I have an end-entity/server certificate which have an intermediate and root certificate. When I
cat on the end-entity certificate, I see only a single
END tag. It's the only end-entity certificate
What does it take to view the content of intermediate and root certificates? I need only the content of
I can see the full cert chain from the certification path in windows Below is the example for the stack exchange certificate
From there I can perform a View Certificate and export them. I can do this in both root and intermediate windows I'm looking for this same method in linux
You can do it on a web site
openssl s_client -showcerts -verify 5 -connect stackexchange.com:443 < /dev/null
This will show the certificate chain and all the certificates presented by the server
Now, if I save those two certificates to files, I can use
openssl verify .
$ openssl verify -show_chain -untrusted dc-sha2.crt se.crt se.crt: OK Chain: depth=0: C = US, ST = NY, L = New York, O = "Stack Exchange, Inc.", CN = *.stackexchange.com (untrusted) depth=1: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA (untrusted) depth=2: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
-untrusted option is used to give the intermediate certificate(s);
se.crt is the certificate to verify. The depth2 result came from the trusted ca system
If you don't have intermediate certificates you can't validate it That's just how X.509 works.
Depending on the certificate, it may contain a uri to get the intermediate from. As an example,
openssl x509 -in se.crt -noout -text contains.
Authority Information Access: OCSP - URI:http://ocsp.digicert.com CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
That "CA Issuers" URI points to the intermediate cert (in DER format, so you need to use
openssl x509 -inform der -in DigiCertSHA2HighAssuranceServerCA.crt -out DigiCertSHA2HighAssuranceServerCA.pem to convert it for further use by OpenSSL).
If you run
openssl x509 -in /tmp/DigiCertSHA2HighAssuranceServerCA.pem -noout -issuer_hash you get
244b5494 , which you can look for in the system root CA store at
/etc/ssl/certs/244b5494.0 (just append
.0 to the name).
I don't think there's any simple openssl command you can execute