[Cryptography] How to get certificates on email server?

Viktor Dukhovni cryptography at dukhovni.org
Tue Apr 19 14:14:30 EDT 2016


On Mon, Apr 18, 2016 at 09:59:54PM +0000, Viktor Dukhovni wrote:

> > $ openssl s_client -starttls smtp -connect hostname:port
> 
> Make that:
> 
>     $ hostport=smtp.example:587 # Season to taste
>     $ (sleep 2; printf "QUIT\r\n") |
> 	openssl s_client -showcerts -starttls smtp -connect $hostport |
> 	openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
> 	openssl pkcs7 -print_certs -text -out chain.pem
> 
> Which dumps the entire chain into "chain.pem".

Forgot to mention one thing, this dumps the certificates sent by
the server, not any chain that may or may not have been constructed
with the aid of those certificates.

To verify that chain:

    $ trusted=trust-anchors.pem		# Root CA certs in one file
    $ untrusted=chain.pem		# Intermediate certs from server
    $ subject=chain.pem			# Leaf cert from server
    $ openssl verify -show_chain -trusted $trusted -untrusted $untrusted $subject

The "-show_chain" option may require a reasonably current OpenSSL
version, and prints the DNs of the verified chain:

    $ openssl verify -show_chain \
	-trusted root-cert.pem \
	-untrusted ca-cert.pem \
	ee-cert.pem
    ee-cert.pem: OK
    Chain:
    depth=0: CN = server.example (untrusted)
    depth=1: CN = CA (untrusted)
    depth=2: CN = Root CA

-- 
	Viktor.
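The two steps in the post (capture what the server sends, then let `openssl verify` build and check a chain from it) as a self-contained shell example. This is added here and is not part of Viktor's post: it builds a throwaway root, intermediate and leaf with openssl in a temporary directory, so it runs offline, and then runs the same `openssl verify -show_chain -trusted ... -untrusted ... subject` command against the split files and against a server-style bundle (leaf first, intermediate second) used as both `-untrusted` and subject, the way chain.pem is used above. It assumes an openssl binary with `-show_chain` (1.1.0 or later); the names Root CA, CA, Other Root and server.example are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a three-level test PKI
# and verifies the leaf the way the post describes. Assumes openssl >= 1.1.0.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles: one for CA certificates, one for the end-entity leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server.example\n' > "$WORK/ee.ext"

# issue CSR OUT CA_CERT CA_KEY EXTFILE: sign a request with the given CA.
issue() {
    openssl x509 -req -in "$1" -out "$2" -CA "$3" -CAkey "$4" -CAcreateserial \
        -days 1 -extfile "$5" >/dev/null 2>&1
}

# Self-signed trust anchor, plus an unrelated root for the negative case.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other Root" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1

# Intermediate CA issued by the root.
openssl req -newkey rsa:2048 -nodes -subj "/CN=CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
issue "$WORK/ca.csr" "$WORK/ca.pem" "$WORK/root.pem" "$WORK/root.key" "$WORK/ca.ext"

# Leaf issued by the intermediate (constructed name server.example).
openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
    -keyout "$WORK/ee.key" -out "$WORK/ee.csr" >/dev/null 2>&1
issue "$WORK/ee.csr" "$WORK/ee.pem" "$WORK/ca.pem" "$WORK/ca.key" "$WORK/ee.ext"

# What a server would send in the TLS handshake: leaf first, then intermediate.
# This is the shape of the post's chain.pem; it contains no trust anchor.
cat "$WORK/ee.pem" "$WORK/ca.pem" > "$WORK/chain.pem"

# verify_chain TRUSTED UNTRUSTED SUBJECT: the post's command. openssl verify
# reads only the first certificate of SUBJECT, so the bundle can serve as both.
verify_chain() {
    openssl verify -show_chain -trusted "$1" -untrusted "$2" "$3"
}

# chain_depth TRUSTED UNTRUSTED SUBJECT: number of certificates in the chain
# openssl constructed (count of "depth=N:" lines printed by -show_chain).
chain_depth() {
    verify_chain "$1" "$2" "$3" 2>/dev/null | grep -c '^depth='
}

# Demonstration: the server-sent bundle verified against the trust anchor.
verify_chain "$WORK/root.pem" "$WORK/chain.pem" "$WORK/chain.pem"
```

Verifying the same bundle against `other.pem` fails, which is the point of the post's distinction: the server hands over candidate certificates, and the chain only exists once `openssl verify` has linked them to a trust anchor you chose.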

