Table of Contents
- Overview
- Checking Certificates
- Certificate Serial Number & Fingerprint
- Importing Missing Certificates
Overview
This article describes how to check if the correct root certificate is installed, the certificate serial number and fingerprint, and how to import missing certificates.
Depending on the age of the distribution, the correct root certificate could already be installed pending regular updates; however, it is possible to manually check that the correct certificates are installed utilising OpenSSL and cURL.
Please note, the certificate installation displayed below is used as an example. Please review this article for information on our current live root certificate.
Checking Certificates
You can check if the correct root certificate is installed by querying our platform using the following cURL command: curl --verbose https://live.cardeasexml.com/pingdom. If the connection is successful and verified by the root certificate, you will see output like the entry below. Please note the line * SSL certificate verify ok.
curl --verbose https://live.cardeasexml.com/pingdom
* Trying xx.xx.xx.xx...
* TCP_NODELAY set
* Connected to live.cardeasexml.com (xx.xx.xx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=GB; L=Bristol; O=Creditcall Ltd; OU=Infrastructure; CN=live.cardeasexml.com
* start date: Aug 15 00:00:00 2018 GMT
* expire date: Aug 14 12:00:00 2020 GMT
* subjectAltName: host "live.cardeasexml.com" matched cert's "live.cardeasexml.com"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=Thawte TLS RSA CA G1
* SSL certificate verify ok.
> GET /ultradns.php HTTP/1.1
> Host: live.cardeasexml.com
> User-Agent: curl/7.61.0
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Content-Type: text/html
< Cache-Control: no-cache, no-store, must-revalidate
< Pragma: no-cache
< Expires: 0
< Connection: close
< Content-Length: 7
<
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
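To make this check repeatable rather than relying on reading the transcript by eye, the following Python script (an added example, not Creditcall's own code) parses a captured curl --verbose transcript and flags the points the article asks you to confirm: the "SSL certificate verify ok." line, the hostname match against subjectAltName, the expected issuer CN and the expiry date. The sample transcript is constructed from the output above and trimmed to the lines the checker reads; the run_curl_check helper, which runs curl itself, and the use of "Thawte TLS RSA CA G1" as the expected issuer are assumptions for the illustration, so replace the expected issuer with that of your current live root certificate.

```python
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample: the verbose curl transcript from the article, trimmed to the
# lines the checker reads (a real run also prints the full handshake and HTTP headers).
SAMPLE_CURL_VERBOSE = """\
* Connected to live.cardeasexml.com (xx.xx.xx.xx) port 443 (#0)
* SSL connection using TLSv1.2 / AES256-GCM-SHA384
* Server certificate:
*  subject: C=GB; L=Bristol; O=Creditcall Ltd; OU=Infrastructure; CN=live.cardeasexml.com
*  start date: Aug 15 00:00:00 2018 GMT
*  expire date: Aug 14 12:00:00 2020 GMT
*  subjectAltName: host "live.cardeasexml.com" matched cert's "live.cardeasexml.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=Thawte TLS RSA CA G1
*  SSL certificate verify ok.
< HTTP/1.0 200 OK
"""

# curl prints certificate fields as "*  name: value" lines; these are the ones we keep.
_FIELD = re.compile(r"^\*\s+(subject|issuer|start date|expire date):\s*(.+)$", re.M)
_DATE_FMT = "%b %d %H:%M:%S %Y GMT"   # curl's date layout, e.g. "Aug 14 12:00:00 2020 GMT"


def parse_curl_verbose(text: str) -> dict:
    """Extract verification status, names and validity dates from curl --verbose output."""
    fields = {key: value.strip() for key, value in _FIELD.findall(text)}
    result = {
        "verified": "SSL certificate verify ok." in text,
        "san_matched": bool(re.search(r'subjectAltName: host ".+" matched', text)),
        "subject": fields.get("subject"),
        "issuer": fields.get("issuer"),
        "not_before": None,
        "not_after": None,
    }
    for key, name in (("start date", "not_before"), ("expire date", "not_after")):
        if key in fields:
            result[name] = datetime.strptime(fields[key], _DATE_FMT).replace(tzinfo=timezone.utc)
    return result


def issuer_cn(issuer: str) -> str:
    """Pull the CN component out of an issuer line such as 'C=US; O=...; CN=Thawte TLS RSA CA G1'."""
    match = re.search(r"CN=([^;]+)", issuer or "")
    return match.group(1).strip() if match else ""


def assess(parsed: dict, expected_issuer_cn: str, now=None) -> list:
    """Return the list of problems found; an empty list means the check passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not parsed["verified"]:
        problems.append("curl did not report 'SSL certificate verify ok.' (root missing or untrusted?)")
    if not parsed["san_matched"]:
        problems.append("hostname did not match the certificate's subjectAltName")
    if issuer_cn(parsed["issuer"]) != expected_issuer_cn:
        problems.append(f"unexpected issuer: {parsed['issuer']}")
    if parsed["not_after"] and parsed["not_after"] < now:
        problems.append(f"certificate expired on {parsed['not_after']:%Y-%m-%d}")
    return problems


def run_curl_check(url: str, expected_issuer_cn: str) -> list:
    """Live variant (assumed helper): run curl and assess its stderr; curl exits 60 on a verify failure."""
    proc = subprocess.run(["curl", "--verbose", "--silent", "--output", "/dev/null", url],
                          capture_output=True, text=True)
    problems = assess(parse_curl_verbose(proc.stderr), expected_issuer_cn)
    if proc.returncode != 0:
        problems.append(f"curl exit status {proc.returncode}")
    return problems


if __name__ == "__main__":
    for problem in assess(parse_curl_verbose(SAMPLE_CURL_VERBOSE), "Thawte TLS RSA CA G1"):
        print("PROBLEM:", problem)
```

Run against the sample transcript today the script reports only that the example certificate expired in August 2020, which is exactly why the article points you at the current live root certificate rather than the one shown.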
Certificate Serial Number & Fingerprint
It is important to check the serial number and fingerprint of each certificate before installation. You can verify the serial number and fingerprint of a certificate using OpenSSL by running the following command, which returns the serial number and SHA1 fingerprint: openssl x509 -noout -serial -fingerprint -sha1 -inform der -in RootCertificateHere.crt
Below is an example run against the DigiCertGlobalRootG2 certificate file:
$ openssl x509 -noout -serial -fingerprint -sha1 -inform der -in DigiCertGlobalRootG2.crt
serial=033AF1E6A711A9A0BB2864B11D09FAE5
SHA1 Fingerprint=DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4
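The command above prints the two values to compare by hand; the following Python script (an added example, not from the article or Creditcall) computes the same serial and SHA-1 fingerprint from a DER or PEM file using only the standard library, so a deployment script can refuse to copy a certificate into a trust store unless both values match the published ones. The certificate bytes embedded in it are a constructed, minimal DER skeleton carrying only the fields the parser reads (it is not a valid certificate), and the sample serial values and the function names are assumptions.

```python
import base64
import hashlib
import sys


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(length_bytes)]) + length_bytes
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, value bytes, offset of the next TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def to_der(data: bytes) -> bytes:
    """Accept PEM or DER input and return DER, the form 'openssl x509 -inform der' reads."""
    if b"-----BEGIN" in data:
        body = b"".join(line for line in data.splitlines() if not line.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def serial_number(der: bytes) -> str:
    """Serial as OpenSSL prints it: upper-case hex, even digit count, no DER sign-pad byte."""
    _, cert_body, _ = _read_tlv(der, 0)       # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _read_tlv(cert_body, 0)       # TBSCertificate ::= SEQUENCE { [0] version, serialNumber, ... }
    tag, value, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:                           # the optional EXPLICIT [0] version precedes the serial
        tag, value, _ = _read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found where expected")
    hexstr = "%X" % int.from_bytes(value, "big")   # drops a leading 0x00 pad, as OpenSSL does
    return hexstr if len(hexstr) % 2 == 0 else "0" + hexstr


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the complete DER encoding, colon-separated like 'openssl x509 -fingerprint -sha1'."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(der: bytes, expected_serial: str, expected_fingerprint: str) -> bool:
    """True only if both published values agree; case and colons are normalised first."""
    want_fp = expected_fingerprint.replace(":", "").upper()
    return (serial_number(der) == expected_serial.upper()
            and sha1_fingerprint(der).replace(":", "") == want_fp)


def _sample_cert(serial: bytes) -> bytes:
    """Constructed DER skeleton with the fields the parser reads; not a valid certificate."""
    version = _der(0xA0, _der(0x02, b"\x02"))                                  # [0] { INTEGER 2 } = v3
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))      # sha256WithRSAEncryption OID
    tbs = _der(0x30, version + _der(0x02, serial) + sig_alg)
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00"))


SAMPLE_DER = _sample_cert(bytes.fromhex("0A1B2C3D4E5F60718293"))
# A serial whose first byte has the high bit set is stored with a 0x00 pad so the INTEGER stays positive.
SAMPLE_DER_PADDED = _sample_cert(bytes.fromhex("00A1B2C3D4"))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Usage: python check_cert.py RootCertificateHere.crt [EXPECTED_SERIAL EXPECTED_SHA1]
    der = to_der(open(sys.argv[1], "rb").read())
    print("serial=" + serial_number(der))
    print("SHA1 Fingerprint=" + sha1_fingerprint(der))
    if len(sys.argv) == 4:
        sys.exit(0 if matches(der, sys.argv[2], sys.argv[3]) else 1)
```

The fingerprint is a hash of the whole DER encoding, so a PEM file yields the same value once its base64 body is decoded, and a single changed byte anywhere in the certificate produces a different fingerprint; the serial alone is not enough because two differently-issued certificates can share one.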
Importing Missing Certificates
Upon installation, Mono will attempt to copy any certificates found in the system's certificate store to Mono's certificate store. It is important to note that this article assumes the host operating system's certificate bundle/store is up to date and contains the latest CA roots. Running the following two commands will copy the certificates from the Mono application's certificate store into the user's Trust certificate store.
certmgr -list -c Trust
cp -R /usr/share/.mono/certs/Trust/* ~/.config/.mono/certs/Trust/
The first command lists the existing certificates in the user's Mono Trust store. There will be none initially, but the useful side effect is that it creates the directory for that store. The second command is a simple copy of the certificate files.
In this context, the 'user' is the account under which the ChipDNA Server is run. That account's Trust certificate store for Mono is the directory ~/.config/.mono/certs/Trust, and this is where ChipDNA Server looks for certificates to use. You need to add the certificates to this directory, as Mono will not put them there automatically.