Exporting OpenSSL Certificates

Notes on exporting Transport Layer Security (TLS) certificates using OpenSSL. Clients must import Certificate Authority (CA) certificates to verify the security of connections to servers. Clients use different formats and mechanisms to import certificates.

The Simple SCEP client for Unix (SSCEP) may be worth investigating for the secure issuance of certificates to networked devices.

Checking Certificates

Use the openssl verify command to check the validity of a certificate.

$ openssl verify -issuer_checks host.cert

If the certificate is self-signed, compare the fingerprint with someone who can check the certificate on the server.

$ openssl x509 -noout -fingerprint < host.cert
MD5 Fingerprint=E9:52:39:C8:77:39:83:75:EC:E8:D9:64:A0:93:79:15

Comparing such fingerprints by eye or over the phone is difficult. The Perl module Digest::BubbleBabble can convert the fingerprint into a human-readable format. Use the md52bb utility to display fingerprints in bubble-babble format.

$ openssl x509 -noout -fingerprint < host.cert | md52bb
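
The bubble-babble conversion described above, as an added example that is not code from the original page or from Digest::BubbleBabble. It parses a fingerprint line as printed by openssl x509 -fingerprint and encodes the digest; it goes beyond the MD5 case and accepts any digest length. The function names and SAMPLE_LINE are assumptions of this example.

```python
import re
import sys

VOWELS, CONSONANTS = "aeiouy", "bcdfghklmnprstvzx"
# Constructed sample input: the fingerprint line shown on this page.
SAMPLE_LINE = "MD5 Fingerprint=E9:52:39:C8:77:39:83:75:EC:E8:D9:64:A0:93:79:15"
LINE_RE = re.compile(r"\s*(\S+) Fingerprint=((?:[0-9A-Fa-f]{2}:)*[0-9A-Fa-f]{2})\s*")


def parse_fingerprint(line):
    """Split 'ALG Fingerprint=AA:BB:...' into (algorithm, raw digest bytes)."""
    m = LINE_RE.fullmatch(line)
    if m is None:
        raise ValueError("not a fingerprint line: %r" % line)
    return m.group(1).upper(), bytes.fromhex(m.group(2).replace(":", ""))


def bubble_babble(data):
    """Encode bytes as pronounceable five-letter groups (Bubble Babble)."""
    seed, out = 1, ["x"]
    rounds = len(data) // 2 + 1
    for i in range(rounds):
        if i + 1 < rounds or len(data) % 2:
            b1 = data[2 * i]
            out.append(VOWELS[(((b1 >> 6) & 3) + seed) % 6])
            out.append(CONSONANTS[(b1 >> 2) & 15])
            out.append(VOWELS[((b1 & 3) + seed // 6) % 6])
            if i + 1 < rounds:
                b2 = data[2 * i + 1]
                out.append(CONSONANTS[b2 >> 4] + "-" + CONSONANTS[b2 & 15])
                # Running checksum: later vowels depend on the bytes seen so far.
                seed = (seed * 5 + b1 * 7 + b2) % 36
        else:
            # Even-length input: the final group encodes only the checksum.
            out.append(VOWELS[seed % 6] + CONSONANTS[16] + VOWELS[seed // 6])
    return "".join(out) + "x"


def fingerprints_match(line_a, line_b):
    """True only when both lines carry the same algorithm and digest."""
    return parse_fingerprint(line_a) == parse_fingerprint(line_b)


if __name__ == "__main__":
    # Read lines from a pipe, or fall back to the sample when run interactively.
    for line in ([SAMPLE_LINE] if sys.stdin.isatty() else sys.stdin):
        alg, digest = parse_fingerprint(line)
        print(alg, bubble_babble(digest))
```

Pipe the output of openssl x509 -noout -fingerprint into the script to encode a real certificate's fingerprint.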