:443 </dev/null 2>/dev/null | openssl verify -untrusted ~/DATA/CERTIFICATS/sectigo.pem
stdin: OK
16:11:23 ~/TMP/MUSIC -1- $

Isn't there a more straightforward way to validate online certificates, like browsers do I guess, without manually downloading the intermediate CA?

I can't help but make a parallel to the helpful dig +trace flag for example, which kind of debugs the DNS query by requesting each name server for its specific zone information starting from the root servers, instead of just querying the locally configured name server.
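An added example (not from the post and not OpenSSL's own code) that does the piped verification without a hand-downloaded intermediate: the server already sends the intermediate (entry 1 in the chain above), so `-showcerts` fetches it and it is handed to `openssl verify -untrusted`, and `-verify_hostname` is added because a bare `openssl verify` on stdin never checks the name. It assumes `openssl`, `awk` and `mktemp` are on PATH and that the system trust store is where `openssl verify` looks by default.

```shell
#!/bin/sh
# Added example: verify a server certificate using the intermediates the
# server itself sends, with trust anchors from the local trust store.

# Split a PEM bundle (e.g. `openssl s_client -showcerts` output) into
# $2/cert.0.pem (the leaf), $2/cert.1.pem, ... (intermediates, in the order
# the server sent them). Lines outside BEGIN/END markers are dropped.
# Prints the number of certificates found.
split_chain() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert." (n - 1) ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# Fetch the chain from $1:$2 (default 443) and verify the leaf. The served
# intermediates go in via -untrusted: they are not trusted by themselves, only
# used to build the path up to a root in the local store. -verify_hostname
# rejects a valid chain issued for some other name.
verify_host() {
    host="$1"; port="${2:-443}"
    tmp=$(mktemp -d)
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null > "$tmp/chain.pem"
    n=$(split_chain "$tmp/chain.pem" "$tmp")
    if [ "$n" -lt 1 ]; then
        echo "no certificate received from $host:$port" >&2
        rm -rf "$tmp"; return 1
    fi
    set -- "$tmp/cert.0.pem"                 # verify arguments: leaf last
    if [ "$n" -gt 1 ]; then
        i=1
        while [ "$i" -lt "$n" ]; do
            cat "$tmp/cert.$i.pem" >> "$tmp/untrusted.pem"; i=$((i + 1))
        done
        set -- -untrusted "$tmp/untrusted.pem" "$@"
    fi
    if openssl verify -verify_hostname "$host" "$@"; then rc=0; else rc=$?; fi
    rm -rf "$tmp"
    return $rc
}

# usage: sh verify_chain.sh radioalgerie.dz [443]
[ -z "${1:-}" ] || verify_host "$1" "${2:-443}"
```

The error 20 at depth=1 in the original s_client run means the issuer of the Sectigo intermediate (the USERTrust root) was not found in any trust store s_client had loaded; pointing s_client at the local store with `-CAfile` or `-CApath` makes that run verify on its own as well.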