Thursday, October 31, 2013

understanding certificate chaining

Help - WebSphere MQ

http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=%2Fcom.ibm.mq.csqzas.doc%2Fsy10600_.htm

Illustrates a certification path from the certificate owner to the root CA, where the chain of trust begins

Intel(R) AMT SDK Implementation and Reference Guide

http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fcertificatechainsforhostbasedconfiguration.htm

Certificate chains may be included with a public key by simply concatenating the PEM-encoded certificate blocks. Their inclusion order is important, though: leaf first, then each intermediate, then the root, as shown below. Consider using cat so that no extra whitespace gets introduced.

-----BEGIN CERTIFICATE-----
Body of the leaf certificate
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Body of the first intermediate certificate
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Body of the second intermediate certificate
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Body of the root certificate
-----END CERTIFICATE-----

OpenSSL - User - check certificate chain in a pem file

http://openssl.6102.n7.nabble.com/check-certificate-chain-in-a-pem-file-td43871.html

It is highly recommended that you convert to and from .pfx files on your own machine using OpenSSL so you can keep the private key there. Use the following OpenSSL commands to convert SSL certificate to different formats on your own machine:

#Convert PEM to P7B
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

#see html reference for more

check certificate chain in a pem file

https://www.sslshopper.com/ssl-converter.html

Concatenate all the previous certificates and the root certificate into one temporary file (this example is for when you are checking the third certificate from the bottom, having already checked cert1.pem and cert2.pem).

Thus for the first round through the commands would be

   Unix:     cat root.pem > root-chain.pem
   Windows:  copy /A root.pem root-chain.pem
   Both:     openssl verify -CAfile root-chain.pem cert1.pem

And the second round would be

   Unix:     cat cert1.pem root.pem > cert1-chain.pem
   Windows:  copy /A cert1.pem+root.pem cert1-chain.pem
   Both:     openssl verify -CAfile cert1-chain.pem cert2.pem

Etc.
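The round-by-round check above, automated for a whole PEM bundle (an added example, not code from the mailing-list post or any other source quoted here). It assumes the openssl CLI is on PATH and that the bundle is ordered leaf first, root last; the make_test_chain helper builds a constructed, throwaway Root -> Inter -> leaf chain so the script can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the quoted sources). Assumes the openssl CLI is on PATH and that
# the bundle is ordered leaf first, root last. Each round trusts every certificate above
# the one being checked, like root-chain.pem then cert1-chain.pem in the recipe above,
# so a bad or misordered link is reported by position instead of a single "failed".

split_bundle() {   # $1 = bundle file, $2 = output dir; writes cert1.pem..certN.pem, prints N
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        n { print > f }
        /^-----END CERTIFICATE-----/ { close(f) }
        END { print n + 0 }' "$1"
}

verify_bundle() {  # $1 = bundle; prints "ok N" or "fail at certK"; returns 1 on failure
    dir=$(mktemp -d); n=$(split_bundle "$1" "$dir"); i=$((n - 1))
    while [ "$i" -ge 1 ]; do          # start just below the root, walk down to the leaf
        j=$((i + 1)); : > "$dir/chain.pem"
        while [ "$j" -le "$n" ]; do   # this round's trust store: every cert above cert$i
            cat "$dir/cert$j.pem" >> "$dir/chain.pem"; j=$((j + 1))
        done
        if ! openssl verify -CAfile "$dir/chain.pem" "$dir/cert$i.pem" >/dev/null 2>&1; then
            echo "fail at cert$i"; rm -rf "$dir"; return 1
        fi
        i=$((i - 1))
    done
    echo "ok $n"; rm -rf "$dir"
}

make_test_chain() {  # $1 = output path; constructed Root -> Inter -> leaf test chain, plus
    d=$(mktemp -d)   # "$1.wrong" with the leaf and intermediate swapped (for the failure case)
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for name in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" -subj "/CN=test-$name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    done
    openssl x509 -req -days 1 -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
        -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/inter.pem" "$d/root.pem" > "$1"
    cat "$d/inter.pem" "$d/leaf.pem" "$d/root.pem" > "$1.wrong"
    rm -rf "$d"
}
```

Run it as `verify_bundle bundle.pem`; a misordered bundle stops at the first certificate whose issuer is not among the certificates above it.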

"keytool -export/import" - Exporting and Importing Certificates

http://www.herongyang.com/JDK/keytool-export-import-Certificates.html
  • The "-export" command option exports the self-signed certificate of my public key into a file, my_home.crt.
  • The "-printcert" command option prints out summary information of a certificate stored in a file in X.509 format. As you can see from the print out, I am the issuer and the owner of this certificate.
  • The "-import" command option imports the certificate from the certificate file back into the keystore under different alias, my_home_crt.

TechStump.com: How to Rearrange a Certificate Chain using OpenSSL

http://www.techstump.com/2012/10/how-to-rearrange-certificate-chain.html

..you do need to know the correct certificate order. The first two are easy, the key should be first and the Server Certificate should be second. Generally the third certificate will be an intermediate and the last will be a root. If you look at each section, you’ll see a -------Begin Certificate------ and -------End Certificate------ section preceded by a header. In the header you’ll see what certificate is what.

keytool-Key and Certificate Management Tool

http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html
-importcert {-alias alias} {-file cert_file} [-keypass keypass] {-noprompt} {-trustcacerts} {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-Jjavaoption}

Reads the certificate or certificate chain (where the latter is supplied in a PKCS#7 formatted reply or a sequence of X.509 certificates) from the file cert_file, and stores it in the keystore entry identified by alias. If no file is given, the certificate or certificate chain is read from stdin.

.. keytool can import X.509 v1, v2, and v3 certificates, and PKCS#7 formatted certificate chains consisting of certificates of that type. The data to be imported must be provided either in binary encoding format, or in printable encoding format (also known as Base64 encoding) as defined by the Internet RFC 1421 standard. In the latter case, the encoding must be bounded at the beginning by a string that starts with "-----BEGIN", and bounded at the end by a string that starts with "-----END".

Option defaults for keytool

-storetype the value of the "keystore.type" property in the security properties file,
           which is returned by the static getDefaultType method in
           java.security.KeyStore

Help - IBM SDK and Runtime Environment Java Technology Edition Version 6

http://publib.boulder.ibm.com/infocenter/javasdk/v6r0/index.jsp?topic=%2Fcom.ibm.java.security.component.doc%2Fsecurity-component%2FkeytoolDocs%2Fsupportedkeystoretypes.html

Supported Key Store Types

  • JKS
  • JCEKS. This keystore implementation employs a much stronger protection of private keys (using password-based encryption with Triple DES) than JKS. You can upgrade your keystore of type "JKS" to type "JCEKS" by changing the password of a private-key entry in your keystore.
  • PKCS12. There is a difference between PKCS12 type keystore created on the keytool provided in the IBM JVM and the keytool provided in an Oracle JVM. The keytool in an IBM JVM uses a PKCS12 keystore to store both key entries and certificate entries. The keytool in an Oracle JVM uses a PKCS12 keystore to store key entries. The keytool program in IBM's JVM can read the keystore created by the keytool program provided by an Oracle JVM, but not the other way around.
  • PKCS12S2. This is a second version of PKCS12 type keystore. It can be read by the keytool program in an Oracle JVM.
  • JCERACFKS. This is a RACF® keyring keystore. This type is available only on z/OS® systems with RACF installed.

OpenSSL: Documents, pkcs7(1)

http://www.openssl.org/docs/apps/pkcs7.html

A different way to package certificates. Like JKS, only in a different format; note that a PKCS#7 bundle carries certificates (and optionally CRLs) but no private keys.

Creating a PKCS7 (P7B) Using OpenSSL

https://langui.sh/2009/03/20/creating-a-pkcs7-p7b-using-openssl/

This example assumes that you have 2 different certificate files, each in PEM (Base64) format. You can add as many -certfile elements as you want to package in the file. Additionally, concatenated certificate chains are supported.

openssl crl2pkcs7 -nocrl -certfile cert1.cer -certfile cert2.cer -out outfile.p7b

OpenSSL: Documents, verify(1)

http://www.openssl.org/docs/apps/verify.html

The verify command verifies certificate chains.
