Problem
You need to extract the topmost root CA certificate from the certificate chain of a web resource
Solution
First identify the certificate chain:
$ openssl s_client -connect google.com:443 -showcerts < /dev/null
CONNECTED(00000003)
depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = *.google.com
The topmost root CA is the one with the highest depth (depth=3 in the case above). It will probably be missing from the displayed chain of certificates, because servers normally send the intermediates but not the root itself; the last certificate actually displayed is the one for depth=2 in the case above:
2 s:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Save the content of the last displayed certificate in a temp file and run the following command against it:
$ openssl x509 -in /tmp/cert2.cert -text
Authority Information Access:
OCSP - URI:http://ocsp.pki.goog/gsr1
CA Issuers - URI:http://pki.goog/gsr1/gsr1.crt
Download the root CA certificate file (in this case gsr1.crt) and verify that the certificate matches the root CA reported in the first output above (the one with depth=3):
$ wget http://pki.goog/gsr1/gsr1.crt
$ openssl x509 -in gsr1.crt -text -inform DER
Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
The certificates match.
Optionally, save the certificate in PEM format (the data block enclosed by the BEGIN CERTIFICATE and END CERTIFICATE lines that openssl x509 prints at the end of its output).
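The steps above can be chained into one script. The following is an added example, not part of the original post: it picks the last certificate out of the `s_client -showcerts` output, reads the CA Issuers URI from its Authority Information Access extension, downloads the root, converts it to PEM, and then goes one step further than the manual eyeball comparison by checking that the downloaded root actually signed the last certificate with `openssl verify`. It assumes `openssl`, `curl`, `awk` and `sed` are installed; the host name is a placeholder argument, and the DER-or-PEM fallback is added here because AIA-published roots come in both encodings.

```shell
#!/bin/sh
# Added example (not from the post): fetch the root CA named in the last
# certificate of a server's chain and confirm it really is the issuer.

# Print the last PEM certificate block found on stdin, i.e. the deepest
# certificate the server sent (depth=2 in the post's example).
last_pem_block() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { block = ""; inblock = 1 }
    inblock                       { block = block $0 "\n" }
    /-----END CERTIFICATE-----/   { inblock = 0; last = block }
    END                           { printf "%s", last }
  '
}

# Extract the first "CA Issuers - URI:" value from an "openssl x509 -text" dump.
ca_issuers_uri() {
  sed -n 's/^[[:space:]]*CA Issuers - URI:\(.*\)$/\1/p' | head -n 1
}

# Convert a downloaded certificate to PEM whatever its encoding: try DER first
# (the post's gsr1.crt is DER), fall back to PEM.
to_pem() {
  in=$1; out=$2
  openssl x509 -inform DER -in "$in" -out "$out" 2>/dev/null ||
    openssl x509 -inform PEM -in "$in" -out "$out"
}

# Whole procedure for one host (placeholder argument, e.g. google.com).
fetch_and_check_root() {
  host=$1
  work=$(mktemp -d)

  openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null |
    last_pem_block > "$work/last.pem"

  uri=$(openssl x509 -in "$work/last.pem" -noout -text | ca_issuers_uri)
  [ -n "$uri" ] || { echo "no CA Issuers URI in AIA extension" >&2; return 1; }
  echo "CA Issuers URI: $uri"

  curl -fsSL -o "$work/root.bin" "$uri"
  to_pem "$work/root.bin" "$work/root.pem"

  # Name comparison, as in the post: the root's subject must equal the last
  # certificate's issuer. Strip the "issuer=" / "subject=" prefixes first.
  want=$(openssl x509 -in "$work/last.pem" -noout -issuer  | sed 's/^issuer=//')
  have=$(openssl x509 -in "$work/root.pem" -noout -subject | sed 's/^subject=//')
  [ "$want" = "$have" ] || { echo "subject/issuer mismatch" >&2; return 1; }

  # Signature check: the downloaded root must verify the last certificate.
  openssl verify -CAfile "$work/root.pem" "$work/last.pem" >/dev/null ||
    { echo "downloaded root did not sign the last certificate" >&2; return 1; }

  echo "root CA saved in PEM format: $work/root.pem"
}

# Only run the network part when a host is given on the command line.
if [ "$#" -gt 0 ]; then
  fetch_and_check_root "$1"
fi
```

The `openssl verify` step is what turns "the names look the same" into "this root signed that certificate". Note that this only proves the download is the signer the chain points at; whether that root should be trusted at all is still a question for your trust store, which is also where `openssl s_client` found the depth=3 entry in the first place.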