20 May 2010

Verify Server certificate

As the first real post I want to start with the basics. As a manager of a trusted CA the most common complain I receive is that the certificate "does not work". In 99% of the cases the root of the problem is that the administrator did not install the proper SubCA or SubCAs or it install them in the wrong CA store (if the server is a IIS).

I always provide the following possibilities in orded to verify the SubCAs sent by the server.

* openssl (http://www.openssl.org/) If you can have acess to it just run:
openssl s_client -connect SERVERNAME:443 

where SERVERNAME is the DNS name of the server you want to verify. Run the command and check the "Certificate chain" part. In most cases you´ll need to see the certifcates 0 (the server certificate) and 1 (the chain). There are cases you might even need an extra chain. It´s necessary that the Issuer (i:) of the last certificate is available on the client, otherwise you´ll have an error.

openssl s_client -connect google.com:443
CONNECTED(00000003)
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBM
MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg
THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0wOTEyMTgwMDAwMDBaFw0x
MTEyMTgyMzU5NTlaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHFA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKFApHb29nbGUgSW5jMRcw
FQYDVQQDFA53d3cuZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEA6PmGD5D6htffvXImttdEAoN4c9kCKO+IRTn7EOh8rqk41XXGOOsKFQebg+jN
gtXj9xVoRaELGYW84u+E593y17iYwqG7tcFR39SDAqc9BkJb4SLD3muFXxzW2k6L
05vuuWciKh0R73mkszeK9P4Y/bz5RiNQl/Os/CRGK1w7t0UCAwEAAaOB5zCB5DAM
BgNVHRMBAf8EAjAAMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwudGhhd3Rl
LmNvbS9UaGF3dGVTR0NDQS5jcmwwKAYDVR0lBCEwHwYIKwYBBQUHAwEGCCsGAQUF
BwMCBglghkgBhvhCBAEwcgYIKwYBBQUHAQEEZjBkMCIGCCsGAQUFBzABhhZodHRw
Oi8vb2NzcC50aGF3dGUuY29tMD4GCCsGAQUFBzAChjJodHRwOi8vd3d3LnRoYXd0
ZS5jb20vcmVwb3NpdG9yeS9UaGF3dGVfU0dDX0NBLmNydDANBgkqhkiG9w0BAQUF
AAOBgQCfQ89bxFApsb/isJr/aiEdLRLDLE5a+RLizrmCUi3nHX4adpaQedEkUjh5
u2ONgJd8IyAPkU0Wueru9G2Jysa9zCRo1kNbzipYvzwY4OA8Ys+WAi0oR1A04Se6
z5nRUP8pJcA2NhUzUnC+MY+f6H/nEQyNv4SgQhqAibAxWEEHXw==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 1765 bytes and written 313 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: B3E695F8FA99A262EC5916678E686907ABF5CC2EE5B85EE994A3CBE7360B0DBA
    Session-ID-ctx:
    Master-Key: FFA4CB2368CDAF125D1284CC0CA739C0A40E9E429B5CD07FAF7177546694D7448524242B513749CFE33C14DE0D129746
    Key-Arg   : None
    Start Time: 1274307867
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


* Online Tool. If you can't use openssl or you are afraid of using the command line there are plenty of online tools that will check the certificate for you. Find below a couple of links that work quite well:

http://jce.iaik.tugraz.at/sic/Products/Communication-Messaging-Security/iSaSiLk/demo
Although the page is in German, it´s quite simple to use. What I like is that it provides all information oyu need and more.

http://www.sslshopper.com/ssl-checker.html
Nice format and simpler to read but with less information.

19 May 2010

Here we are!

After several years crawling the Internet looking for pki related questions I think is time I feedback my own solutions. The idea is to post my finding on Code Signing, TLS, Document Signing, encryption and similar.
I hope you find it useful.