Last modified on 01/21/08 18:40:17

How to check a Host Certificate

Verify that a host certificate and key match

Run the following two commands.

openssl x509 -in /etc/grid-security/hostcert.pem -noout -modulus | md5sum
openssl rsa -in /etc/grid-security/hostkey.pem -noout -modulus | md5sum

The output from these commands will be identical if the two files correspond.

Check the validity of a certificate

To check that a certificate is valid (that it hasn't expired yet, has been issued by a known Certificate Authority, and can be used for server-related activity), use the following command:

openssl verify -CApath /etc/grid-security/certificates -purpose sslserver /etc/grid-security/hostcert.pem

The following command will tell you when a certificate will expire:

openssl x509 -in /etc/grid-security/hostcert.pem -noout -enddate
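
The key/certificate match and the expiry lookup described above, combined into one check, as an added example that is not part of the original wiki page. It goes slightly beyond the text: it compares the whole public key instead of the RSA modulus (so it is not tied to RSA keys) and uses `-checkend` to flag a certificate that will expire soon. The function names and the generated demo files are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original wiki page.

# Return 0 if the certificate ($1) and private key ($2) hold the same public key.
# Compares the full public key, so it is not limited to RSA moduli.
# Returns 2 if either file cannot be read, so two empty outputs never "match".
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate ($1) is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Constructed sample input: a self-signed certificate valid for one day plus
# its key, and a second unrelated key, written to directory $1.
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=host.example.org" \
        -keyout "$1/hostkey.pem" -out "$1/hostcert.pem" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/otherkey.pem" 2>/dev/null
}

# Report on a certificate/key pair; warn if it expires within $3 seconds.
check_host_cert() {
    if cert_key_match "$1" "$2"; then echo "key: matches certificate"
    else echo "key: MISMATCH or unreadable file"; return 1; fi
    if cert_valid_for "$1" "$3"; then echo "expiry: ok"
    else echo "expiry: expires within $3 seconds"; return 1; fi
}

# Demo run on the constructed files (one-hour look-ahead).
demo_dir=$(mktemp -d) && make_demo_files "$demo_dir" &&
    check_host_cert "$demo_dir/hostcert.pem" "$demo_dir/hostkey.pem" 3600
rm -rf "$demo_dir"
```

For a real host, call `check_host_cert /etc/grid-security/hostcert.pem /etc/grid-security/hostkey.pem 2592000` to be warned 30 days before expiry.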

View complete information about a certificate

The following command will show all information about a host certificate:

openssl x509 -text -in /etc/grid-security/hostcert.pem 

The output of this command for an expired host certificate is shown below.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2600 (0xa28)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, O=GermanGrid, CN=GridKa-CA
        Validity
            Not Before: Sep 20 10:20:22 2006 GMT
            Not After : Oct 20 10:20:22 2007 GMT
        Subject: O=GermanGrid, OU=DESY, CN=host/cork.desy.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:db:d8:4f:ce:3e:e0:4f:76:29:49:b0:03:52:5f:
                    aa:59:46:11:35:72:2b:95:a5:9e:57:d6:42:0d:d1:
                    30:99:af:2a:4f:e6:c9:ff:8d:2d:40:7b:e5:33:12:
                    c0:ef:cd:89:f9:fa:f3:c2:f0:a5:4a:24:00:e2:7f:
                    c6:2b:38:33:ba:e7:23:60:ca:95:29:f8:aa:fe:3f:
                    25:b2:78:ed:c3:7b:d4:39:4a:ea:16:bc:b7:7a:6d:
                    ee:77:fb:bb:0e:30:0a:3e:84:f0:24:80:bf:a0:46:
                    1a:49:cd:e6:b5:3a:13:4e:d9:a6:b6:75:94:26:27:
                    05:84:b4:87:39:17:f7:d2:e3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Key Identifier: 
                D0:FA:68:44:33:6A:7B:8C:26:E3:C1:A2:56:2F:D9:41:FC:77:1D:18
            X509v3 Authority Key Identifier: 
                keyid:C6:75:C9:28:AC:D1:0B:FC:3C:FF:B9:B5:1E:D3:5F:3B:80:62:12:34
                DirName:/C=DE/O=GermanGrid/CN=GridKa-CA
                serial:00

            X509v3 Subject Alternative Name: 
                DNS:cork.desy.de
            X509v3 Issuer Alternative Name: 
                email:gridka-ca@iwr.fzk.de
            X509v3 CRL Distribution Points: 
                URI:http://grid.fzk.de/ca/gridka-crl.pem

            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.2614.5548.1.1.1.3

            Netscape Cert Type: 
                SSL Server
            Netscape Comment: 
                Certificate issued under CP/CPS v. 1.3 at http://grid.fzk.de/ca
            Netscape Base Url: 
                http://grid.fzk.de/ca
            Netscape CA Policy Url: 
                http://grid.fzk.de/ca/gridka-cps.pdf
            Netscape Revocation Url: 
                http://grid.fzk.de/ca/gridka-crl.pem
    Signature Algorithm: sha1WithRSAEncryption
        89:8f:47:81:f4:b2:97:b4:b6:d4:7d:ff:ea:03:dc:2e:c1:fa:
        65:69:90:a3:f4:97:dc:2a:36:34:80:91:21:0c:8b:5a:1b:42:
        44:19:fc:3c:fe:31:6e:7d:3d:6c:38:a7:f6:13:3b:0c:8c:ef:
        63:70:c9:fa:17:d4:ac:b5:de:6e:54:15:61:ce:3b:b5:a8:73:
        99:b0:24:74:46:a9:62:96:c4:87:dd:ce:62:4c:af:a0:de:ea:
        e5:9d:bd:26:aa:7f:79:1c:2d:c2:0b:b9:71:4d:04:48:90:ce:
        a9:62:b8:a3:8c:e4:93:e1:76:74:e1:cc:c2:cc:8c:89:f3:c1:
        47:34:de:2b:cd:4b:3e:28:4d:da:f2:b7:b9:12:16:96:9a:5c:
        0c:d2:9d:a4:01:01:de:ac:17:62:e2:3e:99:fb:d7:41:30:c1:
        69:6d:b4:ba:38:a4:2f:82:1e:3f:3c:6e:28:13:59:27:04:5e:
        88:72:82:a3:4b:2a:9d:40:b8:b5:bb:b6:57:fa:2c:49:ca:76:
        65:ea:bf:5e:7b:63:bb:fd:2b:95:27:0a:e4:8e:55:96:73:76:
        bd:a9:af:be:85:fb:75:c2:c9:07:6b:3a:d7:12:4f:8c:9e:6e:
        be:9f:25:d7:54:ab:f0:86:ce:d5:06:aa:6c:12:68:6f:27:0d:
        b0:bb:af:d2