On Monday, 5 March 2018 14:25:40 GMT Adam Carter wrote:
> On Monday, March 5, 2018, Walter Dnes <waltdnes@××××××××.org> wrote:
> > app-misc/ca-certificates splatters a bunch of files all over the
> > place. Question... is there a utility to figure out which domains any
> > particular certificate covers

I assume you mean:

"... which domains any particular *CA* certificate covers"?

If yes,

> A ca certificate may sign any domain cert, and new domains can be signed at
> any time.
>
> So any certificate is only as trusted as the least trustworthy ca in your
> certificate store.... some people call this a dumpster fire. Certificate
> transparency (logs of who issued what) helps reduce the risk of a dodgy ca
> issuing a certificate they shouldn’t have without being noticed.

If no, what you wrote is exactly what you meant to ask,

> You can go the other way, and see which ca was used to sign any cert that a
> server presents, as that info is included in the cert presented by the
> server.

In this case, to examine the DN of the CA which signed a server certificate
you need:

openssl x509 -in server.pem -issuer -noout

--
Regards,
Mick
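Mick's one-liner prints the issuer; Walter's original question was which domains a certificate covers, which for a server certificate is the subjectAltName list. As an added example that is not from this thread, the following POSIX shell script builds a constructed self-signed certificate and uses the openssl CLI to print both the issuer DN and the SAN DNS names; the function names and file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the list thread): inspect which DNS names a server
# certificate covers and which CA issued it, using only the openssl CLI.
# The certificate created below is a constructed self-signed sample; with a
# real server cert, point the functions at that PEM file instead.

# Print the issuer DN of a certificate (the CA that signed it).
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# Print the DNS names from the subjectAltName extension, one per line.
# Clients match hostnames against SAN entries, not the CN, so this is the
# list of domains the certificate actually covers.
cert_domains() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | grep -o 'DNS:[^,[:space:]]*' \
        | sed 's/^DNS://'
}

# Return 0 if the host appears in the certificate's SAN list (exact match
# only; wildcard entries such as *.example.test are not expanded here).
cert_covers() {
    cert_domains "$1" | grep -qx "$2"
}

# Create a constructed self-signed sample certificate at path $1 (key at $1.key).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.test/O=Sample Org" \
        -addext "subjectAltName=DNS:example.test,DNS:www.example.test" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo run on the constructed sample.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/sample.pem"
echo "issuer:  $(cert_issuer "$demo_dir/sample.pem")"
echo "domains:"
cert_domains "$demo_dir/sample.pem" | sed 's/^/  /'
rm -rf "$demo_dir"
```

Requires OpenSSL 1.1.1 or later for the `-ext` and `-addext` options.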