On 9/16/2011 9:02 PM, Harshvir Sidhu wrote:
I already tried this command, but it's not giving any information showing whether it's a root certificate or a client certificate.
- Harshvir
On Fri, Sep 16, 2011 at 1:53 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:

    On 9/16/2011 7:58 PM, Harshvir Sidhu wrote:

        Hi,
          In openssl is there some method using which I can find
        whether the certificate in a file is a Client Certificate or a
        CA/Root Certificate?
        - H S

    Try the following command, and look for the CA property and also see
    if the certificate lists itself or someone else as issuer:

    openssl x509 -in somecert.cer -noout -text >somecert.txt

    (somecert.txt will then contain a nice human readable printout of
    the certificate)

Look for the following three things in somecert.txt:

1. Look at the "Issuer:" and "Subject:" lines.

    If they are identical, this is a self-signed certificate and thus
    either a CA root or a useless test certificate.

    If they are different, this is either an end certificate (client or server)
    or an intermediary CA.

2. Look under "X509v3 extensions:" for "X509v3 Basic Constraints:".

    If it is there and the next line says "CA:TRUE", it is a CA.

    If it is there and the next line says "CA:FALSE", it is
    an end certificate (client or server).

    If it is not there, and the next item below is not there either, it is
    an end certificate (client or server).

3. Look under "X509v3 extensions:" for "X509v3 Key Usage:".

    If it is there and the next line includes the phrase "Certificate Sign",
    it is a CA.

    If it is there and the next line does not include the phrase "Certificate Sign",
    it is an end certificate (client or server).

    If it is not there, and the item above is not there either, it is
    an end certificate (client or server).



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
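
The three checks from the reply above, applied mechanically to the text printout, as an added example that is not part of the original thread. The function names and the sample printouts are constructed for illustration; where Basic Constraints and Key Usage disagree, it reports the conflict rather than picking one.

```python
import re

def field(text, label):
    """Value of a top-level 'Label: value' line such as Issuer or Subject."""
    m = re.search(rf"^\s*{label}:\s*(.+)$", text, re.M)
    return m.group(1).strip() if m else None

def ext_line(text, name):
    """Line printed directly under an 'X509v3 <name>:' header, None if absent."""
    m = re.search(rf"^\s*X509v3 {re.escape(name)}:.*\n\s*(.+)$", text, re.M)
    return m.group(1).strip() if m else None

def classify(text):
    """Apply the three checks to `openssl x509 -noout -text` output."""
    issuer, subject = field(text, "Issuer"), field(text, "Subject")
    self_signed = issuer is not None and issuer == subject    # check 1
    votes = set()
    bc = ext_line(text, "Basic Constraints")                  # check 2
    ku = ext_line(text, "Key Usage")                          # check 3
    if bc is not None:
        votes.add("CA:TRUE" in bc)
    if ku is not None:
        votes.add("Certificate Sign" in ku)
    if len(votes) == 2:
        return "inconsistent: Basic Constraints and Key Usage disagree"
    if votes == {True}:
        return "root CA" if self_signed else "intermediate CA"
    # Both extensions absent, or every one that is present says "not a CA".
    return "self-signed non-CA (test) certificate" if self_signed else "end certificate"

def printout(issuer, subject, *exts):
    """Constructed sample in the layout of the -text printout (not a real cert)."""
    lines = ["Certificate:", "    Data:", f"        Issuer: {issuer}",
             f"        Subject: {subject}", "        X509v3 extensions:"]
    for header, value in exts:
        lines += [f"            X509v3 {header}", f"                {value}"]
    return "\n".join(lines) + "\n"

# Constructed sample printouts; names are placeholders.
BC_CA, KU_CA = ("Basic Constraints: critical", "CA:TRUE"), ("Key Usage: critical", "Certificate Sign, CRL Sign")
ROOT = printout("CN=Example Root", "CN=Example Root", BC_CA, KU_CA)
INTERMEDIATE = printout("CN=Example Root", "CN=Example Sub CA", BC_CA, KU_CA)
CLIENT = printout("CN=Example Sub CA", "CN=alice", ("Extended Key Usage:", "TLS Web Client Authentication"))
CONFLICT = printout("CN=Example Sub CA", "CN=odd", ("Basic Constraints:", "CA:FALSE"), KU_CA)

if __name__ == "__main__":
    for name in ("ROOT", "INTERMEDIATE", "CLIENT", "CONFLICT"):
        print(f"{name}: {classify(globals()[name])}")
```

To use it on a real file, pass the contents of somecert.txt to classify(). Note that "X509v3 Extended Key Usage:" is a different extension and is deliberately not matched by the Key Usage check.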
