@rglastra
Last active September 2, 2022 16:23
Check available certs in ca-certificates.crt by subject.
#!/bin/bash
# The bundle holds many PEM certificates back to back. awk restarts
# 'openssl x509' at every BEGIN line, so each certificate is parsed on its own.
echo "All certificates in ca-certificates.crt, listed by subject:"
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
echo "All certificates in ca-certificates.crt, listed by subject, check for presence of VeriSign's 'Class 3 Public Primary - G5':"
# Same listing, filtered to subjects that contain "G5".
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep "G5"
@roman-mueller

On Red Hat based systems you need to change the path to /etc/pki/tls/certs/ca-bundle.crt.

@cyphix333

Using CentOS and the above couldn't find the store.

I suggest reading: https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/

@harvest

harvest commented Sep 30, 2015

wrt to PayPal's SHA-256, if the following shows up, are we all set?

subject= /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 1 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
subject= /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
subject= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2007 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G4
subject= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
subject= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2008 VeriSign, Inc. - For authorized use only/CN=VeriSign Universal Root Certification Authority

@wutzebaer

suse 13.2:

awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /var/lib/ca-certificates/ca-bundle.pem | grep "G5"

@alexzeit

Hi there, I have started the script and got this message, what does it mean, do I have the VeriSign G5 root certificate on root?

subject= /CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/C=TR/L=Ankara/O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E. (c) Aral\xC4\xB1k 2007
subject= /C=GB/O=Trustis Limited/OU=Trustis FPS Root CA
subject= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
All certificates in ca-certificates.crt, listed by subject, check for presence of VeriSign's 'Class 3 Public Primary - G5':
subject= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
root@vm:~# ^C
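
An added example, not part of the gist or of any comment above: it tries the three bundle paths named on this page and goes beyond the subject grep by confirming a root through its SHA-256 fingerprint, since a subject string or a match on "G5" does not identify one certificate. The function names are hypothetical, and the fingerprint to look for is an input you obtain from the CA's own publication.

```shell
#!/bin/bash
# Added example, not part of the gist. Default paths are the ones named on this page.

# Print the first readable bundle among the arguments (or the page's three paths).
find_bundle() {
    [ "$#" -gt 0 ] || set -- /etc/ssl/certs/ca-certificates.crt \
        /etc/pki/tls/certs/ca-bundle.crt /var/lib/ca-certificates/ca-bundle.pem
    for f in "$@"; do
        if [ -r "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# Number of PEM certificate blocks in a bundle.
count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# One line per certificate: "<SHA-256 fingerprint><TAB><notAfter><TAB><subject>".
# Uses the gist's awk-to-openssl pipe; fields are matched by name, not by order.
cert_report() {
    awk -v cmd='openssl x509 -noout -fingerprint -sha256 -enddate -subject -nameopt RFC2253' \
        '/-----BEGIN CERTIFICATE-----/{close(cmd)} {print | cmd}' < "$1" |
    awk '{ i = index($0, "="); k = tolower(substr($0, 1, i - 1)); v = substr($0, i + 1) }
         k ~ /fingerprint$/ { fp = v; n++ }
         k == "notafter"    { na = v; n++ }
         k == "subject"     { su = v; n++ }
         n == 3 { printf "%s\t%s\t%s\n", fp, na, su; n = 0 }'
}

# Succeed only if a certificate with exactly this SHA-256 fingerprint is present.
# A subject string (or a grep for "G5") can match more than one certificate.
has_fingerprint() {
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    cert_report "$1" | cut -f1 | grep -qxF -e "$want"
}

# Usage: script.sh AA:BB:...  (fingerprint obtained from the CA, not from this host)
if [ "$#" -ge 1 ]; then
    bundle=$(find_bundle) || { echo "no CA bundle found" >&2; exit 2; }
    if has_fingerprint "$bundle" "$1"; then
        echo "present in $bundle"
        cert_report "$bundle" | grep -F -e "$(printf '%s' "$1" | tr 'a-f' 'A-F')"
    else
        echo "not present in $bundle"; exit 1
    fi
fi
```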
