
We want to use two-way certificate authentication using OpenSSL.

When we open s_server as follows, the client is able to connect to my server:

openssl s_server -accept 12345 -cert our-cert.pem

(our-cert.pem is our certificate.)

This works fine. However, my requirements are:

  1. Verify that the incoming certificate is valid with a trusted CA, and
  2. Verify the common name is what we expect it to be.

I have tried this:

openssl s_server -accept 12345 -cert our-cert.pem -CApath /etc/ssl/certs/

This allows the client to connect. But my questions are:

  1. How can I be sure that it is validating that the incoming SSL certificate is valid and issued by a CA?
  2. How can I validate the Common Name is what I expect?



For the server, you need to add the "-Verify " option to force the client to provide a certificate. The depth is the maximum length of the client certificate chain.

That should take care of question #1.

For #2, I'm not sure there is a way to restrict by Common Name using these OpenSSL commands.

You can see the OpenSSL documentation for the server/client commands here:

s_server

s_client


To test the CA use this:

/usr/local/ssl/bin/openssl s_server -accept 7569 -cert /opt/GCTI/cert/host1_cert.pem -CAfile /opt/GCTI/cert/ca_cert.pem -key /opt/GCTI/cert/host1_priv_key.pem

-cert is the public key file for this host
-key is the private key file for this host
-CAfile is the CA file, needed for self signed certificate
-port is the port number to open up

This will open up a listen port 7569 that will accept TLS connections with the certificate specified.

If the CA is not valid, then the last line will look like this:

Verify return code: 21 (unable to verify the first certificate)

To connect to this server for a full end-to-end test (not really the question asked):

openssl s_client -showcerts -connect host1:7569 -CAfile /opt/GCTI/cert/ca_cert.pem

Replace host1 with your actual host. This will verify the TLS service is valid and running a certificate signed by the same CA.

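The two checks the question asks for (chain validation against a trusted CA, then a Common Name match) are straightforward once you move from the s_server command line into a small program. This is an added example, not code from either answer, using Python's OpenSSL-backed ssl module; the certificate and key paths are assumptions, and the peer-certificate dictionary used at the end is constructed to mirror the shape that SSLSocket.getpeercert() returns.

```python
import socket
import ssl

# Assumed paths: substitute the server certificate, its private key and the
# CA bundle that issued the client certificates you intend to trust.
SERVER_CERT = "/path/to/server-cert.pem"
SERVER_KEY = "/path/to/server-key.pem"
CLIENT_CA = "/path/to/client-ca.pem"


def build_server_context(cert_file, key_file, ca_file):
    """Server-side context for mutual TLS.

    CERT_REQUIRED is the programmatic equivalent of `s_server -Verify <depth>`:
    the handshake fails unless the client presents a certificate that chains to
    a CA in ca_file (question #1). Nothing here trusts the system CA store.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def peer_common_name(peercert):
    """Return the subject CN from a getpeercert() dict, or None if absent.

    getpeercert() only fills in the dict when the chain was validated, so with
    CERT_NONE this always returns None: the CN check cannot replace the CA check.
    """
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def check_common_name(peercert, expected_cn):
    """Question #2: the chain-validated client certificate must carry the expected CN."""
    return peer_common_name(peercert) == expected_cn


def accept_client(ctx, listen_sock, expected_cn):
    """Accept one connection; reject it after the handshake if the CN does not match."""
    conn, _ = listen_sock.accept()
    tls = ctx.wrap_socket(conn, server_side=True)  # raises ssl.SSLError if the CA check fails
    if not check_common_name(tls.getpeercert(), expected_cn):
        tls.close()
        raise PermissionError("client certificate CN is not %r" % expected_cn)
    return tls


# Constructed sample in the exact shape getpeercert() produces for a validated peer.
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example"),),
                (("commonName", "client.example"),)),
}
```

Wire it up with `ctx = build_server_context(SERVER_CERT, SERVER_KEY, CLIENT_CA)` and a bound, listening socket passed to `accept_client(ctx, sock, "client.example")`; a client whose certificate is not signed by CLIENT_CA never gets past wrap_socket, and one with the wrong CN is closed immediately after the handshake.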