= How to check a Host Certificate =

== Verify that a host certificate and key match ==

Run the following two commands.

{{{
openssl x509 -in /etc/grid-security/hostcert.pem -noout -modulus | md5sum
openssl rsa -in /etc/grid-security/hostkey.pem -noout -modulus | md5sum
}}}

The output from these commands will be identical if the two files correspond.

== Check the validity of a certificate ==

To check that a certificate is valid (that it hasn't expired yet, has been issued by a known Certificate Authority, and can be used for server-related activity), use the following command:

{{{
openssl verify -CApath /etc/grid-security/certificates -purpose sslserver /etc/grid-security/hostcert.pem
}}}

The following command will tell you when a certificate will expire:

{{{
openssl x509 -in /etc/grid-security/hostcert.pem -noout -enddate
}}}

== View complete information about a certificate ==

The following command will show all information about a host certificate:

{{{
openssl x509 -text -in /etc/grid-security/hostcert.pem
}}}

The output of this command on an expired host certificate is shown below.

{{{
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2600 (0xa28)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, O=GermanGrid, CN=GridKa-CA
        Validity
            Not Before: Sep 20 10:20:22 2006 GMT
            Not After : Oct 20 10:20:22 2007 GMT
        Subject: O=GermanGrid, OU=DESY, CN=host/cork.desy.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:db:d8:4f:ce:3e:e0:4f:76:29:49:b0:03:52:5f:
                    aa:59:46:11:35:72:2b:95:a5:9e:57:d6:42:0d:d1:
                    30:99:af:2a:4f:e6:c9:ff:8d:2d:40:7b:e5:33:12:
                    c0:ef:cd:89:f9:fa:f3:c2:f0:a5:4a:24:00:e2:7f:
                    c6:2b:38:33:ba:e7:23:60:ca:95:29:f8:aa:fe:3f:
                    25:b2:78:ed:c3:7b:d4:39:4a:ea:16:bc:b7:7a:6d:
                    ee:77:fb:bb:0e:30:0a:3e:84:f0:24:80:bf:a0:46:
                    1a:49:cd:e6:b5:3a:13:4e:d9:a6:b6:75:94:26:27:
                    05:84:b4:87:39:17:f7:d2:e3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Key Identifier:
                D0:FA:68:44:33:6A:7B:8C:26:E3:C1:A2:56:2F:D9:41:FC:77:1D:18
            X509v3 Authority Key Identifier:
                keyid:C6:75:C9:28:AC:D1:0B:FC:3C:FF:B9:B5:1E:D3:5F:3B:80:62:12:34
                DirName:/C=DE/O=GermanGrid/CN=GridKa-CA
                serial:00
            X509v3 Subject Alternative Name:
                DNS:cork.desy.de
            X509v3 Issuer Alternative Name:
                email:gridka-ca@iwr.fzk.de
            X509v3 CRL Distribution Points:
                URI:http://grid.fzk.de/ca/gridka-crl.pem
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.2614.5548.1.1.1.3
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                Certificate issued under CP/CPS v. 1.3 at http://grid.fzk.de/ca
            Netscape Base Url:
                http://grid.fzk.de/ca
            Netscape CA Policy Url:
                http://grid.fzk.de/ca/gridka-cps.pdf
            Netscape Revocation Url:
                http://grid.fzk.de/ca/gridka-crl.pem
    Signature Algorithm: sha1WithRSAEncryption
        89:8f:47:81:f4:b2:97:b4:b6:d4:7d:ff:ea:03:dc:2e:c1:fa:
        65:69:90:a3:f4:97:dc:2a:36:34:80:91:21:0c:8b:5a:1b:42:
        44:19:fc:3c:fe:31:6e:7d:3d:6c:38:a7:f6:13:3b:0c:8c:ef:
        63:70:c9:fa:17:d4:ac:b5:de:6e:54:15:61:ce:3b:b5:a8:73:
        99:b0:24:74:46:a9:62:96:c4:87:dd:ce:62:4c:af:a0:de:ea:
        e5:9d:bd:26:aa:7f:79:1c:2d:c2:0b:b9:71:4d:04:48:90:ce:
        a9:62:b8:a3:8c:e4:93:e1:76:74:e1:cc:c2:cc:8c:89:f3:c1:
        47:34:de:2b:cd:4b:3e:28:4d:da:f2:b7:b9:12:16:96:9a:5c:
        0c:d2:9d:a4:01:01:de:ac:17:62:e2:3e:99:fb:d7:41:30:c1:
        69:6d:b4:ba:38:a4:2f:82:1e:3f:3c:6e:28:13:59:27:04:5e:
        88:72:82:a3:4b:2a:9d:40:b8:b5:bb:b6:57:fa:2c:49:ca:76:
        65:ea:bf:5e:7b:63:bb:fd:2b:95:27:0a:e4:8e:55:96:73:76:
        bd:a9:af:be:85:fb:75:c2:c9:07:6b:3a:d7:12:4f:8c:9e:6e:
        be:9f:25:d7:54:ab:f0:86:ce:d5:06:aa:6c:12:68:6f:27:0d:
        b0:bb:af:d2
-----BEGIN CERTIFICATE-----
MIIEkTCCA3mgAwIBAgICCigwDQYJKoZIhvcNAQEFBQAwNjELMAkGA1UEBhMCREUx
EzARBgNVBAoTCkdlcm1hbkdyaWQxEjAQBgNVBAMTCUdyaWRLYS1DQTAeFw0wNjA5
MjAxMDIwMjJaFw0wNzEwMjAxMDIwMjJaMEAxEzARBgNVBAoTCkdlcm1hbkdyaWQx
DTALBgNVBAsTBERFU1kxGjAYBgNVBAMTEWhvc3QvY29yay5kZXN5LmRlMIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDb2E/OPuBPdilJsANSX6pZRhE1ciuVpZ5X
1kIN0TCZrypP5sn/jS1Ae+UzEsDvzYn5+vPC8KVKJADif8YrODO65yNgypUp+Kr+
PyWyeO3De9Q5SuoWvLd6be53+7sOMAo+hPAkgL+gRhpJzea1OhNO2aa2dZQmJwWE
tIc5F/fS4wIDAQABo4ICITCCAh0wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMC
BPAwHQYDVR0OBBYEFND6aEQzanuMJuPBolYv2UH8dx0YMF4GA1UdIwRXMFWAFMZ1
ySis0Qv8PP+5tR7TXzuAYhI0oTqkODA2MQswCQYDVQQGEwJERTETMBEGA1UEChMK
R2VybWFuR3JpZDESMBAGA1UEAxMJR3JpZEthLUNBggEAMBcGA1UdEQQQMA6CDGNv
cmsuZGVzeS5kZTAfBgNVHRIEGDAWgRRncmlka2EtY2FAaXdyLmZ6ay5kZTA1BgNV
HR8ELjAsMCqgKKAmhiRodHRwOi8vZ3JpZC5memsuZGUvY2EvZ3JpZGthLWNybC5w
ZW0wGgYDVR0gBBMwETAPBg0rBgEEAZQ2qywBAQEDMBEGCWCGSAGG+EIBAQQEAwIG
QDBOBglghkgBhvhCAQ0EQRY/Q2VydGlmaWNhdGUgaXNzdWVkIHVuZGVyIENQL0NQ
UyB2LiAxLjMgYXQgaHR0cDovL2dyaWQuZnprLmRlL2NhMCQGCWCGSAGG+EIBAgQX
FhVodHRwOi8vZ3JpZC5memsuZGUvY2EwMwYJYIZIAYb4QgEIBCYWJGh0dHA6Ly9n
cmlkLmZ6ay5kZS9jYS9ncmlka2EtY3BzLnBkZjAzBglghkgBhvhCAQMEJhYkaHR0
cDovL2dyaWQuZnprLmRlL2NhL2dyaWRrYS1jcmwucGVtMA0GCSqGSIb3DQEBBQUA
A4IBAQCJj0eB9LKXtLbUff/qA9wuwfplaZCj9JfcKjY0gJEhDItaG0JEGfw8/jFu
fT1sOKf2EzsMjO9jcMn6F9Sstd5uVBVhzju1qHOZsCR0RqlilsSH3c5iTK+g3url
nb0mqn95HC3CC7lxTQRIkM6pYrijjOST4XZ04czCzIyJ88FHNN4rzUs+KE3a8re5
EhaWmlwM0p2kAQHerBdi4j6Z+9dBMMFpbbS6OKQvgh4/PG4oE1knBF6IcoKjSyqd
QLi1u7ZX+ixJynZl6r9ee2O7/SuVJwrkjlWWc3a9qa++hft1wskHazrXEk+Mnm6+
nyXXVKvwhs7VBqpsEmhvJw2wu6/S
-----END CERTIFICATE-----
}}}
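
The key-match, expiry and chain checks from the sections above, combined into one script for cron or a monitoring probe; this is an added example, not part of the original page. It compares public keys rather than RSA moduli, so it also covers non-RSA keys (a generalisation beyond the commands above); the function names and the 30-day default threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): host certificate health check.

# Succeeds if certificate $1 and private key $2 hold the same public key.
# Comparing PEM public keys works for RSA and EC keys alike.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if certificate $1 is still inside its validity period $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Runs all checks, prints one line per result, returns the number of failures.
# Arguments: cert, key, [days, default 30 (assumed)], [CA directory]
check_hostcert() {
    cert=$1; key=$2; days=${3:-30}; capath=${4:-}
    failures=0
    if cert_matches_key "$cert" "$key" 2>/dev/null; then
        echo "OK    key matches certificate"
    else
        echo "FAIL  key does not match certificate"
        failures=$((failures + 1))
    fi
    if cert_valid_for_days "$cert" "$days" 2>/dev/null; then
        echo "OK    valid for at least $days more days"
    else
        echo "FAIL  not valid $days days from now: $(openssl x509 -in "$cert" -noout -enddate 2>/dev/null)"
        failures=$((failures + 1))
    fi
    if [ -n "$capath" ]; then
        if openssl verify -CApath "$capath" -purpose sslserver "$cert" >/dev/null 2>&1; then
            echo "OK    chain verifies against $capath"
        else
            echo "FAIL  chain does not verify against $capath"
            failures=$((failures + 1))
        fi
    fi
    return "$failures"
}

# Usage: sh check_hostcert.sh hostcert.pem hostkey.pem [days] [CA directory]
if [ "$#" -ge 2 ]; then
    check_hostcert "$@"
fi
```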