I am trying to write a code which receives a pcap file as input and returns the invalid certificates from it.

I have parsed the certificate chains, and I'm trying to verify them. Because I get the certificate chains out of a pcap, the chain length is not constant (sometimes they include only 1 certificate that is self-signed (and valid)).

Let cert0.pem be the server's certificate and certk.pem the root CA's certificate.

According to my research online I'm trying to verify the certificate as follows:

  1. Create a file certs.pem which contains the certificate chain in the order:
     certk.pem, certk-1.pem, ..., cert0.pem

  2. Use the command (ca.pem is a file containing root certificates):

         openssl verify -CAfile ca.pem certs.pem

But sometimes the verification goes wrong even for valid certificates, as in the following output:

    C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    error 20 at 0 depth lookup: unable to get local issuer certificate
    error certs.pem: verification failed

Please help me: how can I verify the certificate chain?

Additionally, is there a way to add host name verification in the same line? (I have tried to add "-verify_hostname name" but again, the output was unexpected.)

  • What do you mean it was unexpected? With that error the cert is probably not valid. Maybe because it's missing intermediate certs.
    – Seth
    Commented Apr 5, 2017 at 12:41
  • Thank you for your reply. I extracted the certificate chain from an SSL handshake (from traffic to google), so the chain is complete and valid for sure. Even so, openssl's output is "unable to get local issuer certificate". See the attached pastebin: pastebin.com/gMQeNudu
    – kobibo
    Commented Apr 5, 2017 at 12:49
  • Looking at this and this it would appear your pem doesn't have the right format. For me it just changed the error message.
    – Seth
    Commented Apr 5, 2017 at 13:15

1 Answer

For remote certificate validation, the error you mentioned here says that the first local certificate (depth 0) in the chain file you are trying to verify, namely certk.pem as the root CA certificate, has to exist in / be imported into the local client trusted certificate store from which you are performing your verification.

As stated on the thawte.com support site:

This is the verification output of the Server Certificate sent by the server. The server sends its complete chain consisting of 2 certificates, one (depth 0) being the server's certificate "CN=www.yourdomain.com" and the other one being the CA certificate "CN=Thawte Server CA". As all root certificates, this certificate is self-signed.

In order to avoid this error, your client must have a local copy of the root CA certificate in its trusted certificate store, either in CAfile or CApath.

ALSO: Consider using the -show_chain verify option to view more details and/or errors in your certificate chain. Note that this error behavior is expected and the default when verifying a certificate from a non-trusted CA. You can check the error codes in the OpenSSL wiki.

  • Thank you very much for your reply; for some reason I have seen it just now. I have not found a solution yet. My code has to run in a Windows environment. I have tried to run exactly the same command in a Linux environment and it actually works, but trying to copy the certs folder (\etc\ssl\certs) from my Ubuntu machine to Windows and run the command with the copied folder as the CApath parameter did not solve the problem. I have also tried to use -show_chain according to your suggestion, but the output remained unchanged... Do you have an idea where I went wrong? Again, thank you very much!
    – kobibo
    Commented Apr 17, 2017 at 17:52
  • In case you are running your PEM program with your Windows browser (e.g. Opera, IE etc.), please see that the certificates with the erroneous response are first imported into your browser's certificate store. Not sure if that affects the program that you are writing, but it should not affect the output from openssl. Also: you can use the -partial_chain option if there are incomplete or erroneous certificates -during verification- in your chain file.
    – Hskdopi
    Commented Apr 18, 2017 at 0:34
  • I am not quite sure I understand you. Verifying the chain in pairs (certk.pem<->certk-1.pem, ..., cert1.pem<->cert0.pem) using -partial_chain works properly for all the pairs, but the problem appears only when verifying the root against the local store. No browser alerted that the certificate chain is invalid, so I conclude that the given root is in the browsers' store (even though openssl uses the given ca.pem file as a CA store). Even using the complete Linux store doesn't solve the problem (while in Linux there is no problem...). Do you have an idea what I am still doing wrong?
    – kobibo
    Commented Apr 19, 2017 at 9:15
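The following script is an added example, not part of the question, the answer, or the comments above. It reproduces the situation the question describes with a constructed three-level PKI (a root, an intermediate and a server certificate, all generated locally; the names "Demo Root CA", "Demo Intermediate CA" and "www.example.test" and the file names root.pem, int.pem and leaf.pem are assumptions for the demo) and then runs the openssl verify variants discussed above: the call that produces "error 20 at 0 depth lookup: unable to get local issuer certificate", the call that supplies the intermediate with -untrusted, the -partial_chain call from the comments, and -verify_hostname on the same command line. It needs only the openssl command line tool and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the question or the answer): build a constructed
# root -> intermediate -> leaf chain and show which "openssl verify"
# invocations fail with error 20 and which succeed.
set -eu

# Create the demo PKI under directory $1. All names and files are assumptions.
build_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
    # Self-signed root (the question's certk.pem).
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$dir/pki.cnf" \
        -extensions v3_ca -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # Intermediate CA signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
        -subj "/CN=Demo Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/int.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/pki.cnf" \
        -extensions v3_ca -out "$dir/int.pem" 2>/dev/null
    # Server certificate (the question's cert0.pem) signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
        -subj "/CN=www.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/leaf.csr" -CA "$dir/int.pem" \
        -CAkey "$dir/int.key" -CAcreateserial -extfile "$dir/pki.cnf" \
        -extensions v3_leaf -out "$dir/leaf.pem" 2>/dev/null
}

# Run "openssl verify <options> $1/leaf.pem" and print the numeric verify
# error from the "error NN at D depth lookup" line, or 0 when the chain is OK.
# Usage: verify_leaf DIR [openssl verify options...]
verify_leaf() {
    dir="$1"; shift
    out="$(openssl verify "$@" "$dir/leaf.pem" 2>&1)" && { echo 0; return 0; }
    echo "$out" | sed -n 's/.*error \([0-9]*\) at .*/\1/p' | head -n 1 | grep . || echo 1
    return 0
}

# Walk through the cases discussed in the thread; returns 0 only if every
# result matches the expectation noted in the comments.
demo_chain_verification() {
    dir="${1:-$(mktemp -d)}"
    build_demo_pki "$dir"
    # Root trusted but the intermediate is nowhere to be found: error 20,
    # the same "unable to get local issuer certificate" as in the question.
    e1="$(verify_leaf "$dir" -CAfile "$dir/root.pem")"
    # Hand the intermediate to openssl as untrusted chain material: OK.
    e2="$(verify_leaf "$dir" -CAfile "$dir/root.pem" -untrusted "$dir/int.pem")"
    # Trust the intermediate itself with -partial_chain, no root needed: OK.
    e3="$(verify_leaf "$dir" -CAfile "$dir/int.pem" -partial_chain)"
    # Host name check on the same line: matching SAN is OK, wrong name is error 62.
    e4="$(verify_leaf "$dir" -CAfile "$dir/root.pem" -untrusted "$dir/int.pem" \
          -verify_hostname www.example.test)"
    e5="$(verify_leaf "$dir" -CAfile "$dir/root.pem" -untrusted "$dir/int.pem" \
          -verify_hostname www.other.test)"
    printf 'missing intermediate: %s\nwith -untrusted: %s\n-partial_chain: %s\n' "$e1" "$e2" "$e3"
    printf 'hostname ok: %s\nhostname mismatch: %s\n' "$e4" "$e5"
    [ "$e1" = 20 ] && [ "$e2" = 0 ] && [ "$e3" = 0 ] && [ "$e4" = 0 ] && [ "$e5" = 62 ]
}

demo_chain_verification
```

Two details worth noting for the question's setup. First, openssl verify checks the first certificate in each file named on the command line, which is why the question's output names the root (the first entry of certs.pem) at depth 0; the server certificate should be the file being verified, with the rest of the captured chain passed via -untrusted and only genuinely trusted roots in -CAfile. Second, -verify_hostname only produces a useful result once the chain itself verifies, so the "unexpected" output the asker saw with it is the same error 20 reported first.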
