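#!/usr/bin/env bash
#
# Fetch the blocklist published at blocklist.gespa.ch and verify it end to end.
#
#   1. download the files, their detached signatures and the publisher's certificate chain
#   2. verify the publisher certificate against the downloaded chain AND the local trust store
#   3. cross-check the downloaded intermediate and root against the copies served by the issuer (QuoVadis)
#   4. check the publisher certificate against the issuer's CRL
#   5. only then verify the detached signatures with the publisher's public key
#
# The order matters: the signing certificate and the CA files are served by the
# same origin as the data, so a signature check on its own only proves that the
# files are self-consistent. Steps 2-4 establish trust in the certificate; the
# signatures are checked last, with the key taken from that validated certificate.
#
# Background reading:
#   Which steps are needed to validate a certificate? (German)
#     http://www.globaltrust.eu/php/cms_monitor.php?q=PUB&s=20446cuj
#   Manually verify a certificate against a CRL
#     https://raymii.org/s/articles/OpenSSL_manually_verify_a_certificate_against_a_CRL.html
#
# Requires: bash, wget, openssl. The grep patterns on 'openssl x509 -text' output
# were written against the 1.1 / 3.x text layout.

# Abort on the first failed command: wget -O leaves an empty file behind when a
# download fails, and every later step would otherwise "verify" empty files.
set -euo pipefail

# Download files from blocklist.gespa.ch
#########################################

# blocklist file
wget --quiet -O gespa_blocklist.txt https://blocklist.gespa.ch/gespa_blocklist.txt
# signature
wget --quiet -O gespa_blocklist.txt.sign https://blocklist.gespa.ch/gespa_blocklist.txt.sign
# diff file
wget --quiet -O gespa_blocklist.diff https://blocklist.gespa.ch/gespa_blocklist.diff
# diff signature
wget --quiet -O gespa_blocklist.diff.sign https://blocklist.gespa.ch/gespa_blocklist.diff.sign
# pdf file
wget --quiet -O gespa_blocklist.pdf https://blocklist.gespa.ch/gespa_blocklist.pdf
# pdf signature
wget --quiet -O gespa_blocklist.pdf.sign https://blocklist.gespa.ch/gespa_blocklist.pdf.sign
# publisher (signing) certificate -- despite the .pub name this is an X.509
# certificate (see the 'openssl x509' calls below), not a bare public key
wget --quiet -O blocklist.gespa.ch.pub https://blocklist.gespa.ch/blocklist.gespa.ch.pub
# root
wget --quiet -O ca.pem https://blocklist.gespa.ch/ca.pem
# intermediate
wget --quiet -O intermediate.pem https://blocklist.gespa.ch/intermediate.pem

# Show contents of the publisher certificate
openssl x509 -in blocklist.gespa.ch.pub -text -noout

# Verify certificate chain
##########################

# Create a file with the full chain as served by blocklist.gespa.ch
cat ca.pem intermediate.pem > chain.pem

# Verify the publisher certificate against this chain.
# NOTE: chain.pem was downloaded from the same host as the certificate, so this
# step only proves that the three files are consistent with each other.
openssl verify -verbose -CAfile chain.pem blocklist.gespa.ch.pub

# Verify the same certificate against the LOCAL trust store (openssl's default
# CA file/path is used when neither -CAfile nor -CApath is given). This is the
# one check that does not depend on anything served by blocklist.gespa.ch.
# The default store location is distribution specific; pass -CApath/-CAfile
# explicitly if this fails with "unable to get local issuer certificate".
openssl verify -verbose -untrusted intermediate.pem blocklist.gespa.ch.pub

# Verify the certificates downloaded from blocklist.gespa.ch are issued by QuoVadis
####################################################################################
# QuoVadis certificates can be downloaded from: https://www.quovadisglobal.com/repository/
# Intermediate: http://trust.quovadisglobal.com/quovadisswissregulatedcag3.crt
# Root:         http://trust.quovadisglobal.com/qvrca1g3.crt
# The AIA and CRL URLs are plain http. That is normal for these objects: their
# authenticity rests on the key identifiers, fingerprints and signatures checked
# below, not on the transport.

# The publisher certificate's 'X509v3 Authority Key Identifier' and 'Authority
# Information Access' sections must name this Key-ID and URL:
#   Key ID: 71:01:1A:8B:46:0C:E0:35:45:4E:D6:7E:EC:D0:ED:39:8D:46:D6:69
#   URL:    http://trust.quovadisglobal.com/quovadisswissregulatedcag3.crt
openssl x509 -in blocklist.gespa.ch.pub -text -noout

# The same check without eyeballing. The key id line reads "keyid:71:01:..." on
# older OpenSSL and "71:01:..." on 3.x; matching the bare hex string covers both.
openssl x509 -in blocklist.gespa.ch.pub -text -noout \
  | grep -A 1 'X509v3 Authority Key Identifier' \
  | grep -q '71:01:1A:8B:46:0C:E0:35:45:4E:D6:7E:EC:D0:ED:39:8D:46:D6:69' \
  || { echo 'publisher certificate: unexpected Authority Key Identifier' >&2; exit 1; }
openssl x509 -in blocklist.gespa.ch.pub -text -noout \
  | grep -q 'URI:http://trust.quovadisglobal.com/quovadisswissregulatedcag3.crt' \
  || { echo 'publisher certificate: unexpected CA Issuers URI' >&2; exit 1; }

# Download the intermediate from QuoVadis
wget --quiet -O quovadisswissregulatedcag3.crt http://trust.quovadisglobal.com/quovadisswissregulatedcag3.crt

# Convert the certificate from DER to PEM
openssl x509 -inform der -in quovadisswissregulatedcag3.crt -out quovadisswissregulatedcag3.x509

# intermediate.pem and quovadisswissregulatedcag3.x509 must be the same certificate.
# Compare the SHA-256 fingerprints of the DER encoding instead of diffing the PEM
# text: a text header or different line wrapping in one PEM file would make a
# textual diff fail even when the certificates are identical.
openssl x509 -in intermediate.pem -text -noout
openssl x509 -in quovadisswissregulatedcag3.x509 -text -noout
fp_intermediate_gespa=$(openssl x509 -in intermediate.pem -noout -fingerprint -sha256)
fp_intermediate_quovadis=$(openssl x509 -in quovadisswissregulatedcag3.x509 -noout -fingerprint -sha256)
printf '%s\n%s\n' "$fp_intermediate_gespa" "$fp_intermediate_quovadis"
[[ "$fp_intermediate_gespa" == "$fp_intermediate_quovadis" ]] \
  || { echo 'intermediate.pem does not match the certificate served by QuoVadis' >&2; exit 1; }

# The intermediate's own 'X509v3 Authority Key Identifier' and 'Authority
# Information Access' sections must point to the root:
#   Key ID: A3:97:D6:F3:5E:A2:10:E1:AB:45:9F:3C:17:64:3C:EE:01:70:9C:CC
#   URL:    http://trust.quovadisglobal.com/qvrca1g3.crt
openssl x509 -in intermediate.pem -text -noout \
  | grep -A 1 'X509v3 Authority Key Identifier' \
  | grep -q 'A3:97:D6:F3:5E:A2:10:E1:AB:45:9F:3C:17:64:3C:EE:01:70:9C:CC' \
  || { echo 'intermediate certificate: unexpected Authority Key Identifier' >&2; exit 1; }
openssl x509 -in intermediate.pem -text -noout \
  | grep -q 'URI:http://trust.quovadisglobal.com/qvrca1g3.crt' \
  || { echo 'intermediate certificate: unexpected CA Issuers URI' >&2; exit 1; }

# Get the root certificate from QuoVadis
wget --quiet -O ca-from-quovadis.der http://trust.quovadisglobal.com/qvrca1g3.crt

# Convert the certificate from DER to PEM
openssl x509 -inform der -in ca-from-quovadis.der -out ca-from-quovadis.crt

openssl x509 -in ca.pem -text -noout
openssl x509 -in ca-from-quovadis.crt -text -noout
fp_root_gespa=$(openssl x509 -in ca.pem -noout -fingerprint -sha256)
fp_root_quovadis=$(openssl x509 -in ca-from-quovadis.crt -noout -fingerprint -sha256)
printf '%s\n%s\n' "$fp_root_gespa" "$fp_root_quovadis"
[[ "$fp_root_gespa" == "$fp_root_quovadis" ]] \
  || { echo 'ca.pem does not match the root certificate served by QuoVadis' >&2; exit 1; }

# Both roots must carry
#   Serial Number: 78:58:5f:2e:ad:2c:19:4b:e3:37:07:35:34:13:28:b5:96:d4:65:93
#   Issuer:        C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 1 G3
# (-text prints the serial colon-separated; -i tolerates upper/lower case hex.
#  Only the CN is matched for the issuer because the RDN separator in the
#  -issuer output differs between OpenSSL versions.)
for root_cert in ca.pem ca-from-quovadis.crt; do
  openssl x509 -in "$root_cert" -text -noout \
    | grep -qi '78:58:5f:2e:ad:2c:19:4b:e3:37:07:35:34:13:28:b5:96:d4:65:93' \
    || { echo "$root_cert: unexpected serial number" >&2; exit 1; }
  openssl x509 -in "$root_cert" -noout -issuer \
    | grep -q 'QuoVadis Root CA 1 G3' \
    || { echo "$root_cert: unexpected issuer" >&2; exit 1; }
done

# Verify the certificate has not been revoked
#############################################

# Get the URL of the revocation list from section 'X509v3 CRL Distribution Points'
openssl x509 -noout -text -in blocklist.gespa.ch.pub
openssl x509 -noout -text -in blocklist.gespa.ch.pub \
  | grep -A 4 'X509v3 CRL Distribution Points' \
  | grep URI \
  | awk -FURI: '{ print $2}'
# Expected URL: http://crl.quovadisglobal.com/quovadisswissregulatedcag3.crl
# The CRL is fetched from a hard-coded URL below, so a certificate that points
# elsewhere must not pass silently.
openssl x509 -noout -text -in blocklist.gespa.ch.pub \
  | grep -A 4 'X509v3 CRL Distribution Points' \
  | grep -q 'URI:http://crl.quovadisglobal.com/quovadisswissregulatedcag3.crl' \
  || { echo 'publisher certificate: unexpected CRL Distribution Point' >&2; exit 1; }

# Download the CRL
wget --quiet -O revocation.der http://crl.quovadisglobal.com/quovadisswissregulatedcag3.crl

# Convert the CRL from DER (binary) to PEM (base64-encoded DER)
openssl crl -inform DER -in revocation.der -outform PEM -out revocation.pem

# Create a chain file that also carries the CRL (CRLs are accepted from -CAfile).
# The CRL's own signature by the intermediate is checked as part of -crl_check,
# so a tampered CRL fetched over plain http is rejected rather than trusted.
cat intermediate.pem ca.pem revocation.pem > chain.pem

# Verify the publisher certificate has not been revoked.
# -crl_check checks the leaf only; -crl_check_all would also need the root's CRL
# for the intermediate, which this script does not download.
openssl verify -crl_check -CAfile chain.pem blocklist.gespa.ch.pub

# Verify signatures
###################
# Ensure the files were signed with the key in blocklist.gespa.ch.pub. The
# certificate is only used here, after the chain and revocation checks above.

# Extract the public key from the validated certificate. Newer OpenSSL accepts a
# certificate directly in 'dgst -verify'; the explicit extraction works everywhere.
openssl x509 -in blocklist.gespa.ch.pub -pubkey -noout > blocklist.gespa.ch.pubkey.pem

# The .sign files are base64 text; decode them to the binary (DER) signature
# that 'openssl dgst' expects. If a .sign file is one long line without line
# breaks, add -A to 'openssl base64'.
openssl base64 -d -in gespa_blocklist.txt.sign -out gespa_blocklist.txt.der

# Verify the blocklist was signed with the key from blocklist.gespa.ch.pub
openssl dgst -sha256 -verify blocklist.gespa.ch.pubkey.pem -signature gespa_blocklist.txt.der gespa_blocklist.txt

# Decode and verify in one step; the data file is the last argument.
openssl base64 -d -in gespa_blocklist.txt.sign \
  | openssl dgst -sha256 -verify blocklist.gespa.ch.pubkey.pem -signature /dev/stdin gespa_blocklist.txt
openssl base64 -d -in gespa_blocklist.diff.sign \
  | openssl dgst -sha256 -verify blocklist.gespa.ch.pubkey.pem -signature /dev/stdin gespa_blocklist.diff
openssl base64 -d -in gespa_blocklist.pdf.sign \
  | openssl dgst -sha256 -verify blocklist.gespa.ch.pubkey.pem -signature /dev/stdin gespa_blocklist.pdf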