6

Hello all and thanks for your time reading this.

I need to verify certificates issued by my own CA, for which I have a certificate. How can I do the equivalent to openssl's `openssl verify -CAfile` in Ruby code? The RDoc for OpenSSL is not very helpful in this regard. I've tried:

```ruby
require 'openssl'

ca = OpenSSL::X509::Certificate.new(File.read('ca-cert.pem'))

lic = OpenSSL::X509::Certificate.new(File.read('cert.pem'))

puts lic.verify( ca )
```

but I get:

```
test.rb:7:in `verify': wrong argument (OpenSSL::X509::Certificate)!
(Expected kind of OpenSSL::PKey::PKey) (TypeError)
  from test.rb:7
```

I can't even find "verify" in the OpenSSL Rdoc at http://www.ruby-doc.org/stdlib/libdoc/openssl/rdoc/index.html.

Any help is appreciated. Thanks again!

Bruno Antunes

2 Answers

8

You need to validate with

```ruby
lic.verify(ca.public_key)
```

In addition, before that you can verify the certificate issuer with

```ruby
lic.issuer.to_s == ca.subject.to_s
```

I used one Japanese help page to get the list of available methods :)

Raimonds Simanovskis
2

`lic.verify()` only verifies the key from the certificate that signed `lic`. Commercial root CAs do not sign end user certificates directly. Usually there are one or 2 intermediate signing certificates involved.

So if CA -> signer -> user cert then

`lic.verify(signer.public_key)` and `signer.verify(CA.public_key)` will return true but `lic.verify(CA.public_key)` will return false.

Brett Gregson
user337280
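The question asks for the equivalent of `openssl verify -CAfile`, and the second answer describes a CA -> signer -> user cert chain. As an added example that is not part of the original answers, the code below does full path validation with `OpenSSL::X509::Store` and `OpenSSL::X509::StoreContext` next to the signature-only `verify` calls. The helper names `issue` and `verify_chain` and the in-memory demo certificates are assumptions constructed for the illustration.

```ruby
require 'openssl'

# Build one certificate of a constructed demo PKI (all names are made up).
def issue(cn, issuer_cert, issuer_key, is_ca, serial)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  bc = is_ca ? 'CA:TRUE' : 'CA:FALSE'
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', bc, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Rough equivalent of `openssl verify -CAfile roots [-untrusted intermediates] cert`:
# builds a path to a trusted root and checks signatures, validity dates and CA flags.
def verify_chain(cert, trusted_roots, intermediates = [])
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, cert, intermediates)
  [ctx.verify, ctx.error_string]
end

CA, CA_KEY         = issue('Demo Root CA', nil, nil, true, 1)
SIGNER, SIGNER_KEY = issue('Demo Signer', CA, CA_KEY, true, 2)
LIC, _lic_key      = issue('Demo User Cert', SIGNER, SIGNER_KEY, false, 3)

# Signature-only checks, as in the answers above.
puts LIC.verify(SIGNER.public_key) # signed by the intermediate
puts LIC.verify(CA.public_key)     # not signed by the root directly

# Path validation: fails without the intermediate, succeeds with it.
p verify_chain(LIC, [CA])
p verify_chain(LIC, [CA], [SIGNER])
```

`Certificate#verify` checks only the signature against the given key, while the store-based check also rejects expired certificates and issuers that are not marked as CAs.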