Tuesday, December 19, 2023

Oracle Linux 7 -- How To Get A Topmost Root CA Of A Web Resource

Problem

You need to extract the topmost root CA certificate from the certificate chain of a web resource.

Solution

First identify the certificate chain:

$ openssl s_client -connect google.com:443 -showcerts < /dev/null
CONNECTED(00000003)
depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = *.google.com

The topmost root CA is the one with the highest depth (depth=3 in the case above), but it will probably be missing from the displayed chain, because a server normally sends only its own certificate and the intermediates, not the root. The last displayed certificate is therefore the one for depth=2 in the case above:

 2 s:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Save the content of the last certificate in a temp file and issue the command against it:

$ openssl x509 -in /tmp/cert2.cert -text

Authority Information Access:
OCSP - URI:http://ocsp.pki.goog/gsr1
CA Issuers - URI:http://pki.goog/gsr1/gsr1.crt

Download the root CA certificate file (in this case gsr1.crt) and verify that the certificate matches the root CA reported in the first output above (the one with depth=3):

$ wget http://pki.goog/gsr1/gsr1.crt

$ openssl x509 -in gsr1.crt -text -inform DER

Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA

The certificates match. Since a root CA certificate is self-signed, its Subject line is identical to its Issuer line, which is a quick way to confirm you really have the topmost certificate of the chain.

Optionally save the certificate in a PEM format file (the data block enclosed by the BEGIN CERTIFICATE and END CERTIFICATE lines).
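The procedure above, scripted, as an added example that is not part of the original post. The sample s_client output is constructed to mirror the chain shown above (placeholder PEM bodies, not real certificates); the helper names are mine, and the last two helpers (ca_issuers_uri, check_root) need openssl and real certificate files, so they are not exercised on the sample.

```shell
# Constructed sample of `openssl s_client -showcerts` output (PEM bodies are
# placeholders, not real certificates); only its structure matters here.
SAMPLE_CHAIN='depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = *.google.com
verify return:1
---
Certificate chain
 0 s:/CN=*.google.com
   i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
   i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
-----BEGIN CERTIFICATE-----
BBBB
-----END CERTIFICATE-----
 2 s:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-----BEGIN CERTIFICATE-----
CCCC
-----END CERTIFICATE-----
---'

# CN of the deepest verify line, i.e. the topmost root CA (depth=3 above).
top_cn() { printf '%s\n' "$1" | awk -F'CN = ' '/^depth=/ { split($0, d, /[= ]/); if (d[2]+0 >= m) { m = d[2]+0; cn = $2 } } END { print cn }'; }
# Subject CN and issuer CN of the last certificate the server actually sent.
last_subject_cn() { printf '%s\n' "$1" | awk '/^ *[0-9]+ s:/ { s = $0 } END { sub(/.*CN=/, "", s); print s }'; }
last_issuer_cn() { printf '%s\n' "$1" | awk '/^ *[0-9]+ s:/ { w = 1; next } w && /^ *i:/ { c = $0; w = 0 } END { sub(/.*CN=/, "", c); print c }'; }
# "present" if the server sent the root itself, "missing" if the chain stops at
# an intermediate whose issuer is the root (the usual case, as on the page).
root_status() { [ "$(last_subject_cn "$1")" = "$(top_cn "$1")" ] && echo present || echo missing; }
# Prints the N-th PEM block (0-based, as numbered by s_client) for saving to a file.
nth_pem() { printf '%s\n' "$2" | awk -v n="$1" '/^-----BEGIN CERTIFICATE-----/ { if (i == n) p = 1 } p { print } /^-----END CERTIFICATE-----/ { if (p) exit; i++ }'; }
# The two helpers below need openssl and real certificate files (not run on the sample):
# the AIA "CA Issuers" URI of a saved intermediate ...
ca_issuers_uri() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *CA Issuers - URI://p'; }
# ... and a check that a downloaded DER root is self-signed and carries the expected CN.
check_root() {
  subj=$(openssl x509 -in "$1" -inform DER -noout -subject) || return 1
  iss=$(openssl x509 -in "$1" -inform DER -noout -issuer) || return 1
  [ "${subj#subject=}" = "${iss#issuer=}" ] || return 1
  case "$subj" in *"CN = $2"*|*"CN=$2"*) return 0 ;; *) return 1 ;; esac
}
```

On real output, pipe `openssl s_client -connect host:443 -showcerts < /dev/null 2>&1` into a variable, run `root_status` on it, save `nth_pem "$(last_index)"`-style output to a file, then feed that file to `ca_issuers_uri` and the downloaded file plus `top_cn` to `check_root`.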
