Finding and verifying X509 Certificate chains

03-11-2023




Section 1 - Explanation of Certificate Chains:

  Have you ever been given a certificate (end-entity/server certificate) and wondered how you can assemble its certificate chain? Maybe you are wondering how to find its CA certificates/issuers too.

In short, a certificate chain is a list of certificates that starts with the end-entity certificate (also called the leaf or server certificate) and ends with the Root CA certificate. Between the end-entity and Root CA certificates there are usually CA certificates called Intermediate CA certificates. The certificate chain enables one to verify that the end-entity and all its CAs can be trusted. The end-entity certificate, first in the chain, is issued by the CA below it, that CA was issued by the CA below it, and so on.

Say we have an end-entity certificate with the following fields.

====End-entity Certificate====
Subject: example.com
Issuer: My Intermediate CA

This means that there's a CA out there called "My Intermediate CA". I will explain how one can find this certificate later in the article. In the chain, the next certificate should be that particular intermediate.

====End-entity Certificate====
Subject: example.com
Issuer: My Intermediate CA

====Intermediate CA Certificate====
Subject: My Intermediate CA
Issuer: My Root CA

As you can see, the Intermediate CA certificate's subject is the same as the end-entity's issuer, and the issuer of the Intermediate CA certificate is the Root CA, which is next up.

This is the completed certificate chain of authority for this example.

====End-entity Certificate====
Subject: example.com
Issuer: My Intermediate CA

====Intermediate CA Certificate====
Subject: My Intermediate CA
Issuer: My Root CA

====Root CA Certificate====
Subject: My Root CA
Issuer: My Root CA


The Root CA is a self-signed certificate, which is why the subject/issuer are the same. Remember that the Root is always on the bottom of the certificate chain file.

Section 2 - Putting together the chain and finding CA certificates:

This next section shows how to find the CA certificate when you have been given only the end-entity/server certificate.

I have created a Python script (linked here) that decodes a given certificate. It looks at specific fields in the certificate for clues to where the issuer may be.

Usage:
cafinder.py -c mycertificate.pem


Note: If you don't want to use the cafinder.py script, you can use openssl (openssl x509 -in cert.pem -noout -text)

The script looks for these fields in the certificate. I will explain why these fields are important.

1) The Subject: shows the subject of the certificate, so you can make sure you have supplied the right certificate.
2) The Issuer: shows the name of the issuing CA. The issuing CA's certificate should have this name as its Subject.
3) X509v3 Subject Key Identifier: This is a SHA-1 hash of the end-entity's public key.
4) X509v3 Authority Key Identifier: This is a SHA-1 hash of the CA issuer's public key.
5) Authority Information Access, CA Issuers: This can contain a location (often a URL) where you can find the issuer CA certificate.

Knowing this information, let's perform a test. Say I have an end-entity certificate. I run it through the Python script and get this output.

> python3 cafinder.py -c mycertificate.pem

Subject:
Issuer:
Subject Key Identifier: 3BDFDA903487096AAF319AF9074D0D6B51D15085
Authority Key Identifier: 8A747FAF85CDEE95CD3D9CD0E24614F371351D27
CA Issuers: http://pki.goog/repo/certs/gts1c3.der

Knowing this, I can just go to that URL to find the DER encoded CA issuer.

> wget http://pki.goog/repo/certs/gts1c3.der

> python3 cafinder.py -c gts1c3.der

Subject:
Issuer:
Subject Key Identifier: 8A747FAF85CDEE95CD3D9CD0E24614F371351D27
Authority Key Identifier: E4AF2B26711A2B4827852F52662CEFF08913713E
CA Issuers: http://pki.goog/repo/certs/gtsr1.der

And look at that, the Subject Key Identifier matches the Authority Key Identifier of the end-entity certificate. The Subject of the Intermediate has the same name as the Issuer on the end-entity as well.

You can repeat the process for however many issuers there are until you reach the root. Once you get all the issuers, you can put together the chain and verify the chain.
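The AKI-to-SKI matching described above can be automated once each certificate's fields have been collected. This is an added example, not part of cafinder.py or the original post: it orders field reports into a chain and says where to look when an issuer is missing; the `file:` label and the root record are assumptions constructed for illustration.

```python
# Constructed sample: the two reports shown on this page, pasted out of order,
# plus a made-up self-signed root record (its AKI equals its own SKI).
REPORTS = """\
file: gts1c3.der
Subject Key Identifier: 8A747FAF85CDEE95CD3D9CD0E24614F371351D27
Authority Key Identifier: E4AF2B26711A2B4827852F52662CEFF08913713E
CA Issuers: http://pki.goog/repo/certs/gtsr1.der

file: root.pem
Subject Key Identifier: E4AF2B26711A2B4827852F52662CEFF08913713E
Authority Key Identifier: E4AF2B26711A2B4827852F52662CEFF08913713E

file: mycertificate.pem
Subject Key Identifier: 3BDFDA903487096AAF319AF9074D0D6B51D15085
Authority Key Identifier: 8A747FAF85CDEE95CD3D9CD0E24614F371351D27
CA Issuers: http://pki.goog/repo/certs/gts1c3.der
"""

def parse_reports(text):
    """Turn blank-line-separated 'Field: value' blocks into dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        f = dict(ln.split(": ", 1) for ln in block.splitlines() if ": " in ln)
        records.append({"file": f.get("file"), "aia": f.get("CA Issuers"),
                        "ski": f.get("Subject Key Identifier", "").upper(),
                        "aki": f.get("Authority Key Identifier", "").upper()})
    return records

def order_chain(records, leaf_file):
    """Follow AKI -> SKI links from the leaf; return (chain, where_to_look)."""
    by_ski = {r["ski"]: r for r in records if r["ski"]}
    current = next(r for r in records if r["file"] == leaf_file)
    chain, seen = [], set()
    while True:
        chain.append(current["file"])
        seen.add(current["ski"])
        # A root is self-signed: no AKI, or an AKI naming its own key.
        if not current["aki"] or current["aki"] == current["ski"]:
            return chain, None
        issuer = by_ski.get(current["aki"])
        if issuer is None or issuer["ski"] in seen:
            # Issuer not supplied (or a loop): point at the AIA URL or the AKI.
            return chain, current["aia"] or "AKI " + current["aki"]
        current = issuer

if __name__ == "__main__":
    print(order_chain(parse_reports(REPORTS), "mycertificate.pem"))
```

Matching key identifiers only locates a candidate issuer; the signature check performed by openssl verify is what confirms it. A certificate downloaded from a CA Issuers URL over plain HTTP is unauthenticated, so compare the root you end up with against one from a trust store you already rely on.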

Make sure all the certificates are in PEM format (ASCII). Here is how you can convert DER to PEM.

openssl x509 -inform der -in intermediate.der -out intermediate.pem

Create a file, like certificatechain.pem. Then, starting with the first intermediate CA, put the certificates in the file except for the end-entity/server certificate. It should look like:

-----BEGIN CERTIFICATE-----
<Base64-encoded Intermediate CA certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Base64-encoded Root CA certificate>
-----END CERTIFICATE-----

Then run this command.

openssl verify -CAfile certificatechain.pem mycertificate.pem

If everything looks good, it gives an OK.

mycertificate.pem: OK

If you have the wrong chain, you might see an error:

error 20 at 0 depth lookup: unable to get local issuer certificate
error certifcate.pem: verification failed

You might ask "What if the CA Issuers field is not present? Where can I find the CA certificate?"

This part can be tricky, especially if the end-entity certificate was issued by a private issuer. But here is a checklist of things to do to find it.

-Google the name of the Issuer. Many times this will show the CA repository where the CA keeps its CA certificates.

-You can use the website crt.sh to search for the name of the issuer. It allows you to search through the certificate transparency logs if the certificate is a public certificate. Try searching the Common Name (CN=).

-If your end-entity certificate was issued by a Private Certificate Authority (maybe operated by your organization), it is most likely not on the internet anywhere, so messaging your friends or looking in your organization's repositories may help.

-Remember to double check that you have the right CA certificate by looking at the Subject Key Identifier/Authority Key Identifier and running the openssl verify command.