Brain Droppings

From the mind of Chris Weibel


Verify the Order of Signed Certificates for BOSH and UAA

05 Aug 2016

Photo by Steve Smith on Unsplash

In a previous article, https://www.starkandwayne.com/blog/bosh-uaa-with-signed-certificates/, we covered how to add a signed certificate with one or more intermediate CAs to UAA on BOSH. Recently I discovered that one of my deployments had the certificates in the chain in the wrong order, and a kind gentleman named Thilak showed me how to verify that the order is correct. The bosh_cli did not complain about the order, but other TLS clients might, so it is worth getting the chain right. We should always strive to have nice things!

Start by running openssl s_client against the director's host name and port, as shown below (the same check works against the UAA endpoint):

me@s1:~$ openssl s_client -showcerts -connect bosh1.starkandwayne.com:25555

Now look at the output. In the example below there are 4 levels of certificates, labeled 0 through 3. Level 0 is the server's own (leaf) certificate; each following level is the CA certificate that issued the one before it, ending at (or just below) the root CA.

So the certificate at each level must be signed by the certificate at the next level: the i: line of level n should match the s: line of level n+1. If that is not the case, the chain is out of order or a certificate is missing.


s: is the subject of the certificate (who it was issued to) and i: is its issuer (the CA that signed it).

The line you want to see at the bottom of a good round of openssl bingo is: Verify return code: 0 (ok)

Keep in mind that s_client verifies against the local trust store by default. If the root CA is a private one, pass it with -CAfile (for example openssl s_client -showcerts -CAfile root.pem -connect bosh1.starkandwayne.com:25555), otherwise you will get Verify return code: 19 (self signed certificate in certificate chain) even when the chain is fine. Verify return code: 21 (unable to verify the first certificate) usually means the server is not sending an intermediate the client needs, or is sending the chain in the wrong order.
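As an added worked example (not code from the original post, and not part of BOSH or UAA), the following POSIX shell script automates the check described above. It builds a throwaway root CA, intermediate CA and leaf certificate (constructed test material, not a real deployment's chain), concatenates them into a bundle, and verifies for every certificate that its i: matches the s: of the next one and that the signature actually validates. The fetch_chain helper shows how to pull the real chain from a director with openssl s_client; all host names, file names and function names here are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks that a PEM chain
# is ordered the way a TLS server must send it (leaf first, then each
# issuer in turn): the issuer of every certificate must equal the subject
# of the certificate that follows it, and the signature must verify.
set -u

# Normalised (RFC 2253) subject or issuer of one PEM certificate.
dn() {  # dn subject|issuer <cert.pem>
  openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[^=]*=//'
}

# Split a PEM bundle into certNNN.pem files under $2; print the count.
split_chain() {  # split_chain <bundle.pem> <outdir>
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%03d.pem", dir, n) }
    n > 0 { print > f }
    END { print n + 0 }' "$1"
}

# Print an s_client-style "N s: / N i:" listing and return 0 only if every
# certificate is issued (and actually signed) by the next one in the bundle.
check_chain_order() {  # check_chain_order <bundle.pem>
  dir=$(mktemp -d) || return 2
  count=$(split_chain "$1" "$dir")
  if [ "$count" -eq 0 ]; then echo "no certificates in $1"; rm -rf "$dir"; return 1; fi
  rc=0; i=1
  while [ "$i" -le "$count" ]; do
    cur=$(printf '%s/cert%03d.pem' "$dir" "$i")
    echo "$((i - 1)) s: $(dn subject "$cur")"
    echo "$((i - 1)) i: $(dn issuer "$cur")"
    if [ "$i" -lt "$count" ]; then
      nxt=$(printf '%s/cert%03d.pem' "$dir" $((i + 1)))
      if [ "$(dn issuer "$cur")" != "$(dn subject "$nxt")" ]; then
        echo "   ORDER ERROR: certificate $((i - 1)) is not issued by certificate $i"
        rc=1
      # -partial_chain lets the next cert act as trust anchor even when it is
      # not self-signed, so this checks the signature, not just the names.
      elif ! openssl verify -partial_chain -CAfile "$nxt" "$cur" >/dev/null 2>&1; then
        echo "   SIGNATURE ERROR: certificate $((i - 1)) does not verify against $i"
        rc=1
      fi
    fi
    i=$((i + 1))
  done
  rm -rf "$dir"
  return "$rc"
}

# Pull the chain a server presents, in the order it sent it (the same
# certificates "openssl s_client -showcerts" prints), into a PEM bundle.
fetch_chain() {  # fetch_chain <host:port> <out.pem>
  openssl s_client -showcerts -connect "$1" </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$2"
}

# Constructed test material, not a real BOSH or UAA chain: a root CA, an
# intermediate CA and a leaf, written to root.pem, int.pem and leaf.pem in $1.
make_test_chain() {  # make_test_chain <dir>
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:bosh1.example.com\n' > "$d/leaf.ext"
  for name in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$name.key" \
      -out "$d/$name.csr" -subj "/CN=Example $name" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -set_serial 1 -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -days 30 -set_serial 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -days 30 -set_serial 3 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# Stand-alone demo: a correctly ordered bundle and one with the leaf and
# intermediate swapped (the mistake the post describes).
demo=$(mktemp -d)
make_test_chain "$demo"
cat "$demo/leaf.pem" "$demo/int.pem" "$demo/root.pem" > "$demo/good.pem"
cat "$demo/int.pem" "$demo/leaf.pem" "$demo/root.pem" > "$demo/bad.pem"
echo "== good.pem"; check_chain_order "$demo/good.pem" && echo "   order OK"
echo "== bad.pem";  check_chain_order "$demo/bad.pem"  || echo "   (wrong order detected, as expected)"
rm -rf "$demo"
```

To run it against a real director, replace the demo with something like fetch_chain bosh1.starkandwayne.com:25555 chain.pem followed by check_chain_order chain.pem. The name comparison is what you do by eye in the s_client output; the openssl verify -partial_chain step additionally catches a chain where the names line up but the intermediate is a stale or re-issued CA whose key did not sign the leaf. A bundle the server sends without the root still passes, since the last certificate is only printed, not checked against anything.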