
Is there a way to check the issuer or subject hash of some server's SSL certificate?

I know that curl or wget search for the matching root certificate in /var/lib/ca-certificates/openssl or /etc/ssl/certs (or some other distribution specific location) according to a specific hash.

The reason I'm asking is that sometimes a certificate expires, and I need to know which of my certificate files has expired so I can download a new one. But I can't seem to find a way (except for using strace) to see which one of the certificates I need to update.

When I run a command (either curl or wget) through strace, I can see which root certificate it opens:

    $ strace -e trace=open /usr/bin/curl https://git.kernel.org
    ...
    open("/var/lib/ca-certificates/openssl/4042bcee.0", O_RDONLY) = 7
    ...

And I can get the information about the root certificate:

    $ readlink -f /var/lib/ca-certificates/openssl/4042bcee.0
    /var/lib/ca-certificates/openssl/ISRG_Root_X1.pem
    $ openssl x509 -noout -issuer -subject -hash -in /var/lib/ca-certificates/openssl/ISRG_Root_X1.pem
    issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
    subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
    4042bcee

I see the certificate from the server was issued by "Let's Encrypt", but it doesn't seem to contain any information that could help me find my relevant root certificate.

    $ curl -sv https://git.kernel.org 2>&1 > /dev/null | sed -n '/SSL/,/SSL/p'
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: CN=ams.source.kernel.org
    *  start date: Jan 15 18:02:38 2023 GMT
    *  expire date: Apr 15 18:02:37 2023 GMT
    *  subjectAltName: host "git.kernel.org" matched cert's "git.kernel.org"
    *  issuer: C=US; O=Let's Encrypt; CN=R3
    *  SSL certificate verify ok.

I've also tried to check the subject hash through the following command (my environment is behind a proxy), and it doesn't match what I see.

    $ openssl s_client -proxy myproxy:myport -connect git.kernel.org:443 -servername git.kernel.org < /dev/null 2>/dev/null | openssl x509 -noout -issuer -subject -hash
    issuer=C = US, O = Let's Encrypt, CN = R3
    subject=CN = ams.source.kernel.org
    1c27cb82

The hash of the server's certificate (1c27cb82) doesn't match the hash of my own certificate (4042bcee).

So how do curl and wget know the hash of the root certificate they should look for? And how can I do the same from the command line?

1 Answer


I've found the answer. I only checked the certificate of the site, but I hadn't checked the entire certificate chain, most importantly the root CA certificate.

To solve this, I first had to use the -showcerts flag of the openssl s_client command to show the entire certificate chain.

Then I ran openssl in a loop to check all the certificates provided. I also checked the -issuer_hash in addition to -hash (which is a synonym for -subject_hash).

    $ openssl s_client -showcerts -proxy myproxy:myport -connect git.kernel.org:443 -servername git.kernel.org < /dev/null 2>/dev/null | (while openssl x509 -noout -issuer -subject -subject_hash -issuer_hash 2>/dev/null; do true; done)
    issuer=C = US, O = Let's Encrypt, CN = R3
    subject=CN = ams.source.kernel.org
    1c27cb82
    8d33f237
    issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
    subject=C = US, O = Let's Encrypt, CN = R3
    8d33f237
    4042bcee
    issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
    subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
    4042bcee
    2e5ac55d

Then I could see the expected hash (4042bcee) as the subject hash of the third certificate, and the issuer hash of the second certificate in the chain.
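The lookup the answer performs by hand can be scripted so that it directly names the trust-store file (and reports whether that file has expired). The script below is an added example, not code from the question or the answer. It assumes only the openssl and awk command-line tools; the host name and trust-store directory in the usage line are the ones from the question and are illustrative. It walks the server's chain leaf-first and, at each step, looks the issuer hash up in the CA directory before moving on to the next certificate the server sent, which is how OpenSSL has built chains by default since 1.1.0 ("trusted first") and why 4042bcee.0 is opened even though the server's chain continues to the DST Root CA X3 cross-sign. Certificates are split out of the bundle with awk instead of looping openssl x509 over a shared pipe, which depends on each invocation consuming exactly one certificate from stdin.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the trust-anchor lookup
# curl/wget do through OpenSSL for a chain captured with `openssl s_client -showcerts`.
# Assumes only the openssl and awk CLIs.
set -eu

# Split a PEM bundle read from stdin into one file per certificate under $1,
# printing the file names in chain order.
split_chain() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); print f; f = "" }
    '
}

subject_hash() { openssl x509 -noout -subject_hash -in "$1"; }
issuer_hash()  { openssl x509 -noout -issuer_hash  -in "$1"; }

# Hashed-directory lookup the way OpenSSL's by_dir method does it: try
# <hash>.0, <hash>.1, ... in the CA directory and return the first file whose
# subject really hashes to <hash> (the numeric suffix exists because the
# 32-bit hash can collide).
lookup_by_hash() {
    hash=$1; cadir=$2
    for f in "$cadir/$hash".[0-9]*; do
        [ -e "$f" ] || continue
        [ "$(subject_hash "$f")" = "$hash" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# Walk the chain leaf-first; at every step ask the trust store for the issuer
# before falling back to the next certificate the server sent (trusted-first).
# Prints one line per certificate on stderr and the anchor's path on stdout.
find_trust_anchor() {
    bundle=$1; cadir=$2
    work=$(mktemp -d)
    anchor=; h=
    for f in $(split_chain "$work" < "$bundle"); do
        h=$(issuer_hash "$f")
        printf '%s  subject_hash=%s  issuer_hash=%s\n' \
            "$(openssl x509 -noout -subject -in "$f")" "$(subject_hash "$f")" "$h" >&2
        if anchor=$(lookup_by_hash "$h" "$cadir"); then
            break
        fi
    done
    rm -rf "$work"
    [ -n "$anchor" ] || { echo "no trust-store entry for issuer hash $h" >&2; return 1; }
    printf '%s\n' "$anchor"
}

# The "which file do I need to renew" check: -checkend 0 exits non-zero once
# the certificate's notAfter date has passed.
anchor_expiry() {
    openssl x509 -noout -enddate -in "$1"
    if openssl x509 -noout -checkend 0 -in "$1" >/dev/null; then
        echo "ok: $1 is still valid"
    else
        echo "EXPIRED: replace $1"
        return 1
    fi
}

# Usage: ./find_trust_anchor.sh git.kernel.org /var/lib/ca-certificates/openssl
# (add -proxy host:port to the s_client line if you sit behind a proxy)
if [ $# -eq 2 ]; then
    chain=$(mktemp)
    openssl s_client -showcerts -connect "$1:443" -servername "$1" </dev/null 2>/dev/null >"$chain"
    if anchor=$(find_trust_anchor "$chain" "$2"); then
        anchor_expiry "$anchor"
    fi
    rm -f "$chain"
fi
```

Run against the host from the question, the per-certificate lines on stderr show the same subject and issuer hashes the answer obtained, and stdout names the 4042bcee.0 file that strace showed curl opening. If the server omitted its intermediate, the leaf's issuer hash will not be found in the store and the script reports that instead of silently failing; if the anchor itself has expired, anchor_expiry says which file to replace.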
