
For example, let's take a JKS which contains the Comodo CA root cert, a few intermediate certs and my own signed server cert:

 # keytool -list -keystore akira.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 5 entries

comodoutnsgcca, Jan 16, 2014, trustedCertEntry,
Certificate fingerprint (MD5): C7:1E:D8:79:91:4C:01:AC:ED:ED:00:30:4C:47:F0:E4
akira, Jan 16, 2014, PrivateKeyEntry,
Certificate fingerprint (MD5): A6:90:2D:8A:0E:4B:A3:0A:B5:50:9A:E3:F9:B8:E5:AC
essentialsslca_2, Jan 16, 2014, trustedCertEntry,
Certificate fingerprint (MD5): B5:1A:6D:2D:44:CC:72:D6:C6:2A:1B:97:5A:18:3D:91
utnaddtrust, Jan 16, 2014, trustedCertEntry,
Certificate fingerprint (MD5): 55:07:0F:1F:9A:E5:EA:21:61:F3:72:2B:8B:41:7F:27
addtrustexternalcaroot, Jan 16, 2014, trustedCertEntry,
Certificate fingerprint (MD5): 1D:35:54:04:85:78:B0:3F:42:42:4D:BF:20:73:0A:3F

How can I see, when viewing a cert's entry, that it requires another cert in the chain?

If I run -list with the -v option, I see a lot of info like "Extensions", "#1: ObjectId" and so on.

So, which line there describes the dependencies?

Joe
setevoy
    It's determined by the issuer of each cert in the chain. Your cert was issued by a specific issuer; that issuer was in turn issued by another, etc. up to a trusted root. You have to walk the chain of cert to cert. – Joe Jan 20 '14 at 14:52

1 Answer


So, here is an answer:

# openssl s_client -connect localhost:8443
CONNECTED(00000003)
depth=4 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Hosted by LeaderTelecom Ltd./OU=Free     SSL/CN=akira.setevoy.kiev.ua
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
 3 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 4 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

Here is the full chain, from the local signed cert (CN=akira.setevoy.kiev.ua) to the root CA (CN=AddTrust External CA Root).

Here s is the "subject", the "name" of the cert, and i is the issuer, who issued this cert.

So the root has the name AddTrust External CA Root and it's issued by AddTrust External CA Root.

Another way is to use online tools like SSL Checker.

setevoy
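The issuer-to-subject walk described in the comment and the answer above, as an added example that is not part of the original posts: it parses the `Certificate chain` lines printed by `openssl s_client` and checks that each issuer name equals the next certificate's subject. The function names are hypothetical, and the comparison is on names only, not a signature verification.

```python
import re

# Chain section copied from the s_client output in the answer above.
SAMPLE = """\
 0 s:/OU=Domain Control Validated/OU=Hosted by LeaderTelecom Ltd./OU=Free     SSL/CN=akira.setevoy.kiev.ua
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
 3 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 4 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
"""

ENTRY = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # "<depth> s:<subject>"
ISSUER = re.compile(r"^\s+i:(.*)$")          # "   i:<issuer>"

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from s_client chain lines."""
    chain, pending = [], None
    for line in text.splitlines():
        subj, iss = ENTRY.match(line), ISSUER.match(line)
        if subj:
            pending = (int(subj.group(1)), subj.group(2).strip())
        elif iss and pending:
            chain.append((*pending, iss.group(1).strip()))
            pending = None
    return chain

def check_links(chain):
    """Report every place where an issuer is not the next cert's subject."""
    if not chain:
        return ["no certificates parsed"]
    findings = []
    for (depth, _, issuer), (_, next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            findings.append(f"depth {depth}: issuer {issuer!r} is not the next subject")
    depth, subject, issuer = chain[-1]
    if subject != issuer:  # last cert is not self-signed: its issuer was not sent
        findings.append(f"depth {depth}: chain ends below {issuer!r}")
    return findings

if __name__ == "__main__":
    for depth, subject, issuer in parse_chain(SAMPLE):
        print(depth, subject.rsplit("/CN=", 1)[-1], "<-", issuer.rsplit("/CN=", 1)[-1])
    print(check_links(parse_chain(SAMPLE)) or "every issuer matches the next subject")
```

A finding at the last depth only means the server did not send the root; the client still needs that root in its own trust store.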