OPENSSL to verify CSF & IMG certificates

satyadamarla
Contributor III

Hello,

There are three certificates: SRK, CSF & IMG.

SRK is a kind of intermediary certificate, whereas CSF and IMG are subordinate or user certificates. The SRK certificate is signed by the CA, whereas the CSF/IMG are signed by the SRK.

I tried to verify the SRK and it works well:


openssl verify -CAfile CA1_sha256_3072_65537_v3_ca_crt.pem SRK1_sha256_3072_65537_v3_ca_crt.pem
SRK1_sha256_3072_65537_v3_ca_crt.pem: OK

Whereas when I try to verify the IMG and CSF with SRK or CA, it doesn't work:

openssl verify -CAfile SRK1_sha256_3072_65537_v3_ca_crt.pem CSF1_1_sha256_3072_65537_v3_usr_crt.pem
CSF1_1_sha256_3072_65537_v3_usr_crt.pem: CN = SRK1_sha256_3072_65537_v3_ca
error 2 at 1 depth lookup:unable to get issuer certificate

openssl verify -CAfile SRK1_sha256_3072_65537_v3_ca_crt.pem IMG1_1_sha256_3072_65537_v3_usr_crt.pem
IMG1_1_sha256_3072_65537_v3_usr_crt.pem: CN = SRK1_sha256_3072_65537_v3_ca
error 2 at 1 depth lookup:unable to get issuer certificate

Can anyone suggest how to verify the CSF & IMG certificates properly?

Greets,

Satya

1 Solution
satyadamarla
Contributor III

Hi, 

I found the solution myself after a bit of googling. It's important to create the chain. So, I did the following:

cat SRK1_sha256_3072_65537_v3_ca_crt.pem CA1_sha256_3072_65537_v3_ca_crt.pem > SRK1-CA-chain.pem

openssl verify -CAfile SRK1-CA-chain.pem CSF1_1_sha256_3072_65537_v3_usr_crt.pem
CSF1_1_sha256_3072_65537_v3_usr_crt.pem: OK

openssl verify -CAfile SRK1-CA-chain.pem IMG1_1_sha256_3072_65537_v3_usr_crt.pem
IMG1_1_sha256_3072_65537_v3_usr_crt.pem: OK

Greets,

Satya
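
Added example, not part of the original posts and not NXP's own code: a throwaway three-tier PKI that reproduces the failure from the question and the fix from the solution, plus a variant using `openssl verify -untrusted` so that only the root CA is a trust anchor (this goes one step beyond the thread). The file names, subject names and the 2048-bit key size are constructed for the demo and are not the CST-generated files named above.

```shell
#!/bin/sh
# Constructed demo PKI: CA1_demo -> SRK1_demo -> CSF1_demo (all names made up).
make_pki() {   # $1 = empty working directory
    cfg="$1/demo.cnf"
    cat > "$cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[v3_usr]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
EOF
    # Self-signed root CA.
    openssl req -x509 -config "$cfg" -extensions v3_ca -newkey rsa:2048 -nodes \
        -sha256 -days 30 -subj "/CN=CA1_demo" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
    # SRK: a CA certificate signed by the root.
    openssl req -new -config "$cfg" -newkey rsa:2048 -nodes -subj "/CN=SRK1_demo" \
        -keyout "$1/srk.key" -out "$1/srk.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/srk.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -set_serial 2 -extfile "$cfg" -extensions v3_ca -sha256 -days 30 \
        -out "$1/srk.pem" 2>/dev/null || return 1
    # CSF: a user certificate signed by the SRK.
    openssl req -new -config "$cfg" -newkey rsa:2048 -nodes -subj "/CN=CSF1_demo" \
        -keyout "$1/csf.key" -out "$1/csf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/csf.csr" -CA "$1/srk.pem" -CAkey "$1/srk.key" \
        -set_serial 3 -extfile "$cfg" -extensions v3_usr -sha256 -days 30 \
        -out "$1/csf.pem" 2>/dev/null
}

# Only the SRK in the trust file: no path to a self-signed root, so this fails.
verify_srk_only() { openssl verify -CAfile "$1/srk.pem" "$1/csf.pem"; }
# SRK and CA concatenated into one trust file, as in the solution above.
verify_chain() {
    cat "$1/srk.pem" "$1/ca.pem" > "$1/chain.pem"
    openssl verify -CAfile "$1/chain.pem" "$1/csf.pem"
}
# Root is the only trust anchor; the SRK is supplied as an untrusted intermediate.
verify_untrusted() {
    openssl verify -CAfile "$1/ca.pem" -untrusted "$1/srk.pem" "$1/csf.pem"
}

d=$(mktemp -d) && make_pki "$d" || exit 1
verify_srk_only "$d" || echo "SRK-only trust file fails, as in the question"
verify_chain "$d"
verify_untrusted "$d"
rm -rf "$d"
```

Everything in a `-CAfile` bundle is loaded into the trusted store, whereas `-untrusted` only offers the SRK for path building and still requires it to chain to the CA.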

Yuri
NXP Employee

Hello,

Hope the following helps.

https://knowledge.symantec.com/support/mpki-support/index?page=content&id=SO12792&actp=RSS&viewlocal... 

Have a great day,
Yuri


satyadamarla
Contributor III

Thanks Yuri.

That is exactly what I did. I combined the certificates of CA and SRK1 into one (CA-SRK1-chain.pem) and then I used that to verify. It worked.

Greets,

Satya
