
issuer requires /O, but shouldn't

Open tlhackque opened this issue 8 years ago • 4 comments

I noticed that with -i, the issuer is not reported if the name doesn't contain '/O='. E.g. OpenSSL returns "issuer= /CN=Fake LE Intermediate X1"

On the other hand, it's quite happy with: "issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3"

It seems that your regex needs tweaking.

tlhackque, Nov 26 '17 12:11

Which CA are you using to generate your certificates? All of the public CAs I've tested against define the country, organization and common name as part of the issuer. It looks like the issuer you pasted is legit according to RFC 5280 but the fix isn't exactly straightforward.

Matty9191, Jan 25 '18 15:01

If you can provide a bit more info I'll see about adding support for this specific type of issuer.

Matty9191, Jan 25 '18 15:01

One case is the Let's Encrypt staging CA (which is what was shown above).

You will also encounter this with embedded devices (NAS, routers, IoT, etc.) that generate self-issued certificates.

I don't think the fix needs to be complicated.

You can use the CN of the issuer for these, similar to what you do for the subject. You can simplify that code, by the way - you only need to run sed once - terminate each command in the -e with ';':

openssl x509 -nameopt compat -in ww.pem -issuer  -noout -inform pem | sed -e 's/.*CN=//;s/\/.*//'
openssl x509 -nameopt compat -in ww.pem -subject -noout -inform pem | sed -e 's/.*CN=//;s/\/.*//'

I checked my bundle of public CAs, and did find a few that have /O but not /CN. So the fix would seem to be along the lines of:

ISSUER="`openssl x509 -nameopt compat -in ww.pem -issuer -noout -inform pem | \
sed -e 's/.*CN=//;s/\/.*//'`"
[ -z "$ISSUER" ] && ISSUER=(your current code)

Or, it might be less trouble to run your current code first, and fall back to the CN if it is null.

tlhackque, Apr 27 '19 20:04
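As an added example (not code from this thread or from ssl-cert-check itself), here is a POSIX shell version of the O-then-CN fallback proposed above, run over constructed issuer lines in the `-nameopt compat` shape openssl prints; the `dn_attr` and `issuer_name` function names are my own.

```shell
#!/bin/sh
# Added example, not ssl-cert-check's own code. It takes the line that
# `openssl x509 -issuer -noout -nameopt compat` prints and picks a display
# name: the O= value when present (what the script reports today), otherwise
# the CN=, so issuers like the Let's Encrypt staging CA or self-issued device
# certificates are still reported instead of coming back empty.

# Print the value of one attribute ($1, e.g. O or CN) from a slash-separated
# DN read on stdin; print nothing if the attribute is absent. Anchoring on the
# leading "/" keeps "O=" from matching inside "OU=" or "CO=". Values that
# themselves contain "/" are cut short, a known limit of the compat format.
dn_attr() {
    sed -n "s#.*/$1=##p" | sed 's#/.*##'
}

# Choose O=, then CN=, then a fixed marker so the caller never gets an empty field.
issuer_name() {
    name=$(printf '%s\n' "$1" | dn_attr O)
    if [ -z "$name" ]; then
        name=$(printf '%s\n' "$1" | dn_attr CN)
    fi
    if [ -z "$name" ]; then
        name="unknown"
    fi
    printf '%s\n' "$name"
}

# Constructed sample lines: the first two are the issuers quoted in this
# thread, the other two are made up to show the O-only and no-O/no-CN cases.
for dn in \
    "issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3" \
    "issuer= /CN=Fake LE Intermediate X1" \
    "issuer= /C=XX/OU=Lab/O=Example Corp" \
    "issuer= /C=XX/OU=Devices"
do
    printf '%-62s -> %s\n' "$dn" "$(issuer_name "$dn")"
done
```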

Hi,

I modified and used this pattern and it seems to work for all

echo | openssl s_client -connect www.google.com:443 2>/dev/null | openssl x509 -noout -issuer -nameopt sep_comma_plus | awk 'BEGIN{RS=","} {if($0 ~ "O=") {{gsub(/O=/,"",$0)} print $0}}'

Looking for feedback if this helps

copperorange, Feb 05 '20 16:02