General

Certificate authorities

System cert store

  • /etc/ssl
  • /etc/ca-certificates
  • Arch/Manjaro: See /usr/share/ca-certificates/trust-source/README

Network Security Services (NSS)

Usage (the per-user database in ~/.pki/nssdb is the one Chromium and other NSS-based programs consult; Firefox keeps its own per-profile db):

List certs:

certutil -d sql:$HOME/.pki/nssdb/ -L

Add cert (trust flags TC mark it as a CA trusted to issue TLS server and client certs; use P instead to pin a single leaf cert as a trusted peer):

certutil -d sql:$HOME/.pki/nssdb -A -t TC -n test-cert -i test.cert

Add multiple certs:

for n in *.crt; do certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "$n" -i "$n"; done

OpenSSL

Show all certs in cert chain

openssl crl2pkcs7 -nocrl -certfile lets-encrypt-root.pem \
  | openssl pkcs7 -print_certs -text -noout
openssl crl2pkcs7 -nocrl -certfile lets-encrypt-root.pem \
  | openssl pkcs7 -print_certs -text -noout | grep -A4 Issuer:

CAs

Add custom CA

e.g. the hackint root CA (install only CAs you have a reason to trust: any root in the system store can issue a certificate for any name):

sudo wget https://www.hackint.org/crt/rootca.crt -O /usr/local/share/ca-certificates/hackint-rootca.crt

Check the fingerprint against the value published out of band (the CA's website over HTTPS, a signed announcement) before installing; a tampered download fails here rather than becoming a trusted root:

openssl x509 -noout -fingerprint -sha256 -in /usr/local/share/ca-certificates/hackint-rootca.crt

Update system CA certs (update-ca-certificates only picks up files ending in .crt from /usr/local/share/ca-certificates):

sudo update-ca-certificates

Test (gnutls-cli verifies against the system trust store by default, so after update-ca-certificates the status line should read "The certificate is trusted."):

gnutls-cli irc.hackint.org -p 6697 --print-cert < /dev/null

Test against the downloaded root alone, e.g. before installing it system-wide (--x509cafile replaces the system store for this run):

gnutls-cli --x509cafile /usr/local/share/ca-certificates/hackint-rootca.crt \
  irc.hackint.org -p 6697 < /dev/null | grep -i status
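The add-a-CA procedure above (fetch, check fingerprint, install, verify) as one added example that is not part of the original notes. It runs against a throwaway PKI generated locally, so it needs neither network nor root: CA_DIR stands in for /usr/local/share/ca-certificates, and the root, leaf and "unrelated root" certificates are constructed test data. The point it adds is that the fingerprint check is a gate, not a printout: install_ca refuses a root whose fingerprint does not match the value you were given out of band.

```sh
#!/bin/sh
# Added example, not from the original notes: pin a root CA's SHA-256 fingerprint
# before installing it, then prove the installed root actually verifies a leaf.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Assumption: CA_DIR stands in for /usr/local/share/ca-certificates.
CA_DIR=${CA_DIR:-"$WORK/ca-certificates"}

# SHA-256 fingerprint of a PEM cert, colon-separated hex, as openssl prints it.
cert_fp() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^[^=]*=//'
}

# install_ca <cert.crt> <expected-sha256-fp> <name>
# Refuses to install unless the fingerprint equals the value obtained out of
# band. A corrupted or tampered download is then a loud failure, not a new root.
install_ca() {
    fp=$(cert_fp "$1")
    if [ "$fp" != "$2" ]; then
        echo "REFUSED: $1 has fingerprint $fp, expected $2" >&2
        return 1
    fi
    mkdir -p "$CA_DIR"
    cp "$1" "$CA_DIR/$3.crt"   # on a real system, follow with: sudo update-ca-certificates
}

# verify_leaf <root.crt> <leaf.crt>: does this root vouch for this leaf?
verify_leaf() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed test data: a root CA, a leaf it signed, and an unrelated root.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Test Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Unrelated Root" \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=irc.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/leaf.crt" 2>/dev/null
}

make_test_pki
# In real life this value is the published one, typed in or pasted from the
# out-of-band source, never computed from the file you are about to trust.
expected=$(cert_fp "$WORK/root.crt")
install_ca "$WORK/root.crt" "$expected" example-test-root
verify_leaf "$CA_DIR/example-test-root.crt" "$WORK/leaf.crt" \
    && echo "leaf verifies against the installed root"
verify_leaf "$WORK/other.crt" "$WORK/leaf.crt" \
    || echo "unrelated root does not verify the leaf (as it should not)"
```

The same gate applies to any tool that takes a CA file (gnutls-cli --x509cafile, openssl -CAfile, certutil -A): compute the fingerprint of what you downloaded and compare it to what the issuer published before the file gets anywhere near a trust store.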

Search CAs (prints the subject of every cert in the system bundle; pipe into grep for the one you want):

awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' \
  < /etc/ssl/certs/ca-certificates.crt

Inspect cert

openssl x509 -text -in /etc/openvpn/cougar.leap.se/keys/ca.cr

Cert Validation with openssl

Check remote cert (send -servername so a name-based virtual host returns the right cert; openssl x509 parses only the first PEM block, i.e. the leaf):

echo | openssl s_client -showcerts -servername example.com -connect example.com:443 2>/dev/null | \
  openssl x509 -noout -text

Check local cert:

openssl x509 -in www.example.org.crt -noout -dates

Check validity via network connection:

openssl s_client -connect jabber.org:5222  -starttls xmpp
openssl s_client -servername bitmask.net  -connect bitmask.net:443 -CApath /etc/ssl/certs
openssl s_client -connect mail.bitrigger.de:25 -starttls smtp

openssl s_client  -connect hbci-pintan.gad.de:443 -CApath /etc/ssl/certs \
  < /dev/null | grep Verify

Show cert (the -servername must match the host you connect to, otherwise the server may hand back a different certificate):

true | openssl s_client -connect k8s-at-home.com:443 -showcerts
echo | openssl s_client -showcerts -servername charts.gabe565.com \
  -connect charts.gabe565.com:443 2>/dev/null | openssl x509 -inform pem -noout -text

Fingerprints

openssl x509  -noout -in cert.pem -fingerprint -startdate

TLS smtp with openssl

openssl s_client -connect mail.riseup.net:25 -starttls smtp \
  -CApath /etc/ssl/certs | grep Verify

Imap:

openssl s_client -connect bitrigger.de:993 -CApath /etc/ssl/certs | grep Verify

Convert p7b to pem/txt format

openssl pkcs7 -inform der -in IdenTrustCommercialRootCA.p7b -out IdenTrustCommercialRootCA.p7b.txt
openssl pkcs7 -print_certs -in IdenTrustCommercialRootCA.p7b.txt -out IdenTrustCommercialRootCA.pem
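The p7b conversion above and the crl2pkcs7 | pkcs7 -print_certs pipeline from "Show all certs in cert chain" do the same two things in opposite directions, so here is an added round trip (not from the original notes): wrap certs into a DER PKCS#7 bundle, convert it back to a PEM bundle, and confirm every cert survived by counting them and listing subjects with the awk trick from "Search CAs". The two self-signed certs and the file names are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original notes: PEM certs -> .p7b -> PEM, checked.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# selfsigned <file-stem> <CN>: a throwaway self-signed cert (constructed data).
selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

make_certs() {
    selfsigned root_a "Root A"
    selfsigned root_b "Root B"
}

# pem_to_p7b <out.p7b> <cert.pem>...: a DER PKCS#7 "certs only" bundle,
# the format CA vendors often ship as .p7b.
pem_to_p7b() {
    out=$1; shift
    cat "$@" > "$WORK/all.pem"          # -certfile accepts a multi-cert file
    openssl crl2pkcs7 -nocrl -certfile "$WORK/all.pem" -outform DER -out "$out"
}

# p7b_to_pem <in.p7b> <out.pem>: one step instead of the der->pem, then
# -print_certs pair above; the output is a plain PEM bundle.
p7b_to_pem() {
    openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2"
}

# count_certs <bundle.pem>: number of certificates in a PEM bundle.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# subjects <bundle.pem>: one subject line per cert (the "Search CAs" awk trick).
subjects() {
    awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < "$1"
}

make_certs
pem_to_p7b "$WORK/bundle.p7b" "$WORK/root_a.crt" "$WORK/root_b.crt"
p7b_to_pem "$WORK/bundle.p7b" "$WORK/bundle.pem"
echo "certs in bundle: $(count_certs "$WORK/bundle.pem")"
subjects "$WORK/bundle.pem"
```

Counting BEGIN CERTIFICATE markers and listing subjects is the quick sanity check that a vendor's .p7b really contained the intermediate you were told it does; if the count is short, the chain you are about to deploy will fail verification on clients that do not fetch missing intermediates themselves.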