Notes on exporting Transport Layer Security (TLS) certificates using OpenSSL. Clients must import Certificate Authority (CA) certificates to verify the certificates that servers present. Clients use different formats and mechanisms to import certificates.
The Simple SCEP client for Unix (SSCEP) may be worth investigating for the secure issuance of certificates to networked devices.
- Export from a website via Common Gateway Interface (CGI).
- Export from a website by MIME type, without CGI.
- Converting certificate formats.
The following Unix CGI script returns the contents of the /path/to/cacert.pem file with the application/x-x509-ca-cert Multipurpose Internet Mail Extensions (MIME) type set. The empty echo ends the header block before the certificate body is sent.
#!/bin/sh
echo "Content-Type: application/x-x509-ca-cert"; echo; cat /path/to/cacert.pem
To avoid using CGI scripts, serve out certificates with the proper MIME type set. The Apache web server supports the AddType directive for this purpose.
AddType application/x-x509-ca-cert .crt .cert
Restart Apache, then save the certificate data under the web root in a file with a .crt or .cert extension.
Some applications, like Eudora on legacy Mac OS systems, read certificates from Keychain Access. Under Mac OS 9, Keychain Access requires certificates in DER format instead of the usual PEM format. The openssl utility can convert certificates between formats.
$ mkdir ../der
$ for f in *.crt; do openssl x509 < "$f" -outform der > "../der/$f"; done
$ cd ..
$ zip -r der der
The resulting der.zip can be transferred to the client and expanded for import into Keychain Access. Shipping an archive prevents browsers from corrupting the certificates or attempting to import them on their own.
Use configuration management software such as cfengine to distribute local root certificates to supported client systems. The following cfengine fragment defines the directory that holds root certificates (one definition per platform) and the ownership and mode to apply to the copied files.
certdir = ( /System/Library/OpenSSL/certs )
certdir = ( /usr/share/ssl/certs )
owner=0 group=0 mode=444
The certdir directory should contain root certificates named after their subject hash with a numeric suffix, for example 57692373.0, because that is the file name OpenSSL looks up when it searches a certificate directory. To convert *.crt certificate files, use the following command; cp -n leaves an existing file of the same name untouched.
$ for f in *.crt; do cp -n "$f" "$(openssl x509 -noout -hash < "$f").0"; done
If the certificate file names match *.pem, the c_rehash script distributed with OpenSSL is an option. It has the advantage of incrementing the numeric suffix when two certificates share the same short hash name, a case the cp -n loop above silently skips.
$ c_rehash /some/dir/with/dot/pem/files/
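The hash-and-suffix scheme above, as an added shell example that is not part of the original notes: place_by_hash installs a file as hash.N, reusing the entry when the identical certificate is already present and incrementing N on a collision, which is what c_rehash does and the cp -n loop does not. cert_hash assumes a modern openssl(1), where -subject_hash gives the same value as -hash; clients built on OpenSSL 0.9.8 need -subject_hash_old instead.

```shell
#!/bin/sh
# Added example (not from the original notes): install *.crt files into a
# hash-named certificate directory with c_rehash-style collision handling.
# Assumes a modern openssl(1); use -subject_hash_old for 0.9.8-era clients.

# Print the subject hash OpenSSL uses to look up a CA certificate.
cert_hash() {
    openssl x509 -noout -subject_hash < "$1"
}

# place_by_hash DIR FILE HASH: copy FILE to DIR/HASH.N, choosing the first N
# whose target is absent or already identical to FILE. Prints the name used.
place_by_hash() {
    dir=$1; file=$2; hash=$3; n=0
    while [ -e "$dir/$hash.$n" ]; do
        if cmp -s "$file" "$dir/$hash.$n"; then
            echo "$hash.$n"      # same certificate already installed
            return 0
        fi
        n=$((n + 1))             # different certificate, same short hash
    done
    cp "$file" "$dir/$hash.$n" && echo "$hash.$n"
}

# install_certs DIR: install every *.crt in the current directory into DIR.
install_certs() {
    for f in *.crt; do
        [ -f "$f" ] || continue
        place_by_hash "$1" "$f" "$(cert_hash "$f")"
    done
}
```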
Use the openssl verify command to check that a certificate chains to a trusted CA; it consults the default certificate store unless -CAfile or -CApath is given.
$ openssl verify -issuer_checks host.cert
If the certificate is self-signed, compare its fingerprint out of band with someone who can read the certificate on the server.
$ openssl x509 -noout -fingerprint < host.cert
Comparing long hexadecimal fingerprints by eye or over the phone is error-prone. The Perl module Digest::BubbleBabble can convert a fingerprint into a human-readable format. Use the md52bb utility to display fingerprints in bubble-babble form.
# openssl x509 -noout -fingerprint < host.cert | md52bb