How to check if an SSL/TLS certificate is trusted by a Java-based software on Red Hat Enterprise Linux?
Environment
- Red Hat Enterprise Linux
Issue
- When investigating SSL/TLS related issues it is useful to know whether a certificate is trusted by a Java application and, if it is not, which issuer in the certificate chain is missing from the Java keystore.
- SSL Certificate Trust Check.
Resolution
- Get the trusted CA list from the Java keystore (replace $PATH_TO_CASTORE with the keystore the application uses, for example the cacerts file of its JDK) and save it to /tmp/trusted-list-java. The awk command feeds each PEM certificate of the keystore dump to a separate openssl call, which prints only its subject:
  keytool -list -keystore $PATH_TO_CASTORE -rfc | awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' | sed 's/subject=//' > /tmp/trusted-list-java
- Save the certificate (together with its chain, when available) to /tmp/cert.pem.
  To save a remote certificate (replace example.com:443):
  echo | openssl s_client -showcerts -connect example.com:443 > /tmp/cert.pem
  To use a local certificate file (replace $PATH_TO_PEM):
  cp $PATH_TO_PEM /tmp/cert.pem
- The following code extracts the issuer of every certificate found in /tmp/cert.pem (the same awk split as above, this time printing the issuer) and shows whether each issuer is in the trusted list or not. An issuer reported as Not Trusted is not present in the Java keystore:
  CERTPATH=/tmp/cert.pem
  TRUSTED=$(cat /tmp/trusted-list-java)
  ISSUERS=$(awk -v cmd='openssl x509 -noout -issuer' '/BEGIN/{close(cmd)};{print | cmd}' ${CERTPATH} | sed 's/issuer=//')
  while IFS= read -r ISSUER; do
    # skip the empty line produced when no certificate was found
    [ -z "$ISSUER" ] && continue
    if [[ "$TRUSTED" =~ "$ISSUER" ]]; then
      echo "Certificate issuer <$ISSUER> is Trusted"
    else
      echo "Certificate issuer <$ISSUER> is Not Trusted"
    fi
  done <<< "$ISSUERS"
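The bash "=~" test above is a substring match, so an issuer such as "C = US, O = Example Corp" would be reported as trusted merely because it is a prefix of a longer trusted subject. The following added example (not part of the original article) runs the same check with exact-line matching on constructed trusted-list and issuer data; the sample issuer strings, the temporary file and the function names are assumptions, and no keytool or openssl call is needed to run it:

```shell
#!/bin/sh
# Constructed stand-in for /tmp/trusted-list-java (subjects as printed by
# "openssl x509 -noout -subject" with the "subject=" prefix stripped).
TRUSTED_LIST=$(mktemp)
cat > "$TRUSTED_LIST" <<'EOF'
C = US, O = Example Root CA, CN = Example Root CA
C = US, O = Example Corp, CN = Example Corp Root G2
EOF

# issuer_trusted TRUSTED_FILE ISSUER
# Exit 0 only if ISSUER is exactly one whole line of TRUSTED_FILE.
# grep -Fx (fixed string, full line) avoids the prefix false positive of a
# substring test: "C = US, O = Example Corp" is contained in the second
# trusted line but is not itself a trusted CA.
issuer_trusted() {
    grep -Fxq -- "$2" "$1"
}

# check_chain TRUSTED_FILE ISSUER...
# Prints one verdict per issuer, as the article's loop does, and returns 0
# only if at least one issuer of the chain is present in the trusted list.
check_chain() {
    trusted_file=$1; shift
    found=1
    for issuer in "$@"; do
        if issuer_trusted "$trusted_file" "$issuer"; then
            echo "Certificate issuer <$issuer> is Trusted"
            found=0
        else
            echo "Certificate issuer <$issuer> is Not Trusted"
        fi
    done
    return $found
}

# Constructed chain: the leaf is issued by an intermediate that is absent from
# the keystore, the intermediate by the Example Root CA that is present.
check_chain "$TRUSTED_LIST" \
    "C = US, O = Example Corp, CN = Example Corp Issuing CA 1" \
    "C = US, O = Example Root CA, CN = Example Root CA"
```

In the article's procedure the issuer strings would come from the ISSUERS variable, one per line, while the trusted list stays /tmp/trusted-list-java.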
- Note that depending on the product, some services rely on the operating system trust store while others use the Java keystore. In the former case refer to How to check if a SSL/TLS certificate is trusted by Red Hat Enterprise Linux?
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.