[gnutls-help] Issue using certtool

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Nov 29 15:34:29 CET 2016


On Mon, Nov 28, 2016 at 2:19 PM, <Patrick.Ouellet at promutuel.ca> wrote:

> I know this is quite an easy question for veterans of GNU TLS,
> but I'm really used to openssl and a week ago I didn't know there was an
> alternative to openssl.
>
> So I'm trying to build an ldap proxy using openldap. The proxy works fine
> until I try to add TLS to it.
>
> The only error I could gather is this one.
>
> main: TLS init def ctx failed: -1
>
> That's when I realized Ubuntu compiles openldap with gnutls, not with
> openssl, so I wanted to verify my certificates
> to be sure gnutls can read and understand them.
>
> I just need help verifying my certificate using certtool.
>
> I have been able to verify my CA cert.
>
> At first it didn't work:
>
> certtool -e --infile certificate_chain.cer.pem
>
> Loaded 2 certificates, 1 CAs and 0 CRLs
>
>         Subject: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
>
>         Issuer: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
>
>         Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.
>
> Chain verification output: Not verified. The certificate is NOT trusted.
> The certificate issuer is unknown.
>
> Then I read somewhere, don't ask me where, that gnutls needs the
> certificates in the reverse order from openssl, so
> I inverted the certificate order in the certificate_chain.cer.pem and it
> worked:
>

Note that certtool requires a sorted (starting from the end-certificate to
root CA) chain. That is the chain order expected by the TLS protocol (and
that's the chain you should set up at your server). Note that newer versions
of gnutls will sort such lists as long as the end certificate is still
first.


> certtool -e --infile certificate_chain.cer.pem.gnutls
>
> Loaded 2 certificates, 1 CAs and 0 CRLs
>
>         Subject: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
>
>         Issuer: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
>
>         Checked against: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
>
>         Output: Verified. The certificate is trusted.
>
> Chain verification output: Verified. The certificate is trusted.
>
> But when I try to verify my server certificate, no matter what I do I was
> unable to get an "Output: Verified. The certificate is trusted."
>

That means that the verification chain is correct (each certificate
validates the one before that). It does not check if the intended hostname
matches, or the certificate purpose is ok. To do that you need to use (in a
recent gnutls version):

$ certtool -e --infile chain.pem --verify-hostname localhost --verify-purpose 1.3.6.1.5.5.7.3.1

(the purpose 1.3.6.1.5.5.7.3.1 is for server TLS certificate)

regards,
Nikos
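The two points in the reply (chain order, and `-e` checking only the chain unless `--verify-hostname` and `--verify-purpose` are given) can be reproduced end to end with a throwaway CA. The script below is an added example, not from the thread or the gnutls project; it assumes certtool is on the PATH, and every name, template and file in it is constructed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: build a throwaway
# Root CA -> Intermediate CA -> server chain with certtool and show what
# "certtool -e" accepts. Names are constructed; certtool is assumed on PATH.
set -eu

# issue NAME TEMPLATE [ISSUER]: RSA key plus certificate, self-signed if no issuer.
issue() {
    certtool --generate-privkey --bits 2048 --outfile "$1.key" >/dev/null 2>&1
    if [ -z "${3:-}" ]; then
        certtool --generate-self-signed --load-privkey "$1.key" --hash sha256 \
            --template "$2" --outfile "$1.pem" >/dev/null 2>&1
    else
        certtool --generate-certificate --load-privkey "$1.key" --hash sha256 \
            --load-ca-certificate "$3.pem" --load-ca-privkey "$3.key" \
            --template "$2" --outfile "$1.pem" >/dev/null 2>&1
    fi
}

# build_demo_chain DIR: writes chain-ok.pem (end certificate first, root
# last: the order TLS sends) and chain-reversed.pem (root first, as the OP had).
build_demo_chain() (
    cd "$1"
    printf 'cn = "Demo Root CA"\nca\ncert_signing_key\nexpiration_days = 30\n' > root.tmpl
    printf 'cn = "Demo Intermediate CA"\nca\ncert_signing_key\nexpiration_days = 30\n' > int.tmpl
    printf 'cn = "localhost"\ndns_name = "localhost"\ntls_www_server\nsigning_key\nencryption_key\nexpiration_days = 30\n' > srv.tmpl
    issue root root.tmpl
    issue int int.tmpl root
    issue srv srv.tmpl int
    cat srv.pem int.pem root.pem > chain-ok.pem
    cat root.pem int.pem srv.pem > chain-reversed.pem
)

# verify_chain FILE HOSTNAME: -e plus the hostname and serverAuth purpose checks
# the reply recommends. Exit status 0 only if everything verifies.
verify_chain() {
    certtool -e --infile "$1" --verify-hostname "$2" \
        --verify-purpose 1.3.6.1.5.5.7.3.1 >/dev/null 2>&1
}

if command -v certtool >/dev/null 2>&1; then
    DEMO=$(mktemp -d)
    build_demo_chain "$DEMO"
    for c in "chain-ok.pem localhost" "chain-reversed.pem localhost" "chain-ok.pem other.test"; do
        set -- $c
        if verify_chain "$DEMO/$1" "$2"; then echo "$1 with hostname $2: verified"
        else echo "$1 with hostname $2: NOT verified"; fi
    done
    rm -rf "$DEMO"
fi
```

Only the first case verifies: the reversed chain fails on chain order, and the correctly ordered chain still fails when the hostname does not match the server certificate.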

