How to validate an SSL certificate file and its bundle file?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux
    • 6.x
    • 7.x
    • 8.x
    • 9.x
    • 10.x

Issue

  • When investigating SSL/TLS issues it is often useful to confirm that the bundle file contains every issuer needed to validate a signed certificate:
  • How to examine an SSL bundle file chain?
  • How to verify that the SSL certificate chain is not broken?
  • How to verify that there are no missing server names in the Alternative Names section of an SSL certificate?
  • How to verify that an SSL certificate has not expired?

Resolution

  • The attached script certcheck.py.txt performs several checks on the given certificate, bundle and server name. Download it and rename it to certcheck.py.

  • The script requires python3-cryptography; install it with the following command (use yum on releases that do not ship dnf):

    dnf install python3-cryptography
    
      usage: certcheck.py [-h] [-c CERT] [-b BUNDLE] [-s SERVERNAME]
    
      `certcheck` performs some validations on Certificate `PEM` files.
    
      options:
      -h, --help            show this help message and exit
      -c, --cert CERT       Signed certificate file path.
      -b, --bundle BUNDLE   CA Bundle file path.
      -s, --servername SERVERNAME
                            Hostname.
    
  • Example output

      $ certcheck.py -c 1cert.pem -b 1bundle.pem -s other_server_name.example.com
      ### Certificate `1cert.pem`
        - Subject: server.example.com
        - AltNames:
          - server.example.com
          - satellite.example.com
        - Issuer: MY3 EXAMPLE COM
        - Valid from: 2025-04-24 15:21:22+00:00
        - Valid to: 2026-04-24 15:21:22+00:00
      ### Bundle `1bundle.pem`
        - Issuers:
          - MY3 EXAMPLE COM
            - Issuer: MY2 EXAMPLE COM
            - Valid from: 2023-01-03 11:15:00+00:00
            - Valid to: 2024-12-31 11:14:59+00:00
          - MY2 EXAMPLE COM
            - Issuer: ROOTCA EXAMPLE COM
            - Valid from: 2021-09-02 07:41:55+00:00
            - Valid to: 2029-08-31 07:41:54+00:00
    
      ################################################################################
      # CRITICAL
      ################################################################################
        - Chain is broken. `ROOTCA EXAMPLE COM` for Subject `MY2 EXAMPLE COM` is missing.
        - `other_server_name.example.com` not included in Alternative Names `['server.example.com', 'satellite.example.com']`.
        - Subject `MY3 EXAMPLE COM` expired on `2024-12-31 11:14:59+00:00`.
    
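  • The following is an added example, not the attached certcheck.py and not Red Hat code. It uses the same python3-cryptography library to build a constructed ROOTCA -> MY2 -> MY3 -> server.example.com chain in memory, with the names and dates taken from the output above (MY3 expired, ROOTCA left out of the bundle), and then runs the three checks the article lists. It goes slightly beyond what the page shows: each Issuer -> Subject hop is also verified cryptographically rather than matched by name only, and the hostname check accepts a single-label wildcard SAN. All function names (run_checks, build_example_pems, san_matches and the rest) and the test dates are this example's own assumptions.

```python
"""Added example (not the attached certcheck.py): build a constructed ROOTCA -> MY2 -> MY3 -> server
chain in memory with python3-cryptography, then run the chain, SAN and expiry checks on it."""
import re
from datetime import datetime, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def utc(*args):                      # aware UTC datetime from (year, month, day[, hour, minute, second])
    return datetime(*args, tzinfo=timezone.utc)

def load_pems(data):                 # a single-cert file or a bundle -> list of certificate objects
    return [x509.load_pem_x509_certificate(m) for m in PEM_CERT.findall(data)]

cn = lambda name: name.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value   # first CN of a Name

def not_after(cert):                 # aware expiry, with a fallback for cryptography releases without *_utc
    aware = getattr(cert, "not_valid_after_utc", None)
    return aware if aware is not None else cert.not_valid_after.replace(tzinfo=timezone.utc)

def signed_by(child, parent):
    """True if parent's key verifies child's signature (RSA PKCS#1 v1.5 or ECDSA only)."""
    pub, alg = parent.public_key(), child.signature_hash_algorithm
    try:
        if isinstance(pub, rsa.RSAPublicKey):
            pub.verify(child.signature, child.tbs_certificate_bytes, padding.PKCS1v15(), alg)
        elif isinstance(pub, ec.EllipticCurvePublicKey):
            pub.verify(child.signature, child.tbs_certificate_bytes, ec.ECDSA(alg))
        else:
            return False             # Ed25519 and other key types are not handled in this example
        return True
    except InvalidSignature:
        return False

def san_matches(hostname, pattern):
    """Exact match, or a single-label wildcard in the leftmost position only."""
    host, pat = hostname.lower().split("."), pattern.lower().split(".")
    return host == pat or (pat[0] == "*" and len(host) == len(pat) and host[1:] == pat[1:])

def run_checks(cert_pem, bundle_pem, servername, now=None):
    """Return the CRITICAL findings for a leaf certificate, its bundle and a hostname."""
    now = now or datetime.now(timezone.utc)
    leaf, bundle, findings = load_pems(cert_pem)[0], load_pems(bundle_pem), []
    # 1. Walk Issuer -> Subject links up to a self-signed root; each hop must be in the bundle
    #    and must really carry a signature made with that issuer's key, not just a matching name.
    current = leaf
    for _ in range(len(bundle) + 1):           # bounds the walk even on cross-signed loops
        if current.issuer == current.subject:  # self-signed root reached
            break
        candidates = [c for c in bundle if c.subject == current.issuer]
        issuer = next((c for c in candidates if signed_by(current, c)), None)
        if issuer is None:
            why = "is missing" if not candidates else "is present but does not verify the signature"
            findings.append(f"Chain is broken. `{cn(current.issuer)}` for Subject `{cn(current.subject)}` {why}.")
            break
        current = issuer
    # 2. The hostname must be covered by the SAN extension; the CN alone is not enough.
    try:
        names = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        names = []
    if not any(san_matches(servername, n) for n in names):
        findings.append(f"`{servername}` not included in Alternative Names `{names}`.")
    # 3. Expiry of the leaf and of every bundle member (an expired intermediate breaks the chain too).
    for c in [leaf] + bundle:
        if not_after(c) < now:
            findings.append(f"Subject `{cn(c.subject)}` expired on `{not_after(c)}`.")
    return findings

def make_cert(subject_cn, issuer_cn, issuer_key, key, start, end, ca, sans=()):
    """Constructed test certificate; CN-only names keep the example short."""
    name = lambda value: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, value)])
    b = (x509.CertificateBuilder().subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(start).not_valid_after(end)
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if sans:
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(s) for s in sans]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def build_example_pems(intermediate_expired=True, include_root=False):
    """Constructed chain mirroring the article's output: MY3 expired, ROOTCA absent from the bundle."""
    k = {n: ec.generate_private_key(ec.SECP256R1()) for n in ("root", "my2", "my3", "leaf")}
    root = make_cert("ROOTCA EXAMPLE COM", "ROOTCA EXAMPLE COM", k["root"], k["root"],
                     utc(2020, 1, 1), utc(2035, 1, 1), True)
    my2 = make_cert("MY2 EXAMPLE COM", "ROOTCA EXAMPLE COM", k["root"], k["my2"],
                    utc(2021, 9, 2, 7, 41, 55), utc(2029, 8, 31, 7, 41, 54), True)
    my3_end = utc(2024, 12, 31, 11, 14, 59) if intermediate_expired else utc(2027, 12, 31)
    my3 = make_cert("MY3 EXAMPLE COM", "MY2 EXAMPLE COM", k["my2"], k["my3"],
                    utc(2023, 1, 3, 11, 15, 0), my3_end, True)
    leaf = make_cert("server.example.com", "MY3 EXAMPLE COM", k["my3"], k["leaf"],
                     utc(2025, 4, 24, 15, 21, 22), utc(2026, 4, 24, 15, 21, 22), False,
                     ("server.example.com", "satellite.example.com"))
    pem = lambda c: c.public_bytes(serialization.Encoding.PEM)
    return pem(leaf), pem(my3) + pem(my2) + (pem(root) if include_root else b"")
```

    Calling `run_checks(*build_example_pems(), "other_server_name.example.com")` returns the same three CRITICAL lines shown in the example output above; `build_example_pems(intermediate_expired=False, include_root=True)` with the server name `server.example.com` returns no findings. To check real files, pass the bytes of the certificate and bundle PEM files instead. These checks establish that the files are internally consistent; they say nothing about revocation (CRL/OCSP) or about which chain the server actually presents, so pair them with `openssl s_client -showcerts` against the live endpoint. `openssl verify -CAfile 1bundle.pem 1cert.pem` is a quick second opinion, but remember that it needs the root in the CAfile: a bundle holding only intermediates fails with "unable to get issuer certificate" unless `-partial_chain` is given.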

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.