Validating certificate chain  |  Apigee Edge  |  Apigee Docs (2024)


This document explains how to validate a certificate chain before you upload the certificate to a keystore or a truststore in Apigee Edge. The process relies on the OpenSSL toolkit to validate the certificate chain and works in any environment where OpenSSL is available.

Before you begin

Before you use the steps in this document, be sure you understand the following topics:

  • If you aren’t familiar with a certificate chain, read Chain of trust.
  • If you aren’t familiar with the OpenSSL library, read OpenSSL.
  • If you want to use the command-line examples in this guide, install or update to the latest version of OpenSSL client.
  • Ensure the certificates are in PEM format. If the certificates are not in PEM format, use the instructions in Converting certificates to supported format to convert them into PEM format.

Validating the certificate subject and issuer for the complete chain

To validate the certificate chain using OpenSSL commands, complete the steps described in the following sections:

  • Splitting the certificate chain
  • Verifying the certificate subject and issuer
  • Verifying the certificate subject and issuer hash
  • Verifying the certificate expiry

Splitting the certificate chain

Before validating the certificate, you need to split the certificate chain into separate certificates using the following steps:

  1. Log in to the server where the OpenSSL client is installed.
  2. Split the certificate chain into the following certificates (if not already done):
     • Entity certificate: entity.pem
     • Intermediate certificate: intermediate.pem
     • Root certificate: root.pem

The following figure shows an example certificate chain:

[Figure: example certificate chain, entity certificate signed by the intermediate certificate, intermediate certificate signed by the root certificate]

Verifying the certificate subject and issuer

This section describes how to get the subject and issuer of the certificates and verify that you have a valid certificate chain.

  1. Run the following OpenSSL command to get the Subject and Issuer for each certificate in the chain from entity to root and verify that they form a proper certificate chain:
    openssl x509 -text -in certificate | grep -E '(Subject|Issuer):' 

    Where certificate is the name of the certificate.

  2. Verify that the certificates in the chain adhere to the following guidelines:
    • The Subject of each certificate matches the Issuer of the preceding certificate in the chain (the entity certificate has no preceding certificate, so this does not apply to it).
    • The Subject and Issuer are the same for the root certificate.

    If the certificates in the chain adhere to these guidelines, the chain is well-formed and complete. Note that matching names only show that the certificates are ordered correctly; they do not prove that each certificate was actually signed by the key of the certificate above it. To confirm the signatures as well, run the openssl verify command against the entity certificate with the root as the trusted CA and the intermediate as an untrusted certificate.

    Sample certificate chain validation

    The following example is the output of the OpenSSL commands for a sample certificate chain containing three certificates:

    Entity certificate

    openssl x509 -text -in entity.pem | grep -E '(Subject|Issuer):'
    Issuer: C = US, O = Google Trust Services, CN = GTS CA 1O1
    Subject: C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.enterprise.apigee.com

    Intermediate certificate

    openssl x509 -text -in intermediate.pem | grep -E '(Subject|Issuer):'
    Issuer: OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
    Subject: C = US, O = Google Trust Services, CN = GTS CA 1O1

    Root certificate

    openssl x509 -text -in root.pem | grep -E '(Subject|Issuer):'
    Issuer: OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
    Subject: OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign

    In the example shown above, notice the following:

    • The Subject of the intermediate certificate matches the Issuer of the entity certificate.
    • The Subject of the root certificate matches the Issuer of the intermediate certificate.
    • The Subject and Issuer are the same in the root certificate.

    From the example above, you can confirm that the sample certificate chain is valid.

Verifying the certificate subject and issuer hash

This section explains how to get the hash of the subject and issuer of the certificates and verify that you have a valid certificate chain.

It is good practice to also compare the subject and issuer hashes, because the hash is computed from the encoded name rather than from its printed form. A Common Name (CN) that differs only by a stray or special character that is easy to overlook when reading the printed names shows up as a hash mismatch. The same hash is what OpenSSL uses to look up issuers in a hashed CA directory, so a mismatch here also explains why a chain fails to build at runtime.

  1. Run the following OpenSSL command to get the subject hash and issuer hash for each certificate in the chain from entity to root and verify that they form a proper certificate chain:
    openssl x509 -hash -issuer_hash -noout -in certificate

    Where certificate is the name of the certificate. The first line of output is the subject hash and the second line is the issuer hash.

  2. Verify that the certificates in the chain adhere to the following guidelines:
    • The subject hash of each certificate matches the issuer hash of the preceding certificate in the chain (this does not apply to the entity certificate, which has no preceding certificate).
    • The subject hash and issuer hash are the same for the root certificate.

    If the certificates in the chain adhere to these guidelines, the chain is well-formed and complete.

Sample certificate chain validation through hash sequence

The following example is the output of the OpenSSL commands for a sample certificate chain containing three certificates:

openssl x509 -in entity.pem -hash -issuer_hash -noout
c54c66ba    # subject hash
99bdd351    # issuer hash

openssl x509 -in intermediate.pem -hash -issuer_hash -noout
99bdd351    # subject hash
4a6481c9    # issuer hash

openssl x509 -in root.pem -hash -issuer_hash -noout
4a6481c9    # subject hash
4a6481c9    # issuer hash

In the example shown above, notice the following:

  • The subject hash of the intermediate certificate (99bdd351) matches the issuer hash of the entity certificate.
  • The subject hash of the root certificate (4a6481c9) matches the issuer hash of the intermediate certificate.
  • The subject hash and issuer hash are the same in the root certificate.

From the example above, you can confirm that the sample certificate chain is valid.

Verifying the certificate expiry

This section explains how to verify that none of the certificates in the chain has expired, using one of the following methods:

  • Get the start and end date of the certificate.
  • Get the expiry status.

Start and end date

Run the following OpenSSL command to get the start and end date for each certificate in the chain from entity to root, and verify that every certificate in the chain is currently in force: notBefore is in the past and notAfter is in the future. Remember that the entity certificate cannot be valid if the intermediate or root that signed it has already expired.

Sample certificate expiry validation through start and end dates

openssl x509 -startdate -enddate -noout -in entity.pem
notBefore=Feb  6 21:57:21 2020 GMT
notAfter=Feb  4 21:57:21 2021 GMT

openssl x509 -startdate -enddate -noout -in intermediate.pem
notBefore=Jun 15 00:00:42 2017 GMT
notAfter=Dec 15 00:00:42 2021 GMT

openssl x509 -startdate -enddate -noout -in root.pem
notBefore=Apr 13 10:00:00 2011 GMT
notAfter=Apr 13 10:00:00 2022 GMT

Expiry status

Run the following OpenSSL command to check whether the certificate has already expired or will expire within the next N seconds, measured from the current system time. If the certificate is still valid at that point, the command prints Certificate will not expire and exits with status 0; otherwise it prints Certificate will expire and exits with status 1, which makes it convenient to use in scripts. Note that the check looks only at notAfter: a certificate whose validity period has not yet started still passes.

openssl x509 -checkend <N Seconds> -noout -in certificate

Where certificate is the name of the certificate.

Sample certificate expiry validation through checkend option

The following commands use 0 seconds to check whether each certificate has already expired:

openssl x509 -checkend 0 -noout -in entity.pem
Certificate will not expire

openssl x509 -checkend 0 -noout -in intermediate.pem
Certificate will not expire

openssl x509 -checkend 0 -noout -in root.pem
Certificate will not expire

In this example, the message Certificate will not expire indicates that the certificate had not yet expired when the command was run.
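The following script ties the three checks above (subject and issuer names, subject and issuer hashes, expiry) into one runnable procedure and adds the signature check with openssl verify that name matching alone cannot give. It is an added example, not a script from the Apigee documentation: it generates its own throwaway chain with invented names (Example Lab, api.example.test), assumes that openssl 1.1.1 or later, awk and sed are on PATH, and splits a PEM bundle into one file per certificate the way the Splitting the certificate chain section asks you to do by hand.

```shell
#!/bin/sh
# Added example; not part of the Apigee documentation. Assumptions: an openssl
# binary (1.1.1 or later), awk and sed are on PATH. The chain, its names and the
# host name api.example.test are constructed here purely for demonstration.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, certs and split files
cd "$WORK"

# Build a constructed root -> issuing CA -> entity chain and bundle it entity-first.
make_test_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:api.example.test\n' > ee.ext
  for who in root int entity; do
    case $who in
      root)   cn="Example Root CA" ;;
      int)    cn="Example Issuing CA" ;;
      entity) cn="api.example.test" ;;
    esac
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$who.key" -out "$who.csr" -subj "/O=Example Lab/CN=$cn" 2>/dev/null
  done
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext \
    -out root.pem 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ca.ext -out int.pem 2>/dev/null
  openssl x509 -req -in entity.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 365 -extfile ee.ext -out entity.pem 2>/dev/null
  cat entity.pem int.pem root.pem > bundle.pem   # entity first, root last
}

# Split a PEM bundle into cert-1.pem (entity) .. cert-N.pem (root); prints N.
split_chain() {
  rm -f cert-*.pem
  awk '/-----BEGIN CERTIFICATE-----/ {n++}
       n {print > ("cert-" n ".pem")}
       END {print n + 0}' "$1"
}

name()    { openssl x509 -noout -"$2" -in "$1" | sed 's/^[a-z]*= *//'; }  # subject|issuer
hash_of() { openssl x509 -noout -"$2" -in "$1"; }                         # hash|issuer_hash

# Checks 1 and 2: each issuer (name and name hash) must equal the next certificate's
# subject, and the last certificate must be self-issued. Prints "ok" or the problem.
check_chain() {
  n=$1; i=1
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    [ "$(name cert-$i.pem issuer)" = "$(name cert-$j.pem subject)" ] ||
      { echo "issuer of cert-$i does not match subject of cert-$j"; return 1; }
    [ "$(hash_of cert-$i.pem issuer_hash)" = "$(hash_of cert-$j.pem hash)" ] ||
      { echo "issuer hash of cert-$i does not match subject hash of cert-$j"; return 1; }
    i=$j
  done
  [ "$(hash_of cert-$n.pem hash)" = "$(hash_of cert-$n.pem issuer_hash)" ] ||
    { echo "cert-$n is not self-issued, chain does not end at a root"; return 1; }
  echo ok
}

# Check 3: fail if any certificate has expired or expires within the next $2 seconds.
check_expiry() {
  n=$1; i=1
  while [ "$i" -le "$n" ]; do
    openssl x509 -noout -checkend "$2" -in cert-$i.pem >/dev/null ||
      { echo "cert-$i expires within $2 seconds"; return 1; }
    i=$((i + 1))
  done
  echo ok
}

# Signature check the name/hash comparison cannot give: only the last certificate is
# trusted (-CAfile); intermediates are passed as -untrusted and must chain to it by
# valid signatures, CA constraints and validity periods.
verify_chain() {
  n=$1; i=2; untrusted=""
  while [ "$i" -lt "$n" ]; do untrusted="$untrusted -untrusted cert-$i.pem"; i=$((i + 1)); done
  if openssl verify -CAfile cert-$n.pem $untrusted cert-1.pem >/dev/null 2>&1; then
    echo ok
  else
    echo "signature path verification failed"; return 1
  fi
}

make_test_chain
N=$(split_chain bundle.pem)
echo "chain has $N certificates"
check_chain "$N"
check_expiry "$N" 2592000      # also fail if anything expires within 30 days
verify_chain "$N"
```

To use it on a real bundle, skip make_test_chain and call split_chain on the PEM file you intend to upload; the script exits non-zero at the first failing check, and the openssl verify step is the one that would catch a chain whose names line up but whose intermediate was signed by a different key.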
