OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: Changing SSL certificates - switching from self-signed to RapidSSL

From: Viktor Dukhovni (postfix-usersdukhovni.org)
Date: Sat Apr 19 2014 - 11:36:01 CDT


On Sat, Apr 19, 2014 at 07:06:31AM -0400, Charles Marcus wrote:

> I hate to keep imposing on you, but since I don't have the postfinger tool,

Your submission service configuration is now correct. In each pair
of lines the "issuer" is the name of the certification authority
that signed the certificate and the "subject" is the certified name
of the owner of the public key in the certificate.

    subject=/serialNumber=7XqE1Qv/zhjR5gwi8OBh94adXjYVaaDs/OU=GT32586886/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=smtp.media-brokers.com
    issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA

    subject=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
    issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

    subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

In a well-formed chain (such as above), the subject in each pair
of lines after the first is the same as the issuer in the previous
pair lines.

If you don't have posttls-finger, for the purpose of examining the
peer certificate chain you get functionally equivalent output from:

    (sleep 2; echo QUIT) |
    openssl s_client -starttls smtp -showcerts \
        -connect smtp.media-brokers.com:587 2>/dev/null | ...

In other words:

    (sleep 2; echo QUIT) |
        openssl s_client -starttls smtp -showcerts \
            -connect smtp.media-brokers.com:587 2>/dev/null |
        openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
        openssl pkcs7 -print_certs -noout

The last two commands in the pipeline convert a sequence of PEM
certificates to PKCS#7 format for the sole purpose of printing the
subject and issuer of each one (without printing the actual
certificate content). This PKCS#7 conversion is a work-around for
the absense of a multi-certificate input loop option in the x509(1)
sub-command of openssl(1), which currently will only print the
first certificate in the input file.

Note that since you have the complete chain in a file, you don't
have to connect to the server over the network with either
posttls-finger(1) or s_client(1). Rather you can simply run:

    chainfile=/some/where/chain-filename.pem
    openssl crl2pkcs7 -nocrl -certfile "${chainfile}" |
        openssl pkcs7 -print_certs -noout

Therefore, for any other software whose configuration supports
loading a PEM chain file (consult the documentation), you can verify
the correctness of the chain file locally.

For even more detail, you can append "-text" after the "-noout"
option, and see a fully decoded verbose output of each certificate
showing validity dates, and various X.509 extensions including any
"subject alternative names" you might expect in the leaf certificate
and subject and authority key identifiers that link the issuer and
subject more precisely than just the names in the concise output.

--
        Viktor.