Jeroen

Reputation: 2093

Problems verifying SSL certificate

For school we are currently studying SSL certificates.

For this week's assignment we had to install Fedora Workstation on VirtualBox and do some SSL stuff.

One of the assignments was the following:

generate a public/private keypair and a CSR with the openssl command.

I generated a public/private keypair using the following command:

openssl genrsa -out Desktop/mykey.key 2048

After I generated the keypair I had to verify it. But how do you verify a key? What is really meant by that? Just get out the public key and check if it matches the private key? This is the first question.

I generated the CSR using the following command:

openssl req -new -key Desktop/mykey.key -out Desktop/myCSR.csr

This is the right way, right?

Checking/verifying the CSR file was done using this command:

openssl req -text -noout -verify -in Desktop/myCSR.csr

I think that's the right way too.

This was the "easy" part, now comes the harder part:

We had to use xca to create a database and a CA Root Certificate. Then we had to import the CSR from the above question and sign it. I signed it by right-clicking on it and choosing sign. Then we had to export both the CA and the signed key and verify it. But what do they mean exactly? My guess is to verify that the certificate is signed by the CA, but I'm having problems with that. We have to use openssl x509 for that, but it just isn't working.

When I right click the signed key and export it as a PEM file, in that file is the following:

-----BEGIN CERTIFICATE REQUEST-----
MIIC6......
-----END CERTIFICATE REQUEST-----

while the assignment says: export the signed certificate. But is this even a certificate?

And how do I verify it?

I used many commands, like

openssl x509 -in Desktop/exported.pem -text -noout

But the output I get is always something like this:

[screenshot]

I have tried all sorts of commands and read all the Google pages, but nothing helps. This is the second question.

Hope you all can help, Thanks!

Upvotes: 1

Views: 634

Answers (1)

robert

Reputation: 4867

When you verify a certificate, you are checking whether its CA is recognised, and it matches the CA's fingerprint. It doesn't look like you are providing the CA cert to the openssl command. Try specifying -CA <your CA cert file>:

 $ openssl x509 --help
...
 -CA arg         - set the CA certificate, must be PEM format.

Upvotes: 1
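The whole assignment run end to end with openssl alone, as an added example that is not part of the question or the answer above. xca is replaced by openssl req -x509 (to create the self-signed root CA) and openssl x509 -req (to sign the CSR with it); the subject names and the file names under $WORK are assumptions. The script also covers the two points the question stumbled on: "verifying the key" is checked here as openssl rsa -check plus a comparison of the public key carried by the key, the CSR and the certificate; a file whose PEM label reads CERTIFICATE REQUEST is still a CSR, not a certificate, and openssl x509 will refuse to load it; and a signed certificate is verified against its CA with openssl verify -CAfile, whereas the -CA option of openssl x509 is the one used while signing.

```shell
#!/bin/sh
# Added example, not from the original post. Needs the openssl CLI (1.1 or 3.x).
# xca is stood in for by openssl itself; all file names under $WORK are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
mkdir -p "$WORK"

# 1. Generate a 2048-bit RSA keypair, exactly as in the question.
gen_key() {
  openssl genrsa -out "$WORK/mykey.key" 2048 2>/dev/null
}

# "Verify the key": check the RSA parameters are internally consistent
# (p, q, d, n, e agree). Matching it against CSR and cert is done further down.
verify_key() {
  openssl rsa -in "$WORK/mykey.key" -check -noout >/dev/null 2>&1
}

# 2. Build the CSR non-interactively (subject values are made up here).
gen_csr() {
  openssl req -new -key "$WORK/mykey.key" -out "$WORK/myCSR.csr" \
    -subj "/C=NL/O=School/CN=student.example" 2>/dev/null
}

# Verify the CSR's self-signature: proves whoever made it holds the private key.
verify_csr() {
  openssl req -in "$WORK/myCSR.csr" -noout -verify >/dev/null 2>&1
}

# 3. Stand-in for the xca "CA Root Certificate": a self-signed root.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/C=NL/O=School/CN=School Root CA" 2>/dev/null
}

# Sign the CSR with the CA. This is where -CA belongs: it produces a
# CERTIFICATE, which is what the assignment wants exported (not the CSR).
sign_csr() {
  openssl x509 -req -in "$WORK/myCSR.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 90 -out "$WORK/signed.crt" 2>/dev/null
}

# Read the PEM label of a file: tells you whether you exported a CSR or a cert.
pem_label() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# openssl x509 only parses certificates; feeding it a CSR is the error in the question.
x509_accepts() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# 4. Verify the signed certificate against the CA that issued it.
verify_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/signed.crt" >/dev/null 2>&1
}

# Cross-check: key, CSR and certificate must all carry the same public key.
same_pubkey() {
  k=$(openssl rsa -in "$WORK/mykey.key" -pubout 2>/dev/null | openssl dgst -sha256)
  r=$(openssl req -in "$WORK/myCSR.csr" -pubkey -noout | openssl dgst -sha256)
  c=$(openssl x509 -in "$WORK/signed.crt" -pubkey -noout | openssl dgst -sha256)
  [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Whole procedure; succeeds only if every step and every check passes.
run_all() {
  gen_key && verify_key && gen_csr && verify_csr &&
    make_ca && sign_csr && verify_cert && same_pubkey
}

if run_all; then
  echo "CSR label:  $(pem_label "$WORK/myCSR.csr")"
  echo "cert label: $(pem_label "$WORK/signed.crt")"
  echo "signed.crt verifies against ca.crt; files are in $WORK"
fi
```

If the exported file's label is CERTIFICATE REQUEST, xca exported the request rather than the certificate it issued; the certificate is a separate item in xca's Certificates tab, and once exported it is the file to pass to openssl verify -CAfile together with the exported CA certificate.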
