Skip to content
This repository has been archived by the owner on May 6, 2021. It is now read-only.

icadsistemi/icadsistemipki

gh-pages
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 

ICAD SISTEMI

ICAD SISTEMI PKI

GitHub Pages repository for ICAD Sistemi Public Key Infrastructure

Contents

Purpose

These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment instruction under "Running the tests" section for notes on how to deploy the project on a live system.

Prerequisites

Installing

There is no need to install any component because all checks can be done from your local command line. You can use OpenSSL in order to execute all necessary steps.

Running the tests

Get a certificate with a CRL

Note that I'll be using <host_ip> and <host_port> in order to indicate the remote server and port that you want to test during the entire procedure.

First we will need the server certificate from our remote TLS server. Save this output to a file, for example, server.pem. We can retreive this certificate with the following OpenSSL command:

openssl s_client -connect <host_ip>:<host_port> 2>&1 < /dev/null | \
  sed -n '/-----BEGIN/,/-----END/p' > server.pem

Now, check if this certificate has a CRL URI:

openssl x509 -noout -text -in server.pem | \
  grep -A 4 'X509v3 CRL Distribution Points'

Download the CRL:

wget -O crl.pem "http://crl.icadsistemi.com/intermediate.crl.pem"

Note that our CRL downloaded is already in PEM format (base64 encoded DER) so you don't need to do any conversion. In case the CRL will be in DER format (binary) you need to run this OpenSSL command:

openssl crl -inform DER -in crl.der -outform PEM -out crl.pem

Getting the certificate chain

Save all the certificates in the same order with which OpenSSL sends them (as in, first the one which directly issued your server certificate, then the one that issues that certificate and so on, with the root or most-root at the end of the file) to a file, named chain.pem.

To do so you can use the following command:

OLDIFS=$IFS; \
  IFS=':' certificates=$(openssl s_client -connect <host_ip>:<host_port>  \
  -showcerts -tlsextdebug -tls1_2 2>&1 </dev/null |  \
  sed -n '/-----BEGIN/,/-----END/ {/-----BEGIN/ s/^/:/; p}');  \
  for certificate in ${certificates#:}; do echo $certificate |  \
  tee -a chain.pem ; done; IFS=$OLDIFS 

Combining the CRL and the Chain

The Openssl command needs both the certificate chain and the CRL, in PEM format concatenated together for the validation to work. You can omit the CRL, but then the CRL check will not work, it will just validate the certificate against the chain. To concatenate chain.pem and crl.pem you can use the following command in order to obtain the concatenated crl_chain.pem:

cat chain.pem crl.pem > crl_chain.pem

OpenSSL Verify

We now have all the data we need in order validate the certificate using this command:

openssl verify -crl_check -CAfile crl_chain.pem server.pem 

If output will return you OK than it shows a good certificate status.

You can test this procedure using the certificate and chain on the Verisign revoked certificate test page.

Contributing

This is an internal project, so this repository will not accept external PR. For any change or issue please discuss via "issues", email or any other method with the owners of this repository instead of open a PR.

Authors

About

ICAD Sistemi Public Key Infrastructure

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages