How do I extract the root CA and subordinate CA from a certificate chain in Linux?
I have an end-entity/server certificate which has an intermediate and root certificate. When I cat the end-entity certificate, I see only a single BEGIN and END tag. It's the only end-entity certificate.
What does it take to view the content of the intermediate and root certificates? I need only the content between the BEGIN and END tags.
I can see the full cert chain from the certification path in Windows. Below is the example for the Stack Exchange certificate.
From there I can perform a View Certificate and export them. I can do this in both the root and intermediate windows. I'm looking for this same method in Linux.
You can do it on a web site:
openssl s_client -showcerts -verify 5 -connect stackexchange.com:443 < /dev/null
This will show the certificate chain and all the certificates presented by the server.
Now, if I save those two certificates to files, I can use openssl verify.
$ openssl verify -show_chain -untrusted dc-sha2.crt se.crt
se.crt: OK
Chain:
depth=0: C = US, ST = NY, L = New York, O = "Stack Exchange, Inc.", CN = *.stackexchange.com (untrusted)
depth=1: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA (untrusted)
depth=2: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
The -untrusted option is used to give the intermediate certificate(s); se.crt is the certificate to verify. The depth=2 result came from the trusted CA system.
If you don't have the intermediate certificates you can't validate it. That's just how X.509 works.
Depending on the certificate, it may contain a URI to get the intermediate from. As an example, openssl x509 -in se.crt -noout -text contains:
Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
That "CA Issuers" URI points to the intermediate cert (in DER format, so you need to use openssl x509 -inform der -in DigiCertSHA2HighAssuranceServerCA.crt -out DigiCertSHA2HighAssuranceServerCA.pem to convert it for further use by OpenSSL).
If you run openssl x509 -in /tmp/DigiCertSHA2HighAssuranceServerCA.pem -noout -issuer_hash you get 244b5494, which you can look for in the system root CA store at /etc/ssl/certs/244b5494.0 (just append .0 to the name).
I don't think there's any simple openssl command you can execute.
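The answer above leaves the splitting and ordering step to the reader: openssl s_client -showcerts dumps every certificate the server sent as one text blob, and the server is not obliged to send them in leaf-to-root order or to include the root at all. The following is an added example, not code from the question or the answer, showing the mechanical part in stdlib-only Python so it runs offline: it cuts the PEM blocks out of an s_client-style dump, reads the issuer and subject Name fields straight out of the DER, chains each certificate to the one whose subject matches its issuer, and reports whether the chain ends in a self-signed root or stops short (the depth=2 case that has to come from the system store). The sample dump and the root certificate are constructed here with a tiny DER encoder; they are structurally valid but carry dummy keys and signatures, so they will not pass openssl verify. All function names are this example's own.

```python
"""Split an `openssl s_client -showcerts` dump into certificates and order them
leaf -> intermediate -> root by matching each issuer Name to a subject Name."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return the DER bytes of every certificate found in a PEM text dump."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, end_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(seq):
    """Yield the full TLV encoding of each child of a constructed DER value."""
    pos = 0
    while pos < len(seq):
        _, _, end = _tlv(seq, pos)
        yield seq[pos:end]
        pos = end


def names(der):
    """Return (issuer, subject) as raw DER Name encodings.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, ... }"""
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                # explicit [0] version present
        fields = fields[1:]
    return fields[2], fields[4]             # serial, sigalg, ISSUER, validity, SUBJECT


def common_name(name_der):
    """Pull the CN (OID 2.5.4.3) out of a DER Name; enough for a chain summary."""
    for rdn in _children(_tlv(name_der, 0)[1]):
        for attr in _children(_tlv(rdn, 0)[1]):
            oid, value = list(_children(_tlv(attr, 0)[1]))[:2]
            if _tlv(oid, 0)[1] == b"\x55\x04\x03":
                return _tlv(value, 0)[1].decode()
    return None


def is_self_signed(der):
    issuer, subject = names(der)
    return issuer == subject                # DER is canonical, so byte equality is a Name match


def order_chain(ders):
    """Order certificates leaf -> root. The leaf is the one whose subject issues nothing
    else; we then follow issuer -> subject links and stop at a self-signed cert or when
    the issuer is not in the bundle (root must then come from the system store)."""
    info = {d: names(d) for d in ders}
    by_subject = {subj: d for d, (_, subj) in info.items()}
    issuers = {iss for iss, _ in info.values()}
    leaves = [d for d, (iss, subj) in info.items()
              if subj not in issuers or (iss == subj and len(ders) == 1)]
    if len(leaves) != 1:
        raise ValueError("expected exactly one leaf certificate, found %d" % len(leaves))
    chain, cur = [], leaves[0]
    while cur is not None and cur not in chain:
        chain.append(cur)
        iss, subj = info[cur]
        cur = None if iss == subj else by_subject.get(iss)
    return chain


def chain_summary(chain):
    """Lines in the style of `openssl verify -show_chain`, plus a root-present flag."""
    lines = ["depth=%d: CN = %s (issuer CN = %s)" % (i, common_name(names(d)[1]), common_name(names(d)[0]))
             for i, d in enumerate(chain)]
    return lines, is_self_signed(chain[-1])


# ---- constructed sample data (dummy keys/signatures; parses but will not verify) ----
def _der(tag, content):
    n = len(content)
    ln = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + content


def _name(cn):                              # Name with a single CN PrintableString
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode()))))


def fake_cert(subject_cn, issuer_cn):
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    rsa_key = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
    spki = _der(0x30, rsa_key + _der(0x03, b"\x00" * 17))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 33))


# Mimics s_client output: the server sent intermediate and leaf, out of order, no root.
SAMPLE_DUMP = ("CONNECTED(00000003)\nCertificate chain\n"
               " 0 s:CN = Example Intermediate CA\n   i:CN = Example Root CA\n"
               + to_pem(fake_cert("Example Intermediate CA", "Example Root CA"))
               + " 1 s:CN = www.example.test\n   i:CN = Example Intermediate CA\n"
               + to_pem(fake_cert("www.example.test", "Example Intermediate CA"))
               + "---\nServer certificate\n")
ROOT_PEM = to_pem(fake_cert("Example Root CA", "Example Root CA"))   # as if from /etc/ssl/certs

if __name__ == "__main__":
    for lines, root_ok in (chain_summary(order_chain(split_pem_bundle(SAMPLE_DUMP))),
                           chain_summary(order_chain(split_pem_bundle(SAMPLE_DUMP + ROOT_PEM)))):
        print("\n".join(lines), "\n  root present:", root_ok)
```

Write each element of the ordered list out with to_pem() to get the separate leaf, intermediate and root files the question asks for; when the last element is not self-signed, that is exactly the situation the answer describes, and the root has to be located in the system store (or fetched via the CA Issuers URI chain) rather than taken from the server.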