How to check a Host Certificate
Verify that a host certificate and key match
Run the following two commands.
openssl x509 -in /etc/grid-security/hostcert.pem -noout -modulus | md5sum
openssl rsa -in /etc/grid-security/hostkey.pem -noout -modulus | md5sum
The output from these commands will be identical if the two files correspond.
Check the validity of a certificate
To check that a certificate is valid (that it hasn't expired yet, has been issued by a known Certificate Authority, and can be used for server-related activity), use the following command:
openssl verify -CApath /etc/grid-security/certificates -purpose sslserver /etc/grid-security/hostcert.pem
The following command will tell you when a certificate will expire:
openssl x509 -in /etc/grid-security/hostcert.pem -noout -enddate
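The checks above combined into one script, as an added example that is not part of the original page. It goes beyond the modulus comparison by comparing public keys, which also works for EC keys, and uses -checkend to flag a certificate that expires within a given number of days; the function names, the script name and the 30-day default are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): one-shot host certificate check.
# Function names and the 30-day default are assumptions of this example.

# Succeed if certificate $1 and private key $2 hold the same public key.
# Comparing public keys instead of RSA moduli also works for EC keys.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeed if certificate $1 is still within its validity period $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeed if certificate $1 chains to a CA in directory $2 and may be used as
# an SSL server. The output is matched because some older OpenSSL releases
# exit 0 from "verify" even when verification failed.
cert_chain_ok() {
    openssl verify -CApath "$2" -purpose sslserver "$1" 2>&1 | grep -q ': OK$'
}

# Run all three checks; print one line per problem and return 1 if any failed.
check_hostcert() {
    cert=$1 key=$2 capath=$3 days=${4:-30} rc=0
    cert_matches_key "$cert" "$key" ||
        { echo "FAIL: $key does not match $cert"; rc=1; }
    cert_chain_ok "$cert" "$capath" ||
        { echo "FAIL: $cert does not verify against $capath"; rc=1; }
    cert_valid_for_days "$cert" "$days" ||
        { echo "WARN: $cert expires within $days days:" \
               "$(openssl x509 -in "$cert" -noout -enddate)"; rc=1; }
    return "$rc"
}

# Usage: sh check_hostcert.sh CERT KEY CAPATH [DAYS]
if [ "$#" -ge 3 ]; then
    check_hostcert "$@"
fi
```

Run it with the paths used on this page, for example from cron, and alert on a non-zero exit status.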
View complete information about a certificate
The following command will show all information about a host certificate:
openssl x509 -text -in /etc/grid-security/hostcert.pem
The output of this test on an expired host certificate is shown below.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2600 (0xa28)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, O=GermanGrid, CN=GridKa-CA
        Validity
            Not Before: Sep 20 10:20:22 2006 GMT
            Not After : Oct 20 10:20:22 2007 GMT
        Subject: O=GermanGrid, OU=DESY, CN=host/cork.desy.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:db:d8:4f:ce:3e:e0:4f:76:29:49:b0:03:52:5f:
                    aa:59:46:11:35:72:2b:95:a5:9e:57:d6:42:0d:d1:
                    30:99:af:2a:4f:e6:c9:ff:8d:2d:40:7b:e5:33:12:
                    c0:ef:cd:89:f9:fa:f3:c2:f0:a5:4a:24:00:e2:7f:
                    c6:2b:38:33:ba:e7:23:60:ca:95:29:f8:aa:fe:3f:
                    25:b2:78:ed:c3:7b:d4:39:4a:ea:16:bc:b7:7a:6d:
                    ee:77:fb:bb:0e:30:0a:3e:84:f0:24:80:bf:a0:46:
                    1a:49:cd:e6:b5:3a:13:4e:d9:a6:b6:75:94:26:27:
                    05:84:b4:87:39:17:f7:d2:e3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Key Identifier:
                D0:FA:68:44:33:6A:7B:8C:26:E3:C1:A2:56:2F:D9:41:FC:77:1D:18
            X509v3 Authority Key Identifier:
                keyid:C6:75:C9:28:AC:D1:0B:FC:3C:FF:B9:B5:1E:D3:5F:3B:80:62:12:34
                DirName:/C=DE/O=GermanGrid/CN=GridKa-CA
                serial:00
            X509v3 Subject Alternative Name:
                DNS:cork.desy.de
            X509v3 Issuer Alternative Name:
                email:gridka-ca@iwr.fzk.de
            X509v3 CRL Distribution Points:
                URI:http://grid.fzk.de/ca/gridka-crl.pem
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.2614.5548.1.1.1.3
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                Certificate issued under CP/CPS v. 1.3 at http://grid.fzk.de/ca
            Netscape Base Url:
                http://grid.fzk.de/ca
            Netscape CA Policy Url:
                http://grid.fzk.de/ca/gridka-cps.pdf
            Netscape Revocation Url:
                http://grid.fzk.de/ca/gridka-crl.pem
    Signature Algorithm: sha1WithRSAEncryption
        89:8f:47:81:f4:b2:97:b4:b6:d4:7d:ff:ea:03:dc:2e:c1:fa:
        65:69:90:a3:f4:97:dc:2a:36:34:80:91:21:0c:8b:5a:1b:42:
        44:19:fc:3c:fe:31:6e:7d:3d:6c:38:a7:f6:13:3b:0c:8c:ef:
        63:70:c9:fa:17:d4:ac:b5:de:6e:54:15:61:ce:3b:b5:a8:73:
        99:b0:24:74:46:a9:62:96:c4:87:dd:ce:62:4c:af:a0:de:ea:
        e5:9d:bd:26:aa:7f:79:1c:2d:c2:0b:b9:71:4d:04:48:90:ce:
        a9:62:b8:a3:8c:e4:93:e1:76:74:e1:cc:c2:cc:8c:89:f3:c1:
        47:34:de:2b:cd:4b:3e:28:4d:da:f2:b7:b9:12:16:96:9a:5c:
        0c:d2:9d:a4:01:01:de:ac:17:62:e2:3e:99:fb:d7:41:30:c1:
        69:6d:b4:ba:38:a4:2f:82:1e:3f:3c:6e:28:13:59:27:04:5e:
        88:72:82:a3:4b:2a:9d:40:b8:b5:bb:b6:57:fa:2c:49:ca:76:
        65:ea:bf:5e:7b:63:bb:fd:2b:95:27:0a:e4:8e:55:96:73:76:
        bd:a9:af:be:85:fb:75:c2:c9:07:6b:3a:d7:12:4f:8c:9e:6e:
        be:9f:25:d7:54:ab:f0:86:ce:d5:06:aa:6c:12:68:6f:27:0d:
        b0:bb:af:d2
