Verifying the CA / Router certs

As I learn more about Certificate Authorities… I am keen to better equip myself to verify the validity of certificates.

I found the following command in one of the examples that was associated with building a new certificate authority.

openssl verify -CAfile intermediate/certs/ca-chain.cert.pem

So… I thought to adapt this and test it out using the certificates created by OpenZiti.

openssl verify -CAfile /home/opc/.ziti/quickstart/instance-20220416-1603/pki/ /home/opc/.ziti/quickstart/instance-20220416-1603/pki/routers/instance-20220416-1603-edge-router/server.cert

However, I must be doing something wrong… as I get the following error.

C = US, ST = NC, L = Charlotte, O = NetFoundry, OU = Ziti, CN = 8Zo-gTL0Ck

error 20 at 0 depth lookup: unable to get local issuer certificate

error /home/opc/.ziti/quickstart/instance-20220416-1603/pki/routers/instance-20220416-1603-edge-router/server.cert: verification failed

Any tips on how to resolve this… maybe the intermediate certs are not the right ones to use… would it be the signing certs instead?

If so… what is the difference between the intermediate and signing certs.

Any guidance on the will be greatly appreciated… I am quite overwhelmed with all of the technical aspects associated with a Certificate Authority… and need a few high level pointers to navigate.

In the future, I plan to integrate my own Certificate Authority… and implement a regular refresh of the certificates… but that is a bit further down the road for me at the moment.


Background on PKI

I really can’t explain all of PKI to you. You’re right that PKI is a very overwhelming topic and there is most definitely lots to learn in there. I would probably still consider myself a novice as there are options, upon options, upon options that I’m sure I have never bothered with. That said, there’s definitely an 80/20 type of rule going on… Maybe it’s more like a 95/5 rule… :slight_smile: I use the same 5-10 openssl commands all the time

Using Quickstart?

I will again assume you used the quickstart and that this is the edge-router that comes with the quickstart and is colocated with the controller. That’s important because the commands I’m going to show you are really only relevant on that machine…

What that ‘server’ cert is

The server cert you’re trying to validate comes from the identity.server_cert section of the configuration file of the edge router. You can show that section with a command like:

head $ZITI_HOME/$(hostname)-edge-router.yaml

This is the cert that the router will use when other routers try to connect to this server. You can use openssl to find the issuer of this cert by inspecting the output of:

openssl x509 -text -in ${ZITI_PKI}/routers/${ZITI_NETWORK}-edge-router/server.cert

(i’m pretty sure that’s the proper command. if openssl can’t find that cert, your ZITI_NETWORK variable might be the wrong choice)

When you do this, you’ll see that the Issuer will look something like mine:

Issuer: C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ip-172-31-42-64-signing-intermediate

Using the Signing CA chain

So the SIGNING CA is the cert chain you need to use… This chain from the quickstart is meant to be educational, so it’s complicated. It looks like:

└── signing-root-ca.cert
    └── signing-intermediate_spurious_intermediate.cert
        └── ip-172-31-42-64-signing-intermediate.cert

For openssl to work, you will need to cat ALL those files onto a single file and provide it to openssl because it’ll try to validate that whole chain. That’s relatively straigthforward:

    $ZITI_PKI/${ZITI_SIGNING_ROOTCA_NAME}/certs/${ZITI_SIGNING_INTERMEDIATE_NAME}_spurious_intermediate.cert \
    > $ZITI_PKI/${ZITI_SIGNING_ROOTCA_NAME}/certs/ca-chain.pem

Hey look - it works!

Ok. Now you can finally run the openssl command:

openssl verify \
  -CAfile $ZITI_PKI/${ZITI_SIGNING_ROOTCA_NAME}/certs/ca-chain.pem \

As an aside - for my machine this translates into these paths:

openssl verify \
    -CAfile /home/ubuntu/.ziti/quickstart/ip-172-31-42-64/pki/ip-172-31-42-64-signing-root-ca/certs/ca-chain.pem \

You will see output like this:

/home/ubuntu/.ziti/quickstart/ip-172-31-42-64/pki/routers/ip-172-31-42-64-edge-router/server.cert: OK



Cool… the hierarchy of certs really helps fill in some gaps.