
How to verify a Microsoft certificate


This is the certificate https://gist.github.com/larytet/2fb447e875831577584592cd99980fd1 (x5t VjWIUjS5JS3eAFdm2dnydlZfY-I)

I am doing

openssl verify -verbose -x509_strict certificate.pem

I am getting

CN = estsclient.coreauth.outlook.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error certificate.pem: verification failed

Where do I find the certificate, the whole chain or the root which should be installed in my system?


Solution

  • You need to provide the CA certificate, and most real CAs will list locations where their certificate can be found in an extension in each certificate they issue.

    With OpenSSL, you can view this extension:

    openssl x509 -text -noout < certificate.pem
    

    Look for the "Authority Information Access extension", and its "CA Issuers" field to find the URL and download the certificate from Microsoft.

    Because this file is encoded with DER, it needs to be transcoded to PEM for use with openssl verify:

    openssl x509 -inform der < Microsoft\ IT\ TLS\ CA\ 2.crt > Microsoft\ IT\ TLS\ CA\ 2.pem
    

    Because you just downloaded this file from who knows where over HTTP, you need some way to verify its authenticity.

    You'll notice that it too lists an issuer, so you can perform this process recursively to obtain the entire certificate chain back to a root certificate that you already trust. Usually, we trust the certificates that come pre-installed on our systems. But, in theory, an attacker could have compromised that set, so people sometimes do find out-of-band means to verify their root CA certificates. What's appropriate for you depends on your application.

    The chain of certificates that you download on your way to the trust anchor are "intermediate" certificates; you don't have to trust them directly, because you'll be verifying a chain starting with one of the anchors on your system.

    Concatenate the PEM-encoded certificates, including headers and footers, together in a single file of untrusted certificates. In my case, the "Baltimore CyberTrust Root" certificate that issued the "Microsoft IT TLS CA 2" intermediate certificate is pre-installed as a root CA on my system, so I only have to download the Microsoft certificate, and it's the only one in my file of "untrusted" certificates.

    Now you have the necessary information to attempt your original command:

    openssl verify -verbose -untrusted Microsoft\ IT\ TLS\ CA\ 2.pem -x509_strict certificate.pem
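
The failure from the question and the fix from the answer, reproduced offline as an added example (not code from the original post): it builds a constructed root, intermediate and leaf, then runs `openssl verify` three ways to show that `-untrusted` certificates only help build the chain and never act as trust anchors. The constructed root is in no system trust store, so it is passed with `-CAfile`; all file names, subjects and the helper functions are assumptions.

```shell
#!/bin/sh
# Added example: every name, subject and file below is constructed for illustration.

# issue NAME CN BASIC_CONSTRAINTS [ISSUER]: new key + certificate, self-signed if ISSUER is omitted
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -subj "/CN=$2" \
    -out "$1.csr" 2>/dev/null || return 1
  printf 'basicConstraints=critical,%s\n' "$3" > "$1.ext"
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -days 1 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -days 1 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  fi
}

# build_chain DIR: root -> intermediate -> leaf, plus the intermediate in DER,
# standing in for the file fetched from the "CA Issuers" URL
build_chain() (
  cd "$1" || exit 1
  issue root  "Constructed Root CA"         CA:TRUE        || exit 1
  issue inter "Constructed Intermediate CA" CA:TRUE root   || exit 1
  issue leaf  "leaf.example.test"           CA:FALSE inter || exit 1
  openssl x509 -in inter.pem -outform der -out inter.crt   # simulated download
  openssl x509 -inform der < inter.crt > untrusted.pem     # DER -> PEM
)

# verify_leaf DIR [openssl verify options...]: returns the exit status of openssl verify
verify_leaf() (
  cd "$1" || exit 1
  shift
  openssl verify "$@" leaf.pem 2>&1
)

dir=$(mktemp -d)
build_chain "$dir" || exit 1
echo "1. trust anchor only, intermediate missing:"
verify_leaf "$dir" -CAfile root.pem || echo "   -> rejected"
echo "2. trust anchor plus intermediate as untrusted:"
verify_leaf "$dir" -CAfile root.pem -untrusted untrusted.pem
echo "3. intermediate as untrusted, constructed root not trusted:"
verify_leaf "$dir" -untrusted untrusted.pem || echo "   -> rejected"
```

Case 1 reproduces the error 20 from the question, and case 3 shows that supplying the intermediate does not by itself make the leaf verify.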