Let's say I start with a certificate.
Using openssl I can print it out like this:
openssl x509 -in cert.pem -text -noout
And I'll get some output such as Validity, Issuer and Subject along with Authority Key Identifier and Subject Key Identifier.
How do I use these fields to work out the next certificate in the chain?
And then once I obtain the next certificate, work out what that next certificate should be etc.
Basically I'm wanting to work out the full chain and get things in the right order for the EC2 load balancer. Since Network Solutions don't seem to just give you a bundle that works. They give you individual certs and I've tried and tried lots of different orderings for EC2 and still haven't gotten it to work. My last bet is to try openssl and work this out manually rather than guessing.
Best Answer
The X509v3 Authority Key Identifier in the openssl output for the child key will match the X509v3 Subject Key Identifier for the signing key.
For example, for this site's SSL cert and its parent certificate:
51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B
is what establishes on the child cert what cert signed it, you should be able to use that to find the correct authority certificates.
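The matching rule in the answer above, applied to a pile of unordered certificates: this is an added example, not part of the original answer. It parses saved `openssl x509 -text -noout` output and returns the files leaf first, root last. The file names, key identifiers and the helper names `key_ids` and `order_chain` are constructed for illustration.

```python
import re

HEX = r"((?:[0-9A-F]{2}:)+[0-9A-F]{2})"
# Some OpenSSL versions print the AKI value with a "keyid:" prefix.
SKI_RE = re.compile(r"X509v3 Subject Key Identifier:\s*" + HEX)
AKI_RE = re.compile(r"X509v3 Authority Key Identifier:\s*(?:keyid:)?" + HEX)

def key_ids(text):
    """Return (ski, aki) from one certificate's text dump; None where absent."""
    ski, aki = SKI_RE.search(text), AKI_RE.search(text)
    return (ski.group(1) if ski else None, aki.group(1) if aki else None)

def order_chain(dumps):
    """dumps maps file name -> openssl text output. Returns names, leaf first."""
    ids = {name: key_ids(text) for name, text in dumps.items()}
    by_ski = {ski: name for name, (ski, _) in ids.items() if ski}
    # Key IDs that some *other* certificate names as its signer.
    signers = {aki for ski, aki in ids.values() if aki and aki != ski}
    # The leaf is the one certificate that signs nothing else in the pile.
    leaves = [n for n, (ski, _) in ids.items() if ski not in signers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf, got {sorted(leaves)}")
    chain, current = [], leaves[0]
    while current is not None and current not in chain:
        chain.append(current)
        ski, aki = ids[current]
        # A self-signed root has no AKI or an AKI equal to its own SKI.
        current = None if aki is None or aki == ski else by_ski.get(aki)
    return chain

# Constructed, heavily trimmed dumps (shortened key IDs, deliberately unordered).
SAMPLE = {
    "root.pem": "Subject: CN=Example Root\n"
                "X509v3 Subject Key Identifier: \n    CC:03\n"
                "X509v3 Authority Key Identifier: \n    keyid:CC:03\n",
    "leaf.pem": "Subject: CN=www.example.test\n"
                "X509v3 Subject Key Identifier: \n    AA:01\n"
                "X509v3 Authority Key Identifier: \n    BB:02\n",
    "intermediate.pem": "Subject: CN=Example Intermediate\n"
                "X509v3 Subject Key Identifier: \n    BB:02\n"
                "X509v3 Authority Key Identifier: \n    keyid:CC:03\n",
}

if __name__ == "__main__":
    print(" -> ".join(order_chain(SAMPLE)))
```

Matching key identifiers only puts the files in order; it does not check any signature, which `openssl verify` does. A missing intermediate shows up as a `ValueError` listing more than one leaf.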