Certificate Validation for Automation Suite

How to validate a chain of certificates ca, intermediate, and server and combine certificates with OpenSSL commands?

The certificates can be provided in one of the following three ways:

  1. Three crt/pem files including ca, intermediate, and server certs and a private key
  2. Two crt/pem files including ca and server certs and a private key
  3. One pfx file containing all ca/intermediate and server certs and a private key

File names used in this doc:

  • ca.crt - a CA certificate
  • intermediate.crt - an intermediate certificate
  • ca-bundle.crt - a certificate containing ca and intermediate certificates
  • server.crt - a server certificate
  • server.key - a private key used to generate the server.crt
  • server.pfx - a pfx certificate file containing ca, intermediate, server certificates, and the server private key

Scenario 1 and Scenario 2 (for Scenario 2, skip the first step)

When three different cert files (CA, intermediate, and server) are provided, follow the steps below to perform validations:

  • Combine the ca with the intermediate certs
cp ca.crt ca-bundle.crt
cat intermediate.crt >> ca-bundle.crt
  • Check the contents of the server cert, especially the subject alternative names and the validity fields
openssl x509 -in server.crt -text -noout
  • Check if the server cert was signed by the CA (the ca-bundle.crt built in the first step)
openssl verify -CAfile ca-bundle.crt server.crt
Output
server.crt: OK
  • Check if the server cert was generated from the server private key by comparing the MD5 hashes of their RSA moduli. If the outputs of the following two commands match, the server cert was generated using that private key.
openssl x509 -noout -modulus -in server.crt | openssl md5

Server Cert Output
(stdin)= c9b0c5c3fe11b0b09947415236c4a441

openssl rsa -noout -modulus -in server.key | openssl md5

Server private key output
(stdin)= c9b0c5c3fe11b0b09947415236c4a441

  • Generate a PFX file from the server certificate and the private key. After running the command, a passcode will be requested twice. This passcode will always be required to decrypt the pfx file.
openssl pkcs12 -inkey server.key -in server.crt -export -out server.pfx

Output

Enter Export Password:
Verifying - Enter Export Password:
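The Scenario 1 checks gathered into one script, as an added example that is not part of the original article. It assumes a stock openssl binary on PATH and the file names listed above, and it builds its own throwaway test PKI (constructed data, hypothetical host name automationsuite.example) so it can run without real certificates; it goes beyond the steps above in one respect, comparing public keys rather than RSA moduli so the key-match check also covers EC keys.

```shell
#!/bin/sh
# Added example, not from the original article: the Scenario 1 checks as one
# script. make_test_pki builds a throwaway CA/intermediate/server (constructed
# test data) so the checks can be exercised without real certificates.
set -eu

# validate_chain CA INTERMEDIATE SERVER KEY -> returns 0 only if every check passes
validate_chain() {
  ca=$1; inter=$2; cert=$3; key=$4
  bundle=$(dirname "$cert")/ca-bundle.crt
  cat "$ca" "$inter" > "$bundle"                        # step 1: build ca-bundle.crt
  # step 2: the bundle (CA + intermediate) must sign the server cert
  openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
  # step 3: the key must belong to the cert; compare public keys instead of the
  # RSA modulus so the check also works for EC keys (modulus md5 is RSA-only)
  c=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$key" -pubout | openssl sha256)
  [ "$c" = "$k" ] || { echo "key: FAIL"; return 1; }
  # extra check: refuse a cert that expires within 30 days (2592000 s)
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null || { echo "expiry: FAIL"; return 1; }
  echo "chain, key, expiry: OK"
}

# make_test_pki DIR: writes ca.crt, intermediate.crt, server.crt, server.key,
# plus other.key (a key unrelated to server.crt, used for a negative test)
make_test_pki() {
  d=$1; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:automationsuite.example\n' > "$d/srv.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
    -subj "/CN=Test Root" -days 3650 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/intermediate.key" \
    -out "$d/intermediate.csr" -subj "/CN=Test Intermediate" 2>/dev/null
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1825 -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" \
    -out "$d/server.csr" -subj "/CN=automationsuite.example" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" \
    -CAcreateserial -days 365 -extfile "$d/srv.ext" -out "$d/server.crt" 2>/dev/null
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

# Stand-alone demo: sh validate.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d); make_test_pki "$tmp"
  validate_chain "$tmp/ca.crt" "$tmp/intermediate.crt" "$tmp/server.crt" "$tmp/server.key"
fi
```

Point validate_chain at the real ca.crt, intermediate.crt, server.crt and server.key to run the same checks on production material; a non-zero exit names the failing check.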

Scenario 3

When working with a certificate in PFX format that contains the CA, intermediate, server, and private key components, it can be used as an identity token signing certificate. However, to use it with the Automation Suite, the PFX file needs to be split into multiple certificate files. The following steps walk you through how to split the pfx file accordingly.

  • Export the CA certificate (including the intermediate certificate, if the pfx file contains one)
openssl pkcs12 -in server.pfx -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca.crt
  • Export the server certificate
openssl pkcs12 -in server.pfx -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > server.crt
  • Export the private key
openssl pkcs12 -in server.pfx -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > server.key