List all available ssl ca certificates

My git client claims

error: Peer's Certificate issuer is not recognized.

That means it cannot find the corresponding ssl server key in the global system keyring. I want to check this by looking at the list of all system-wide available ssl keys on a Gentoo Linux system. How can I get this list?

Answers:


Method 1

It’s not SSL keys you want, it’s certificate authorities, and more precisely their certificates.

You could try:

awk -v cmd='openssl x509 -noout -subject' '
    /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt

To get the “subject” of every CA certificate in /etc/ssl/certs/ca-certificates.crt.

Beware that sometimes, you get that error when SSL servers forget to provide the intermediate certificates.

Use openssl s_client -showcerts -connect the-git-server:443 to get the list of certificates being sent.

Method 2

Not sure about Gentoo, but most distros put soft-links to their certificates in the system-wide location /etc/ssl/certs.

  • Key files go into /etc/ssl/private
  • System-provided actual files are located at /usr/share/ca-certificates
  • Custom certificates go into /usr/local/share/ca-certificates

Whenever you put a certificate in one of the above mentioned paths, run update-ca-certificates to update /etc/ssl/certs lists.

Method 3

I had a requirement to list all the certs on our server and notify if they are due to expire. We came up with this command:

locate .pem | grep ".pem$" | xargs -I{} openssl x509 -issuer -enddate -noout -in {}
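Added example (not code from any of the answers above) that combines Method 1 and Method 3: it splits a PEM bundle such as /etc/ssl/certs/ca-certificates.crt into individual certificates and prints subject and expiry for each, flagging certificates that are expired or expire within a warning window. It assumes openssl is in PATH; the bundle path and the 30-day window are assumptions.

```shell
#!/bin/bash
# Print "STATUS|notAfter|subject" for every certificate in bundle $1.
# $2 is the warning window in days (assumed default: 30).
list_ca_certs() {
    local bundle=$1 warn_days=${2:-30} cert="" line
    local warn_secs=$((warn_days * 86400))
    while IFS= read -r line; do
        case $line in
            *"BEGIN CERTIFICATE"*) cert=$line ;;
            *"END CERTIFICATE"*)
                cert+=$'\n'$line
                report_cert "$cert" "$warn_secs"
                cert="" ;;
            *) if [ -n "$cert" ]; then cert+=$'\n'$line; fi ;;
        esac
    done < "$bundle"
}

# Evaluate one PEM certificate (passed as a string) and print one line.
# -checkend N exits 0 when the certificate is still valid N seconds from now.
report_cert() {
    local pem=$1 warn_secs=$2 subject enddate status
    subject=$(printf '%s\n' "$pem" |
        openssl x509 -noout -subject -nameopt RFC2253) || return 1
    enddate=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate)
    enddate=${enddate#notAfter=}
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null; then
        if printf '%s\n' "$pem" | openssl x509 -noout -checkend "$warn_secs" >/dev/null; then
            status=OK
        else
            status=EXPIRING
        fi
    else
        status=EXPIRED
    fi
    subject=${subject#subject=}
    printf '%s|%s|%s\n' "$status" "$enddate" "${subject# }"
}

# Count certificates in a bundle without openssl, as a sanity check
# (one "BEGIN CERTIFICATE" marker per certificate).
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Stand-alone usage: list the system bundle, show only problem entries.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    list_ca_certs "${1:-/etc/ssl/certs/ca-certificates.crt}" 30 | grep -v '^OK|'
fi
```

Run it without arguments to scan the system bundle; pipe the full output through sort -u to see duplicate subjects the way the awk one-liner in Method 1 would.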

Method 4

A quick way to list all currently trusted CA certificates by openssl (with Ubuntu default directories):

find /etc/ssl/certs -type l -iname "*.0" -exec cat "{}" \; | awk -v cmd='openssl x509 -noout -subject -enddate 2>/dev/null | tr "\n" " " ; echo' '/BEGIN/{cert=""};{cert=sprintf("%s\n%s",cert,$0)};/END/{print cert | cmd ;close(cmd)}' | sed -r 's:^subject=::' | sort -u

Method 5

openssl and pure bash way

Even though Stéphane Chazelas’s answer works fine and is efficient, I would like to post this script, which gives nearly the same result but doesn’t use awk:

#!/bin/bash
# Read-back channel for openssl's output
exec {sslout}<> <(:)
cnt=1
while read -u $certs line; do
    [ "$line" ] && case $line in 
        *BEGIN*)
            # New certificate: start an openssl process fed from fd $ssl
            exec {ssl}> >(openssl x509 -noout -subject >&${sslout})
            echo "$line" 1>&$ssl
        ;;
        *END*)
            echo "$line" 1>&$ssl
            exec {ssl}>&-
            read -u $sslout subject
            printf "%03d  %s\n" $((cnt++)) "${subject#subject=}"
        ;;
        *)
            echo "$line" 1>&$ssl
        ;;
    esac;
done {certs}< /etc/ssl/certs/ca-certificates.crt
exec {certs}>&- {sslout}>&-

One step further

Searching for certs in all dirs mentioned by SHW’s answer, sorting by hashes and count:

#!/bin/bash

exec {sslout}<> <(:)
cnt=0
hashed=()
while read -u $certs line; do
    [ "$line" ] && case $line in 
        *BEGIN*)
            exec {ssl}> >(openssl x509 -noout -hash -subject >&${sslout})
            echo "$line" 1>&$ssl
        ;;
        *END*)
            echo "$line" 1>&$ssl
            exec {ssl}>&-
            read -u $sslout hash
            read -u $sslout subject
            ((cnt++))
            # Index by the numeric value of the subject hash; tab-separate subjects
            hashed[16#$hash]+="${subject#subject=}"$'\t'
        ;;
        *)
            echo "$line" 1>&$ssl
        ;;
    esac
done {certs}< <(find /etc/ssl/certs /usr/{local/,}share/ca-certificates \
                    -type f -exec cat {} +)
exec {certs}>&- {sslout}>&-
echo "$cnt certs read, ${#hashed[@]} different hashes."
for i in ${!hashed[@]};do
    IFS=$'\t' read -a subj <<<"${hashed[i]}"
    printf "%8x  %s\n" $i "$subj"
    # Print the remaining subjects that share this hash, if any
    ((${#subj[@]}>1)) && printf "          %s\n" "${subj[@]:1}"
done

may output something like:

    256 certs read, 128 different hashes.
 3179a64  C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden EV Root CA
          C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden EV Root CA
 62cdee6  OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
          OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
 64e0aa9  C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3
          C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3
...

Method 6

Another one is this one:

openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt | openssl pkcs7 -print_certs -noout | grep subject

Method 7

find on .crt or .key files should also work:

find / -type f -name '*.key'
find / -type f -name '*.crt'


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
